-
Notifications
You must be signed in to change notification settings - Fork 649
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Threshold authority weights per operation. #1061
Comments
I like this idea. Optional overriding the treshhold for hand-picked operations, while keeping the base logic. I have no clue of the impact code-wise, but it will bring great security for automation tools. |
Just realised that https://github.com/bitshares/bsips/blob/master/bsip-0029.md battles a similar security issue. In BSIP29's case, we split the operation to 2 different ones and make one require owner auth. With the functionality above we would have multiple authorities and different weight thresholds for the 2 ops. |
Removed the "DEX" impact. |
Taking this more into a abstract level birthed the following idea: We currently have two authorities (active, owner) and a memo key. We add a fourth: Custom active
Custom active authorities can be added and deleted with active authority of the account. Impact Use cases Account A adds Key Z as custom active authority for trade operation. The user can then login from anywhere with cloud login using the private key from key Z to unlock his account and only be granted trading possibilities. Further securing the account against phishing I can think of many other use cases but I think the above is already strong enough. With such a setup and only logging in the trading authority, the phishing attempt that compromised OpenLedger would not have allowed to harm the account in the same extent (other then trading on already allowed pairs). |
After careful consideration, I'm leaning slightly towards your abstraction. My one would be easier to UI for and for people to understand but might lead to edge cases where 2 ops desired weights/authorities are 'incompatible" Yours takes care of that by explicitly setting auths for each op if needed...Downside being it's harder for people to set up. Or we could allow both. My scheme as described above with yours on top with higher priority to explicitly cover potential edge cases. Anyone else wanna chip in? @oxarbitrage @abitmore @pmconrad @jmjatlanta ? |
This also references #590 |
This is being turned into a BSIP. Further discussion here: bitshares/bsips#86 |
Discussion has moved to BSIP-40. Closing. |
User Story
As a
user
I wantthe ability to set authority threshold weight on the operation level
rather than the account-level so that I canhave finer-grained control of the account and improve security
.Example use cases
As a
gateway operator
I have a service that automates the issuing of assets to users as deposits come in. This requires keeping the active authority keys on the machine running this service. I want to be able to set a low threshold weight to the issue_asset operation so a single key can be used, but have all other ops require multisig to limit the impact of a potentially compromised key.As a
trader
, I want to set up a trading bot on a server and similar to case 1 have placing and cancelling orders on a low threshold so that a single auth can be used but limit transfers and other ops to multisig.CORE TEAM TASK LIST
The text was updated successfully, but these errors were encountered: