Replies: 8 comments 8 replies
-
The real concern is the gravity of the power placed in the hands of the Handing over access to basically all redeemable funds in any stream alive means that if a party gets a hold of one of the allowed addresses, that party can now redirect all funds into their own wallet. In a DAO reality, if someone puts up a vote that passes unseen, containing a rage-quit instruction, they can steal literally everything available for withdrawal. In a legal situation, if the signers for one of those wallets are pressured to activate the deadly option, the reality of things going so very wrong is no less than frightening. Aside from trying to limit our access-control schema to the bare minimums (which is a security best practices), not providing too much power that can end up in a nuclear explosion is usually a good thing to do. Implementing this global As you can see I'm pretty much against these global/public triggers. I'd be fine with implementing (at a slightly steeper development cost) a per-stream allow-list through a proxy "recipient". While it doesn't really solve the foolproof 1st argument, one could transfer an existing stream to a proxy (one with logic) that grants their address full rights (as a transient owner) and our relayer withdrawal rights in order to account for argument 2 and 3. |
Beta Was this translation helpful? Give feedback.
-
@razgraf any new thoughts on this? In your latest comment above you said you wanted to sleep on this idea. I have basically maintained my position - the only real concern is the development cost. The benefits are worth it. |
Beta Was this translation helpful? Give feedback.
-
Locking this conversation, as per the decision that @razgraf and I have made during our most recent in-person meeting. In short, implementing the rescuers is not worth it when there are simpler alternatives for rescuing funds, such as #189. |
Beta Was this translation helpful? Give feedback.
-
I'm re-opening this discussion based on the latest conversation in #666. Here's a sketch of the most recent proposal:
While this system will not completely alleviate the NFTFI integration issue discussed in #666 (comment), the risk will be more negligible. The ability to withdraw from streams shifts from all senders to just a tiny set of relayers, which will be controlled by Sablier Labs (in the foreseeable future). |
Beta Was this translation helpful? Give feedback.
-
It looks like Yearn's vesting contracts offer this feature via an |
Beta Was this translation helpful? Give feedback.
-
Validation for this feature:
From https://twitter.com/thecurious_gark/status/1631451577973104641 |
Beta Was this translation helpful? Give feedback.
-
Anecdotally, we have received several requests from users asking for the ability to allow stream creators to pay for the withdrawal gas fees of the stream recipients, essentially asking for the ability to withdraw on behalf of recipients. They can already do so to the recipient's address, though, so not sure it's worth it to implement this for addresses other than the recipient's address. |
Beta Was this translation helpful? Give feedback.
-
Closing as outdated since we have decided to make the withdraw function public: |
Beta Was this translation helpful? Give feedback.
-
An offshoot of #110:
What if we implemented a simple allowlist of special accounts with permission to call
withdraw
on behalf of the recipient of any stream, transferring the funds to the recipient? The allowlist would be managed by a multisig.Pros
Cons
My Take
I personally think that the pros outweigh cons. The only real concern about this is the development cost.
Beta Was this translation helpful? Give feedback.
All reactions