Manager

Bryant Eisenbach edited this page Oct 4, 2018 · 16 revisions

The PlasmaRifle Root-chain Manager

The PlasmaRifle Root-chain Manager contract manages the bridge between Ethereum and the Gunero network. It creates a public signal that the child-chain follows to manage entries and exits from the zero-knowledge trading system that the validating nodes manage through their consensus protocol. It also lets network participants retain control over their assets in the child-chain: if the network is ultimately experiencing consensus failure or transaction censorship, they can exit from the chain's control and return their tokens to their own control.

The functionality described below enables owners of tokenized firearms to perform these actions.

Entry (aka Locking)

| Property | Value |
| --- | --- |
| API | deposit(tokenId, txnIdHash) (note: onERC721Received(data)) |
| Who can do it? | owner of tokenId (must be Auth'd) |
| When can they do it? | Anytime |
| Can they be challenged? | Yes, see challengeDeposit(...) below |

The Deposit function allows the token's owner to transfer control of the token into the child chain network, which unlocks zero-knowledge transfers according to the rules of the Gunero network. This assumes that the Manager contract can take control of tokenId from the current owner at the time the function is called. Note that only currently authorized accounts can access this functionality. This restriction applies only to deposit(...); exits can be initiated even if the user is not currently able to trade the underlying token.

We provide this functionality directly through onERC721Received(data) in the manager contract, which can be called via the safeTransferFrom() function in the Token contract. Note that the deposit() function is private for this reason.

Due to re-tokenization of the underlying asset in case of loss of access to that token, this deposit process may be duplicating a token for a firearm already in circulation in Gunero. This duplicate is undesirable, and represents

Since GunClear has no advance knowledge of ownership in the system, this opens a potential griefing attack against current token owners in the Gunero network.

If the deposit was a re-tokenization of an existing managed asset, this function starts off the challenge process for the deposit by first burning the existing managed token. A challenger then has up to an entire challenge period (currently 28 days) to respond. For more information, see challengeDeposit(...) below.

Deposit Challenge

| Property | Value |
| --- | --- |
| API | challengeDeposit(serial, j, ownerProof) |
| Who can call? | prior owner of tokenId in plasma-chain |
| Who can they challenge? | No one |

Since our tokens represent physical assets, someone can deposit a new tokenId, which may be linked to an older tokenId already tracked in the Plasma-chain, as described above under deposit(...). We allow this because the owner of the token in the Plasma-chain could have lost access to their keys, so we need a method for them to recover access to trading the asset in the zero-knowledge trading system. deposit(...) therefore represents an attestation that the owner had control over the old token before losing access to their keys, which may not be the true state of that token (the owner could have lied), but shouldn't be challenged if it was true.

The owner of that token in Gunero will then have to "re-assert" their ownership of that asset through a challenge to that user's attestation, which in turn burns the new token because it was contested. Since GunClear has no advance knowledge of ownership, it relies on the outcome of this public claim process to determine what to do with the relevant accounts involved, which may involve removing those accounts from trading (see Authlist) and/or minting new tokens (see Token).

Exit (aka Unlocking)

| Property | Value |
| --- | --- |
| API | exit(tokenId, txnSyncId, plasmaProof) |
| Who can call? | last owner of tokenId in plasma-chain at current synced block |
| When can they call? | One Plasma sync after a "burn" Plasma txn |
| Who can challenge? | No one |

The Exit function allows the token's current owner in the Gunero network to exit their token from the Gunero network, removing its ability to be transferred according to the rules of the network. Due to the "Zero Knowledge" property of Gunero, it is not possible to know directly who the owner of the token is, but thanks to the usage of the Simple Merkle Tree (SMT) data structure for the database that Plasma Cash uses (which Gunero is derived from), it is possible to prove the current state of token ownership directly via a Merkle proof. This exit procedure will then have the Gunero operators "burn" the token and remove it from tracking in the SMT.
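As an added illustration (not code from the PlasmaRifle project), the sketch below shows how a Merkle proof binds a leaf to a tokenId in a fixed-depth tree where each tokenId owns one leaf slot, the sparse-tree layout Plasma Cash uses, and how the same slot proves empty once the token is burned. The 16-bit depth, SHA-256, the all-zero empty leaf and the leaf contents are assumptions; the page does not specify the encoding behind plasmaProof.

```python
import hashlib

DEPTH = 16            # assumption: small demo tree, one leaf slot per tokenId
EMPTY = b"\x00" * 32  # assumption: value of an untracked (or burned) slot

def h(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()

DEFAULTS = [EMPTY]    # DEFAULTS[d]: root of an all-empty subtree of height d
for _ in range(DEPTH):
    DEFAULTS.append(h(DEFAULTS[-1], DEFAULTS[-1]))

def build(leaves: dict) -> tuple:
    """Hash only the populated branches; return (root, per-level node maps)."""
    levels = [dict(leaves)]
    for d in range(DEPTH):
        cur, parents = levels[d], {}
        for p in {i >> 1 for i in cur}:
            parents[p] = h(cur.get(2 * p, DEFAULTS[d]), cur.get(2 * p + 1, DEFAULTS[d]))
        levels.append(parents)
    return levels[DEPTH].get(0, DEFAULTS[DEPTH]), levels

def prove(levels: list, token_id: int) -> list:
    """Sibling hashes from the tokenId's leaf slot up to the root."""
    return [levels[d].get((token_id >> d) ^ 1, DEFAULTS[d]) for d in range(DEPTH)]

def verify(root: bytes, token_id: int, leaf: bytes, proof: list) -> bool:
    """Recompute the root; the bits of token_id fix left/right at each level."""
    if not 0 <= token_id < 2 ** DEPTH or len(proof) != DEPTH:
        return False
    node = leaf
    for d, sibling in enumerate(proof):
        node = h(sibling, node) if (token_id >> d) & 1 else h(node, sibling)
    return node == root

def demo() -> dict:
    # Constructed sample state: two tracked tokens with made-up leaf values.
    owned = hashlib.sha256(b"constructed-ownership-record-7").digest()
    leaves = {7: owned, 4242: hashlib.sha256(b"constructed-record-4242").digest()}
    root, levels = build(leaves)
    proof = prove(levels, 7)
    root2, levels2 = build({k: v for k, v in leaves.items() if k != 7})  # token 7 burned
    return {
        "owner_proof_ok": verify(root, 7, owned, proof),
        "wrong_token_rejected": not verify(root, 8, owned, proof),
        "stale_proof_rejected_after_burn": not verify(root2, 7, owned, proof),
        "slot_proves_empty_after_burn": verify(root2, 7, EMPTY, prove(levels2, 7)),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-length check in verify keeps a shortened proof from passing an internal node off as a leaf.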

Thanks to the "provable computation" property of Gunero's zk-SNARK transactions, it is cryptographically unlikely that anyone besides the owner can actually submit an exit transaction. This does not mean we can eliminate the "challenge period" required in Plasma Cash exit procedures, however. It is still possible that the owner will "double spend" their token during the block synchronization period that the token exit was started in. The likelihood of this happening in Gunero is fairly small, due to the nature of what "ownership" represents, and similarly it is difficult to determine if a double-spend is provably malicious. GunClear chooses to work around this potential for double-spend griefing attacks by re-tokenizing the represented firearm if the token exit is found to be invalid, and blacklisting any bad actors found.

A primary use case of the exit procedure in PlasmaRifle is actually an attestation of loss or theft of the physical firearm. This allows a user to burn their token, blacklisting that firearm from future tokenization unless that user re-discovers the firearm. This also creates a signal for law enforcement and other interested parties to follow the status of the firearm. Any exit can be canceled by the attestor by re-tokenizing the firearm, allowing trading of the firearm on the Gunero chain again.

Another use case is to use the platforms of any competitors GunClear may have, or simply public, unsanctioned trading of that firearm token, which we don't disallow. An authorized owner can deposit their token back into the system at any time, acknowledging that the trading history outside of the GunClear system is publicly available.

"Hot Potato!" or Forwarded Exit (aka release of ownership) [MVP Only]

| Property | Value |
| --- | --- |
| API | forward(tokenId, ownerData, ownerProof, txnBlockNum) |
| Who can call? | past owner of tokenId in plasma-chain at txnBlockNum |
| Who can challenge? | owner of tokenId in plasma-chain at txnBlockNum can "forward" it |

In PlasmaRifle, we introduce the concept of "Hot Potato" or Forwarded Exits, which are defined as an exit with a proof of that party spending a specific tokenId and transferring it to someone else, which they publicly announce. This exit is backed by submitting their original transaction data and a proof of existence of that transaction, which shows that the transaction was originally conducted correctly, and no false information was in this forwarding. The "hot potato" exit starts with any owner along the chain of ownership that can provably show their history. Anyone further along the ownership chain can then show a more recent transaction to forward that exit to whomever they have traded that asset to, effectively saying "it wasn't me!". This behavior only stops if the exit is shown to be "final" by someone submitting an exit(...) transaction.

This exit can give law enforcement the tools necessary to track down the ownership chain of the firearm in the case of an incident by appealing to the original party who tokenized that firearm, either through a court order or that party's own volition. Retracing each step in the ownership chain, by having a previous owner reveal their own history, is the only way to uniquely determine the current owner of a firearm of interest. Since this process is transparent and on-chain, it can be a mitigating factor against the possibility of "mass surveillance" by law enforcement: it is not possible to determine overall ownership without private information from each participant in every transaction, information that GunClear does not know. This lets gun owners voluntarily participate in the investigation process by submitting on-chain proofs for firearms of interest, without having to directly interact with officers, speeding up critical investigations.

Note that neither GunClear nor law enforcement can compel a user to reveal this information publicly. The zero-knowledge properties of the system should remove the possibility of mass surveillance, so in practice it is the same as using the existing system of record-keeping and court orders to identify "bad actors", with the added benefit that gun owners can support faster investigations if they choose to.