Beefing up the Coordinator: Restrictions to initiator, ritual duration, fee model, automatic TX reimbursements, etc #86
Conversation
Optimize Ritual struct layout
Also replace contract owner for parameter administration role
Initiator is just the entity that calls initiateRitual(), needs to be authorized, and provides initial payment. Authority is who controls ritual lifecycle going forward.
Fee Models dictate what's the cost for rituals
Also, changes AccessControl base contract for the more specific AccessControlDefaultAdminRules
Also, change isInitiationRegulated to isInitiationPublic
| timeout = _timeout; | ||
| maxDkgSize = _maxDkgSize; | ||
| feeModel = IFeeModel(_feeModel); |
There was a problem hiding this comment.
Shall we permit the feeModel address to be updated by the proper role?
There was a problem hiding this comment.
Yeah, it's possible, but I'd rather handle that in a later PR, when we decide how do we want to manage fee models (see comment in L71). For our immediate needs (devnets), I don't foresee we will want to change the fee model
Can't revoke INITIATOR_ROLE addresses since our AccessControl doesn't inherit from AccessControlEnumerable. It doesn't matter much anyway
We may want to parametrize tests based on this
Add also previous StakeInfo deployment on Mumbai
Either ritual is successful and fees can be used by the protocol, or ritual is failed and fees are refunded to initiator (consider partial refund)
…es long (as of nucypher-core v0.10.0).
cygnusv
changed the title
cygnusv
requested review from
KPrasch,
theref,
derekpierre,
vzotova,
manumonti,
arjunhassard,
jMyles and
piotr-roslaniec
There was a problem hiding this comment.
Huge step towards v7.0.0 👏
It may be that:
(i) educating stakers on reimbursements
(ii) adding it to staker UX
(iii) maintaining & updating this section of the contracts
may be more trouble than it's worth during genesis given that they will be 'paid back' by duration-based fees within a few days).
Also, allowing permissionless ritual initiation is predicated on those rituals being far cheaper, so it's hard to know ex ante whether the reimbursements will be enough to justify the gas of withdrawal, and also exactly what the reimbursement could be bundled with and on what layer!
| uint256 size = providers.length; | ||
| require(duration > 0, "Invalid ritual duration"); | ||
| require(size > 0, "Invalid ritual size"); | ||
| return feeRatePerSecond * size * duration; |
There was a problem hiding this comment.
the proposal contains a default duration fixed at 182.5 days for initialization
and then top ups are fixed at 30 days (payable every 30 days) to keep the availability horizon 182.5 days into the future
There was a problem hiding this comment.
Is this something you would expect to be hardcoded at the smart contract level?
There was a problem hiding this comment.
I'm opening an issue to track top-ups #93
There was a problem hiding this comment.
No not hardcoded, as ofc we may need to change these. Just wanted to note the likely genesis defaults, pending feedback. However there is a small question of trust implications post-v7.0.0 – ideally the Threshold DAO would control sponsorship parameters like these
| stakes = IAccessControlApplication(_stakes); | ||
| } | ||
|
|
||
| function getRitualInitiationCost( |
There was a problem hiding this comment.
Since the 'paywall' here appears to be generating a public key for the first time, I'm wondering how a sponsor tops-up the availability horizon without a new ritual, and also if once they are conferred theINITIATOR_ROLE, they can do this unilaterally and whenever they want
There was a problem hiding this comment.
Good questions. Let's track these here #93
|
|
||
| // TODO: Include cohort fingerprint in StartRitual event? | ||
| emit StartRitual(id, msg.sender, providers); | ||
| emit StartRitual(id, ritual.authority, providers); |
There was a problem hiding this comment.
StartRitual's 2nd parameter is indexed as "initiator":
- Should this be
ritual.initiator? - Should both
initiatorandauthoritybe in the event?
There was a problem hiding this comment.
Good catch. I meant authority here. IMO, once we introduce the authority role, the initiator is nothing more than a sponsor so there's in principle not much interest on it. In fact, once the fee is fully processed (so there's no refund), this role is not needed anymore. I would lean towards just including the authority in the event.
| ritual.initiator = msg.sender; // TODO: Consider sponsor model | ||
| ritual.dkgSize = uint32(length); | ||
| ritual.initiator = msg.sender; | ||
| ritual.authority = authority; |
There was a problem hiding this comment.
Could be authority zero address?
This is an omnibus PR that addresses several pending functionalities for the Coordinator. From a subjective order of relevance:
IFeeModelinterface that allows to calculate initiation costs, but that could be later extended to manage other payment inputs. For this PR, I'm instantiating the interface with a simpleFlatRateFeeModel, where ritual initiation cost is justdkg_size * duration * rateand the currency is assumed to be an ERC20 token. We also introducedurationas a parameter to initiate rituals.INITIATOR_ROLEcan create rituals)