Add ICRC-2 Advisory Clarifying Deduplication, Error Semantics, and Fees #205
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds a non-normative advisory document (ADVISORY.md) to clarify underspecified aspects of the ICRC-2 standard that were identified during a security review. The advisory provides explicit guidance to reduce ambiguity for ledger implementers and client developers without changing compliance requirements.
- Clarifies transaction deduplication behavior for
approveandtransfer_fromoperations - Defines error semantics and atomicity expectations for externally observable ledger effects
- Specifies fee charging expectations for ICRC-2 operations
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tmu0
left a comment
tmu0
left a comment
There was a problem hiding this comment.
LGTM overall 🚀
Just two minor remarks:
In (1) I would use more consistent wording for duplicates (see suggestions). In Transaction Identity we define what a duplicate is, independently of ledger behaviour. The ledger can then decide to either process a duplicate or not.
Nit: In the whole document I would include the ICRC prefix in the method names and call them icrc2_approve and icrc2_transfer_from.
Co-authored-by: tmu0 <[email protected]>
Co-authored-by: tmu0 <[email protected]>
|
Thanks @tmu0! I've accepted your suggestions. For completeness, I've added an advisory for ICRC-1 that parallels the text on errors/atomicity expectations. |
dietersommer
left a comment
dietersommer
left a comment
There was a problem hiding this comment.
Good and nice-to-read content overall.
My comments mainly concern:
- editorial aspects;
- style improvements; and
- making formulations more crisp to support their intention.
Please address at your discretion.
| the corresponding transaction log entry have been applied. | ||
|
|
||
| - An error response SHOULD imply that: | ||
| - no account balances have been modified, and |
There was a problem hiding this comment.
I'd use a semicolon here following the more prevalent opinion on style.
| - The ledger MUST NOT apply the transaction effects again. | ||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
Editorial: Headings seem to be separated by 1, 2, or 3 newlines. Make it consistent as the current version may look a little sloppy to some.
| - Ledger implementations SHOULD ensure that `icrc2_approve` and `icrc2_transfer_from` | ||
| operations are atomic with respect to **externally observable ledger | ||
| effects**, such as: | ||
| - account balances, |
There was a problem hiding this comment.
Style: I'd use the following style consistently for enumerations (you can also omit the "and")":
- account balances;
- allowances; and
- the transaction log.
| return a success response (`Ok(nat)`). | ||
|
|
||
| - If an error response is returned, the ledger SHOULD ensure that: | ||
| - no balances or allowances have been modified, and |
|
|
||
| #### Transaction Identity | ||
|
|
||
| - A transaction is identified by the combination of: |
There was a problem hiding this comment.
Maybe make it a little clearer and relate to the below-used term "transaction identity":
"A transaction is identified by its transaction identity, which is the combination of:"
|
|
||
| In particular: | ||
|
|
||
| - A successful response (`Ok(nat)`) SHOULD imply that all balance updates and |
There was a problem hiding this comment.
Maybe make explicit that this is made up by the balance updates for the tx itself as well as the balance updates for the fees (and possibly other things).
| - no transaction log entry corresponding to the call has been recorded. | ||
|
|
||
| This guidance does not restrict changes to internal or auxiliary ledger | ||
| state (e.g., caches, metrics, bookkeeping data). |
There was a problem hiding this comment.
maybe add ", or internal logs"
|
|
||
| ICRC-1 transfers are expected to be atomic with respect to balances and the | ||
| transaction log, and error responses should not result in partial externally | ||
| observable effects. |
There was a problem hiding this comment.
Error responses should not only result in no "partial" but in no externally-observable effects at all, right? This is a bit ambiguous in my view currently.
Resulting in no effects would imply resulting in no partial effects.
| value returned by `icrc1_fee`. | ||
| - Fees SHOULD only be charged when the operation succeeds. | ||
| - The fee SHOULD be applied in a manner consistent with ICRC-1 transfers. | ||
|
|
There was a problem hiding this comment.
There is no summary here, even though there is one for the ICRC-1 advisory.
|
|
||
| To align with common ledger expectations and reduce ambiguity: | ||
|
|
||
| - Ledger implementations SHOULD ensure that `icrc2_approve` and `icrc2_transfer_from` |
There was a problem hiding this comment.
Similarly to the ICRC-1 advisory, can we give an exhaustive list?
dietersommer
left a comment
dietersommer
left a comment
There was a problem hiding this comment.
Update: Once my comments have been considered at your discretion, consider the PR approved.
4 participants
Add ICRC-1, ICRC-2 Advisory Clarifying Deduplication, Error Semantics, and Fees
This PR adds an
ADVISORY.mddocument next tostandards/ICRC-2/README.mdto clarify several aspects of the ICRC-2 standard that were previously underspecified, and raised within a security review.The advisory is non-normative and does not change the ICRC-2 interface or compliance requirements. Its purpose is to reduce ambiguity for ledger implementers and client developers by making certain expectations explicit.
Specifically, the advisory clarifies:
approveandtransfer_from, including that retrying calls with identical parameters is safe when deduplication is implemented -- SECFIND-1088approveandtransfer_fromare expected to charge the fee returned byicrc1_fee-- SECFIND-1090The advisory documents common expectations and best practices without retroactively invalidating existing implementations.