Extend multisig contract with weights #285
Comments
|
I am voting for option 1. :-) I have seen the weight in multisig contracts at stellar before and it made sense for me as it enables more use cases than the equal weight contract. No need to restrict this to "voting" scenarios IMHO. |
|
@alpe please propose a clear spec for this... eg. max weight how to handle ensure backwards compatibility for old clients how to properly remove members from the mutlisig maybe some ideas for test cases that should be covered (tricky conditions) |
|
Nice link to stellar by the way. I don't really understand why a transaction shoulf fail if it has too many signatures, but there are lots of good ideas there, seem like more thought out versions of much of what I have designed and built in weave. We can gladly incorporate some inspiration from that. |
|
Q: How many members (individual signatures) do we need to support within the voting use case? |
|
Yes for no votes and timeouts, we need a different contract. I would say this only works for short-period voting for a relatively small group of people (eg. 30 for governance). For general voting, you are right, it is missing many features. It may also be useful for some sort of social backup. Like using a 3 of 7 multisig to hold my balance... I have 3 votes, 4 of my friends each have one. If I cannot access my account, I need to get 3 of those 4 to update my key (multisig member). Maybe we should be more explicit about possible uses before going deeper in the design |
|
|
Nice, but you can also increase the gas cost / minimum fee for the signatures. Not to be put a hard limit, but rather charge for it. |
|
@ethanfrey will review @alpe spec document https://docs.google.com/document/d/1J3zUUKw06E6yLviwrRUlVMO_MMa_NDxgov3xlmLctrs/edit and integrate it into the above requirements. Please pause work on this issue until requirements are clarified (before Wednesday) |
ScenarioTo make use of the weighted multisig contract the following examples describe some use cases which are inspired by the Stellar doc. Stellar Example 1: AnchorsA backup master key + Signing key
Stellar Example 2: Joint AccountsAny of 3 people can authorize a Tx but only all of them together change the contract
Stellar Example 3: Company AccountsAny 3 of 6 employees need to agree for a Tx
Stellar Example 4: Expense AccountsThe contract is controlled by 1 admin but Diyuan or Emil can authorize TX, too. Only the Admin can modify the contract, though.
Lock an accountA signing key can authorize TX but the contract is locked and can not be modified anymore
|
|
For the last example Lock an account this was originally not possible as the validation was preventing from creation with such configuration. Maybe instead of using admin threshold greater than sum of weights it is better to add a random signature to bump the total weight value. |
|
We could also consider changing the validation. I just didn't want people to remove a member and accidentally render the contract un-usable |
- update authentication to consider signature weights - cleanup tests and code - redo handlers tests resolve #285
`x/multisig` extension was updated and now each signature is having a weight that defines what is the power of that signature. - each signature power/weight must be greater than 0, - activation threshold must be less or equal to the sum of all signature powers, - admin threshold can be greater than the sum of all signature powers. This can be used to create a contract that can be only activated but never changed, - multisig contract must have at least one participant/signature declared, - maximum number of participants is 100 in order to prevent CPU burning, resolve #285
We want to allow for election scenarios to happen off-chain. In many cases, different actors will have different voting power (just like validators).
We can do much of the vote aggregation off-chain, and use a multi-sig contract to control execution. However, it is missing the ability to provide different voting power to different keys.
Two proposal:
Decision
We will update the existing multisig to hold a weight per voter. However, there is no need for backwards compatibility if we can get this into a 0.12.x on zebranet, as so far we have no client code outside of this repo that uses the multi-sig feature.
Technical Spec
To think about...
Currently the
multisig.UpdateContractMsgbehaves like aPOSTand overwrites the existing contract with a new state. All fields must be set like the original Create. However, the zero-value is illegal for all fields. We could modify this toPATCHandUpdatewill only overwrite the fields defined. This means:If there are Sigs, we must clarify what that means... overwrite current set with that new set? or do a diff, like with validators... setting weight=0 to mark current members for removal, and positive weight to update or add a member.
We could also allow
CreateContractMsg,UpdateContractMsg(POST) andPatchContractMsg(ony apply diff.(Read below in comments to see some example usages from @alpe 's doc)
The text was updated successfully, but these errors were encountered: