-
Notifications
You must be signed in to change notification settings - Fork 11.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update hashProposal visibility to view #5097
base: master
Are you sure you want to change the base?
Update hashProposal visibility to view #5097
Conversation
🦋 Changeset detectedLatest commit: 667d07d The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey, thanks for the contribution! Some thoughts
Changing to view
allows to extend the hash and include block.chainid
or addres(this)
, but also enables developers to read from storage, which concerns me more.
As opposed to pure functions, a view function depends on the state, which means that the proposalId
may unexpectedly change if a state variable is added to the formula. In that case, the proposal may end up stuck (i.e. not deriving the same proposalId
in queue
or execute
)
Though the concern of replayability does make sense in the context of signatures, I would add a nonce to the signature instead.
Thank you @0xDiscotech for this proposal. I'm not sure what the consequences of changing the proposalId computation would be on UI such as Tally ... but given it is virtual, I don't see why we would allow some changes but not that change. So its good to me |
@0xDiscotech, we discussed this PR internally, and we have some concern with the consequences of using pure vs view. Using pure would allow change that make the fonction change value independently of the input parameter (that is the whole point of pure vs view). This means reading state variable, reading the time, reading anything that is not constant. If this was to happen, then the proposalId may not be consistently computed through the lifecycle of a proposal, and that would be bad. Potentially, it could be used to hide some attack vector that allows a priviledge user to prevent a proposal from being executed. This could be happen by mistake, or intentionally by a malicious dev. On the other hand, we don't really understand the usecase. If two governors, on the same chain, or on two different chains, are planning to execute the exact same logic, what is the issue using the same identifier for both proposals ? The same proposalId means the same input was proposed. The execution outcome may differ depending on the governor instance doing it, but the input remains the same. Whe voting on it, the voting scheme (that is based on EIP-721) does already prevent cross-instance / cross-chain replay. With all that in mind, we see a not very likelly but still very clear risk ... and we don't really see an upside to that. |
Thanks for you response @Amxx @ernestognw! You have a good point there, but I will explain the reason behind my proposal: In our solution, we had to concatenate the description with a kind of 'signature' using the chain ID and the Governor's address. This breaks the functionality of the This approach might be very specific to the mentioned use case, but it's not uncommon for future Governors to use similar protocols to get proof-of-personhood while preserving user privacy. In summary, my point is that developers can still modify the logic behind |
Also we could use the |
This is something that was discussed in the past, and was rejected. We were concerned that changing the hash computation could break tools such as Tally, and we did not see a clear advantage (as discussed above). It would also cause issues if a governor contract is upgraded while proposals are active. It is not inconceivable that we make the function view, so that overrides can use address(this) ... but for sure we are not going to change the default function. |
Awesome, makes sense. Good to know 👍 |
This is an interesting insight. I guess the problem here is that we never intended From your code I see you added some information to the returned proposalId. That's fine in my opinion since it's not altering the internal assumptions the Governor does about the I would be fine making the function |
My point of view is that by setting it to That said, you make a good point. While I maintain my perspective, I respect and understand any decision you make 🫡 |
Hi @0xDiscotech, We've been discussing this change since #5290 came up as a requirement for some other DAOs too. Those changes may likely end up being even more aggressive than this visibility change so we might get this merged before. |
Hi @ernestognw, |
All good, just an update :D |
Just wanted to leave an update here--we are currently leaning towards just merging #5290 which moves in the direction of deprecating |
Fixes
Update
hashProposal()
function visibility toview
instead ofpure
to allow an override usingblock.chainid
and/oraddress(this)
in order to guarantee more uniqueness on the same proposal but on different networks.Can be very useful when the proposal is used as a kind of proof to validate the vote, and the same proposal is created on different networks. This allows the developer to mitigate a replay attack over the same
proposalId
in a clean way by overriding the function to read from the environment or the contract's state.PR Checklist
npx changeset add
)