CIP-0159? | Account Address Enhancement #1061
Conversation
|
This is a first draft, but @GeorgeFlerovsky and I would like to start getting community feedback on it. Tagging some people who might be interested: @Quantumplation @lehins @colll78 @michele-nuzzi |
|
Great CIP! Can you add a script purpose that allows you to do partial withdrawals? |
Why not just use the already present |
|
@fallen-icarus we'll tag it for |
|
@fallen-icarus maybe I'm missing something, but not supporting native assets means that minUtxo is solved only for ada-only utxos? I think the big pain point is sending assets without minUtxo |
Yes, that is correct. This section discusses the concern for dusting attacks with native asset support.
That might be true for you, but that is not true for everyone. I have spoken to several projects and they would like to charge fees (in ADA) for their services, but currently the smallest fee they can charge is 1 ADA because of the minUTxO. Also, for DAOs whose treasuries are mostly ADA, using an account address makes more sense. I would like to one day see support for native assets as well; but as the CIP says, why should we wait since we can safely add support for ADA now? It could be years before someone figures out a simple solution to native asset dusting attacks. |
|
I think this does help with minUTxO though, because you can always withdraw from an account to cover minUTxO; so if someone has a very congested wallet, but wallets keep the reward account topped up, then the "solve" for utxo selection is less of a fixed point: select the UTxOs needed to cover whatever you're trying to do, and then furnish the minUTxO from the account. You don't have to go back to UTxO selection and potentially loop multiple times. |
Collateral taught us that making assumptions about the user wallet is not good, both for DevExp and UX. Having support for tokens in the account helps everyone, solving both the singular case for ADA and the broader case for tokens |
|
I believe we could come up with a minAda for the account minAda in the account would be significantly less problematic than minUtxo because you only have to have 1 shared minAda for all the assets, whereas the minUtxo implies an overhead for each utxo (the simplest utxo has at least the overhead of the address). |
|
I think a minUTxO for account addresses would open up an attack vector. 🤔 Imagine if I have only 5 ADA in my account. You could mint a bunch of worthless tokens and deposit them into my account. Doing so effectively forces my ADA to be used as the minUTxO deposit in the account. I didn't consent to this. Now, in order to claim my 5 ADA, I need to do something with these worthless tokens. This attack isn't possible with UTxOs since you can't use my ADA from other UTxOs to be your minUTxO deposit. You need to cover the minUTxO deposit yourself when you send me the worthless tokens and my ADA is still segregated from these tokens. |
how does this not have the same problem you describe? |
|
one naive-ish way to solve for this attack would be to require authorisation to deposit in the account (either by pub key signature or by contract) |
You're right. It does.
I don't think this would work for pubkeys since it requires the business to sign every transaction that wants to send them money. For it to work at scale, the business would need to automate the signing and have their keys online 24/7. This is a major security sacrifice just to allow filtering native asset deposits. Also, I'd personally like to avoid requiring deposit script executions due to execution costs. Some services could possibly charge 0.01 ADA per tx, but a deposit script execution would add way more than that in tx execution fees. |
|
Perhaps it is possible to whitelist native assets in an account address' registration certificate? But I don't know if this would add too much overhead to still rely on Phase 1 validation. @lehins |
|
I'm not sure why everyone is so scared about executing scripts lately, but these are the relevant parameters {
"price_mem":0.0577,
"price_step":0.0000721,
"max_tx_ex_mem":"14000000",
"max_tx_ex_steps":"10000000000"
}that means that a tx that spends 100% of the max tx budget pays that is I would find hard to believe a script that verifies the whitelist of contract (a single utxo ref in a linked list) to go over 2% of max tx budget 2% implies a |
|
IMHO a fee-based script is a workaround, not a solution. Since all we are trying to do is filter native asset deposits, a phase 1 check that also works for pubkey addresses would be preferable. |
agree, but, as you said, we don't want to put too much load on phase 1, so it would have to be benchmarked. if it is doable it would be preferred. regardless, in order to truly solve for minUtxo we need to consider CNTs |
|
I am pretty sure we will also need to provide the ability to operate on multi-assets in accounts, because:
Problems that I am aware of with respect to putting multi-assets into accounts are:
Solution that comes to mind is to also require addition of ADA to the deposit associated with the account, where the amount of ADA would be proportional to the size of binary representation in memory of the multi-asset (which is similar to how minUTxO works). This has a few benefits:
Naturally, this is still just an idea that I have not given good enough thought, but I have a feeling that it could work. Slight complication I can see with this is with getting the deposit back. After all, we do not want to encourage users to drain accounts and unregister in order to get what could be a pretty big deposit. This could potentially be solved with a special "rebalance" certificate that allows users getting back surplus from the deposit by looking at current multi-asset balance in the account. I am just not confident that it is safe to do something like this automatically on a withdrawal, since there would be a dependency on some protocol parameter and that has implications for plutus scripts, but maybe that would be fine too. |
|
@lehins Whitelisting CNTs in the address' registration cert seems much cleaner. The registration deposit could be exponentially proportional to the number of CNTs whitelisted. Then any tx that deposits a non-whitelisted CNT just fails (phase 1?) validation. This approach safely allows the account address owner to cover the minUTxO for all deposits. EDIT: Actually, I think the whitelist could be checked during phase 2 validation. Phase 1 would only check that the receiving account is registered. This means depositing CNTs would require posting collateral. This seems fine since it is your fault if you try depositing a non-whitelisted CNT. ADA can always be deposited without specifying collateral. |
Whitelisting is a limiting solution, IMHO, since you need to know all multi-assets you want to accept a priori. In other words, if you'd like to accept a new token, you'd have to unregister and register back again, which would also require undelegation from DReps and Stake Pools. Also, from what I understand about this suggestion, this is not an acceptable protection from ledger perspective, because it would rely on logic that is not directly enforced by the ledger. In other words, ledger has no knowledge or control of what is being validated in phase2. If we are to allow multi-assets in accounts, all of the enforcement must be done at the ledger rules level. Most importantly, however, whitelisting does not protect against an attack where an attacker creates couple of hundred accounts with millions of multi-assets white listed. That would allow such an attacker to do a DDoS, and it would be fairly inexpensive.
So, I am sorry to say, but this is not a viable solution. |
@fallen-icarus You do need to mention that partial withdrawals will not be available in presence of Plutus versions that are already active on mainnet (PlutusV1-V3 today), otherwise this would be a backwards incompatible and unsafe change, which we must avoid. |
|
Why would a partial withdraw look any different from just a withdrawal certificate with less ada in the wallet, from the perspective of plutus v1-v3? The "account balance interval" stuff, or deposits, certainly wouldn't be visible, but any existing script can't possibly care whether it's a partial or "complete" withdrawal |
I don't see how this is a problem. If I'm running a service and people need to pay me, they need to use a pre-approved currency. I won't accept payment in just any asset. If they need to send me a one-off asset, sending it into a UTxO is still possible. In what scenarios do you need to frequently accept random assets? 🤔
I personally don't consider this to be an issue since adding pre-approved assets to the whitelist for payments would be a rare occurrence. But if it is an issue, we can decouple the whitelist into its own certificate.
I don't see how this attack is actually possible. The whitelist itself must fit inside a certificate which must fit inside a transaction. I doubt you can fit "millions of multi-assets" into a whitelist. My guess is that it is only a few hundred per address before the certificate size exceeds the tx limits. Plus, if we have the exponential deposit calculation like I suggested, it could be prohibitively expensive after only 20 assets whitelisted. The attack you're describing would require locking up millions of ADA. AFAIK the number one use case for this feature is accepting payments or specific markers (e.g. vote counting). This implies a very finite list of assets that each account address needs to accept. I don't see why we need to enable support for depositing a lot of unique random assets into each account address. |
Because there is an implicit assumption that some scripts might rely on the account balance to be fully drained. It might not affect anyone, but it might affect someone significantly. We just never know.
Presence of an interval or deposit would immediately disqualify any presence of PlutusV1-V3 scripts in a transaction. The only exception we have ever done intentionally to this rule was enabling reference inputs for PlutusV1, which was weighted very carefully. |
This fact of whitelisting has to be stored in the ledger state, which itself has the exact same overhead as just storing that multiasset for the account state in the ledger state. So, you are not solving anything with this.
It is not the transaction that is the problem, but the space whitelist would occupy in the ledger state.
Imagine that I am an attacker and I submit a certificate that contains as many multi assets that you'd like to whitelist as transaction size limit allows. Now you have 16KiB of data that has to be stored in the ledger state. Rinse and repeat for more accounts until node is killed with out of memory. The reason why we have reward account deposit and minUTxO, is to prevent precisely this attack. Side note. I think we should consider renaming withdrawal and deposit to something like credit and debit. It is really confusing discussing deposits, since accounts already have 2ADA deposit, which means something totally different. |
It is not a problem of allowing depositing anything random into the account, it is a problem with storing the whitelisting in the state, cause it occupies the same amount of memory as the multi-asset itself. We could potentially make the deposit proportional to the size of the whitelisting. That could work too. However, it would be very similar to my suggestion, except the user that is creating an account would have to leave the deposit, instead of the one that is putting the actual multi-asset into the account. 🤷♂️
FTR. We'd also have to cap the amount of any multi-asset that can be stored in the account to 2^64-1, but I don't think that would be a deal breaker 😄 |
|
I've made this CIP a topic for the next Ledger Working Group Meeting #20. Anyone interested in it is encouraged to join. |
@Quantumplation Agreed, we should elaborate on rationale for balance intervals. The bottom line is that (phase-1 validated) balance intervals are the only way to expose the volatile account balance to phase-2 scripts without breaking phase-2 determinism (which the ledger team has indicated would be a deal-breaker). We already do the same thing with time-validity intervals for the same reason. The balance interval can be quite useful. Two different usecases that I recently described on twitter:
|
As others pointed out, they have different invariants. That was enough for me to consider a separate high-level type. But TBH I don't have a strong opinion on this. If other smart contract devs believe it would be better to work with
👍 The main use case I see would be building up the proper |
IMHO not requiring a witness is the biggest use case for the intervals. The "withdraw 10 ADA + deposit 10 ADA" approach requires a witness from the account owner which means it can't be used for decentralized use cases. The decentralized fixed-supply minting is an example use case that wouldn't be practical without the witness-less intervals. Basically, if you want something to happen when a threshold is reached, how can you enable that in a decentralized way without the witness-less intervals? |
| These changes require a new plutus and ledger version. | ||
|
|
||
| ### Acceptance Criteria | ||
| - [ ] These rules included within an official Plutus and Ledger version, and released via a major hard fork. |
There was a problem hiding this comment.
may consider references to different node implementations/teams
There was a problem hiding this comment.
@fallen-icarus for CIPs affecting core systems we're planningconsidering to recommend language like added here:
There was a problem hiding this comment.
@fallen-icarus FYI to document what you observed on this topic in the last CIP meeting: the CIP-0001 modification above may be less significant than planned — due to difficulties with the original recommendation as summarised in #1070 (review) — so in my opinion this can be resolved unless perhaps @Ryun1 can recommend something in the spirit of that meeting's consensus.
Co-authored-by: Ryan <ryan.williams@intersectmbo.org>
|
@lehins (If not, or if there are lingering reservations from your team, please comment and we'll continue the discussion) |
|
As Midgard protocol architect, I can confirm that we are very excited about the features of this CIP. @colll78 please add your 👍 if you agree |
rphair
changed the title
There was a problem hiding this comment.
@fallen-icarus thanks for the well rounded presentation at the CIP meeting yesterday: as expected this is confirmed as a candidate. @GeorgeFlerovsky your bringing in the feedback from Ledger and the significance to L2 development were also very helpful: and promising both for this CIP and for Cardano.
Editors would look forward to confirming that the remaining disputable details, especially based on Ledger input, are worked out before merging this: so please @lehins @WhatisRT confirm when you think that has been accomplished and we'll put this up for Last Check (no rush).
Please rename this directory to CIP-0159 and update the new pathname to the rendered proposal in your OP 🎉
rphair
added
State: Confirmed
|
Bringing my comment from X here for visibility. Also, bringing here @Crypto2099 , @disassembler , @HinsonSIDAN since they also showed interest in lowering min utxo ada. Other people/companies that we spoke with and showed interest in this approach are: Sheldon Hunt + Michael Yagi (Sundial) , Matteo + Raul (FluidTokens)
Also bringing this: |
|
One more thing I forgot to mention on the UX side: users would effectively have two possible receive addresses: their normal base address and their stake address. From a user’s perspective, the stake address will seem preferable since it doesn’t lock ADA, but it would only work in some cases depending on which assets are approved. That inconsistency will make it feel unreliable. Wallets would then have to show both addresses and explain when and why each one works, which is going to be a UX nightmare. |
While also removing most of the security it provides in the form of bounds on UTxO state size.
Just registering my interest here for this proposal regardles of the minUTxO considerations; this unlocks really powerful new design patterns in the dApp design space, and as I look at our internal 2 year roadmap, this would solve quite a few of the awkward things we'll have to work around in the products we want to build. Lots of those have been enumerated by the likes of @GeorgeFlerovsky above, but there are others as well. |
Could you please elaborate @Quantumplation ? My current understanding is that this was never about security, but rather about keeping the max network state within some bounds for the sake of node operators (keep a small minimum memory requirement). This is no longer much of a problem with UtxoHD being introduced, which allows UTxOs to be offloaded to hdd/ssd. |
|
Keeping the utxo state within some bounds is a security concern, as growing that state without bound could take the network offline. Even with UTxOHD, there should still be a reasonable bound, for the sake of state growth, access times, and other indexing services. We can certainly likely lower it, but I'm not sure we could lower it to zero; and having it present at all is what causes the UX issues; lowering it to 0.01 ada still means we need to include the ada, meaning tx building is more complicated, etc. An alternative that would simplify things greatly is simplify the equation. If we calculated what the minUTxO should be for the maximum sized utxo after UTxOHD, and that came in below what it is currently (let's say, 0.5 ada), and we just made it constant, accepting the inefficiency, we could simplify a lot of code, clarify a lot of error messages, etc; it becomes much easier to explain to users, and to resolve programatically. I would still argue in favor of this CIP in addition, fwiw. |
|
@Quantumplation Appreciate the extra context. I believe lowering it to 0 would not be allowed anyways, and is not what was suggested. I believe that lowering it to ~0.01 ada (or even ~0.1 ada) would still improve a lot of things. The dev complexity doesn't change compared to how it is currently, but the user experience would be massively improved. And it's very easy to deliver.
A fixed utxo ada would absolutely improve both dev and user experience. Only downside that I see is complexity. It requires again real code updates for many components and dev tools, so it'd be much harder/slower to deliver. I'd still like to see this maybe more like 0.1 ada per utxo, but I am generally liking this solution too. (except for the complexity to deliver it)
My comments here are primarily meant to be about improving the users UX when it comes to the min utxo pains. If this proposal still makes sense (for other reasons than min utxo cost), I'd like to see a version where it's not viable for P2P transfers, but rather only for SCs. Because if people expect to do transfers to users via stake account, the whole sending experience on Cardano will get insanely messy and confusing. |
|
@AlexDochioiu Recall that currently, Cardano nodes must keep track of each utxo for its entire lifecycle until it is spent, which could be never. So, fundamentally we need something in place to constrain the total number of utxos that each person can create. In that sense, while this CIP is not about security per se, the solution you're suggesting as an alternative would degrade security IMO. However, even if minUtxo were eliminated or greatly reduced, this CIP would still be useful. Unlike with a utxo:
As Pi mentioned, I provided more details on usecases above. See here: |
i strongly disagree. First of all, if we enhance accounts the way the CIP describes, then they will become general-purpose accounts, not just "staking accounts". Second, I think users would find it more intuitive to send to an account because that's how they've already done for hundreds of years in the traditional finance world. On the contrary, if accounts become available, I think that utxos will be used primarily to store datums for smart contracts, because updating datums is an inherently contentious action. A utxo will also be used in situations where its whole contents must be spent atomically. However, in the great majority of other cases, keeping funds in an account (as described in this CIP) is the superior option. Lastly, I think it would be very messy/complicated for the ledger to allow full-accounts at plutus smart contract addresses while disallowing them for pubkeys and native script addresses. Also, Cardano can't distinguish between a native script and a plutus script until a script witness is provided in a transaction. If you disallow full accounts only for single pubkey addresses, then I expect that users will just start using native script addresses with singleton key sets, as there is only negligible extra cost for invoking a native script. They would do this to benefit from the features of full accounts. |
|
As others pointed out minUtxo is needed for security, as such, it is not going away anywhere. Once UTxOHD becomes a recommended method of storing UTxO then we would probably be able to lower this minimum amount a bit, but definitelty not enough to solve that problem. In general I would suggest to anyone avoiding speculating about potential values for any of the protocol parameters, especially whithout knowledge of their purpose. Such confidence can give wrong impression to members of the community that such changes are fine, when they are absolutely not fine. Regardless of minUtxo, I am sure there are plenty of other use cases that will come out of this CIP, that we haven't even thought of yet. Proper chymeric ledger has some superpowers, even Charles Hoskinson agreed when I discussed this feature with him. |
|
First, to clarify the minUTxO discussion: nobody is suggesting removal. The proposal was always a 10-100x reduction (post UTxOHD introduction). Security arguments against complete removal are irrelevant to what was actually suggested. If there are actual arguments against the reduction, I'd appreciate if you could point out the exact concern so that we can be productive and see if they can be addressed, or if they are complete blockers. @GeorgeFlerovsky - I disagree with several points: 1. The traditional finance comparison doesn't work here. 2. Additional deposits per registered token. 3. Receiver education burden. 4. Extra failure causes. 5. Ecosystem support burden. My core concern isn't whether this has dev value for SC use cases since clearly it does. It's that nobody has mapped the actual user journey. How do wallets and dApps surface this? How do users choose between addresses? What happens when they pick wrong? How do they understand which tokens require deposits? It would be good to see some actual:
Without this, we're shipping technical capabilities that will confuse users and fragment the ecosystem. The comparison to traditional banking doesn't address the actual complexity this introduces. |
@AlexDochioiu I'm not just a smart contract dev. I've also created my own prototype wallet and am working with Lace to create a market-ready version. I've already thought about how to integrate this CIP into the wallet. I think the issue here is that you are misunderstanding two things:
To start, the sender is not the one who pays the deposit. The recipient pays the one-time deposit when they register the whitelist. The recipient preemptively pays the deposit so that the senders don't need to. This is the reverse of the minUTxO flow where the sender is the one that covers the deposit for the assets they send.
First of all, this is already the case due to it being a financial transaction. If an entity wants to get paid, it must specify which assets it accepts for payment and where to send the payment. You seem to think the senders will have a choice of addresses which is simply not true in the real world. Whether you are paying a friend, buying something at a store, or sending to a dApp, the sender will be told what address and asset(s) to use. Second of all, the certificate Bob used to register the whitelist was recorded on-chain. To know what assets are supported by this account address, you just need to lookup the latest whitelist certificate for that account address. (If there is none, then only ADA is supported.) It is exactly the same process as checking where a stake address is delegated. So determining the address' supported assets actually does not require any more coordination than right now. Recipient UI/UX Flow: Wallets already show reward address balances. It would be pretty straightforward to update these components to:
Sender UI/UX Flow: The sender will already know what asset to send and what address to use. The user will first enter the address. If it is an account address, lookup the latest whitelist certificate for it. Then ask the user to enter asset quantities but only allow quantities for the assets in the whitelist. There is never a reason for a user to send any other asset to the recipient: if a store only accepts ADA and you send them SNEK, the store will not recognize it as a valid payment. So if there is ever a mismatch between the whitelist and what the user is trying to send, either the recipient misconfigured their whitelist or the sender is doing something wrong and is rightly blocked. If the wallet submits the tx anyway, it will fail phase 1 validation and tell you exactly what happened: the sender tried sending an unsupported asset. Also your approach of only decreasing minUTxO is actually significantly worse than this CIP. Consider airdrops. Airdrops send assets to people without their consent. It is effectively spam. I actually like the high minUTxO because it disincentivizes exactly this spam. If a user actually wants the airdropped token, they can add the token to their account address whitelist. Now the project doing the airdrop can send the user the token without having to pay any deposit. Right now, airdrops are so expensive because of all the minUTxO deposits required. This CIP entirely eliminates that pain-point! Cardano goes from being one of the most expensive chains for airdrops to being one of the cheapest! This is because the receiver pays all deposits for account addresses. And it does so while still deterring spammy airdrops. Just lowering minUTxO would not do this and your suggestion of lowering it by a factor of 10-100 would dramatically increase the number of spammy airdrops. 👎
@GeorgeFlerovsky is actually correct about the ideal user flow. If the recipient is willing to accept the asset the sender wants to send, the ideal UX is for the recipient to register the whitelist (also preemptively paying the deposit) and the sender sends the asset to the specified account address. If the recipient does not want to accept the asset, they can optionally provide a normal UTxO address as a backup option. The sender can choose to use this address if they really want to but the minUTxO deposit they must pay properly discourages going against the recipient's wishes.
The sender doesn't pay the deposit for account addresses so from their perspective, none of the tokens require deposits. And again, it is actually quite trivial to know which assets are whitelisted because you can always just lookup the account address' latest whitelist certificate.
This is not true. The only new errors are the first two: not whitelisted and insufficient deposit. The former only applies to senders and the latter only applies to receivers. I hope this helps clear things up. It really is an easy UI/UX. Beginner-friendly wallets should prioritize using account addresses while normal UTxO addresses will be for more advanced users and smart contracts. |
13 participants
This CIP adds support for depositing assets into account addresses (a.k.a. reward/staking addresses) which helps alleviate some of the pain-points from the
minUTxOValuerequirement. The CIP also provides a mechanism for plutus smart contracts to get a sense of the account's current balance using account balance intervals similarly to how time is specified.Rendered Proposal