Skip to content

Latest commit

 

History

History
63 lines (48 loc) · 4.98 KB

cap-0028.md

File metadata and controls

63 lines (48 loc) · 4.98 KB
Raw

Preamble

CAP: 0028
Title: Clear pre-auth transaction signer on failed transactions
Author: Siddharth Suresh
Status: Final
Created: 2019-10-10
Discussion: https://github.com/stellar/stellar-protocol/issues/495
Protocol version: 13

Simple Summary

Pre-auth signers are only removed from the source account if signature verification on the transaction succeeds during transaction application. The signer is left on the account otherwise. This proposal will remove the signer from the source account when the transaction is being applied, regardless of the outcome of that transaction.

Motivation

If the pre-auth transaction fails before signature verification succeeds, the pre-auth signer needs to be removed manually using the Set Options operation. The fee for that transaction will have already been consumed, so it should never be applied again. The pre-auth signer can never be used again due to this, so there's no reason to keep it around.

CAP-0015 (Fee-Bump Transactions) also introduces behavior that can make it harder to clean up the obsolete pre-auth signers. If the outer fee bump transaction has an invalid signature, the inner transaction will still need to be applied. The pre-auth signer will not be removed due to the outer transaction failing, but the inner transaction can return txSUCCESS, so the account owner won't know to remove the signer.

Goals Alignment

The Stellar Network should facilitate simplicity and interoperability with other protocols and networks.

Specification

This proposal will add functionality to remove a pre-auth signer even if the signer has not been checked yet. A method will be added to TransactionFrame that will check every transaction and operation source account for the pre-auth signer, and remove it if found. This method will be called every time a transaction enters the application stage (even if the transaction fails for any reason).

Caveat

The existing functionality along with what's being added is only executed when the transaction is in the application stage. The application stage is where the transaction will be used to execute it's operations and modify the ledger. The transaction will not enter the application stage if it isn't accepted into the transaction set, which means the signatures on the source accounts of the transaction/operations won't be considered for removal. The transactions must have valid signatures and sequence number at the time of submission to be accepted into the transaction set. Here are some examples to make this clearer.

An example of signer NOT being removed on sequence number failure

  1. Source account B with a pre-auth signer is at sequence number X.
  2. A transaction that corresponds to the signer on B is submitted for source account B with sequence number X.
  3. This sequence number is invalid, so the transaction will not be included in the transaction set to be applied. The signer will not be removed.

An example of signer being removed on sequence number failure

  1. Source account B with a pre auth signer is at sequence number X.
  2. A transaction for source account B is submitted with sequence number X + 1, with a BUMP_SEQUENCE operation that sets the sequence number to X + 2. This transaction makes it into the transaction set. It hasn't been applied yet.
  3. A transaction that corresponds to the signer on B is submitted for source account B with sequence number X + 2. This transaction makes it into the transaction set because the sequence number is right.
  4. Transaction set is being applied. The first transaction with the BUMP_SEQUENCE operation is applied succesfully, which sets the sequence number of source account B to X + 2.
  5. Now the second transaction is being applied. The sequence number check on the transaction will fail because it is equivalent to the sequence number on the account (both are X + 2). The signer will be removed in this case.

Removing signer on signature verification failure

A similar scenario to the sequence number failure above can happen with a signature verification failure. To remove a signer on signature verification failure -

  1. Source account B has pre-auth signer with weight 1. All thresholds on account are also set to 1.
  2. A transaction set with two transactions for source account B are being applied.
    1. Transaction #1 - SET_OPTIONS operation that sets all thresholds to some high value (say 255)
    2. Transaction #2 - Pre-auth transaction that corresponds to the signer that was added to B
  3. Transaction #2 will fail during application because the signer weight isn't high enough, and the pre-auth signer will be removed from account B.

Design Rationale

The proposed solution is simple and maintains backwards compatibility.

Backwards Incompatibilities

None

Security Concerns

There are no security concerns here, as this is a small change that removes a signer from a source account.

Test Cases

None yet

Implementation

stellar/stellar-core#2379