-
Notifications
You must be signed in to change notification settings - Fork 746
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve developer experience by removing timepoint
from multisig
#2541
Comments
At the cost of the scenario you described. It's very likely that a multisig would approve the same call many times (e.g. recurring payments), so I don't think it's highly unlikely nor harmless. The documentation of the type that you deleted tells you that it is to "allow a transaction in which a multisig operation of a particular composite was created to be uniquely identified.".
Adding one seems like the better solution than removing the replay protection. |
It's not about "carelessness", it's about the other key(s) being compromised and acting in a malevolent fashion. The timepoint is there primarily to ensure that the authorization can only be utilized on the instance of the call expected at the time of authorizing. It's a real concern, but probably not so important for most use-cases. I appreciate that it may be a friction point for developers. However, rather than the change suggested of removing the timepoint entirely and making a breaking change, not to mention preclude the possibility of security-minded applications utilizing it, I would consider making it optional. Since it is already passed as an option with let timepoint = maybe_timepoint.ok_or(Error::<T>::NoTimepoint)?;
ensure!(m.when == timepoint, Error::<T>::WrongTimepoint); would become if let Some(timepoint) = maybe_timepoint.as_ref() {
ensure!(m.when == timepoint, Error::<T>::WrongTimepoint);
} |
I think the suggested solution by Gavin Wood should be great for everything:
do you want me to contribute by changing my PR to that solution? Edit: opened a new PR with the suggested solution (changed docs, added tests, and changed events) |
What is
timepoint
?timepoint
parameter foras_multi
andapprove_as_multi
functions.AccountId, Hash
pair, and they are stored in storage asStorageDoubleMap
. And we don't needtimepoint
to uniquely identify multisig operations.timepoint
is:M
), with AccoundId = A, and Hash = HM
(say Alice) forgot to approve it (and it's ok. It got dispatched, which means it got enough approvals already)M'
) is created, with AccountId = A, and Hash = H (so basically, it is the same multisig operation again)M
, but in fact, she will be approvingM'
M'
is basically the exact copy ofM
, it will somehow be a problem that Alice approvedM'
.timepoint
parameter prevents that highly unlikely and probably harmless situation... But at what cost?The problem
Having a
timepoint
parameter is significantly hindering the developer experience for multisig pallet. Due to following reasons:timepoint
of a multisig operation.timepoint
: https://github.com/paritytech/txwrapper-core/tree/768bb445beb2907582b2d5e13ade3be5d995af3e/packages/txwrapper-examples/multisig#timepoint-of-approveasmulti--storagetimepoint
s purpose is in the pallet. It is confusing for most of the developers to encountertimepoint
The solution
Simply getting rid of
timepoint
in multisig pallet.And in the scenario where Alice is too careless, and approves
M'
instead ofM
, and this becomes a problem for her, I think it is Alice to blame, not this pallet.To me, it seems like: to make maybe 1 or 2 user/s happy, we are making 99.9% of the users unhappy.
The text was updated successfully, but these errors were encountered: