Ledger & Tokenization Working Group Update

timo · September 7, 2022, 11:52am

Yes, but on which level? You mean (principal) is a subtype of (principal, opt blob)? So we don’t even have to write “null” anywhere?

roman-kashitsyn · September 7, 2022, 11:59am

Ok, I think I see your point. You propose that we make the form (principal, blob) as a canonical form so blob always has to be specified in the Ledger interface, but the ledger and the client libraries can take liberties in how they store the “default” value?

I see the null case as a space and usability optimization for the most common case. We can live without it, but it’s a bit hard to go back and change ICRC-1 to make subaccounts required.

timo · September 7, 2022, 12:27pm

Can we just live with the disambiguity of the default account and with not having some natural properties for this special case?

roman-kashitsyn · September 7, 2022, 1:35pm

I don’t see any serious issues with that, I’ll update the spec to require unique textual representation.

timo · September 7, 2022, 4:47pm

Alternatively, I think it also acceptable to tell the users that all zeros isn’t a valid subaccount. They can either use the default account or they can specify a non-zero subaccount. It makes sense and the worry that a function isn’t total seems minor. What the internal representation does with that is up to the developer. They can represent the default by all-zeros or in some other way. That is not visible to the user. But the encode and decode functions have to throw an error if you feed in what would result in an all-zero subaccount.

roman-kashitsyn · September 13, 2022, 1:44pm

I’ve updated the spec; valid textual representations are unique now. I’ve also sketched a reference implementation in Motoko.

timo · September 14, 2022, 10:26am

Could we make the special trailing byte 0x7f instead of 0xff?

In case the use of principals proliferates and more values of that byte get a meaning assigned to them then we don’t close off the option to expand the space via leb encoding of those values.

dieter.sommer · September 19, 2022, 8:47pm

Dear community!

The next meeting of the Ledger & Tokenization Working Group is scheduled for tomorrow, September 20. Please note that it has been scheduled an hour earlier than the usual time slot due to various overlaps.

There are two topics on the agenda of tomorrow’s Working group meeting, as agreed in the most recent meeting:

Proposal for textual encoding for accounts. See feat: specify textual encoding by roman-kashitsyn · Pull Request #55 · dfinity/ICRC-1 · GitHub.
Proposal for an extension to ICRC-1 by Psychedelic.

We are looking forward to the discussions on those important aspects of the token standard!

Maxfinity · September 19, 2022, 11:05pm

Hi all, I want to raise an important security related issue, that the working group could include on the agenda for this week or for the next session.

Can we have a fixed size representation for the internal tokens. At the moment, I can see from the official reference implementation that:

public type Tokens = Nat;

rather than:

public type Tokens = Nat64;

I believe this could lead to memory errors or attack vectors where attackers try to consume all the memory of a canister.

The benefit of this using a wrapper over using u64/nat64 directly is that we can define the behaviour for arithmetical overflow: in particular we can return an option rather than a panic on overflow. Other operations can also be defined. So, the internal use of the Tokens struct in the ledger made total sense from a safety perspective - we shouldn’t get rid of this imo. We can, however, make this more ergonomic by serialising from Nat.

Not sure how we would do all this in Motoko, but perhaps with a new type?

roman-kashitsyn · September 20, 2022, 5:59pm

Hi @Maxfinity!
I don’t think there is an attack vector. To create a transaction with a huge amount, you need to own this amount first. So if the ledger author knows that there are no more than 2^64 tokens, the author is free to use u64/Nat64 internally.

For example, here is how the DFINITY implementation of the ICRC-1 ledger works: main.rs - dfinity/ic - Sourcegraph. All the externally visible balances are Nats, but internally all balances are u64. If the amount in the transfer arg doesn’t fit into u64, we report an InsufficientFunds error.

dieter.sommer · October 3, 2022, 6:23pm

Dear Working Group!

The next meeting of the Ledger & Tokenization Working Group is scheduled for October 4. We propose to have the items agreed upon last time and one additional item requested by the community on the agenda for this meeting:

Working Group governance
ICRC-2 proposal by Psychedelic (ICRC-2)
Textual encoding for accounts (ICRC-1#55) (if time)

We are looking forward to the discussions in the upcoming meeting!

dfisher · October 4, 2022, 6:06am

Do you mind reposting the zoom link ?

dieter.sommer · October 4, 2022, 2:08pm

If anybody requires the Zoom link for the working group meeting, please send it to @nikhil.ranjan or @dieter.sommer via a private forum message so that we can add you to the email invitation. We do not want to post the link publicly as we have been experiencing severe Zoom bombing with a public link.

inviscidpixels · October 4, 2022, 5:08pm

Sometimes useful to look how it’s been done, here’s a thread on “Rough Consensus” circa btc 2015:

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-October/011457.html

infu · October 4, 2022, 9:09pm

Few notes from me:

From a scalping trade, arbitrage bot, or leverage trader perspective, the best solution is when the trader funds are in an account controlled by the DEX/DeFI canister. This way there is no need to do ledger calls, trading can be done without async calls. The faster they are, the more profit they will make.

From the end user’s perspective - the best solution is to use the Swapper pattern which I have published in forums (it lacks slippage, but that can be added). End-users make a few transfers a month and just want them to be successful. This pattern guarantees the user will get what they agreed for and no developer errors or malicious behavior can result in fund loss.

So we have 3 ways of doing it. fast(risk) - medium(risk) - slow (guaranteed). I am not sure the medium one (approve flow) is worth it since the other two will beat it at everything.

Both Swapper and the fastest approach can be done with the core we have right now.

To be more specific: I think approve in Ethereum was invented to make the fastest exchange with slippage possible. In IC the fastest exchange with slippage is just preloading an account = (dex_canister_principal, caller) and then trading (buying + selling) with a single call (or placing orders which get triggered). Once a trader is done, they withdraw funds. Now that Stable Memory got increased, there will be no need for a DEX to be multi-canister to be able to hold trader’s accounts.
I think we shouldn’t blindly copy Ethereum, instead work towards the most optimal solution.

Even if approve flow gets approved, DEXes which do what’s mentioned above will be better for traders and will make DEXes using approve obsolete. On the other hand, DEXes using swapping will be more secure so end users will prefer them.

Additionally, you can’t have loans or leverage with approve flow. You will need to lock the funds inside the DeFI contract. The reason swaps in Ethereum don’t work like Compound loans is the gas fee, which in IC is not a problem.

This means multi or single-canister ledgers
Single canister DeFi

And because a single canister DeFi at some point won’t have the throughput, there will be many such and arbitrage synchronizing them. An arbitrage bot won’t open an account in one DeFi canister, it will open accounts in all of them.

This is pretty far-fetched. I would like it if someone proves me wrong.

AndraGeorgescu · October 5, 2022, 6:04am

Where can we find the info presented and proposed in yesterday’s working group?

roman-kashitsyn · October 5, 2022, 6:54am

I put notes and links to slides in the Charters.md file in the ICRC-1 repo:

github.com

dfinity/ICRC-1/blob/7a3cdf510f675b644fc5c2d281bbe88ad590f52d/Charters.md#2022-10-04

# Ledger & Tokenization Working Group Charters

## 2022-10-04
[Slide deck](https://docs.google.com/presentation/d/1_xiYE4Ng8gz_u_dNos-xxZ1Ro6ckOwBMkm0fBgMaYLI/edit#slide=id.g125c3b1bfa8_0_0)

Highlights:
  * Dieter presented a proposal for the governance model for the Working group.
    One idea was to adopt the rough consensus model like IETF, see [RFC 7282](https://www.rfc-editor.org/rfc/rfc7282).
    The WG agreed that rough consensus seems to be a good fit.
    Questions raised:
    - Should we create NNS votes for decisions affecting the community?
    - How do we decide who constitutes the WG?
      If we do not know the exact members, it is hard to be sure that we take everybody's opinion into account.
    - Often there are no objections in the WG discussions, but when you ask people to vote and explain their decision, there is a lot of valuable feedback.
      How do we address that?
  * The WG discussed the ICRC-2 proposal by Psychedelic: https://github.com/dfinity/ICRC-1/tree/f8c39bec71b1ac7f6cdb1a6c9844726efc58be38/standards/ICRC-2.
  * The main concern about ICRC-20 is that ERC-20–style approve/transfer_from does not work well with concurrency:
    If A approves five tokens to B, then A notifies B, then A approves ten tokens to B, then A notifiers B, the following message sequence is possible:
    - The Ledger sees five-token approval and accepts it.
    - The Ledger sees a ten-token approval and accepts it.

This file has been truncated. show original

Feel free to open a PR against this file if I misrepresented something or missed something important.

dieter.sommer · October 17, 2022, 5:11pm

Dear community!

The next meeting of the Ledger & Tokenization Working Group is scheduled for tomorrow, October 18, 2022.

We propose to discuss the following items in tomorrow’s meeting:

Working Group governance
- Continuing the discussion from where we left off
ICRC-2 proposal by Psychedelic (ICRC-2)
- Asking the WG once more for feedback on the most recent version of the proposal (Note: The agreed-upon PR from the most recent meeting is still outstanding)
Transaction log API (ICRC-3)
- First overview of the proposal

We are looking forward to the discussions!

Embark · October 17, 2022, 8:47pm

Hi Dieter, how can I take part tomorrow?

Thanks

dieter.sommer · October 19, 2022, 6:04am

Hi @Embark
Just saw this after the fact. If you want to take part in the future WG meetings, just send a private message with your email address to me. Then you will receive a Zoom invitation by mail.