-
Notifications
You must be signed in to change notification settings - Fork 306
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow asset issuers to require authorization per transaction #135
Comments
We may be able to leverage the The user's account starts out with a requested trustline to the issuer's asset. The trustline is NOT authorized yet. Each transaction sent to the
The benefit of doing it this way is:
|
for the this will allow programmatic access to the validation information by wallets while also making requirements explicit to users since these fields will be standardized across all issuers. the |
Regarding the Regarding explicit conditions - Yes, for sure. These will be part of the SEP. |
I guess it's worth thinking about what changes would be required to make the sandwich approach viable, vs TX_AUTH_REQUIRED. The sandwich approach might require re-thinking offers so that the funds really belong to the order book (and the issuer can then cancel any order involving that asset). I suspect TX_AUTH_REQUIRED will be simpler, but we still might need a way for the issuer to cancel transactions. My main concern with both proposals is that there is some risk that the asset issuer will accidentally do something they don't want to do. There's a bit of a confused deputy problem in that the co-signing issuers has more authority than just to allow the transaction (the issuer can, for example, create trust lines). It would be nice if the key or signature could somehow be limited to prevent it from doing anything with the issuing account. This isn't exactly a vulnerability per se, but it's an error prone situation that could lease issuers to create vulnerabilities. Another issue is that it would be nice to have some way to bypass this for certain accounts, so some people need co-signing and people don't. Both of my concerns could be addressed by, for instance, attaching signers to the trustline instead of just one bit. But this is obviously a very heavy-weight change, so this would need to solve a bunch of other problems, too, before we seriously consider it. |
@stanford-scs The sandwich approach can be complementary. In both cases, there's still a requirement for an external signer service. So the issuer can declare that they will only sign sandwiched transactions. However, it doesn't solve the ghost offer issues. Regrading bypassing for some accounts. That's a good point. Do you think this should be a flag on a trustline? |
Hi :) I'm a little late to this thread, but wanted to add my $0.02. This issue really does get complex as you dive into the nature of the asset being exchanged or represented on the DLT. As much as I completely, 100% agree that it would be cleaner to implement flexibility in the protocol for these regulatory requirements, my fear is that the work will never become complete, and what will be complete will be a very complex mess of a base DLT protocol. We've been working around this by utilizing option 2 - multisig. Yes, this does help our organization ensure proper fee structures by ensuring a payment transaction includes a fee payment to a 2nd address where required, but it also allows us to do some "online transaction processing," as the FFIEC puts it. This is essentially the ability to analyze the TX against some pretty sophisticated models to find risks of the individual payment. Its possible that transactions between 2 addresses generates significant risk. It's also possible to receive letters from the various regulators about specific persons or specific addresses which can contain specific rules such as "dont allow this address to receive funds exceeding $1,000 per day." ...and there are SO MANY MORE examples here. Basically, and the devil is in the details here, but is boils down to this: the organization anchoring real-world assets (vs. pure-play cryptocurrency or cryptoassets) has to have "skin in the game" when it comes to transfer of value. Today, multisig with explicit trustlines (with the unfortunate side-effect of 1 account for that asset) works OK for us. (we also manage XLM balances on each account o.b.o. clients) The ecosystem proposal looks logical to me. FYI, we're using the following protocol (described in OpenAPI) for our "signing service" (we call "TX Verification"): During meetings with regulators this month, we agreed to workshop some of these rules with them when it comes to real-world financial assets in custody, so hopefully will have more requirements to contribute. Would love to be actively involved in this issue :) |
Thanks @michaeldowling for the feedback and the API reference. It's especially important since this proposal will help facilitate the exact conversations you're having with the regulators. I want to empathize that the only suggested protocol change in Approach 1 is that issuers can define an asset to require authorization per transaction. How they communicate their requirements and facilitate signing is left to the ecosystem part of the proposal (which is identical to approach 2) and the issuer. Like I mentioned, the problem with Approach 2 is that the issuer has too much power over a user's account. Every operation needs to be authorized, even if it doesn't involve the issuer's asset. The current solution you're forced to implement, which is adding your self as a signer without a clear way to communicate this to the ecosystem is what we need to fix. |
@michaeldowling regarding your signer service:
We want to ensure that the issuer:
After some discussion, the draft might include a two-step process:
Thoughts? |
Update on the protocol side: #146 |
Hey @tomerweller - sorry for the late reply. 1: No, the service does NOT expect a signed transaction from the entity Our signing service's scope is limited to those two key activities. Whether the user submits the transaction for ledger close is up to them; I will mention that it's an obvious red flag for future signing requests if the same device requests signatures for TXs that end up not getting submitted. BTW, to follow up, I totally misunderstood the design you presented above - quickly reading, I thought you were proposing a complex stellar-core to stellar-core orchestration protocol at first; now I see you're proposing an endorsement-submission protocol. There is interesting precedent for something like this - Hyperledger Fabric uses something kinda-sorta similar in concept: (I'm not advocating Fabric, to be clear ;) ) Your proposal seems like a much cleaner design to go alongside an asset-specific flag for multisig. Right now, as you noted above, the "side effect" of the multisig approach today is a one-asset-one-account setup. Not sure how this negatively effects the network as a whole - we're not seeing super negative UX as a result. We're basically hiding the fact that a DLT is even involved. But we can easily help test the asset flag without much change on our end. <3 |
Thanks for the feedback @michaeldowling. Will update. One potential issue with the way that you describe your implementation: you don't expect a signed transaction yet it can still raise a "red flag". This means that a malicious user can construct a transaction that uses my source account, submit it for approval and have my account flagged due to content and/or behavior. If that's indeed the case, it can easily be solved by only accepting signed transactions and verifying that signature before proceeding. |
Actually if a user attempts to use a source acccount not previously associated with their authenticated device, the service will simply decline to sign. It won’t specifically raise a flag. What WILL raise a flag is if an authenticated device requests signing for transactions with their source account without submitting them. Several hundred checks occur during this signing request, with lots of factors involved in the decision. |
One issue that is unfortunately not solved here (or really addressed beyond the 'motivation') is the need to attach fee structures to trades (see my latest reply in #101), as those should be applied at the time of the trade, not at the time of the ManageOffer operation. In most cases an issuer will not want to attach the same (or any) fee to offers that are later canceled before they are matched, or are canceled after a partial match. In addition, things get much more complicated when trying to change an offer because of the need to know the current state of the offer (which could change after signing, or even after being polled by the signing service) in order to apply deltas to the fees. |
Has anyone thought through how this will work with path payments? I have a feeling it may cause great havoc.
As much as I love the platform, without path payments, Stellar is just a slightly above average shitcoin. |
Without the protocol change (#146) I wouldn't expect to see any trades that involve more than one regulated asset, path payments included. It's unrealistic to maintain accounts that have multiple issuers as co-signers. If the protocol change does take place, I don't think that adding the no-ops and requesting approval from all the issuers is a massive overhead. As a wallet developer, are you concerned about the added ~2 HTTP requests per approval or the user experience associated with it? I agree that if every issuer starts modifying your transactions with weird operations and send you back a PENDING response while waking up a representative, than yeah it might turn problematic. It's hard to say this right now but due to the nature of these assets (probably securities) I don't see them being used as bridge currencies. Regarding finding paths, that's a good question. I'd say that a good enough solution for now is to completely ignore whether or not an asset is regulated and to tackle that only when the user actually attempts to make a transfer. |
Just a security consideration: |
Even with protocol changes, what kind of restrictions can an issuer make that they can't do already? You probably would like to be able to restrict who you trade with, but then you'd have to intercept the order matching, and I don't see that ever happening. So you're stuck with things you can do already; limiting how much an individual account can hold, and if they can move your asset at all -- which is already done better by trust line limits, and auth_required. |
And how does it jive with state channels? Anyone? |
I'm more concerned about the number of different code paths, special cases, and added overhead I have to add, with no benefit for me.
All in all, you're outsourcing all of this business logic complexity to software with very limited monetization paths. |
And it's not two requests extra.
None of this is needed as of now. The first ones would be needed for any asset, regulated or not. |
Thanks for the feedback @johansten, I'll comment on some of these things but given that the initial version of this sep has been merged, it's better to open new individual issues.
To name a few: velocity constraints, min/max account holders (a trustline that has a balance>0), min/max balances.
The issuer can disallow any offers that, if fully filled, will violate a constraint.
I hear you. We should ensure that the various sdks have high level support for identifying these assets and doing the approval dance. Would appreciate any help with specing that out.
Less relevant here. It's one of the milestones for horizon 0.15.0.
Again, less relevant. Ideally this should be solved by exchanges implementing federation.
Sep8 indeed outsources complexity, mostly to the asset issuers. Yes, it also adds complexity to the wallets and, like i mentioned above, we should ensure that the sdks make wallet developers' lives easier.
If a wallet wants to present a user with basic information about a currency, such as an icon and some information about the issuer, they'll need to perform a toml lookup anyway. |
Motivation
There is a growing number of requirements, set by asset issuers and regulators, regarding assets and trust-lines. From velocity limits to minimal balances and weird fee structures. (Related issues: #101, #85, #71)
Introduction
Instead of supporting all of these different requirements, we could delegate this logic to an off-chain service.
Note: this is not a complete proposal. just a starting point for discussion.
I propose adding the ability to declare that an asset is TX_AUTHORIZATION_REQUIRED. Meaning that this asset requires the issuer's signature for every transaction involving the asset. The issuer will commit to providing a signing service, that signs compliant transactions and provides meaningful errors for non-compliant ones.
I propose two approaches for achieving this:
Given that both approaches utilize a similar ecosystem proposal, and that protocol changes take time, we can start from 2 and then easily migrate to 1 if/when the protocol changes.
Approach 1
Protocol changes
UPDATE: a possible outline for the protocol changes: #146
Ecosystem Proposal
Approach 2
Without any changes to the protocol, the issuers can create accounts for their signers, in which they are a co signer (2/2 scheme). This allows the SEP from approach 1 to be used as is.
However, this presents some issues, to name a few:
The text was updated successfully, but these errors were encountered: