Multisignature (rebase 0.20.0) #1765
Conversation
…added max_signature_per_transaction genesis parameter
…ification, rebuild wasm_for_tests
* origin/fraccaman/multisignature-draft-rebase-0.20.0: added changelog fix: e2e test fix: unit test wasm: added new account methods to tx_prelude, refactor signature verification, rebuild wasm_for_tests docs: update tx definitions apps,shared: added cli tx and query methods core: added multisignature tx format, refacctor account storage api, added max_signature_per_transaction genesis parameter
There was a problem hiding this comment.
Hi @Fraccaman ! The multi-signature component of this PR seems to be fine. However the SDK API changes pertaining to transaction building and signing will most likely break the web client's ability to sign transactions using the hardware wallet. Apologies for only bringing this up now, but actually trying to generate, inspect, and integrate the test vectors into the hardware wallet repository drew my attention to these issues.
Having the following transaction flow: build Tx -> generate test vectors -> sign Tx -> protocol filter, should eliminate/minimize incompatibilities with the hardware wallet/web client. But other approaches could also be valid.
@adrianbrink The web client and hardware wallet work fine with Namada v0.20.1 . But releasing #1772 (which contains this PR) as-is will break the web client's ability to use this SDK with the hardware wallet. We can either fix these issues now or release this (accepting a breakage) and do a follow-up release attempting to fix these issues.
| if args.tx.dump_tx { | ||
| tx::dump_tx(&args.tx, tx_builder); | ||
| } else { | ||
| submit_reveal_aux(client, ctx, args.tx.clone(), &args.owner).await?; |
There was a problem hiding this comment.
This call to submit_reveal_aux is likely to invalidate the proof of work computed in the above build_custom call. Indeed, trying to do a Transfer from an implicit account for the first time fails with the error message Mempool validation failed: The given address does not have a sufficient balance to pay fee. This issue likely affects all the other submit_* functions that call submit_reveal_aux.
This seems to be fixed in your https://github.com/anoma/namada/tree/fraccaman/multisignature-fixes branch.
| @@ -291,10 +314,8 @@ pub async fn process_tx< | |||
| client: &C, | |||
| wallet: &mut Wallet<U>, | |||
| args: &args::Tx, | |||
| mut tx: Tx, | |||
| tx_builder: TxBuilder, | |||
There was a problem hiding this comment.
The hardware wallet takes an unsigned Tx and produces a signed Tx object. However, the SDK function tx::process_tx now takes a TxBuilder (instead of a signed Tx). Hence this change could be problematic for the web client which uses the hardware wallet for signing.
This issue seems to be fixed in https://github.com/anoma/namada/tree/fraccaman/multisignature-fixes .
| tx.add_section(section); | ||
| } | ||
|
|
||
| tx.protocol_filter(); |
There was a problem hiding this comment.
This protocol_filter call removes MaspBuilder sections from the transaction. But having this call in this function is problematic because this build function needs to return a Tx with MaspBuilder sections inside in order to give the hardware wallet a chance to validate the MaspTx section of the transaction being constructed.
| _ => None, | ||
| }) | ||
| .collect(); | ||
| tx.add_section(Section::SectionSignature(MultiSignature::new( |
There was a problem hiding this comment.
The transaction signing correctly happens after the Tx::protocol_filter call which is good because the MaspBuilder section will not be sent to the protocol. However, if the Tx::protocol_filter function were to be moved outside this function, this signing call would need to follow it out to ensure that it still happens temporally after the filtering is done.
| .map(|section| section.get_hash()) | ||
| .collect::<Vec<Hash>>(); | ||
| sections_hashes.push(tx.header_hash()); | ||
| tx.add_section(Section::Signature(Signature::new( |
There was a problem hiding this comment.
Comments analogous to those for MultiSignature should also apply here.
|
|
||
| #[cfg(feature = "std")] | ||
| { | ||
| super::signing::generate_test_vector(client, wallet, &tx).await; |
There was a problem hiding this comment.
The test vectors need to be constructed while the MaspBuilder section is still inside the Tx because those sections contain the information necessary for a hardware wallet to sign a MASP transaction. More precisely, this call needs to happen before protocol_filter is called (which happens to be inside the let tx = tx_builder.build(); call right now).
| let tx_builder = signing::sign_tx( | ||
| &mut ctx.wallet, | ||
| &args.tx, | ||
| tx_builder, |
There was a problem hiding this comment.
It probably is possible to have signing::sign_tx work over TxBuilders. However, doing this will probably cause an incongruence/divergence with web client's signing logic (which is constrained by the hardware wallet's implementation). Specifically, the web client needs to build a (unsigned) Tx first which is the object that is signed by hardware wallet. (In contrast, the approach taken in this PR has the build coming after the signing.) Keeping the same signing flow would probably ease the parallel development of the CLI and the web client in the context of hardware wallets.
| @@ -57,7 +57,7 @@ pub mod cmds { | |||
| TxCustom(TxCustom), | |||
| TxTransfer(TxTransfer), | |||
| TxIbcTransfer(TxIbcTransfer), | |||
| TxUpdateVp(TxUpdateVp), | |||
| TxUpdateAccount(TxUpdateAccount), | |||
There was a problem hiding this comment.
Running the scripts/generator.sh client script (which is necessary for the hardware wallet test vector generation) throws the error The application panicked (crashed). Command add-erc20-transfer: Argument names must be unique, but 'fee-payer' is in use by more than one argument or group on the first 23 commands. This suggests a slight issue with the CLI argument configuration.
This seems to be fixed in your https://github.com/anoma/namada/tree/fraccaman/multisignature-fixes branch.
|
How much
How much work is involved in fixing it so that it works with the sdk? In general I'm in favor of not breaking the sdk. |
|
@adrianbrink I believe #1794 should fix it. That PR is currently undergoing review. |
Describe your changes
Took #1741 and rebased on 0.20.0. Cleaned git history.
Close #1178 and #81
Indicate on which release or other PRs this topic is based on
Based on 0.20.0
Checklist before merging to
draft