-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ERC: Proxy standard #121
Comments
I would consider the wording of |
I would tend to agree, I'm just into the |
While it is much more complex than the simple proxy contract here, it may be worth trying to align with Mist's wallet contract, which has the following signature for the forwarding function:
The version I've written for ownage uses the above signature, as well as this one for transferring ownership:
(It also has a few more things specific to its context.) I think reaching alignment on the forwarding function is the biggest priority. As the Mist example shows, concepts like ownership may be different for different contracts. |
One of the reasons I think a standard proxy contract makes a lot of sense is that it isolates concerns very neatly. The Mist Wallet conflates the concerns of a proxy contract with the responsibilities of a multi-sig authorizer. With the proposed architecture, you could always assign the "implementor" to be a multi-sig contract, which itself could be any sort of advanced authorization logic, and replicate the behavior of the Mist wallet. I think it's very important that these types of standards be developed, and be atomic, so that larger Dapps tomorrow could be composed entirely out of tiny, well audited, highly reusable contracts. Perhaps I'd like a Mist-like wallet, but with different authorization logic. This type of proposed Proxy standard allows that upgrade to be easily deployed. |
@FlySwatter It's not completely clear to me that a single configurable owner address is the best design for this. There are other plausible ways to secure and upgrade a proxy contract, such as having an attached validator contract, or using Another consideration should be that EIP 101 will make this pattern substantially less necessary. |
I don't think there needs to be a single final proxy contract architecture. I like the idea of a validator-based proxy, too. I more think that these tiny patterns should become well known to the point of naming and standardizing, so they can be easily audited and reused. Maybe a more diplomatic name would be |
|
I agree with peter that it's not obvious that this is the most natural way to structure delegations/proxy/configurable behavior (are those even the same problem?) but having some kind of common "target" for governance-like contracts would be immediately useful, and this seems to work fine |
This is doable with inline assembly. https://github.com/ownage-ltd/ether-router/blob/master/contracts/EtherRouter.sol#L24-L32 (There's other stuff going on in that file, but the key is that the |
Thanks for the writeup @SilentCicero! Not surprisingly I think this is a very important question since my view is that this could be the standard way to do identity on Ethereum.
Interesting using a more general In general I'm interested in making the Proxy contracts as simple as possible. @PeterBorah How would you design these things differently once BIP 101 is in place? To me it seems that there would still be the need for proxy contracts defining a persistent identifier for identities. |
With EIP 101, your "account" and "proxy contract" can be the same thing, since you can send messages directly to contracts. So we probably won't want to assume that our proxy contract is receiving messages from an account, but rather have the "account"'s verification logic be configurable. |
@PeterBorah I don't see how this is different from the current approach of having a proxy contract relay messages from an implementer/owner/controller contract which contains the verification logic. There is not really any assumption of an external account in the structure. As I understand it EIP 101 is basically that all messages/transactions now originate from 0x0 and the authentication/verification logic (like digital signatures) are now abstracted away into the data field. Plz correct if I'm wrong! |
I would like to see a way to forward an arbitrary number of transactions in order. This is important from a UX perspective, so dapp developers can make "all or nothing" transactions which are dependent on each other.
For a larger discussion of why this is necessary, refer to this http://ethereum.stackexchange.com/questions/1561/is-it-possible-to-chain-mulitiple-individual-transactions-into-a-single-all-or/ |
@aakilfernandes That abstraction can be built out of the simpler standard proposed. If you want to include sequences, I'd counter that we should include an entire interpreted message language. |
@nmushegian Using another abstraction would make things difficult, since the user would then have to authorize the abstraction to call the proxy. We would need to include authorization functionality in the proxy which would complicate things even further. |
^ That's the idea behind delegation via proxy, isn't it? I'm imagining a "keyring manager" proxied to a "execute sequence of statements" proxied to a "rate-limiting withdrawal actor" a proxy contract as an example of this pattern. What is the purpose of the proxy contract at all, if it's not intended to be extended/chained? The base implementation doesn't add any extra behavior except the ability to transfer.. |
@aakilfernandes Yeah like @nmushegian said the point of the Proxy is to be very simple so that it can be stable and it's Owner can be a complex contract or constellation of contracts.
That's how it would be set up for the user to begin with. The complexity would be hidden from the user ideally. |
@nmushegian @christianlundkvist if we create a different contract capable of forwarding an arbitrary number of transactions, wouldn't that make this contract obsolete? Why would a contract capable of forwarding an arbitrary number of transactions bother calling this contract? |
yes it would make it obsolete but your version would quickly become obsolete as well. We should go with the simplest future-proof version possible, or we might as well do a whole independent effort to figure out the complete feature set for interpreter contracts |
An OwnedProxy example @nmushegian @FlySwatter @aakilfernandes @christianlundkvist thoughts? |
Good change to name it
|
Any reason we're not taking gas as an argument too? The proxy implementation is dynamic, so burdening the caller with figuring out the correct limit doesn't seem right. A related discussion is whether we want the proxy to be smart about exceptions or not (see Simplicity is a good argument to avoid it, but we should then explicitly recognize what usage constraints it adds. |
@nmushegian I don't think I fully understand your gas suggestion. Is there a substantial difference between:
and
? An advantage of the latter is that you don't have to do any work to express "pass all gas", which is arguably the default. |
The use case is if I want to execute the action with exactly N gas, but I don't know if the proxy will add 100 or 1m gas. |
I see! I don't think I've ever needed to do that, but I can invent situations where I might. (Though usually I would handle that at some other layer of the stack.) Solidity's method overloading means that we could easily have both in a proxy contract. |
@nmushegian I did like your Action struct, with more data like gas, etc. #121 (comment) Not sure where that got hung up. The return value? Or it seems people prefer the simplest. (A hybrid could have both |
I now think the Someone could inherit from the class, and with only This allows a smaller standard surface area (a simple contract could proxy without bothering with upgradeability), while being easily compatible with established auth patterns. |
@FlySwatter has it right! After ownership logic I think the only thing left to discuss is whether "interpreter"/"atomic sequences"/"return threading" and other proxy power-ups are in scope for this EIP, or if we want to revisit them after some EVM opcode EIPs are addressed to make it cleaner. Thoughts from uport/boardroom teams? |
There has been no activity on this issue for two months. It will be closed in a week if no further activity occurs. If you would like to move this EIP forward, please respond to any outstanding feedback or add a comment indicating that you have addressed all required feedback and are ready for a review. |
This issue was closed due to inactivity. If you are still pursuing it, feel free to reopen it and respond to any feedback or request a review in a comment. |
Update the EIP to the working version from https://github.com/eth-infinitism/account-abstraction/blob/develop/eip/EIPS/eip-4337.md Changes: AA-94 update keccak rules. AA-93 Adding debug RPC APIs for the Bundler to use (ethereum#153) AA 92 simulate execution (ethereum#152) AA 73 unify reputation (ethereum#144) AA-68 rpc calls (ethereum#132) AA-61 rename wallet to account (ethereum#134) AA-69 wallet support for simulation without signing (ethereum#133) AA-70 rename requestId to userOpHash (ethereum#138) AA-67 relax storage rules in opcode banning (ethereum#121) AA-63 remove paymaster stake value from EntryPoint (ethereum#119) AA-51 simpler simulation api, including aggregation AA-60 validate timestamp (ethereum#117) Clarify wallet factory behavior when the wallet already exists (ethereum#118)
Update the EIP to the working version from https://github.com/eth-infinitism/account-abstraction/blob/develop/eip/EIPS/eip-4337.md Changes: AA-94 update keccak rules. AA-93 Adding debug RPC APIs for the Bundler to use (ethereum#153) AA 92 simulate execution (ethereum#152) AA 73 unify reputation (ethereum#144) AA-68 rpc calls (ethereum#132) AA-61 rename wallet to account (ethereum#134) AA-69 wallet support for simulation without signing (ethereum#133) AA-70 rename requestId to userOpHash (ethereum#138) AA-67 relax storage rules in opcode banning (ethereum#121) AA-63 remove paymaster stake value from EntryPoint (ethereum#119) AA-51 simpler simulation api, including aggregation AA-60 validate timestamp (ethereum#117) Clarify wallet factory behavior when the wallet already exists (ethereum#118)
Update the EIP to the working version from https://github.com/eth-infinitism/account-abstraction/blob/develop/eip/EIPS/eip-4337.md Changes: AA-94 update keccak rules. AA-93 Adding debug RPC APIs for the Bundler to use (ethereum#153) AA 92 simulate execution (ethereum#152) AA 73 unify reputation (ethereum#144) AA-68 rpc calls (ethereum#132) AA-61 rename wallet to account (ethereum#134) AA-69 wallet support for simulation without signing (ethereum#133) AA-70 rename requestId to userOpHash (ethereum#138) AA-67 relax storage rules in opcode banning (ethereum#121) AA-63 remove paymaster stake value from EntryPoint (ethereum#119) AA-51 simpler simulation api, including aggregation AA-60 validate timestamp (ethereum#117) Clarify wallet factory behavior when the wallet already exists (ethereum#118)
* Update to latest working version Update the EIP to the working version from https://github.com/eth-infinitism/account-abstraction/blob/develop/eip/EIPS/eip-4337.md Changes: AA-94 update keccak rules. AA-93 Adding debug RPC APIs for the Bundler to use (#153) AA 92 simulate execution (#152) AA 73 unify reputation (#144) AA-68 rpc calls (#132) AA-61 rename wallet to account (#134) AA-69 wallet support for simulation without signing (#133) AA-70 rename requestId to userOpHash (#138) AA-67 relax storage rules in opcode banning (#121) AA-63 remove paymaster stake value from EntryPoint (#119) AA-51 simpler simulation api, including aggregation AA-60 validate timestamp (#117) Clarify wallet factory behavior when the wallet already exists (#118) * lint fixes
Abstract
The following describes standard functions a proxy contract can implement.
Motivation
Many Ethereum users and smart-contracts hold and manage digital assets. A unified way to hold, acquire and transfer digital assets could greatly simplify and unify the designs of many contractual services making them more inter-operable with each other, while also gaining from the design benefits of standardization. Many contractual services also require a single persistent account at which to transact within the ecosystem. These services could also greatly benefit from a single unified contractual design enabling this practice to happen in a predictable and consistent way.
Rational
This allows Ethereum users/services to store, transfer and manage multiple kinds of digital assets in a single simple vetted standardized smart-contract. By doing so, we simplify digital asset acquisition, storage and management. A proxy standard also simplifies and/or unified contractual design of governance, identity or financial services on Ethereum. While there is always the potential that the implementer contract of a Proxy could be compromised or poorly design and all assets exposed to attack or freezing, we can expect at the very least the proxy contract implementer to be able to transfer its proxy's ownership (and the digital assets contained therein).
Specification
transfer_implementer
, andforward_transaction
) and one variable (i.e.implementer
).transfer_implementer
method is solely responsible for changing ownership from the stored implementer to a new implementer and is access restricted to the implementer and the contract itself.forward_transaction
has three inputs:address _destination
,uint _value
,bytes _bytecode
.forward_transaction
method is access restricted to theimplementer
only.forward_transaction
forwards transactions to the destination address as the ProxyContract address.StandardProxy
contract implements theProxy
interface contract containing theforward_transaction
andtransfer_ownership
methods.Code for
Proxy
contract interfaceCode for the
StandardProxy
contractStandardProxy
contract in use with a factory contractPotential Attack Vectors/Pitfalls
forward_transaction
method.Examples of proxy contract designs
DSBaseActor
-- https://github.com/nexusdev/dappsys/blob/develop/contracts/actor/base.solProxy
-- https://github.com/ConsenSys/uport-proxy/blob/master/contracts/Proxy.solNotes
forward_transaction
method.implementer
term/concept: "ownership" is certainly a valid term/concept here, however, implementer does seem more metaphysically accurate, as the term "owner" only implies ownership, where as implementer implies that which can implement state change within and as the contract -- this is to be debated however and perhaps it just has too much overlap with the "owner" contract infrastructure).A special thanks and credit goes to Christian Lundkvist, Nikolai Mushegian, Simon de la Rouviere, Niran Babalola, and Peter Borah for furthering the design of proxy and proxy like smart-contracts on Ethereum.
The text was updated successfully, but these errors were encountered: