New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New operation proposal: Bump Sequence #53
Comments
After playing a bit with the code, it looks like the fee changes are going to require an update to the meta format (used in Horizon for example).
in a nutshell:
For code that only cares about operations side effects, the code has to be updated to read either |
@MonsieurNicolas The PR for Trezor support is currently under review and I'd like to get this operation in there now so it doesn't need to be added later. How confident are you that the XDR is final? Will it be operation number 11? |
@zulucrypto you like to live dangerously :) yes, likely to be be the one we end up with. I am currently working on the implementation. |
@MonsieurNicolas The importance of second point is obvious from the first. If sequence can be bumped backward then transactions can be replayed and anything lower than high threshold should not be allowed to do this. As stated in the current proposal a typical use case for this is to skip ranges of transactions in complex workflows. In this case ability to replay transactions adds lots of flexibility, namely loops. If we allow to bump sequence only forward then only conditionals are possible. My proposal is to have bump sequence operation in Stellar to be similar to a goto statement in programming. An example of where this is useful is a mortgage loan. Suppose that Alice has a token t that represents ownership of real estate and Bob has lots of XML that he wants to lend and Alice will repay those XML with interest over N payments. They can set up a custodian account C with the following rules. The sequence numbers for these transactions are: There are other use cases for this functionality for example a crowdfunding campaign that can end early. In general this functionality would allow Stellar developers to reason about Stellar accounts as deterministic finite automaton where sequence number combined with txHash signers are states and transactions are transitions. I will try to wrap up what I have written so far into a serious counter proposal over the next two days and then post it here. |
Thank you for bringing this up! I do not want to allow jumping back wrt sequence numbers as it would violate one of the main tenets in Stellar: keep our users (this includes the devs) as much as possible from shooting themselves in the foot. What kind of problems would that create:
On the smart contracts front, the idea was always to unroll loops. This operation's purpose is just to allow to skip blocks of transactions. Now your second point is still very relevant: Another thing that I also realized is that we should also probably make it fail instead of no-op:
For this last point, I am going to illustrate it with an example: W is the account used for tracking the workflow's state
With the "fail" semantics, only one of those 2 tx will succeed even though they originate from a different account (A and B respectively). I can see this being used by having multiple |
When you try to keep users from shooting themselves in the foot sometimes the opposite effect can occur, after all it is a basic principle of software engineering that user will find a way to shoot himself. If a developer needs to have some functionality x at all costs and the obvious way to implement x is not possible because it uses potentially dangerous operations then the developer will implement a complicated pirouette that does x in a strange way and in the end will be more error prone. From a philosophical standpoint I firmly believe users should have the right to shoot themselves, however I understand this is an issue of opinion and should be dropped. I have a personal insult because I performed the pirouette. Regarding history recording I understand and agree. Changing creates to upserts is usually a bad idea and making new tables to keep history is not elegant as well. In fact this reason alone is good enough to reject my proposal. Other points you made I would still oppose and I will start by defining the security model. The most convenient and secure way for multiple parties to sign a transaction is if each of them use the same software to generate the tx and then sign, exchange and combine signatures. We can assume that this software is mainstream and any observer can build a transaction for any smart contract with any given txHash (where txHash is applicable to smart contract). Let us call a smart contract trustless if it has no external ec signatures and use txHash type signatures instead. Therefore under my security model any observer can inject transactions in a trustless smart contract. I am not going deep in why trustless smart contracts are important. Most notable reason is that it is possible to put an existing smart contract in another smart contract workflow without knowing the internals and not messing up permissions. Two more fundamental assumptions come from Stellar design. If a transaction passes consensus then a tx fee has to be collected. Also if a transaction passes consensus then sequence number should be bumped otherwise an observer could resubmit the tx and deplete the account. In this security model DoS is a non issue because in trustless smart contracts observers can inject transactions and force branches anyway. As for depleting accounts I agree it is possible. For this reason the smart contract should be kept at minimum balance and XLM sent to it only when it is supposed to run. This concept is similar to Ethereum gas. Also note that account depletion is a low threshold attack and any non savings account should be kept little above minimum reserve. Most useful loops cannot be unrolled. These include
On a side note I would like to propose to use a term 'scripted account' instead of 'smart contract' in Stellar terminology. I think 'smart contract' is misleading. |
I think I see your point regarding the use of trustless contracts when used as a sub process of some sort. I imagine that to fix this would require having a way to perform some simple conditions as part of workflows - or at a minimum being able to perform branching from within a given transaction. I didn't spend too much time yet on that front as we've been focusing on enabling the simpler scenarios, while at the same time letting the folks at Etherum experiment with more open ended contracts. If you start to have good ideas on how we would solve that in Stellar - you should open a new issue to discuss it. This issue doesn't seem to be the right place for this and I don't want to lose valuable context. So... going back to btw, when we use terms like "smart contract" we simply are using the definition that Nick Szabo put together 20+ years ago (something very simple); Etherum (for example) implements a lot more than that. |
On the First, it seems that keeping the weight to low as per the original proposal is the way to go for "BumpForward" (what this operation is). Second, we need to move the restriction on the new value out of |
Circling back here after playing with the implementation. One change that makes sense as part of this is to move to
Also, in case this was not clear, With this change the contract of DescriptionBump sequence allows to bump forward the sequence number of the source account of the operation. If the specified Threshold: Low Return valuesBUMP_SEQUENCE_SUCCESSThe source account's sequence number was successfully updated. BUMP_SEQUENCE_BAD_SEQ_NUMThe specified XDR
|
This makes it compliant with the proposal dated 02-Feb-2018 stellar/stellar-protocol#53
This makes it compliant with the proposal dated 02-Feb-2018 stellar/stellar-protocol#53
note: the change was merged in master on March-21st |
Do you plan to publish this protocol change as |
This makes it compliant with the proposal dated 02-Feb-2018 stellar/stellar-protocol#53
This makes it compliant with the proposal dated 02-Feb-2018 stellar/stellar-protocol#53
This makes it compliant with the proposal dated 02-Feb-2018 stellar/stellar-protocol#53
This makes it compliant with the proposal dated 02-Feb-2018 stellar/stellar-protocol#53
Description
Bump sequence allows to bump forward the sequence number of the source account of the operation.
If the specified
bumpTo
sequence number is greater than the source account's sequence number,the account's sequence number is updated with that value, otherwise it's not modified.
Threshold: Low
Note:
This operation only allows bumping the sequence number up to
(current_ledger_number<<32) - 1
.Return values
BUMP_SEQUENCE_SUCCESS
The source account's sequence number was successfully updated.
BUMP_SEQUENCE_TOO_FAR
The specified
bumpTo
parameter is greater than the maximum allowed, see note above.XDR
Implementation considerations on how transaction sets are applied to ledgers
Some background
Currently a transaction set is processed in two phases:
The problem with this approach is that with the introduction of an operation like
BumpSequenceOp
,we have some inconsistencies in the way transactions are processed:
if a transaction bumps the sequence number of an account used in a later transaction, the second
transaction is expected to fail but with the current implementation, it won't (as sequence number
checks are performed while collecting fees).
One the reasons that
BumpSequenceOp
is introduced is to invalidate ranges of transactions, andwith the current behavior it would make it difficult to reason about the correctness of sequence
of transactions.
Proposed update
Only process fees first:
We would not change the logic to construct or validate a transaction set:
a transaction set would still be built with transactions that have consecutive sequence numbers.
The difference is that in the event that a transaction is invalidated by an operation from
a different transaction, it would fail (collecting fees), which allows for transactions that make use of
BumpSequenceOp
to be able to make clean assumptions for any operations scheduled for after the bump.Example usage
A typical use for this is to allow invalidating large ranges of transactions that were pre-shared with others when implementing complex multi-party transactions that form workflows.
This example has two such workflows:
Notation
(sequence number, tx source account)[operation1... operation b]
Transactions prepared
main workflow
(1, A)[...], ... , (99, A)[...]
Some transactions may have the same transaction number, as they are logically equivalent to branches:
(5,A)(payment B->C)
(6,A)(payment B->E)
(5,A)(bumpSeq 199)
dispute workflow
(200,A)(...), ..., (250, A)(...)
The text was updated successfully, but these errors were encountered: