diff --git a/.github/workflows/lineendings.yml b/.github/workflows/lineendings.yml
index d73ed4829..6f0ebbc51 100644
--- a/.github/workflows/lineendings.yml
+++ b/.github/workflows/lineendings.yml
@@ -1,15 +1,18 @@
-name: 'Check CAP Line Endings'
+name: "Check CAP Line Endings"
on:
push:
branches:
- - master
+ - master
pull_request:
jobs:
lineendings:
runs-on: ubuntu-latest
steps:
- - run: sudo apt-get update && sudo apt-get install dos2unix
- - uses: actions/checkout@v5
- - run: (ls core/cap-*.md | xargs -I '{}' sh -c 'cat {} | dos2unix | cmp - {}') || (echo 'Documents listed above contain CRLF line endings, and should be LF.'; exit 1)
+ - run: sudo apt-get update && sudo apt-get install dos2unix
+ - uses: actions/checkout@v5
+ - run:
+ (ls core/cap-*.md | xargs -I '{}' sh -c 'cat {} | dos2unix | cmp -
+ {}') || (echo 'Documents listed above contain CRLF line endings, and
+ should be LF.'; exit 1)
diff --git a/.github/workflows/mddiffcheck.yml b/.github/workflows/mddiffcheck.yml
index 3cce558f0..d40d05ca2 100644
--- a/.github/workflows/mddiffcheck.yml
+++ b/.github/workflows/mddiffcheck.yml
@@ -1,23 +1,21 @@
-name: 'Check CAP Diffs'
+name: "Check CAP Diffs"
on:
push:
branches:
- - master
+ - master
pull_request:
jobs:
mddiffcheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v5
- - name: Set up Go
- uses: actions/setup-go@v6
- with:
- go-version: ^1.24
- - run: go install github.com/stellar/mddiffcheck@v1
- - run: >
- mddiffcheck
- -repo
- 'https://github.com/stellar/stellar-core https://github.com/stellar/stellar-xdr'
- core/*.md
+ - uses: actions/checkout@v5
+ - name: Set up Go
+ uses: actions/setup-go@v6
+ with:
+ go-version: ^1.24
+ - run: go install github.com/stellar/mddiffcheck@v1
+ - run: >
+ mddiffcheck -repo 'https://github.com/stellar/stellar-core
+ https://github.com/stellar/stellar-xdr' core/*.md
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index 0617d0ad0..56183950d 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
@@ -1,4 +1,4 @@
-name: 'Prettier for SEP files'
+name: "Prettier for SEP files"
on:
pull_request:
@@ -13,6 +13,5 @@ jobs:
with:
node-version: 24
- run: corepack enable
- - run: corepack prepare yarn@stable --activate
- run: yarn install --frozen-lockfile
- run: yarn sep-check
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ce741ca93..25eab05a3 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,8 +1,8 @@
-name: 'Stale Issues'
+name: "Stale Issues"
on:
schedule:
- - cron: '0 18 * * *' # approx 9:30am daily
+ - cron: "0 18 * * *" # approx 9:30am daily
jobs:
stale:
@@ -14,10 +14,16 @@ jobs:
debug-only: false
days-before-stale: 30
days-before-close: 30
- stale-issue-message: 'This issue is stale because it has been open for 30 days with no activity. It will be closed in 30 days unless the stale label is removed.'
- stale-pr-message: 'This pull request is stale because it has been open for 30 days with no activity. It will be closed in 30 days unless the stale label is removed.'
+ stale-issue-message:
+ "This issue is stale because it has been open for 30 days with no
+ activity. It will be closed in 30 days unless the stale label is
+ removed."
+ stale-pr-message:
+ "This pull request is stale because it has been open for 30 days
+ with no activity. It will be closed in 30 days unless the stale
+ label is removed."
stale-issue-label: stale
stale-pr-label: stale
- exempt-issue-labels: 'needs draft,needs pilot,accepted,blocked'
- exempt-pr-labels: 'needs draft,needs pilot,accepted,blocked'
+ exempt-issue-labels: "needs draft,needs pilot,accepted,blocked"
+ exempt-pr-labels: "needs draft,needs pilot,accepted,blocked"
remove-stale-when-updated: true
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 82e57350b..eced0b753 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,22 +2,26 @@
👍🎉 First off, thanks for taking the time to contribute! 🎉👍
-Check out the [Stellar Contribution Guide](https://github.com/stellar/.github/blob/master/CONTRIBUTING.md) for details
-on contributing to stellar-core and Stellar's other repositories, especially with regard to our code of conduct and
-contributor license agreement.
+Check out the
+[Stellar Contribution Guide](https://github.com/stellar/.github/blob/master/CONTRIBUTING.md)
+for details on contributing to stellar-core and Stellar's other repositories,
+especially with regard to our code of conduct and contributor license
+agreement.
# CAP Contribution Process
CAPs deal with changes to the core protocol of the Stellar network.
-Please see the contribution process outlined in [the core folder](core/README.md).
+Please see the contribution process outlined in
+[the core folder](core/README.md).
# SEP Contribution Process
-SEPs deal with changes to the standards, protocols, and methods used in the ecosystem built on top of the Stellar
-network.
+SEPs deal with changes to the standards, protocols, and methods used in the
+ecosystem built on top of the Stellar network.
-Please see the contribution process outlined in [the ecosystem folder](ecosystem/README.md).
+Please see the contribution process outlined in
+[the ecosystem folder](ecosystem/README.md).
-Please run `./bin/prettier.sh` or `yarn sep-prettify` (if your OS doesn't have sh) before submitting
-your PR.
+Please run `./bin/prettier.sh` or `yarn sep-prettify` (if your OS doesn't have
+sh) before submitting your PR.
diff --git a/README.md b/README.md
index ca4047b3d..84ce958ab 100644
--- a/README.md
+++ b/README.md
@@ -9,27 +9,34 @@
-This repository is home to **Core Advancement Proposals** (CAPs) and **Stellar Ecosystem Proposals**
-(SEPs).
+This repository is home to **Core Advancement Proposals** (CAPs) and **Stellar
+Ecosystem Proposals** (SEPs).
-Similar to [BIPs](https://github.com/bitcoin/bips) and [EIPs](https://github.com/ethereum/EIPs),
-CAPs and SEPs are the proposals of standards to improve the Stellar protocol and related client APIs.
+Similar to [BIPs](https://github.com/bitcoin/bips) and
+[EIPs](https://github.com/ethereum/EIPs), CAPs and SEPs are the proposals of
+standards to improve the Stellar protocol and related client APIs.
-CAPs deal with changes to the core protocol of the Stellar network. Please see [the process for CAPs](core/README.md).
+CAPs deal with changes to the core protocol of the Stellar network. Please see
+[the process for CAPs](core/README.md).
-SEPs deal with changes to the standards, protocols, and methods used in the ecosystem built on top
-of the Stellar network. Please see [the process for SEPs](ecosystem/README.md).
+SEPs deal with changes to the standards, protocols, and methods used in the
+ecosystem built on top of the Stellar network. Please see
+[the process for SEPs](ecosystem/README.md).
## Repository structure
The root directory of this repository contains:
-* Templates for creating your own CAP or SEP
-* `contents` directory with `[cap | sep]-xxxx` subdirectories that contain all media/script files for a given CAP or SEP document.
-* core directory which contains accepted CAPs (`cap-xxxx.md` where `xxxx` is a CAP number with leading zeros, ex. `cap-0051.md`)
-* ecosystem directory which contains accepted SEPs (`sep-xxxx.md` where `xxxx` is a SEP number with leading zeros, ex. `sep-0051.md`)
+- Templates for creating your own CAP or SEP
+- `contents` directory with `[cap | sep]-xxxx` subdirectories that contain all
+ media/script files for a given CAP or SEP document.
+- core directory which contains accepted CAPs (`cap-xxxx.md` where `xxxx` is a
+ CAP number with leading zeros, ex. `cap-0051.md`)
+- ecosystem directory which contains accepted SEPs (`sep-xxxx.md` where `xxxx`
+ is a SEP number with leading zeros, ex. `sep-0051.md`)
Example repository structure:
+
```
├── CONTRIBUTING.md
├── README.md
diff --git a/cap-template.md b/cap-template.md
index f0d105b99..18b1a638c 100644
--- a/cap-template.md
+++ b/cap-template.md
@@ -14,8 +14,9 @@ Protocol version: TBD
```
## Simple Summary
-"If you can't explain it simply, you don't understand it well enough." Please provide a simplified
-and layman-accessible explanation of the CAP.
+
+"If you can't explain it simply, you don't understand it well enough." Please
+provide a simplified and layman-accessible explanation of the CAP.
## Working Group
@@ -23,59 +24,79 @@ This section describes the composition of the working group.
### Recommended structure
-The recommended structure of the working group is based on the [RACI](https://en.wikipedia.org/wiki/Responsibility_assignment_matrix#Role_distinction) model.
+The recommended structure of the working group is based on the
+[RACI](https://en.wikipedia.org/wiki/Responsibility_assignment_matrix#Role_distinction)
+model.
The model contains the following roles:
- * Authors - ("Recommender" in RACI) group of people that author the CAP with the owner
- * Owner - ("Accountable" in RACI) the person that owns the CAP. This includes
- * signing off on any changes to the CAP and
- * moving the CAP through the [CAP process](core/README.md)
- * Consulted - list of people that need to be consulted and provide feedback
- * Informed - not explicitely listed, the developer mailing list allows for that.
+
+- Authors - ("Recommender" in RACI) group of people that author the CAP with
+ the owner
+- Owner - ("Accountable" in RACI) the person that owns the CAP. This includes
+ - signing off on any changes to the CAP and
+ - moving the CAP through the [CAP process](core/README.md)
+- Consulted - list of people that need to be consulted and provide feedback
+- Informed - not explicitely listed, the developer mailing list allows for
+ that.
### Example working group composition
#### Semantic protocol changes
Example:
- * adding or modifying operations
- * modifying the behavior of operations
+
+- adding or modifying operations
+- modifying the behavior of operations
The working group must include a representative set of
- * downstream systems developers (Horizon, block explorers, etc)
- * SDK developers (Go, Javascript, etc)
-In some cases, application developers (or somebody representing their interest) can also be involved.
+- downstream systems developers (Horizon, block explorers, etc)
+- SDK developers (Go, Javascript, etc)
-The motivation section should clearly show how the changes will be used end to end.
+In some cases, application developers (or somebody representing their interest)
+can also be involved.
+
+The motivation section should clearly show how the changes will be used end to
+end.
#### Ledger and historical subsystem changes
The working group must include a representative set of
- * downstream systems developers (Horizon, block explorers, etc)
- * node operators
-The motivation section should articulate the positive impact on stakeholders (the "Protocol Upgrade Transition" section can focus on other aspects).
+- downstream systems developers (Horizon, block explorers, etc)
+- node operators
+
+The motivation section should articulate the positive impact on stakeholders
+(the "Protocol Upgrade Transition" section can focus on other aspects).
## Motivation
-You should clearly explain why the existing protocol specification is inadequate to address the
-problem that the CAP solves. In particular, CAP submissions without sufficient motivation may be
-rejected outright.
+
+You should clearly explain why the existing protocol specification is
+inadequate to address the problem that the CAP solves. In particular, CAP
+submissions without sufficient motivation may be rejected outright.
### Goals Alignment
-You should reference the Stellar Network goal(s) that this proposal advances, such as:
-* The Stellar Network should run at scale and at low cost to all participants of the network.
-* The Stellar Network should enable cross-border payments.
+
+You should reference the Stellar Network goal(s) that this proposal advances,
+such as:
+
+- The Stellar Network should run at scale and at low cost to all participants
+ of the network.
+- The Stellar Network should enable cross-border payments.
## Abstract
+
A short (~200 word) description of the technical issue being addressed.
## Specification
-The technical specification should describe the syntax and semantics of any new feature.
+
+The technical specification should describe the syntax and semantics of any new
+feature.
### XDR changes
-This section includes all changes to the XDR (`.x` files), presented as a "diff"
-against the latest version of the protocol (or in some rare exception,
+
+This section includes all changes to the XDR (`.x` files), presented as a
+"diff" against the latest version of the protocol (or in some rare exception,
on top of a different CAP). Diffs should be generated against on the XDR in the
[stellar-core repository].
@@ -83,61 +104,87 @@ To generate diffs, use the `git diff` command.
To apply diffs, use the `git apply --reject --whitespace=fix` command.
-For large changes, it may be beneficial to link to actual XDR files copied
-in the relevant "contents" folder.
+For large changes, it may be beneficial to link to actual XDR files copied in
+the relevant "contents" folder.
#### XDR Example
-If this update to XDR or any logical change to meta will have any effect on Horizon, RPC, etc., include some base64-encoded `LedgerCloseMeta` examples. The examples should reflect the updated XDR structures for downstream testing purposes. The feasibility of generating this XDR will depend on the XDR change itself, but the CAP author should do their best to give downstream consumers enough to test with so they don't need to wait for the Stellar Core implementation before starting testing.
-The `stellar-xdr` CLI can convert between base64 XDR and JSON, so that can be used to modify an existing testnet or mainnet `LedgerCloseMeta` to use as an example. Note that you may need to build or install a version of `stellar-xdr` that contains the changes in this CAP.
+If this update to XDR or any logical change to meta will have any effect on
+Horizon, RPC, etc., include some base64-encoded `LedgerCloseMeta` examples. The
+examples should reflect the updated XDR structures for downstream testing
+purposes. The feasibility of generating this XDR will depend on the XDR change
+itself, but the CAP author should do their best to give downstream consumers
+enough to test with so they don't need to wait for the Stellar Core
+implementation before starting testing.
+
+The `stellar-xdr` CLI can convert between base64 XDR and JSON, so that can be
+used to modify an existing testnet or mainnet `LedgerCloseMeta` to use as an
+example. Note that you may need to build or install a version of `stellar-xdr`
+that contains the changes in this CAP.
-This section should be filled out by the time the XDR is agreed on in a protocol meeting.
+This section should be filled out by the time the XDR is agreed on in a
+protocol meeting.
### Semantics
-This section includes subsections, one for each logical change included in the XDR changes,
-that describes how each new or changed type functions and is used, and for new operations
-a step-by-step description of what happens when the operation is executed.
+
+This section includes subsections, one for each logical change included in the
+XDR changes, that describes how each new or changed type functions and is used,
+and for new operations a step-by-step description of what happens when the
+operation is executed.
## Design Rationale
-The rationale fleshes out the specification by describing what motivated the design and why
-particular design decisions were made. It should describe alternate designs that were considered
-and related work, e.g. how the feature is supported in other protocols. The rationale may also
-provide evidence of consensus within the community, and should discuss important objections or
+
+The rationale fleshes out the specification by describing what motivated the
+design and why particular design decisions were made. It should describe
+alternate designs that were considered and related work, e.g. how the feature
+is supported in other protocols. The rationale may also provide evidence of
+consensus within the community, and should discuss important objections or
concerns raised during discussion.
## Protocol Upgrade Transition
-Typically CAPs have a direct impact on core that should be well understood,
-and indirect impact on other systems in the ecosystem (Horizon, SDKs,
-application, etc).
-The following sections look at common challenges associated with those
-protocol transitions.
+Typically CAPs have a direct impact on core that should be well understood, and
+indirect impact on other systems in the ecosystem (Horizon, SDKs, application,
+etc).
+
+The following sections look at common challenges associated with those protocol
+transitions.
### Backwards Incompatibilities
-All CAPs that introduce backwards incompatibilities must include a section describing these
-incompatibilities and their severity.
-The CAP must propose how to deal with these incompatibilities, potentially pointing to other standard documents that complements the CAP (for example SEPs).
+All CAPs that introduce backwards incompatibilities must include a section
+describing these incompatibilities and their severity.
-CAP submissions with an insufficient discussion of backwards compatibility
-may be rejected outright.
+The CAP must propose how to deal with these incompatibilities, potentially
+pointing to other standard documents that complements the CAP (for example
+SEPs).
+
+CAP submissions with an insufficient discussion of backwards compatibility may
+be rejected outright.
### Resource Utilization
+
Reasonable effort should be made to understand the impact of the CAP on
resource utilization like CPU, memory, network bandwidth and disk/database.
## Security Concerns
-All CAPs should carefully consider areas where security may be a concern, and document them
-accordingly. If a change does not have security implications, briefly explain why.
+
+All CAPs should carefully consider areas where security may be a concern, and
+document them accordingly. If a change does not have security implications,
+briefly explain why.
## Test Cases
-Test cases for an implementation are mandatory for CAPs that are affecting consensus changes. Other
-CAPs can choose to include links to test cases if applicable.
+
+Test cases for an implementation are mandatory for CAPs that are affecting
+consensus changes. Other CAPs can choose to include links to test cases if
+applicable.
## Implementation
-The implementation(s) must be completed before any CAP is given "Final" status, but it need not be
-completed before the CAP is accepted. While there is merit to the approach of reaching consensus on
-the specification and rationale before writing code, the principle of "rough consensus and running
-code" is still useful when it comes to resolving many discussions of API details.
+
+The implementation(s) must be completed before any CAP is given "Final" status,
+but it need not be completed before the CAP is accepted. While there is merit
+to the approach of reaching consensus on the specification and rationale before
+writing code, the principle of "rough consensus and running code" is still
+useful when it comes to resolving many discussions of API details.
[stellar-core repository]: https://github.com/stellar/stellar-core
diff --git a/contents/sep-0042/assetlist.schema.json b/contents/sep-0042/assetlist.schema.json
index bf3224cb8..d6ff88a92 100644
--- a/contents/sep-0042/assetlist.schema.json
+++ b/contents/sep-0042/assetlist.schema.json
@@ -16,7 +16,7 @@
"minLength": 5,
"description": "Short descriptive title of the list"
},
- "network":{
+ "network": {
"type": "string",
"enum": ["public", "testnet"]
},
@@ -106,32 +106,19 @@
"description": "Alerts, messages, or other additional information specified by the provider"
}
},
- "required": [
- "name",
- "org"
- ],
+ "required": ["name", "org"],
"anyOf": [
{
- "required": [
- "contract"
- ]
+ "required": ["contract"]
},
{
- "required": [
- "code",
- "issuer"
- ]
+ "required": ["code", "issuer"]
}
],
"additionalProperties": false
}
}
},
- "required": [
- "name",
- "provider",
- "version",
- "assets"
- ],
+ "required": ["name", "provider", "version", "assets"],
"additionalProperties": false
-}
\ No newline at end of file
+}
diff --git a/core/README.md b/core/README.md
index 17b3e593c..e9066d489 100644
--- a/core/README.md
+++ b/core/README.md
@@ -3,186 +3,209 @@
## CAP Status Terms
### Primary Workflow
-- **Draft** — A CAP that is currently open for consideration and actively being discussed.
-- **Awaiting Decision** — A mature and ready CAP that is ready for final deliberation by the CAP
- Core Team. After a maximum of three meetings, a vote will take place that will set the CAP's
- intended FCP disposition (**FCP: Acceptance/Rejection**) or go back into a **Draft** state.
-- **FCP: [Acceptance/Rejection]** — A CAP that has entered a Final Comment Period (FCP) with an
- intended disposition. After one week has passed, during which any new concerns should be
- addressed, the CAP will head towards its intended disposition [**Acceptance/Rejection**] or go
- back into a Draft state.
-- **Accepted** — A CAP that has been accepted on the merits of its idea pre-implementation, and is
- ready for implementation. It is still possible that the CAP may be rejected post-implementation
- due to the issues that may arise during an initial implementation.
-- **Implemented** - A CAP that has been implemented with the protocol version specified in the CAP. It will graduate to
- **Final** when it has been formally accepted by a majority of validators (nodes) on the network.
-- **Final** — A CAP that has been accepted by a majority of validators (nodes) on the network. A
- final CAP should only be updated to correct errata.
+
+- **Draft** — A CAP that is currently open for consideration and actively being
+ discussed.
+- **Awaiting Decision** — A mature and ready CAP that is ready for final
+ deliberation by the CAP Core Team. After a maximum of three meetings, a vote
+ will take place that will set the CAP's intended FCP disposition (**FCP:
+ Acceptance/Rejection**) or go back into a **Draft** state.
+- **FCP: [Acceptance/Rejection]** — A CAP that has entered a Final Comment
+ Period (FCP) with an intended disposition. After one week has passed, during
+ which any new concerns should be addressed, the CAP will head towards its
+ intended disposition [**Acceptance/Rejection**] or go back into a Draft
+ state.
+- **Accepted** — A CAP that has been accepted on the merits of its idea
+ pre-implementation, and is ready for implementation. It is still possible
+ that the CAP may be rejected post-implementation due to the issues that may
+ arise during an initial implementation.
+- **Implemented** - A CAP that has been implemented with the protocol version
+ specified in the CAP. It will graduate to **Final** when it has been formally
+ accepted by a majority of validators (nodes) on the network.
+- **Final** — A CAP that has been accepted by a majority of validators (nodes)
+ on the network. A final CAP should only be updated to correct errata.
### Additional Statuses
-- **Rejected** - A CAP that has been formally rejected by the CAP Core Team, and will not be
- implemented.
-- **Superseded: [New Final CAP]** - A CAP that which was previously final but has been superseded
- by a new, final CAP. Both CAPs should reference each other.
+
+- **Rejected** - A CAP that has been formally rejected by the CAP Core Team,
+ and will not be implemented.
+- **Superseded: [New Final CAP]** - A CAP that which was previously final but
+ has been superseded by a new, final CAP. Both CAPs should reference each
+ other.
## List of Proposals
-| Number | Protocol Version | Title | Author | Status |
-| ---- | --- | --- | --- | --- |
-| [CAP-0001](cap-0001.md) | 10 | Bump Sequence | Nicolas Barry | Final |
-| [CAP-0002](cap-0002.md) | 10 | Transaction level signature verification | Nicolas Barry | Final |
-| [CAP-0003](cap-0003.md) | 10 | Asset-backed offers | Jonathan Jove | Final |
-| [CAP-0004](cap-0004.md) | 10 | Improved Rounding for Cross Offer | Jonathan Jove | Final |
-| [CAP-0005](cap-0005.md) | 11 | Throttling and transaction pricing improvements | Nicolas Barry | Final |
-| [CAP-0006](cap-0006.md) | 11 | Add ManageBuyOffer Operation | Jonathan Jove | Final |
-| [CAP-0015](cap-0015.md) | 13 | Fee Bump Transactions | OrbitLens | Final |
-| [CAP-0017](cap-0017.md) | - | Update LastModifiedLedgerSeq If and Only If LedgerEntry is Modified | Jonathan Jove | Accepted |
-| [CAP-0018](cap-0018.md) | 13 | Fine-Grained Control of Authorization | Jonathan Jove | Final |
-| [CAP-0019](cap-0019.md) | 13 | Future-upgradable TransactionEnvelope type | David Mazières | Final |
-| [CAP-0020](cap-0020.md) | 11 | Bucket Initial Entries | Graydon Hoare | Final |
-| [CAP-0021](cap-0021.md) | 19 | Generalized transaction preconditions | David Mazières | Final |
-| [CAP-0023](cap-0023.md) | 14 | Two-Part Payments with ClaimableBalanceEntry | Jonathan Jove | Final |
-| [CAP-0024](cap-0024.md) | 12 | Make PathPayment Symmetrical | Jed McCaleb | Final |
-| [CAP-0025](cap-0025.md) | 12 | Remove Bucket Shadowing | Marta Lokhava | Final |
-| [CAP-0026](cap-0026.md) | 12 | Disable Inflation Mechanism | OrbitLens | Final |
-| [CAP-0027](cap-0027.md) | 13 | First-class multiplexed accounts | David Mazières and Tomer Weller | Final |
-| [CAP-0028](cap-0028.md) | 13 | Clear pre-auth transaction signer on failed transactions | Siddharth Suresh | Final |
-| [CAP-0029](cap-0029.md) | 16 | AllowTrust when not AUTH_REQUIRED | Tomer Weller | Final |
-| [CAP-0030](cap-0030.md) | 13 | Remove NO_ISSUER Operation Results | Siddharth Suresh | Final |
-| [CAP-0033](cap-0033.md) | 14/15 | Sponsored Reserve with EphemeralSponsorshipEntry | Jonathan Jove | Final |
-| [CAP-0034](cap-0034.md) | 14 | Preserve Transaction-Set/Close-Time Affinity During Nomination | Terence Rokop | Final |
-| [CAP-0035](cap-0035.md) | 17 | Asset Clawback | Dan Doney | Final |
-| [CAP-0038](cap-0038.md) | 18 | Automated Market Makers | Jonathan Jove | Final |
-| [CAP-0040](cap-0040.md) | 19 | Ed25519 Signed Payload Signer for Transaction Signature Disclosure | Leigh McCulloch | Final |
-| [CAP-0042](cap-0042.md) | - | Multi-Part Transaction Sets | Nicolas Barry | Final |
-| [CAP-0046](cap-0046.md) | 20 |Soroban smart contract system overview | Graydon Hoare | Final |
-| [CAP-0046-01 (formerly 0046)](cap-0046-01.md) | 20 | WebAssembly Smart Contract Runtime Environment | Graydon Hoare | Final |
-| [CAP-0046-02 (formerly 0047)](cap-0046-02.md) | 20 | Smart Contract Lifecycle | Siddharth Suresh | Final |
-| [CAP-0046-03 (formerly 0051)](cap-0046-03.md) | 20 | Smart Contract Host Functons | Jay Geng | Final |
-| [CAP-0046-05 (formerly 0053)](cap-0046-05.md) | 20 | Smart Contract Data | Graydon Hoare | Final |
-| [CAP-0046-06 (formerly 0054)](cap-0046-06.md) | 20 | Smart Contract Standardized Asset | Jonathan Jove | Final |
-| [CAP-0046-07 (formerly 0055)](cap-0046-07.md) | 20 | Fee model in smart contracts | Nicolas Barry | Final |
-| [CAP-0046-08 (formerly 0056)](cap-0046-08.md) | 20 |Smart Contract Logging | Siddharth Suresh | Final |
-| [CAP-0046-09](cap-0046-09.md) | 20 | Network Configuration Ledger Entries | Dmytro Kozhevin | Final |
-| [CAP-0046-10](cap-0046-10.md) | 20 | Smart Contract Budget Metering | Jay Geng | Final |
-| [CAP-0046-11](cap-0046-11.md) | 20 | Soroban Authorization Framework | Dmytro Kozhevin | Final |
-| [CAP-0046-12](cap-0046-12.md) | 20 | Soroban State Archival Interface | Garand Tyson | Final |
-| [CAP-0051](cap-0051.md) | 21 | Smart Contract Host Functionality: Secp256r1 Verification | Leigh McCulloch | Final |
-| [CAP-0053](cap-0053.md) | 21 | Separate host functions to extend the TTL for contract instance and contract code | Tommaso De Ponti | Final |
-| [CAP-0054](cap-0054.md) | 21 | Soroban refined VM instantiation cost model | Graydon Hoare | Final |
-| [CAP-0055](cap-0055.md) | 21 | Soroban streamlined linking | Graydon Hoare | Final |
-| [CAP-0056](cap-0056.md) | 21 | Soroban intra-transaction module caching | Graydon Hoare | Final |
-| [CAP-0058](cap-0058.md) | 22 | Constructors for Soroban Contracts | Dmytro Kozhevin | Final |
-| [CAP-0059](cap-0059.md) | 22 | Host functions for BLS12-381 | Jay Geng | Final |
-| [CAP-0062](cap-0062.md) | 23 | Soroban Live State Prioritization | Garand Tyson | Final |
-| [CAP-0063](cap-0063.md) | 23 | Parallelism-friendly Transaction Scheduling | Dmytro Kozhevin | Final |
-| [CAP-0065](cap-0065.md) | 23 | Reusable Module Cache | Graydon Hoare | Final |
-| [CAP-0066](cap-0066.md) | 23 | Soroban In-memory Read Resource | Garand Tyson | Final |
-| [CAP-0067](cap-0067.md) | 23 | Unified Asset Events | Siddharth Suresh | Final |
-| [CAP-0068](cap-0068.md) | 23 | Host function for getting executable for `Address` | Dmytro Kozhevin | Final |
-| [CAP-0069](cap-0069.md) | 23 | String/Bytes conversion host functions | Dmytro Kozhevin | Final |
-| [CAP-0070](cap-0070.md) | 23 | Configurable SCP Timing Parameters | Garand Tyson | Final |
-| [CAP-0074](cap-0074.md) | Host functions for BN254 | Siddharth Suresh | Awaiting Decision |
-| [CAP-0075](cap-0075.md) | Cryptographic Primitives for Poseidon/Poseidon2 Hash Functions | Jay Geng | Awaiting Decision |
-| [CAP-0076](cap-0076.md) | P23 State Archival bug remediation | Dmytro Kozhevin | Final |
+| Number | Protocol Version | Title | Author | Status |
+| --------------------------------------------- | -------------------------------------------------------------- | --------------------------------------------------------------------------------- | ------------------------------- | -------- |
+| [CAP-0001](cap-0001.md) | 10 | Bump Sequence | Nicolas Barry | Final |
+| [CAP-0002](cap-0002.md) | 10 | Transaction level signature verification | Nicolas Barry | Final |
+| [CAP-0003](cap-0003.md) | 10 | Asset-backed offers | Jonathan Jove | Final |
+| [CAP-0004](cap-0004.md) | 10 | Improved Rounding for Cross Offer | Jonathan Jove | Final |
+| [CAP-0005](cap-0005.md) | 11 | Throttling and transaction pricing improvements | Nicolas Barry | Final |
+| [CAP-0006](cap-0006.md) | 11 | Add ManageBuyOffer Operation | Jonathan Jove | Final |
+| [CAP-0015](cap-0015.md) | 13 | Fee Bump Transactions | OrbitLens | Final |
+| [CAP-0017](cap-0017.md) | - | Update LastModifiedLedgerSeq If and Only If LedgerEntry is Modified | Jonathan Jove | Accepted |
+| [CAP-0018](cap-0018.md) | 13 | Fine-Grained Control of Authorization | Jonathan Jove | Final |
+| [CAP-0019](cap-0019.md) | 13 | Future-upgradable TransactionEnvelope type | David Mazières | Final |
+| [CAP-0020](cap-0020.md) | 11 | Bucket Initial Entries | Graydon Hoare | Final |
+| [CAP-0021](cap-0021.md) | 19 | Generalized transaction preconditions | David Mazières | Final |
+| [CAP-0023](cap-0023.md) | 14 | Two-Part Payments with ClaimableBalanceEntry | Jonathan Jove | Final |
+| [CAP-0024](cap-0024.md) | 12 | Make PathPayment Symmetrical | Jed McCaleb | Final |
+| [CAP-0025](cap-0025.md) | 12 | Remove Bucket Shadowing | Marta Lokhava | Final |
+| [CAP-0026](cap-0026.md) | 12 | Disable Inflation Mechanism | OrbitLens | Final |
+| [CAP-0027](cap-0027.md) | 13 | First-class multiplexed accounts | David Mazières and Tomer Weller | Final |
+| [CAP-0028](cap-0028.md) | 13 | Clear pre-auth transaction signer on failed transactions | Siddharth Suresh | Final |
+| [CAP-0029](cap-0029.md) | 16 | AllowTrust when not AUTH_REQUIRED | Tomer Weller | Final |
+| [CAP-0030](cap-0030.md) | 13 | Remove NO_ISSUER Operation Results | Siddharth Suresh | Final |
+| [CAP-0033](cap-0033.md) | 14/15 | Sponsored Reserve with EphemeralSponsorshipEntry | Jonathan Jove | Final |
+| [CAP-0034](cap-0034.md) | 14 | Preserve Transaction-Set/Close-Time Affinity During Nomination | Terence Rokop | Final |
+| [CAP-0035](cap-0035.md) | 17 | Asset Clawback | Dan Doney | Final |
+| [CAP-0038](cap-0038.md) | 18 | Automated Market Makers | Jonathan Jove | Final |
+| [CAP-0040](cap-0040.md) | 19 | Ed25519 Signed Payload Signer for Transaction Signature Disclosure | Leigh McCulloch | Final |
+| [CAP-0042](cap-0042.md) | - | Multi-Part Transaction Sets | Nicolas Barry | Final |
+| [CAP-0046](cap-0046.md) | 20 | Soroban smart contract system overview | Graydon Hoare | Final |
+| [CAP-0046-01 (formerly 0046)](cap-0046-01.md) | 20 | WebAssembly Smart Contract Runtime Environment | Graydon Hoare | Final |
+| [CAP-0046-02 (formerly 0047)](cap-0046-02.md) | 20 | Smart Contract Lifecycle | Siddharth Suresh | Final |
+| [CAP-0046-03 (formerly 0051)](cap-0046-03.md) | 20 | Smart Contract Host Functons | Jay Geng | Final |
+| [CAP-0046-05 (formerly 0053)](cap-0046-05.md) | 20 | Smart Contract Data | Graydon Hoare | Final |
+| [CAP-0046-06 (formerly 0054)](cap-0046-06.md) | 20 | Smart Contract Standardized Asset | Jonathan Jove | Final |
+| [CAP-0046-07 (formerly 0055)](cap-0046-07.md) | 20 | Fee model in smart contracts | Nicolas Barry | Final |
+| [CAP-0046-08 (formerly 0056)](cap-0046-08.md) | 20 | Smart Contract Logging | Siddharth Suresh | Final |
+| [CAP-0046-09](cap-0046-09.md) | 20 | Network Configuration Ledger Entries | Dmytro Kozhevin | Final |
+| [CAP-0046-10](cap-0046-10.md) | 20 | Smart Contract Budget Metering | Jay Geng | Final |
+| [CAP-0046-11](cap-0046-11.md) | 20 | Soroban Authorization Framework | Dmytro Kozhevin | Final |
+| [CAP-0046-12](cap-0046-12.md) | 20 | Soroban State Archival Interface | Garand Tyson | Final |
+| [CAP-0051](cap-0051.md) | 21 | Smart Contract Host Functionality: Secp256r1 Verification | Leigh McCulloch | Final |
+| [CAP-0053](cap-0053.md) | 21 | Separate host functions to extend the TTL for contract instance and contract code | Tommaso De Ponti | Final |
+| [CAP-0054](cap-0054.md) | 21 | Soroban refined VM instantiation cost model | Graydon Hoare | Final |
+| [CAP-0055](cap-0055.md) | 21 | Soroban streamlined linking | Graydon Hoare | Final |
+| [CAP-0056](cap-0056.md) | 21 | Soroban intra-transaction module caching | Graydon Hoare | Final |
+| [CAP-0058](cap-0058.md) | 22 | Constructors for Soroban Contracts | Dmytro Kozhevin | Final |
+| [CAP-0059](cap-0059.md) | 22 | Host functions for BLS12-381 | Jay Geng | Final |
+| [CAP-0062](cap-0062.md) | 23 | Soroban Live State Prioritization | Garand Tyson | Final |
+| [CAP-0063](cap-0063.md) | 23 | Parallelism-friendly Transaction Scheduling | Dmytro Kozhevin | Final |
+| [CAP-0065](cap-0065.md) | 23 | Reusable Module Cache | Graydon Hoare | Final |
+| [CAP-0066](cap-0066.md) | 23 | Soroban In-memory Read Resource | Garand Tyson | Final |
+| [CAP-0067](cap-0067.md) | 23 | Unified Asset Events | Siddharth Suresh | Final |
+| [CAP-0068](cap-0068.md) | 23 | Host function for getting executable for `Address` | Dmytro Kozhevin | Final |
+| [CAP-0069](cap-0069.md) | 23 | String/Bytes conversion host functions | Dmytro Kozhevin | Final |
+| [CAP-0070](cap-0070.md) | 23 | Configurable SCP Timing Parameters | Garand Tyson | Final |
+| [CAP-0074](cap-0074.md) | Host functions for BN254 | Siddharth Suresh | Awaiting Decision |
+| [CAP-0075](cap-0075.md) | Cryptographic Primitives for Poseidon/Poseidon2 Hash Functions | Jay Geng | Awaiting Decision |
+| [CAP-0076](cap-0076.md) | P23 State Archival bug remediation | Dmytro Kozhevin | Final |
### Draft Proposals
-| Number | Title | Author | Status |
-| --- | --- | --- | --- |
-| [CAP-0007](cap-0007.md) | Deterministic Account Creation | Jeremy Rubin | Draft |
-| [CAP-0008](cap-0008.md) | Self Identified Pre-Auth Transaction | Jeremy Rubin | Draft |
-| [CAP-0009](cap-0009.md) | Linear/Exterior Immutable Accounts | Jeremy Rubin | Draft |
-| [CAP-0010](cap-0010.md) | Fee Bump Account | Jeremy Rubin | Draft |
-| [CAP-0011](cap-0011.md) | Relative Account Freeze | Jeremy Rubin | Draft |
-| [CAP-0012](cap-0012.md) | Deterministic accounts and creatorTxID | David Mazières | Draft |
-| [CAP-0014](cap-0014.md) | Adversarial Transaction Set Ordering | Jeremy Rubin | Draft |
-| [CAP-0022](cap-0022.md) | Invalid transactions must have no effects | David Mazières | Draft |
-| [CAP-0032](cap-0032.md) | Trustline Preauthorization | Jonathan Jove | Draft |
-| [CAP-0037](cap-0037.md) | Automated Market Makers | OrbitLens | Draft |
-| [CAP-0041](cap-0041.md) | Concurrent Transactions | Leigh McCulloch, David Mazières | Draft |
-| [CAP-0043](cap-0043.md) | ECDSA Signers with P-256 and secp256k1 Curves | Leigh McCulloch | Draft |
-| [CAP-0044](cap-0044.md) | SPEEDEX - Configuration | Jonathan Jove | Draft |
-| [CAP-0045](cap-0045.md) | SPEEDEX - Pricing | Jonathan Jove | Draft |
-| [CAP-0057](cap-0057.md) | State Archival Persistent Entry Eviction | Garand Tyson | Draft |
-| [CAP-0060](cap-0060.md) | Update to Wasmi register machine| Graydon Hoare | Accepted |
-| [CAP-0071](cap-0071.md) | Authentication delegation for custom accounts | Dmytro Kozhevin | Draft |
-| [CAP-0072](cap-0072.md) | Contract signers for Stellar accounts | Dmytro Kozhevin | Draft |
-| [CAP-0073](cap-0073.md) | Allow SAC to create G-account balances | Dmytro Kozhevin | Draft |
-| [CAP-0077](cap-0077.md) | Ability to freeze ledger keys via network configuration | Dmytro Kozhevin | Draft |
-| [CAP-0078](cap-0078.md) | Host functions for performing limited TTL extensions | Dmytro Kozhevin | Draft |
-| [CAP-0079](cap-0079.md) | Host functions for muxed address strkey conversions | Dmytro Kozhevin | Draft |
-| [CAP-0080](cap-0080.md) | Host functions for efficient ZK BN254 use cases | Siddharth Suresh | Draft |
+
+| Number | Title | Author | Status |
+| ----------------------- | ------------------------------------------------------- | ------------------------------- | -------- |
+| [CAP-0007](cap-0007.md) | Deterministic Account Creation | Jeremy Rubin | Draft |
+| [CAP-0008](cap-0008.md) | Self Identified Pre-Auth Transaction | Jeremy Rubin | Draft |
+| [CAP-0009](cap-0009.md) | Linear/Exterior Immutable Accounts | Jeremy Rubin | Draft |
+| [CAP-0010](cap-0010.md) | Fee Bump Account | Jeremy Rubin | Draft |
+| [CAP-0011](cap-0011.md) | Relative Account Freeze | Jeremy Rubin | Draft |
+| [CAP-0012](cap-0012.md) | Deterministic accounts and creatorTxID | David Mazières | Draft |
+| [CAP-0014](cap-0014.md) | Adversarial Transaction Set Ordering | Jeremy Rubin | Draft |
+| [CAP-0022](cap-0022.md) | Invalid transactions must have no effects | David Mazières | Draft |
+| [CAP-0032](cap-0032.md) | Trustline Preauthorization | Jonathan Jove | Draft |
+| [CAP-0037](cap-0037.md) | Automated Market Makers | OrbitLens | Draft |
+| [CAP-0041](cap-0041.md) | Concurrent Transactions | Leigh McCulloch, David Mazières | Draft |
+| [CAP-0043](cap-0043.md) | ECDSA Signers with P-256 and secp256k1 Curves | Leigh McCulloch | Draft |
+| [CAP-0044](cap-0044.md) | SPEEDEX - Configuration | Jonathan Jove | Draft |
+| [CAP-0045](cap-0045.md) | SPEEDEX - Pricing | Jonathan Jove | Draft |
+| [CAP-0057](cap-0057.md) | State Archival Persistent Entry Eviction | Garand Tyson | Draft |
+| [CAP-0060](cap-0060.md) | Update to Wasmi register machine | Graydon Hoare | Accepted |
+| [CAP-0071](cap-0071.md) | Authentication delegation for custom accounts | Dmytro Kozhevin | Draft |
+| [CAP-0072](cap-0072.md) | Contract signers for Stellar accounts | Dmytro Kozhevin | Draft |
+| [CAP-0073](cap-0073.md) | Allow SAC to create G-account balances | Dmytro Kozhevin | Draft |
+| [CAP-0077](cap-0077.md) | Ability to freeze ledger keys via network configuration | Dmytro Kozhevin | Draft |
+| [CAP-0078](cap-0078.md) | Host functions for performing limited TTL extensions | Dmytro Kozhevin | Draft |
+| [CAP-0079](cap-0079.md) | Host functions for muxed address strkey conversions | Dmytro Kozhevin | Draft |
+| [CAP-0080](cap-0080.md) | Host functions for efficient ZK BN254 use cases | Siddharth Suresh | Draft |
### Rejected Proposals
-| Number | Title | Author | Status |
-| --- | --- | --- | --- |
-| [CAP-0013](cap-0013.md) | Change Trustlines to Balances | Dan Robinson | Rejected |
-| [CAP-0016](cap-0016.md) | Cosigned assets: NopOp and COAUTHORIZED_FLAG | David Mazières | Rejected |
-| [CAP-0031](cap-0031.md) | Sponsored Reserve | Jonathan Jove | Rejected |
-| [CAP-0036](cap-0036.md) | Claimable Balance Clawback | Leigh McCulloch | Rejected |
-| [CAP-0039](cap-0039.md) | Not Auth Revocable Trustlines | Leigh McCulloch | Rejected |
-| [CAP-0048](cap-0048.md) | Smart Contract Asset Interoperability | Jonathan Jove | Rejected |
-| [CAP-0049](cap-0049.md) | Smart Contract Asset Interoperability with Wrapper | Jonathan Jove | Rejected |
-| [CAP-0050](cap-0050.md) | Smart Contract Interactions | Jonathan Jove | Rejected |
-| [CAP-0052](cap-0052.md) | Smart Contract Host Functionality: Base64 Encoding/Decoding | Leigh McCulloch | Rejected |
-| [CAP-0064](cap-0064.md) | Memo Authorization for Soroban | Dmytro Kozhevin | Rejected |
-| [CAP-0061](cap-0061.md) | Smart Contract Standardized Asset (Stellar Asset Contract) Extension: Memo | Tomer Weller | Rejected |
-# Contribution Process
+| Number | Title | Author | Status |
+| ----------------------- | -------------------------------------------------------------------------- | --------------- | -------- |
+| [CAP-0013](cap-0013.md) | Change Trustlines to Balances | Dan Robinson | Rejected |
+| [CAP-0016](cap-0016.md) | Cosigned assets: NopOp and COAUTHORIZED_FLAG | David Mazières | Rejected |
+| [CAP-0031](cap-0031.md) | Sponsored Reserve | Jonathan Jove | Rejected |
+| [CAP-0036](cap-0036.md) | Claimable Balance Clawback | Leigh McCulloch | Rejected |
+| [CAP-0039](cap-0039.md) | Not Auth Revocable Trustlines | Leigh McCulloch | Rejected |
+| [CAP-0048](cap-0048.md) | Smart Contract Asset Interoperability | Jonathan Jove | Rejected |
+| [CAP-0049](cap-0049.md) | Smart Contract Asset Interoperability with Wrapper | Jonathan Jove | Rejected |
+| [CAP-0050](cap-0050.md) | Smart Contract Interactions | Jonathan Jove | Rejected |
+| [CAP-0052](cap-0052.md) | Smart Contract Host Functionality: Base64 Encoding/Decoding | Leigh McCulloch | Rejected |
+| [CAP-0064](cap-0064.md) | Memo Authorization for Soroban | Dmytro Kozhevin | Rejected |
+| [CAP-0061](cap-0061.md) | Smart Contract Standardized Asset (Stellar Asset Contract) Extension: Memo | Tomer Weller | Rejected |
-The Stellar Protocol, like most software in the world, continues to evolve over time to meet the
-needs of our network's participants and to drive technology forward into new territory. Given the
-importance of the reliability and safety of the network, we ask that all of those who have ideas
-towards pushing Stellar's protocol development forward adhere to the following:
+# Contribution Process
-- Consider your idea and how it serves the fundamental goals of the Stellar Network and aligns with
- values of the Stellar Protocol (which are listed below). If you cannot show how your proposal
- aligns with those goals and values, it's unlikely to ever be implemented.
-- Gather feedback from discussion on the dev mailing list and other forums, and utilize it to begin
- a draft proposal, otherwise known as a CAP (Core Advancement Proposal).
+The Stellar protocol, like most software in the world, continues to evolve over
+time to meet the needs of our network's participants and to drive technology
+forward into new territory. Given the importance of the reliability and safety
+of the network, we ask that all of those who have ideas towards pushing
+Stellar's protocol development forward adhere to the following:
+
+- Consider your idea and how it serves the fundamental goals of the Stellar
+ network and aligns with values of the Stellar protocol (which are listed
+ below). If you cannot show how your proposal aligns with those goals and
+ values, it's unlikely to ever be implemented.
+- Gather feedback from discussion on the dev mailing list and other forums, and
+ utilize it to begin a draft proposal, otherwise known as a CAP (Core
+ Advancement Proposal).
- Follow the proposal process listed below.
## Stellar Network Goals
-- **The Stellar Network should be secure and reliable, and should bias towards safety, simplicity,
- reliability, and performance over new functionality.**
-- **The Stellar Network should run at scale and at low cost to all participants of the network.**
- * In support of this, the Stellar Network should support off-chain transactions, e.g. Starlight.
- * An explicit non-goal is limiting the hardware requirements of stellar-core to a personal
- computer.
-- **The Stellar Network should facilitate simplicity and interoperability with other protocols and
- networks.**
- * In support of this, the Stellar Network should facilitate side-chain transactions to enable
- sub-networks.
-- **The Stellar Network should enable cross-border payments, i.e. payments via exchange of assets,
- throughout the globe, enabling users to make payments between assets in a manner that is fast,
- cheap, and highly usable.**
- - In support of this, the Stellar Network should support an orderbook that values simplicity
- over functionality, and one that primarily serves to enable cross-border payments.
- - In support of this, the Stellar Network should facilitate liquidity as a means to enabling
- - cross-border payments.
- - In support of this, the Stellar Network should enable asset issuance, but as a means of
- - enabling cross-border payments.
-- **The Stellar Network should support decentralization wherever possible, but not at the expense
- of the majority of its values.**
- - There should be no privileged actors — we should support egalitarianism and everyone
- participating on the same playing field.
-- **The Stellar Network should enable users to easily exchange their non-Stellar based assets to
- Stellar-based assets, and vice versa.**
-- **The Stellar Network should make it easy for developers of Stellar projects to create highly
- usable products.**
+
+- **The Stellar network should be secure and reliable, and should bias towards
+ safety, simplicity, reliability, and performance over new functionality.**
+- **The Stellar network should run at scale and at low cost to all participants
+ of the network.**
+ - In support of this, the Stellar network should support off-chain
+ transactions, e.g. Starlight.
+ - An explicit non-goal is limiting the hardware requirements of stellar-core
+ to a personal computer.
+- **The Stellar network should facilitate simplicity and interoperability with
+ other protocols and networks.**
+ - In support of this, the Stellar network should facilitate side-chain
+ transactions to enable sub-networks.
+- **The Stellar network should enable cross-border payments, i.e. payments via
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.**
+ - In support of this, the Stellar network should support an orderbook that
+ values simplicity over functionality, and one that primarily serves to
+ enable cross-border payments.
+ - In support of this, the Stellar network should facilitate liquidity as a
+ means to enabling
+ - cross-border payments.
+ - In support of this, the Stellar network should enable asset issuance, but
+ as a means of
+ - enabling cross-border payments.
+- **The Stellar network should support decentralization wherever possible, but
+ not at the expense of the majority of its values.**
+ - There should be no privileged actors — we should support egalitarianism and
+ everyone participating on the same playing field.
+- **The Stellar network should enable users to easily exchange their
+ non-Stellar based assets to Stellar-based assets, and vice versa.**
+- **The Stellar network should make it easy for developers of Stellar projects
+ to create highly usable products.**
## Stellar Protocol Development Values
-- **The Stellar Protocol should serve the goals of the Stellar Network.**
-- **The Stellar Protocol should bias towards simplicity.**
- - When possible, solutions should be considered outside of core protocol changes such as via
- [SEPs (Stellar Ecosystem Proposals)](../ecosystem/README.md) to minimize complexity in the
- Stellar protocol.
- - When possible, proposals should minimize the impact of changes to the smallest surface area and
- shallowest depth (i.e. sticking to the higher levels of the software) of the protocol
- architecture possible to make changes predictable and easier to test and reason about. Changes
- should be surgical, and minimal invasive. As a result, changes that affect lower levels of the
- implementation have a higher bar for acceptance.
- - In order from the lowest level to the highest level systems, the systems are:
+
+- **The Stellar protocol should serve the goals of the Stellar network.**
+- **The Stellar protocol should bias towards simplicity.**
+ - When possible, solutions should be considered outside of core protocol
+ changes such as via
+ [SEPs (Stellar Ecosystem Proposals)](../ecosystem/README.md) to minimize
+ complexity in the Stellar protocol.
+ - When possible, proposals should minimize the impact of changes to the
+ smallest surface area and shallowest depth (i.e. sticking to the higher
+ levels of the software) of the protocol architecture possible to make
+ changes predictable and easier to test and reason about. Changes should be
+ surgical, and minimal invasive. As a result, changes that affect lower
+ levels of the implementation have a higher bar for acceptance.
+ - In order from the lowest level to the highest level systems, the systems
+ are:
- Historical / Ledger XDR
- Observable Transaction Semantics
- Consensus XDR
@@ -191,123 +214,149 @@ towards pushing Stellar's protocol development forward adhere to the following:
- Unobservable tx semantics (eg. performance or bug fixes)
- Horizon semantics
- Public APIs, Client Libraries/SDKs.
-- **The Stellar Protocol should be clear, concise, and opinionated.**
- - New operations and functionality should be opinionated, and straightforward to use.
+- **The Stellar protocol should be clear, concise, and opinionated.**
+ - New operations and functionality should be opinionated, and straightforward
+ to use.
- There should ideally be only one obvious way to accomplish a given task.
-- **The Stellar Protocol should bias towards broad use cases, and bias against niche
- functionality.**
-- **The Stellar Protocol should bias towards user safety.**
+- **The Stellar protocol should bias towards broad use cases, and bias against
+ niche functionality.**
+- **The Stellar protocol should bias towards user safety.**
## CAP Process
-These are the steps from [idea to deployment](https://www.youtube.com/watch?v=Otbml6WIQPo) on how
-to create a Core Advancement Proposal (CAP).
+
+These are the steps from
+[idea to deployment](https://www.youtube.com/watch?v=Otbml6WIQPo) on how to
+create a Core Advancement Proposal (CAP).
### Pre-CAP (Initial Discussion)
-Introduce your idea on the [stellar-dev mailing list](https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!forum/stellar-dev) or [GitHub Discussions].
+
+Introduce your idea on the
+[stellar-dev mailing list](https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!forum/stellar-dev)
+or [GitHub Discussions].
[GitHub Discussions]: https://github.com/stellar/stellar-protocol/discussions
-- Make sure to gather feedback and alternative ideas — it's useful before putting together a
- formal draft!
-- Consider contacting experts in a particular area for feedback while you're hashing out the
- details.
+- Make sure to gather feedback and alternative ideas — it's useful before
+ putting together a formal draft!
+- Consider contacting experts in a particular area for feedback while you're
+ hashing out the details.
### Creating a CAP Draft
-Draft a formal proposal using the [CAP Template](../cap-template.md), and submit a PR to this
-repository. You should make sure to adhere to the following:
+
+Draft a formal proposal using the [CAP Template](../cap-template.md), and
+submit a PR to this repository. You should make sure to adhere to the
+following:
- Make sure to place the draft in the `core/` folder.
- Your CAP should be named `cap-TBD.md`
-- If your CAP requires images or other supporting files, they should be included in a sub-directory
- of the `contents` folder for that CAP, such as `contents/cap-TBD/`. Links
- should be relative, for example a link to an image from your CAP would be
- `../contents/cap-TBD/image.png`.
+- If your CAP requires images or other supporting files, they should be
+ included in a sub-directory of the `contents` folder for that CAP, such as
+ `contents/cap-TBD/`. Links should be relative, for example a link to an image
+ from your CAP would be `../contents/cap-TBD/image.png`.
Finally, submit a PR of your draft via your fork of this repository.
#### Additional Tips
-- Use `TBD` for the protocol version. Don't assign a protocol version to the CAP — this will be
- established once the CAP has reached the state of *Final* and has been formally implemented.
+
+- Use `TBD` for the protocol version. Don't assign a protocol version to the
+ CAP — this will be established once the CAP has reached the state of _Final_
+ and has been formally implemented.
### Draft: Merging & Further Iteration
+
From there, the following process will happen.
#### CAP gets merged
+
If you properly followed the steps above, your PR will get merged.
-The CAP and associated files will get renamed based on the latest
-CAP draft number before merging.
+The CAP and associated files will get renamed based on the latest CAP draft
+number before merging.
#### Assembling a working group
-As your idea gets traction, you'll need to assemble a working group as
-to increase the chances of success that this CAP proceeds through the stages.
+As your idea gets traction, you'll need to assemble a working group as to
+increase the chances of success that this CAP proceeds through the stages.
-For more information on this, review the [working group section](../cap-template.md#working-group) of the CAP template.
+For more information on this, review the
+[working group section](../cap-template.md#working-group) of the CAP template.
#### Iterating on the CAP
-You should continue the discussion of the draft CAP on the mailing list
-with an attempt at reaching consensus.
+You should continue the discussion of the draft CAP on the mailing list with an
+attempt at reaching consensus.
When opening PRs to modify the draft:
-- changes have to either be submitted by one of the authors (Recommender or Owner) or
-signed off by the authors
-- avoid discussions in the PR itself as it makes it more difficult for future contributors to understand the rational for changes.
+
+- changes have to either be submitted by one of the authors (Recommender or
+ Owner) or signed off by the authors
+- avoid discussions in the PR itself as it makes it more difficult for future
+ contributors to understand the rational for changes.
- best is to always discuss in the mailing list.
- - alternatively, a recap of the discussion that happened in the PR could be posted in the mailing list (but it's easy to forget to do this).
+ - alternatively, a recap of the discussion that happened in the PR could be
+ posted in the mailing list (but it's easy to forget to do this).
### Draft -> Awaiting Decision
-When your CAP receives sufficient feedback from the community,
-you'll need to present it to a subset of the CAP Core Team for review.
+When your CAP receives sufficient feedback from the community, you'll need to
+present it to a subset of the CAP Core Team for review.
-For that, when you're ready, you should submit a PR changing the status
-in the draft to `Awaiting Decision`.
+For that, when you're ready, you should submit a PR changing the status in the
+draft to `Awaiting Decision`.
-The CAP will be scheduled to be discussed at a protocol meeting.
-As the owner of the CAP, you will be invited to share your CAP
-and participate in discussion during the meeting.
+The CAP will be scheduled to be discussed at a protocol meeting. As the owner
+of the CAP, you will be invited to share your CAP and participate in discussion
+during the meeting.
You may invite any other members of your working group.
The protocol meetings will be used to decide on next step:
- - If the CAP has received support and general consensus, it is moved to `Awaiting Decision` ;
- - If the CAP requires some adjustments or needs to receive more feedback from the community, the meeting is adjourned ;
- - If for any reason the CAP gets abandoned, it gets a status of `Rejected`.
+
+- If the CAP has received support and general consensus, it is moved to
+ `Awaiting Decision` ;
+- If the CAP requires some adjustments or needs to receive more feedback from
+ the community, the meeting is adjourned ;
+- If for any reason the CAP gets abandoned, it gets a status of `Rejected`.
### Awaiting Decision -> Final Comment Period (FCP)
+
- A vote will take place among the CAP Core Team.
- - A unanimous approval from the CAP Core Team will put the CAP in a `FCP: Accepted` status.
- - Otherwise, the CAP will be given feedback and head towards a `FCP: Rejected` status (if the
- majority of the CAP raises concerns) or a `Draft` status (if only a minority of the CAP
- raises concerns).
+ - A unanimous approval from the CAP Core Team will put the CAP in a
+ `FCP: Accepted` status.
+ - Otherwise, the CAP will be given feedback and head towards a
+ `FCP: Rejected` status (if the majority of the CAP raises concerns) or a
+ `Draft` status (if only a minority of the CAP raises concerns).
- It can take upwards of 3 meetings before a disposition is reached.
### FCP -> Accepted/Rejected
-- After a week of an Final Comment Period (FCP) where any major concerns that have not been
- previously addressed can be brought up, the CAP will head to its final disposition.
- - Concerns will be addressed on a case by case basis, and only major concerns that were not
- addressed earlier will move the CAP back to a `Draft` state.
+
+- After a week of an Final Comment Period (FCP) where any major concerns that
+ have not been previously addressed can be brought up, the CAP will head to
+ its final disposition.
+ - Concerns will be addressed on a case by case basis, and only major concerns
+ that were not addressed earlier will move the CAP back to a `Draft` state.
### CAP Implementation
-SDF will prioritize accepted CAPs among its priorities for a given year. However, if you want to
-ensure your CAP is implemented in a timely manner, it is likely best for you to attempt to
-implement it yourself.
+SDF will prioritize accepted CAPs among its priorities for a given year.
+However, if you want to ensure your CAP is implemented in a timely manner, it
+is likely best for you to attempt to implement it yourself.
-Once a CAP is implemented, a PR should be submitted to update its status to **Implementation
-Review**, along with the protocol version it was released in if applicable.
+Once a CAP is implemented, a PR should be submitted to update its status to
+**Implementation Review**, along with the protocol version it was released in
+if applicable.
-From here the proposal is brought up again before the protocol group for additional comment, where
-it is possible that the proposal is rejected based on the issues that arise from its
-implementation. If no issues arise, it will move to **Implemented** by a CAP team member.
+From here the proposal is brought up again before the protocol group for
+additional comment, where it is possible that the proposal is rejected based on
+the issues that arise from its implementation. If no issues arise, it will move
+to **Implemented** by a CAP team member.
### CAP Finalization
-Once an implemented CAP has been released in a specified version, the CAP should be updated with
-the protocol version that the implementation targets. From there, once a majority of validators on
-the network have accepted the implementation, it will move to **Final**.
+Once an implemented CAP has been released in a specified version, the CAP
+should be updated with the protocol version that the implementation targets.
+From there, once a majority of validators on the network have accepted the
+implementation, it will move to **Final**.
## CAP Team Members
diff --git a/core/cap-0001.md b/core/cap-0001.md
index d2cda7759..a026cce38 100644
--- a/core/cap-0001.md
+++ b/core/cap-0001.md
@@ -11,41 +11,44 @@ Protocol version: 10
```
## Simple Summary
-The Bump Sequence operation allows you to bump forward the sequence number of the source
-account of the operation.
+
+The Bump Sequence operation allows you to bump forward the sequence number of
+the source account of the operation.
If the specified bumpTo sequence number is greater than the source account's
sequence number, the account's sequence number is updated with that value,
otherwise it's not modified.
## Abstract
-The Bump sequence operation allows you to bump forward the sequence number of the source account
-of the operation.
+
+The Bump sequence operation allows you to bump forward the sequence number of
+the source account of the operation.
## Motivation
+
Addresses a need when dealing with a large number of pre-signed transactions
-where there is a need to invalidate an execution branch.
-The problem is solved by allowing the branches of pre-signed transactions
-to have non-overlapping sequence numbers and creating a new operation to
-change the sequence number of the account to an arbitrary number.
+where there is a need to invalidate an execution branch. The problem is solved
+by allowing the branches of pre-signed transactions to have non-overlapping
+sequence numbers and creating a new operation to change the sequence number of
+the account to an arbitrary number.
## Specification
-The Bump Sequence operation allows you to bump forward the sequence number of the source
-account of the operation.
+The Bump Sequence operation allows you to bump forward the sequence number of
+the source account of the operation.
If the specified `bumpTo` sequence number is greater than the source account's
- sequence number, the account's sequence number is updated with that value,
+sequence number, the account's sequence number is updated with that value,
otherwise it's not modified.
Threshold is "Low", in line with the weight required by a signer for the source
account to update the sequence number for all transactions.
-Note:
-This operation only allows bumping the sequence number up to
+Note: This operation only allows bumping the sequence number up to
`(current_ledger_number<<32) - 1`.
`BumpSequenceOp` specification:
+
```c++
struct BumpSequenceOp
{
@@ -72,6 +75,7 @@ default:
```
New error code for `AccountMerge`:
+
```c++
/******* AccountMerge Result ********/
@@ -89,6 +93,7 @@ enum AccountMergeResultCode
```
New error code at the operation level:
+
```c++
enum OperationResultCode
{
@@ -100,8 +105,9 @@ enum OperationResultCode
};
```
-Updated meta data format:
-Transactions now update the sequence number right before applying their operations.
+Updated meta data format: Transactions now update the sequence number right
+before applying their operations.
+
```c++
struct TransactionMetaV1
{
@@ -121,60 +127,64 @@ case 1:
```
Finally this change also switches `SequenceNumber` to be a signed integer:
+
```c++
typedef int64 SequenceNumber;
```
## Rationale
-`BumpSequenceOp` is a new operation, in order to properly reject the use of this
-new operation from nodes that understand the xdr but with the network still
-running an older protocol version, a new return value is added to operation
-result to communicate the failure. Note that this error code should never
-appear in results processed post consensus as operations failing that way
+`BumpSequenceOp` is a new operation, in order to properly reject the use of
+this new operation from nodes that understand the xdr but with the network
+still running an older protocol version, a new return value is added to
+operation result to communicate the failure. Note that this error code should
+never appear in results processed post consensus as operations failing that way
are deemed "invalid".
-In addition, to avoid sequence number reuse by re-creating an account that was merged,
-AccountMerge is modified to not allow merging the account if it would open the possibility
-of the account being re-created with a smaller sequence number.
+In addition, to avoid sequence number reuse by re-creating an account that was
+merged, AccountMerge is modified to not allow merging the account if it would
+open the possibility of the account being re-created with a smaller sequence
+number.
-The move to signed integers for `SequenceNumber` was driven by the same rationale
-than for why amounts are modeled as signed integers and the fact that `BumpSeqOp`
-makes it a lot likier to have sequence numbers in the high 64 bit range:
-many languages and systems (SQL) do not support unsigned integers properly which
-may lead to crashes or unexpected behaviors.
+The move to signed integers for `SequenceNumber` was driven by the same
+rationale than for why amounts are modeled as signed integers and the fact that
+`BumpSeqOp` makes it a lot likier to have sequence numbers in the high 64 bit
+range: many languages and systems (SQL) do not support unsigned integers
+properly which may lead to crashes or unexpected behaviors.
### Considerations on how transaction sets are applied to ledgers
#### pre v10 implementation
Currently a transaction set is processed in two phases:
-* fees and sequence numbers are collected globally
-* transactions (and their operations) are applied
+
+- fees and sequence numbers are collected globally
+- transactions (and their operations) are applied
The problem with this approach is that with the introduction of an operation
-like `BumpSequenceOp`, we have some inconsistencies in the way transactions
- are processed:
+like `BumpSequenceOp`, we have some inconsistencies in the way transactions are
+processed:
if a transaction bumps the sequence number of an account used in a later
transaction, the second transaction is expected to fail but with the current
implementation, it won't (as sequence number checks are performed while
collecting fees).
-One the reasons that `BumpSequenceOp` is introduced is to invalidate ranges
-of transactions, and with the current behavior it would make it difficult to
+One the reasons that `BumpSequenceOp` is introduced is to invalidate ranges of
+transactions, and with the current behavior it would make it difficult to
reason about the correctness of sequence of transactions.
#### Updated sequence number processing
Only process fees first:
-* fees are collected globally as they are now
-* transactions are applied, before applying individual transactions:
- * numbers are checked for validity
- * if the sequence number was valid, update the account's sequence number
-We would not change the logic to construct or validate a transaction set:
-a transaction set would still be built with transactions that have consecutive
+- fees are collected globally as they are now
+- transactions are applied, before applying individual transactions:
+ - numbers are checked for validity
+ - if the sequence number was valid, update the account's sequence number
+
+We would not change the logic to construct or validate a transaction set: a
+transaction set would still be built with transactions that have consecutive
sequence numbers.
The difference is that in the event that a transaction is invalidated by an
@@ -187,34 +197,34 @@ level changes when applying the transaction and its operations.
## Backwards Compatibility
-As the sequence number is updated as part of the regular processing of operations,
- it requires to emit transaction level meta data, which only existed as part of
-the fee processing (included in the `txfeehistory` table).
-The implementation will switch to using the new meta format for all transactions,
+As the sequence number is updated as part of the regular processing of
+operations, it requires to emit transaction level meta data, which only existed
+as part of the fee processing (included in the `txfeehistory` table). The
+implementation will switch to using the new meta format for all transactions,
including the ones for older versions of the protocol (which will not emit any
-transaction level meta data as expected).
-While this is not strictly necessary, it's safer as it makes it obvious that
-downstream systems (such as Horizon) need to be updated to support the
-new meta data format; the alternative would have been to change the meta data
-format with the protocol version, but as protocol version upgrades are not
-necessarily managed by the node operators it ends up being less safe.
-
-The shift to signed sequence numbers is backward compatible from a data
-point of view as the top 32 bits of sequence numbers are seeded with the
-legder sequence number in older versions of the protocol.
-Some SDKs may have to be slightly updated if they enforce strong typing.
-In addition, existing code even with the updated range will continue to work
-as sequence numbers are within a subset of the range that was supported
-before.
+transaction level meta data as expected). While this is not strictly necessary,
+it's safer as it makes it obvious that downstream systems (such as Horizon)
+need to be updated to support the new meta data format; the alternative would
+have been to change the meta data format with the protocol version, but as
+protocol version upgrades are not necessarily managed by the node operators it
+ends up being less safe.
+
+The shift to signed sequence numbers is backward compatible from a data point
+of view as the top 32 bits of sequence numbers are seeded with the legder
+sequence number in older versions of the protocol. Some SDKs may have to be
+slightly updated if they enforce strong typing. In addition, existing code even
+with the updated range will continue to work as sequence numbers are within a
+subset of the range that was supported before.
## Test Cases
-* `BumpSequenceOp` rejected on older versions of the protocol
-* bumps to a small number passed the current sequence number
-* bumps to `MAX_INT64`, at which point the account cannot be used as transaction source account
-* bumps to a number smaller than the current sequence number (should no op)
-* bumps to a sequence number that is negative
-* don't allow merge when the account sequence number is too high
+- `BumpSequenceOp` rejected on older versions of the protocol
+- bumps to a small number passed the current sequence number
+- bumps to `MAX_INT64`, at which point the account cannot be used as
+ transaction source account
+- bumps to a number smaller than the current sequence number (should no op)
+- bumps to a sequence number that is negative
+- don't allow merge when the account sequence number is too high
## Implementation
diff --git a/core/cap-0002.md b/core/cap-0002.md
index 992ead28a..59557e2b9 100644
--- a/core/cap-0002.md
+++ b/core/cap-0002.md
@@ -2,7 +2,7 @@
```
CAP: 0002
-Title: Transaction level signature verification
+Title: Transaction level signature verification
Author: Nicolas Barry, Rafal Malinowski
Status: Final
Created: 2018-05-03
@@ -11,54 +11,57 @@ Protocol Version: 10
```
## Simple Summary
-Make signature verification behave the same way pre and post consensus
- in order to make smart contracts easier to author.
+
+Make signature verification behave the same way pre and post consensus in order
+to make smart contracts easier to author.
## Abstract
-Perform signature verification (for each operation) before performing
-any of the transaction side effects.
+Perform signature verification (for each operation) before performing any of
+the transaction side effects.
-This may still allow certain transactions to invalidate future transactions
-in the same transaction set, while allowing operations in a transaction to
-safely manipulate signers.
+This may still allow certain transactions to invalidate future transactions in
+the same transaction set, while allowing operations in a transaction to safely
+manipulate signers.
## Motivation
Currently signatures are verified in two different ways:
-* when building a transaction set for consensus, verification is done without
-any of the operation side effects
-* when applying transactions post consensus, each operation checks again for
-signatures
+
+- when building a transaction set for consensus, verification is done without
+ any of the operation side effects
+- when applying transactions post consensus, each operation checks again for
+ signatures
The problem with this approach is that some operations may cause subsequent
operations in the same transaction to fail, making crafting pre-signed
-transactions that manipulate multiple signers or weights very complicated
-(or impossible) to implement in the context of multiple operations within
-a transaction.
+transactions that manipulate multiple signers or weights very complicated (or
+impossible) to implement in the context of multiple operations within a
+transaction.
## Specification
Transaction's `doApply` will be modified to perform in order:
+
1. transaction level changes
- 1. sequence number processing
- 2. signature verification
- 1. verify signatures for each operation
- 2. removal of one time signatures
-2. operations processing, for each operation:
- 1. validity checks (same as today except for the signature verification)
- 2. side effects
+ 1. sequence number processing
+ 2. signature verification
+ 1. verify signatures for each operation
+ 2. removal of one time signatures
+2. operations processing, for each operation:
+ 1. validity checks (same as today except for the signature verification)
+ 2. side effects
## Rationale
-This approach makes signature verification behave the same way than how sequence
-numbers are now processed (in v10 of the protocol as per cap-0001).
+This approach makes signature verification behave the same way than how
+sequence numbers are now processed (in v10 of the protocol as per cap-0001).
Removal of one time signatures are done first in order to avoid introducing a
new concept of "post transaction side effects" that are not currently modeled
in the meta data.
-Note that we *could* add this notion to protocol 10 as cap-001 has not been put
+Note that we _could_ add this notion to protocol 10 as cap-001 has not been put
in production yet but the added complexity doesn't seem to be necessary.
## Backwards Compatibility
@@ -68,9 +71,11 @@ This change makes certain transaction succeed that are now failing.
There are probably no good use cases for those failures, so it is deemed safe.
## Test Cases
+
Transactions that should now succeed:
### change thresholds twice
+
```json
// transaction that changes A thresholds twice
@@ -92,6 +97,7 @@ envelope:
Failing right now with `opBAD_AUTH` for second operation.
### lower master weight twice
+
```json
// A with weigths=[10,1,5,10]
@@ -114,6 +120,7 @@ envelope:
Failing right now with `opBAD_AUTH` for second operation.
### remove signer and do something
+
```json
// A with signers: {key: B, weight: 1}; weigths=[1,2,2,2]
envelope:
@@ -136,4 +143,5 @@ Failing right now with `opBAD_AUTH` for second operation.
## Implementation
-Commit [c9087d0cc4c0710c9129d473fcd22887c60e4653](https://github.com/stellar/stellar-core/commit/c9087d0cc4c0710c9129d473fcd22887c60e4653)
+Commit
+[c9087d0cc4c0710c9129d473fcd22887c60e4653](https://github.com/stellar/stellar-core/commit/c9087d0cc4c0710c9129d473fcd22887c60e4653)
diff --git a/core/cap-0003.md b/core/cap-0003.md
index d47352101..c1a62fcf8 100644
--- a/core/cap-0003.md
+++ b/core/cap-0003.md
@@ -11,25 +11,63 @@ Protocol version: 10
```
## Simple Summary
-Asset-backed offers is a proposal to resolve the issue that offers in the ledger might not be executable.
+
+Asset-backed offers is a proposal to resolve the issue that offers in the
+ledger might not be executable.
## Abstract
-Asset-backed offers is a proposal to resolve the issue that a single account might have liabilities, in the form of offers on the ledger, that exceeds the assets of the account. When this occurs offers in the ledger might not be executable, in the sense that there exists no crossing offer such that the entire amount of the offer is exchanged. Offers in the ledger that are not executable provide a false sense of liquidity.
-## Motivation
-We will say that an offer is "immediately executable in full" (IEIF in short) if, were it crossed by a hypothetical offer with no limits on amount bought or sold, the entire amount of selling asset would be exchanged. It is desirable that all offers are IEIF since this enables users to easily evaluate the amount of available liquidity.
+Asset-backed offers is a proposal to resolve the issue that a single account
+might have liabilities, in the form of offers on the ledger, that exceeds the
+assets of the account. When this occurs offers in the ledger might not be
+executable, in the sense that there exists no crossing offer such that the
+entire amount of the offer is exchanged. Offers in the ledger that are not
+executable provide a false sense of liquidity.
-The protocol requires that, upon creation, every offer satisfies the following two conditions:
+## Motivation
-* The amount offered to sell does not exceed the available balance of the selling asset
-* The amount offered to buy (computed implicitly) does not exceed the available limit of the buying asset
+We will say that an offer is "immediately executable in full" (IEIF in short)
+if, were it crossed by a hypothetical offer with no limits on amount bought or
+sold, the entire amount of selling asset would be exchanged. It is desirable
+that all offers are IEIF since this enables users to easily evaluate the amount
+of available liquidity.
+
+The protocol requires that, upon creation, every offer satisfies the following
+two conditions:
+
+- The amount offered to sell does not exceed the available balance of the
+ selling asset
+- The amount offered to buy (computed implicitly) does not exceed the available
+ limit of the buying asset
+
+We will now demonstrate that these conditions are not sufficient to ensure that
+an offer is IEIF. Suppose that an account creates an offer which is IEIF with
+the selling amount equal to the available balance of the selling asset. The
+account then creates a second offer with a worse price but otherwise identical
+to the first. Although each offer individually satisfies the above
+requirements, the second offer is not IEIF. For suppose that the second offer
+was crossed by a hypothetical offer with no limits. This crossing offer would
+initially cross the first offer, which leaves no available balance for the
+selling asset. When the second offer is then crossed, no assets can be
+exchanged.
+
+Analogous to the above example, it is possible to create multiple offers that
+individually meet the requirements but exceed the available limit when
+considered in aggregate. Suppose that an offer creates an offer which is IEIF
+with the buying amount equal to the available limit of the buying asset. The
+account then creates a second offer with a worse price but otherwise identical
+to the first. Although each offer individually satisfies the above
+requirements, the second offer is not IEIF. For suppose that the second offer
+was crossed by a hypothetical offer with no limits. This crossing offer would
+initially cross the first offer, which leaves no available limit for the buying
+asset. When the second offer is then crossed, no assets can be exchanged.
-We will now demonstrate that these conditions are not sufficient to ensure that an offer is IEIF. Suppose that an account creates an offer which is IEIF with the selling amount equal to the available balance of the selling asset. The account then creates a second offer with a worse price but otherwise identical to the first. Although each offer individually satisfies the above requirements, the second offer is not IEIF. For suppose that the second offer was crossed by a hypothetical offer with no limits. This crossing offer would initially cross the first offer, which leaves no available balance for the selling asset. When the second offer is then crossed, no assets can be exchanged.
+## Specification
-Analogous to the above example, it is possible to create multiple offers that individually meet the requirements but exceed the available limit when considered in aggregate. Suppose that an offer creates an offer which is IEIF with the buying amount equal to the available limit of the buying asset. The account then creates a second offer with a worse price but otherwise identical to the first. Although each offer individually satisfies the above requirements, the second offer is not IEIF. For suppose that the second offer was crossed by a hypothetical offer with no limits. This crossing offer would initially cross the first offer, which leaves no available limit for the buying asset. When the second offer is then crossed, no assets can be exchanged.
+This proposal will require XDR changes for `AccountEntry` and `TrustLineEntry`,
+as well as schema updates for the accounts and trustlines tables. The updated
+XDR is:
-## Specification
-This proposal will require XDR changes for `AccountEntry` and `TrustLineEntry`, as well as schema updates for the accounts and trustlines tables. The updated XDR is:
```c++
struct Liabilities
{
@@ -105,6 +143,7 @@ struct TrustLineEntry
```
The SQL required to update the schema is:
+
```sql
ALTER TABLE accounts ADD buyingliabilities BIGINT
CHECK (buyingliabilities >= 0);
@@ -117,6 +156,7 @@ ALTER TABLE trustlines ADD sellingliabilities BIGINT
```
The operation result code `ACCOUNT_MERGE_DEST_FULL` also must be added:
+
```c++
enum AccountMergeResultCode
{
@@ -134,133 +174,257 @@ enum AccountMergeResultCode
```
## Rationale
-The purpose of the asset-backed offers proposal is to maintain the invariant that every offer is IEIF. We begin with a discussion of what can cause offers to no longer be IEIF:
-
-* Fees
- * Account `A` is used to pay fees: offers owned by `A` and selling the native asset may no longer be IEIF
-* `AllowTrustOp`
- * Revoke authorization from account `A` to hold non-native asset `X`: all offers owned by `A` and either buying or selling `X` are no longer IEIF
-* `ChangeTrustOp`
- * Create trust line for account `A`: offers owned by `A` and selling the native asset may no longer be IEIF
- * Reduce the limit on a trust line for account `A` to hold a non-native asset `X`: offers owned by `A` and buying `X` may no longer be IEIF
-* `CreateAccountOp`
- * Create account using native assets from account `A`: offers owned by `A` and selling the native asset may no longer be IEIF
-* `InflationOp`
- * Account `W` is an inflation winner: offers owned by `W` and buying the native asset may no longer be IEIF
-* `ManageDataOp`
- * Create account data for account `A`: offers owned by `A` and selling the native asset may no longer be IEIF
-* `ManageOfferOp` (and `CreatePassiveOfferOp`)
- * Account `A` crosses offer owned by account `M` selling asset `Y` for asset `X`:
- * offers owned by `A` and selling `X` may no longer be IEIF
- * offers owned by `A` and buying `Y` may no longer be IEIF
- * offers owned by `M` and selling `Y` may no longer be IEIF
- * offers owned by `M` and buying `X` may no longer be IEIF
- * Create offer for account `A` selling asset `X` for asset `Y`:
- * offers owned by `A` and selling `X` may no longer be IEIF
- * offers owned by `A` and buying `Y` may no longer be IEIF
- * offers owned by `A` and selling the native asset may no longer be IEIF
-* `MergeOp`
- * Account `S` is merged into account `D`: offers owned by `D` and buying the native asset may no longer be IEIF
-* `PaymentOp`
- * Account `S` pays asset `X` to account `D`:
- * offers owned by `S` and selling `X` may no longer be IEIF
- * offers owned by `D` and buying `X` may no longer be IEIF
-* `PathPaymentOp`
- * Account `S` crosses offer owned by account `M` selling asset `Y` for asset `X`:
- * offers owned by `S` and selling `X` may no longer be IEIF
- * offers owned by `S` and buying `Y` may no longer be IEIF
- * offers owned by `M` and selling `Y` may no longer be IEIF
- * offers owned by `M` and buying `X` may no longer be IEIF
- * Account `S` pays asset `X` to account `D` arriving as asset `Y`:
- * offers owned by `S` and selling `X` may no longer be IEIF
- * offers owned by `D` and buying `Y` may no longer be IEIF
-* `SetOptionsOp`
- * Add signer to account `A`: offers owned by `A` and selling the native asset may no longer be IEIF
-
-From this analysis, it is clear that any proposal which attempts to modify or delete offers that are no longer IEIF would require maintaining the offer book after fee collection and after each operation. This would be both complicated and inefficient. Instead, we pursue a proposal which modifies the operations such that they guarantee offers remain IEIF. To achieve this, we first define new quantities which are derived data on the ledger:
-
-* `account.sellingLiabilities`
- * For account `A`: the amount of native asset offered to be sold, aggregated over all offers owned by `A`
-* `account.buyingLiabilities`
- * For account `A`: the amount of native asset offered to be bought, aggregated over all offers owned by `A`
-* `trustline.sellingLiabilities`
- * For account `A` and non-native asset `X`: the amount of `X` offered to be sold, aggregated over all offers owned by `A`
-* `trustline.buyingLiabilities`
- * For account `A` and non-native asset `X`: the amount of `X` offered to be bought, aggregated over all offers owned by `A`
-
-These quantities will be updated whenever an offer is created, modified, or deleted. When an offer is created, the liabilities for the offer will be calculated and added to `buyingLiabilities` and `sellingLiabilities` in the relevant account and/or trust lines. When an offer is deleted, the liabilities for the offer will be calculated and subtracted from `buyingLiabilities` and `sellingLiabilities` in the relevant account and/or trust lines. When an offer is modified, it can be viewed as a delete followed by a create so the `buyingLiabilities` and `sellingLiabilities` can be updated using the logic from those cases. As we already load accounts and trust lines when interacting with offers, the cost of maintaining these quantities should be minimal.
-
-We will now use these quantities to modify the operations such that they guarantee offers remain IEIF. In what follows, available limit is `INT64_MAX` for the native asset and `limit - buyingLiabilities` for non-native assets. Similarly, available balance is `balance - reserve - sellingLiabilities` for the native asset and `balance - sellingLiabilities` for non-native assets. In order for issuers to be able to buy or sell any quantity (even exceeding `INT64_MAX`) of an asset they issued, available limit and available balance will always be `INT64_MAX` in this case. The asset-backed offers proposal modifies the operations such that all offers remain IEIF after an operation:
-
-* Fees
- * Account `A` is used to pay fees: transaction is not valid with result `txINSUFFICIENT_BALANCE` if new available balance of native asset is negative
-* `AllowTrustOp`
- * Revoke authorization from account `A` to hold non-native asset `X`: all offers owned by `A` and either buying or selling `X` are deleted
-* `ChangeTrustOp`
- * Create trust line for account `A`: fails with result `CHANGE_TRUST_LOW_RESERVE` if new available balance of native asset is negative
- * Reduce the limit on a trust line for account `A` to hold a non-native asset `X`: fails with result `CHANGE_TRUST_INVALID_LIMIT` if new available limit is negative
-* `CreateAccountOp`
- * Create account using native assets from account `A`: fails with `CREATE_ACCOUNT_UNDERFUNDED` if new available balance of native asset is negative
-* `InflationOp`
- * Account `W` is an inflation winner: inflation winners receive the minimum of their winning and their available limit of native asset, with the residual returned to the inflation pool
-* `ManageDataOp`
- * Create account data for account `A`: fails with result `MANAGE_DATA_LOW_RESERVE` if new available balance of native asset is negative
-* `ManageOfferOp` (and `CreatePassiveOfferOp`)
- * Account `A` crosses offer owned by account `M` selling asset `Y` for asset `X`:
- * `A` does not buy more `Y` than available limit
- * `A` does not sell more `X` than available balance
- * `M` does not buy more `X` than available limit
- * `M` does not sell more `Y` than available balance
- * Create offer for account `A` selling asset `X` for asset `Y`:
- * `A` does not offer to sell more `X` than available balance
- * `A` does not offer to buy more `Y` than available limit
- * fails with result `MANAGE_OFFER_LOW_RESERVE` if new available balance of native asset is negative
-* `MergeOp`
- * Account `S` is merged into account `D`: fails with result `ACCOUNT_MERGE_DEST_FULL` if new available limit of native asset is negative
-* `PaymentOp`
- * Account `S` pays asset `X` to account `D`:
- * fails with result `PAYMENT_UNDERFUNDED` if new available balance of `X` in `S` is negative
- * fails with result `PAYMENT_LINE_FULL` if new available limit of `X` in `D` is negative
-* `PathPaymentOp`
- * Account `S` pays asset `X` to account `D` arriving as asset `Y`:
- * fails with result `PATH_PAYMENT_UNDERFUNDED` if new available balance of `X` in `S` is negative
- * fails with result `PATH_PAYMENT_LINE_FULL` if new available limit of `Y` in `D` is negative
- * Account `S` crosses offer owned by account `M` selling asset `Y` for asset `X`:
- * `S` does not buy more `Y` than available limit
- * `S` does not sell more `X` than available balance
- * `M` does not buy more `X` than available limit
- * `M` does not sell more `Y` than available balance
-* `SetOptionsOp`
- * Add signer to account `A`: fails with result `SET_OPTIONS_LOW_RESERVE` if new available balance of native asset is negative
-
-The behavior of `ManageOfferOp` (and `CreatePassiveOfferOp`) will undergo a considerable change in order to make the behavior predictable and performant with regard to liabilities. Before crossing any offers, both operations will now enforce the following requirements:
-
-* If modifying the offer `offerID`, then the liabilities associated with offer `offerID` are removed
-* If a new offer is being created, the number of subentries is updated
-* If the buying liabilities associated with the new offer exceed the available limit then the operation fails with `MANAGE_OFFER_LINE_FULL`
-* If the selling liabilities associated with the new offer exceed the available balance then the operation fails with `MANAGE_OFFER_UNDERFUNDED`
-
-These updates to `ManageOfferOp` (and `CreatePassiveOfferOp`) imply all of the modifications discussed in the previous list for these operations.
+
+The purpose of the asset-backed offers proposal is to maintain the invariant
+that every offer is IEIF. We begin with a discussion of what can cause offers
+to no longer be IEIF:
+
+- Fees
+ - Account `A` is used to pay fees: offers owned by `A` and selling the native
+ asset may no longer be IEIF
+- `AllowTrustOp`
+ - Revoke authorization from account `A` to hold non-native asset `X`: all
+ offers owned by `A` and either buying or selling `X` are no longer IEIF
+- `ChangeTrustOp`
+ - Create trust line for account `A`: offers owned by `A` and selling the
+ native asset may no longer be IEIF
+ - Reduce the limit on a trust line for account `A` to hold a non-native asset
+ `X`: offers owned by `A` and buying `X` may no longer be IEIF
+- `CreateAccountOp`
+ - Create account using native assets from account `A`: offers owned by `A`
+ and selling the native asset may no longer be IEIF
+- `InflationOp`
+ - Account `W` is an inflation winner: offers owned by `W` and buying the
+ native asset may no longer be IEIF
+- `ManageDataOp`
+ - Create account data for account `A`: offers owned by `A` and selling the
+ native asset may no longer be IEIF
+- `ManageOfferOp` (and `CreatePassiveOfferOp`)
+ - Account `A` crosses offer owned by account `M` selling asset `Y` for asset
+ `X`:
+ - offers owned by `A` and selling `X` may no longer be IEIF
+ - offers owned by `A` and buying `Y` may no longer be IEIF
+ - offers owned by `M` and selling `Y` may no longer be IEIF
+ - offers owned by `M` and buying `X` may no longer be IEIF
+ - Create offer for account `A` selling asset `X` for asset `Y`:
+ - offers owned by `A` and selling `X` may no longer be IEIF
+ - offers owned by `A` and buying `Y` may no longer be IEIF
+ - offers owned by `A` and selling the native asset may no longer be IEIF
+- `MergeOp`
+ - Account `S` is merged into account `D`: offers owned by `D` and buying the
+ native asset may no longer be IEIF
+- `PaymentOp`
+ - Account `S` pays asset `X` to account `D`:
+ - offers owned by `S` and selling `X` may no longer be IEIF
+ - offers owned by `D` and buying `X` may no longer be IEIF
+- `PathPaymentOp`
+ - Account `S` crosses offer owned by account `M` selling asset `Y` for asset
+ `X`:
+ - offers owned by `S` and selling `X` may no longer be IEIF
+ - offers owned by `S` and buying `Y` may no longer be IEIF
+ - offers owned by `M` and selling `Y` may no longer be IEIF
+ - offers owned by `M` and buying `X` may no longer be IEIF
+ - Account `S` pays asset `X` to account `D` arriving as asset `Y`:
+ - offers owned by `S` and selling `X` may no longer be IEIF
+ - offers owned by `D` and buying `Y` may no longer be IEIF
+- `SetOptionsOp`
+ - Add signer to account `A`: offers owned by `A` and selling the native asset
+ may no longer be IEIF
+
+From this analysis, it is clear that any proposal which attempts to modify or
+delete offers that are no longer IEIF would require maintaining the offer book
+after fee collection and after each operation. This would be both complicated
+and inefficient. Instead, we pursue a proposal which modifies the operations
+such that they guarantee offers remain IEIF. To achieve this, we first define
+new quantities which are derived data on the ledger:
+
+- `account.sellingLiabilities`
+ - For account `A`: the amount of native asset offered to be sold, aggregated
+ over all offers owned by `A`
+- `account.buyingLiabilities`
+ - For account `A`: the amount of native asset offered to be bought,
+ aggregated over all offers owned by `A`
+- `trustline.sellingLiabilities`
+ - For account `A` and non-native asset `X`: the amount of `X` offered to be
+ sold, aggregated over all offers owned by `A`
+- `trustline.buyingLiabilities`
+ - For account `A` and non-native asset `X`: the amount of `X` offered to be
+ bought, aggregated over all offers owned by `A`
+
+These quantities will be updated whenever an offer is created, modified, or
+deleted. When an offer is created, the liabilities for the offer will be
+calculated and added to `buyingLiabilities` and `sellingLiabilities` in the
+relevant account and/or trust lines. When an offer is deleted, the liabilities
+for the offer will be calculated and subtracted from `buyingLiabilities` and
+`sellingLiabilities` in the relevant account and/or trust lines. When an offer
+is modified, it can be viewed as a delete followed by a create so the
+`buyingLiabilities` and `sellingLiabilities` can be updated using the logic
+from those cases. As we already load accounts and trust lines when interacting
+with offers, the cost of maintaining these quantities should be minimal.
+
+We will now use these quantities to modify the operations such that they
+guarantee offers remain IEIF. In what follows, available limit is `INT64_MAX`
+for the native asset and `limit - buyingLiabilities` for non-native assets.
+Similarly, available balance is `balance - reserve - sellingLiabilities` for
+the native asset and `balance - sellingLiabilities` for non-native assets. In
+order for issuers to be able to buy or sell any quantity (even exceeding
+`INT64_MAX`) of an asset they issued, available limit and available balance
+will always be `INT64_MAX` in this case. The asset-backed offers proposal
+modifies the operations such that all offers remain IEIF after an operation:
+
+- Fees
+ - Account `A` is used to pay fees: transaction is not valid with result
+ `txINSUFFICIENT_BALANCE` if new available balance of native asset is
+ negative
+- `AllowTrustOp`
+ - Revoke authorization from account `A` to hold non-native asset `X`: all
+ offers owned by `A` and either buying or selling `X` are deleted
+- `ChangeTrustOp`
+ - Create trust line for account `A`: fails with result
+ `CHANGE_TRUST_LOW_RESERVE` if new available balance of native asset is
+ negative
+ - Reduce the limit on a trust line for account `A` to hold a non-native asset
+ `X`: fails with result `CHANGE_TRUST_INVALID_LIMIT` if new available limit
+ is negative
+- `CreateAccountOp`
+ - Create account using native assets from account `A`: fails with
+ `CREATE_ACCOUNT_UNDERFUNDED` if new available balance of native asset is
+ negative
+- `InflationOp`
+ - Account `W` is an inflation winner: inflation winners receive the minimum
+ of their winning and their available limit of native asset, with the
+ residual returned to the inflation pool
+- `ManageDataOp`
+ - Create account data for account `A`: fails with result
+ `MANAGE_DATA_LOW_RESERVE` if new available balance of native asset is
+ negative
+- `ManageOfferOp` (and `CreatePassiveOfferOp`)
+ - Account `A` crosses offer owned by account `M` selling asset `Y` for asset
+ `X`:
+ - `A` does not buy more `Y` than available limit
+ - `A` does not sell more `X` than available balance
+ - `M` does not buy more `X` than available limit
+ - `M` does not sell more `Y` than available balance
+ - Create offer for account `A` selling asset `X` for asset `Y`:
+ - `A` does not offer to sell more `X` than available balance
+ - `A` does not offer to buy more `Y` than available limit
+ - fails with result `MANAGE_OFFER_LOW_RESERVE` if new available balance of
+ native asset is negative
+- `MergeOp`
+ - Account `S` is merged into account `D`: fails with result
+ `ACCOUNT_MERGE_DEST_FULL` if new available limit of native asset is
+ negative
+- `PaymentOp`
+ - Account `S` pays asset `X` to account `D`:
+ - fails with result `PAYMENT_UNDERFUNDED` if new available balance of `X`
+ in `S` is negative
+ - fails with result `PAYMENT_LINE_FULL` if new available limit of `X` in
+ `D` is negative
+- `PathPaymentOp`
+ - Account `S` pays asset `X` to account `D` arriving as asset `Y`:
+ - fails with result `PATH_PAYMENT_UNDERFUNDED` if new available balance of
+ `X` in `S` is negative
+ - fails with result `PATH_PAYMENT_LINE_FULL` if new available limit of `Y`
+ in `D` is negative
+ - Account `S` crosses offer owned by account `M` selling asset `Y` for asset
+ `X`:
+ - `S` does not buy more `Y` than available limit
+ - `S` does not sell more `X` than available balance
+ - `M` does not buy more `X` than available limit
+ - `M` does not sell more `Y` than available balance
+- `SetOptionsOp`
+ - Add signer to account `A`: fails with result `SET_OPTIONS_LOW_RESERVE` if
+ new available balance of native asset is negative
+
+The behavior of `ManageOfferOp` (and `CreatePassiveOfferOp`) will undergo a
+considerable change in order to make the behavior predictable and performant
+with regard to liabilities. Before crossing any offers, both operations will
+now enforce the following requirements:
+
+- If modifying the offer `offerID`, then the liabilities associated with offer
+ `offerID` are removed
+- If a new offer is being created, the number of subentries is updated
+- If the buying liabilities associated with the new offer exceed the available
+ limit then the operation fails with `MANAGE_OFFER_LINE_FULL`
+- If the selling liabilities associated with the new offer exceed the available
+ balance then the operation fails with `MANAGE_OFFER_UNDERFUNDED`
+
+These updates to `ManageOfferOp` (and `CreatePassiveOfferOp`) imply all of the
+modifications discussed in the previous list for these operations.
## Backwards Compatibility
-We will denote the protocol version which enables this proposal as `PROPOSAL_VERSION`. The database schema can be updated to include `buyingLiabilities` and `sellingLiabilities`, where these values are set to `NULL` until the protocol version is at least `PROPOSAL_VERSION`.
+
+We will denote the protocol version which enables this proposal as
+`PROPOSAL_VERSION`. The database schema can be updated to include
+`buyingLiabilities` and `sellingLiabilities`, where these values are set to
+`NULL` until the protocol version is at least `PROPOSAL_VERSION`.
### Upgrading the Protocol Version
-When the protocol version is upgraded to `PROPOSAL_VERSION`, the values of `buyingLiabilities` and `sellingLiabilities` will need to be calculated for all accounts that own offers. For other accounts these values can either be left as `NULL` and updated lazily, or they can be updated globally to 0. It would be better to update the values lazily as this would require a much smaller bucket than updating globally to 0.
-It is possible, after the protocol version is upgraded to `PROPOSAL_VERSION`, that there are existing offers which are not IEIF. We propose to resolve this issue by deleting offers owned by accounts with excess liabilities. Specifically, for any account `A` and assets `X` and `Y`, this approach would delete any offer owned by `A` and selling `X` in exchange for `Y` if `A` has excess selling liabilities of `X` or excess buying liabilities of `Y`. As of ledger 18178688, there are a maximum of 6053 offers (out of 12734 total offers) that would be deleted, owned by a maximum of 983 accounts (out of 474454 total accounts). One disadvantage to this approach is that it would likely cause a considerable decrease in available liquidity for some time while new offers are created, although this impact would be smaller than in the alternative approach discussed below. A further disadvantage to this approach is that, for some accounts, some offers may be deleted while others remain which could be undesirable in some cases. Both of these disadvantages could potentially be mitigated by giving an advance notice of a few weeks to the community and developers so that they have time to update their offers such that they do not have excess liabilities. As in the alternative approach, it could occur that it is impossible to recreate some offers. But at least offers selling an asset issued by that account are less likely to be deleted, since there is no limit on liabilities for the issuer of an asset. Regarding the specific offers mentioned in the discussion of the alternative approach, none of the 3 that are selling an asset issued by that account would be deleted.
+When the protocol version is upgraded to `PROPOSAL_VERSION`, the values of
+`buyingLiabilities` and `sellingLiabilities` will need to be calculated for all
+accounts that own offers. For other accounts these values can either be left as
+`NULL` and updated lazily, or they can be updated globally to 0. It would be
+better to update the values lazily as this would require a much smaller bucket
+than updating globally to 0.
+
+It is possible, after the protocol version is upgraded to `PROPOSAL_VERSION`,
+that there are existing offers which are not IEIF. We propose to resolve this
+issue by deleting offers owned by accounts with excess liabilities.
+Specifically, for any account `A` and assets `X` and `Y`, this approach would
+delete any offer owned by `A` and selling `X` in exchange for `Y` if `A` has
+excess selling liabilities of `X` or excess buying liabilities of `Y`. As of
+ledger 18178688, there are a maximum of 6053 offers (out of 12734 total offers)
+that would be deleted, owned by a maximum of 983 accounts (out of 474454 total
+accounts). One disadvantage to this approach is that it would likely cause a
+considerable decrease in available liquidity for some time while new offers are
+created, although this impact would be smaller than in the alternative approach
+discussed below. A further disadvantage to this approach is that, for some
+accounts, some offers may be deleted while others remain which could be
+undesirable in some cases. Both of these disadvantages could potentially be
+mitigated by giving an advance notice of a few weeks to the community and
+developers so that they have time to update their offers such that they do not
+have excess liabilities. As in the alternative approach, it could occur that it
+is impossible to recreate some offers. But at least offers selling an asset
+issued by that account are less likely to be deleted, since there is no limit
+on liabilities for the issuer of an asset. Regarding the specific offers
+mentioned in the discussion of the alternative approach, none of the 3 that are
+selling an asset issued by that account would be deleted.
#### Alternative Approach: Delete all existing offers
-As the description suggests, this approach would delete all existing offers when the protocol is upgraded to `PROPOSAL_VERSION`. As of ledger 18178688, there are 12734 offers owned by 2653 accounts (out of 474454 total accounts). One disadvantage to this approach is that it would likely cause a considerable decrease in available liquidity for some time while new offers are created. Some offers which have been created belong to accounts that would not be able to recreate them. There are 5 offers owned by 4 accounts with no signers and a master key weight of 0, with 2 of these offers selling an asset issued by the account. There is 1 other offer owned by an account whose total weight of signers and master key does not exceed the medium threshold, and it is also selling an asset issued by the account. It is worth repeating that this is only a simple lower bound on the number of offers that could not be recreated.
+
+As the description suggests, this approach would delete all existing offers
+when the protocol is upgraded to `PROPOSAL_VERSION`. As of ledger 18178688,
+there are 12734 offers owned by 2653 accounts (out of 474454 total accounts).
+One disadvantage to this approach is that it would likely cause a considerable
+decrease in available liquidity for some time while new offers are created.
+Some offers which have been created belong to accounts that would not be able
+to recreate them. There are 5 offers owned by 4 accounts with no signers and a
+master key weight of 0, with 2 of these offers selling an asset issued by the
+account. There is 1 other offer owned by an account whose total weight of
+signers and master key does not exceed the medium threshold, and it is also
+selling an asset issued by the account. It is worth repeating that this is only
+a simple lower bound on the number of offers that could not be recreated.
### Base Reserve
-The previous section details only a single point of backward incompatibility, but the process of increasing the base reserve presents a similar issue of backward incompatibility which would be repeatedly possible in the future. The reason for this is that increasing the base reserve could cause offers selling the native asset to no longer be IEIF. The potential solutions presented in the previous section would also apply here, but the same disadvantages would still apply as well.
+
+The previous section details only a single point of backward incompatibility,
+but the process of increasing the base reserve presents a similar issue of
+backward incompatibility which would be repeatedly possible in the future. The
+reason for this is that increasing the base reserve could cause offers selling
+the native asset to no longer be IEIF. The potential solutions presented in the
+previous section would also apply here, but the same disadvantages would still
+apply as well.
## Test Cases
-* `buyingLiabilities` and `sellingLiabilities` are updated when offers are modified by `PathPaymentOp`, `ManageOfferOp`, `CreatePassiveOfferOp`, and `AllowTrustOp`
-* Each operation should have the new behavior described above
+
+- `buyingLiabilities` and `sellingLiabilities` are updated when offers are
+ modified by `PathPaymentOp`, `ManageOfferOp`, `CreatePassiveOfferOp`, and
+ `AllowTrustOp`
+- Each operation should have the new behavior described above
## Implementation
+
https://github.com/stellar/stellar-core/pull/1718
Corresponding commit is git: 4dab9625d42b252d3f11500151ffcc66a1cd5ad2
diff --git a/core/cap-0004.md b/core/cap-0004.md
index 85452c89c..dc9452943 100644
--- a/core/cap-0004.md
+++ b/core/cap-0004.md
@@ -11,68 +11,174 @@ Protocol version: 10
```
## Simple Summary
-As of protocol version 9, crossing offers can lead to unbounded relative rounding error and can even leave the book in a crossed state. We propose a new algorithm to resolve these issues.
-## Abstract
-As of protocol version 9, crossing offers can lead to unbounded relative rounding error and can even leave the book in a crossed state. We propose a new algorithm to resolve these issues. This algorithm will prevent unbounded relative rounding error by adding an error threshold, and will prevent the book becoming crossed by guaranteeing that the less valuable offer must always be removed from the book. The new algorithm also guarantees that any given offer can only suffer a single adverse rounding event by rounding in favor of the offer with more total value (which, equivalently, means the offer which remains in the book).
-
-## Motivation
-In what follows, quantities expressed like "100 stroop X" mean 100 times the minimum representable quantity of the asset X. Consider the following situation:
-
-- In transaction 1, account A creates an offer selling 100 stroop X at a price of 3 Y / 2 X.
-- In transaction 2, account B creates an offer selling 10 stroop Y at a price of 1 X / 2 Y.
+As of protocol version 9, crossing offers can lead to unbounded relative
+rounding error and can even leave the book in a crossed state. We propose a new
+algorithm to resolve these issues.
-Offer B executes against offer A, but it is impossible to execute the entire offer at the price of 3 Y / 2 X. The protocol uses a rounding algorithm to determine how this situation, and other situations like it, should be handled. As of protocol version 9, 10 stroop Y is exchanged for 6 stroop X meaning that the trade actually executes at a price of 5 Y / 3 X. The relative error in the price is over 11% when viewed as a price in Y / X, and is 10% when viewed as a price in X / Y. This situation is bad, but it is not nearly as bad as it can be: the rounding algorithm as of protocol version 9 actually has unbounded relative error. Consider, for illustration, the following worse situation:
-
-- In transaction 1, account A creates an offer selling 1 stroop X at a price of 1 Y / 50,000 X.
-- In transaction 2, account B creates an offer selling 100 Y at a price of 1 X / 1 Y.
+## Abstract
-As of protocol version 9, 1 stroop Y is exchanged for 1 stroop X meaning that the trade actually executes at a price of 1 Y / 1 X. The relative error in the price is 4999900% when viewed as a price in Y / X, and is 99.998% when viewed as a price in X / Y.
+As of protocol version 9, crossing offers can lead to unbounded relative
+rounding error and can even leave the book in a crossed state. We propose a new
+algorithm to resolve these issues. This algorithm will prevent unbounded
+relative rounding error by adding an error threshold, and will prevent the book
+becoming crossed by guaranteeing that the less valuable offer must always be
+removed from the book. The new algorithm also guarantees that any given offer
+can only suffer a single adverse rounding event by rounding in favor of the
+offer with more total value (which, equivalently, means the offer which remains
+in the book).
-There is still another issue with the rounding algorithm as of protocol version 9. Whenever offers cross, at least one of the offers must execute entirely in order to avoid a crossed book. There are situations, however, where the rounding algorithm as of protocol version 9 will allow the book to remain crossed. Consider the following situation:
+## Motivation
-- In transaction 1, account A creates an offer selling 100 X at a price of 10 Y / 1 X.
-- In transaction 2, account B creates an offer selling 1 stroop Y at a price of 1 X / 10 Y.
+In what follows, quantities expressed like "100 stroop X" mean 100 times the
+minimum representable quantity of the asset X. Consider the following
+situation:
+
+- In transaction 1, account A creates an offer selling 100 stroop X at a price
+ of 3 Y / 2 X.
+- In transaction 2, account B creates an offer selling 10 stroop Y at a price
+ of 1 X / 2 Y.
+
+Offer B executes against offer A, but it is impossible to execute the entire
+offer at the price of 3 Y / 2 X. The protocol uses a rounding algorithm to
+determine how this situation, and other situations like it, should be handled.
+As of protocol version 9, 10 stroop Y is exchanged for 6 stroop X meaning that
+the trade actually executes at a price of 5 Y / 3 X. The relative error in the
+price is over 11% when viewed as a price in Y / X, and is 10% when viewed as a
+price in X / Y. This situation is bad, but it is not nearly as bad as it can
+be: the rounding algorithm as of protocol version 9 actually has unbounded
+relative error. Consider, for illustration, the following worse situation:
+
+- In transaction 1, account A creates an offer selling 1 stroop X at a price of
+ 1 Y / 50,000 X.
+- In transaction 2, account B creates an offer selling 100 Y at a price of 1 X
+ / 1 Y.
+
+As of protocol version 9, 1 stroop Y is exchanged for 1 stroop X meaning that
+the trade actually executes at a price of 1 Y / 1 X. The relative error in the
+price is 4999900% when viewed as a price in Y / X, and is 99.998% when viewed
+as a price in X / Y.
+
+There is still another issue with the rounding algorithm as of protocol
+version 9. Whenever offers cross, at least one of the offers must execute
+entirely in order to avoid a crossed book. There are situations, however, where
+the rounding algorithm as of protocol version 9 will allow the book to remain
+crossed. Consider the following situation:
+
+- In transaction 1, account A creates an offer selling 100 X at a price of 10 Y
+ / 1 X.
+- In transaction 2, account B creates an offer selling 1 stroop Y at a price of
+ 1 X / 10 Y.
As of protocol version 9, nothing is exchanged and the book remains crossed.
## Specification
-We propose a new rounding algorithm that resolves the above issues. The algorithm proceeds through three phases. First, the total value associated with each offer must be computed. Second, rounding is conducted in such a manner that the price never becomes less favorable for the offer with more total value. Third, the offer which initially had less total value is removed from the book regardless of whether it has been executed entirely.
-In order to compute the total value associated with an offer, we must choose what this value will be denominated in. This choice is arbitrary, and we elected to use the selling asset of the offer which was already in the book. We define the total value associated with an offer to be the value of the goods on offer in terms of the selling asset of the offer, rescaled by the denominator of the price of the offer which was already in the book.
-
-The manner in which the rounding is conducted is the central aspect of this proposal. The rounding algorithm guarantees that the price never becomes less favorable for the offer with more total value. Since the offer with less total value is always removed from the book, this guarantees that a single offer never suffers adverse rounding more than once. The rounding algorithm is also price aware and attempts to minimize errors by rounding in the less valuable asset. In order to prevent unbounded relative error during rounding, we introduce a new error threshold. If the relative rounding error exceeds the error threshold, nothing is exchanged.
-
-The offer which initially had less total value is removed from the book regardless of whether it has been executed entirely, so it is guaranteed that the book never remains crossed. When the book is no longer crossed, whichever offer ultimately remained in the book is adjusted such that it can be executed entirely. This guarantees that, regardless of rounding and error thresholding, it is always possible to execute against an offer in the book by submitting an offer with more total value. It is possible that an offer cannot be adjusted to any offer that can be executed entirely, in which case that offer is removed from the book.
-
-There is an additional complication with regard to the error threshold in path payment. For path payment, the error threshold is applied asymmetrically in the sense that the price will never become more than 1% less favorable but could become arbitrarily more favorable for the offer which was already in the book. This is sensible as path payment has a max send parameter which determines the worst overall price that should be accepted.
-
-The technical details of implementing the above are subtle and difficult to discuss in the absence of working code. Please refer to the description and implementation of [exchangeV10](https://github.com/stellar/stellar-core/blob/c3c8fd2c95eae9daa8aab324d9ef3e07047aacc9/src/transactions/OfferExchange.cpp#L173).
+We propose a new rounding algorithm that resolves the above issues. The
+algorithm proceeds through three phases. First, the total value associated with
+each offer must be computed. Second, rounding is conducted in such a manner
+that the price never becomes less favorable for the offer with more total
+value. Third, the offer which initially had less total value is removed from
+the book regardless of whether it has been executed entirely.
+
+In order to compute the total value associated with an offer, we must choose
+what this value will be denominated in. This choice is arbitrary, and we
+elected to use the selling asset of the offer which was already in the book. We
+define the total value associated with an offer to be the value of the goods on
+offer in terms of the selling asset of the offer, rescaled by the denominator
+of the price of the offer which was already in the book.
+
+The manner in which the rounding is conducted is the central aspect of this
+proposal. The rounding algorithm guarantees that the price never becomes less
+favorable for the offer with more total value. Since the offer with less total
+value is always removed from the book, this guarantees that a single offer
+never suffers adverse rounding more than once. The rounding algorithm is also
+price aware and attempts to minimize errors by rounding in the less valuable
+asset. In order to prevent unbounded relative error during rounding, we
+introduce a new error threshold. If the relative rounding error exceeds the
+error threshold, nothing is exchanged.
+
+The offer which initially had less total value is removed from the book
+regardless of whether it has been executed entirely, so it is guaranteed that
+the book never remains crossed. When the book is no longer crossed, whichever
+offer ultimately remained in the book is adjusted such that it can be executed
+entirely. This guarantees that, regardless of rounding and error thresholding,
+it is always possible to execute against an offer in the book by submitting an
+offer with more total value. It is possible that an offer cannot be adjusted to
+any offer that can be executed entirely, in which case that offer is removed
+from the book.
+
+There is an additional complication with regard to the error threshold in path
+payment. For path payment, the error threshold is applied asymmetrically in the
+sense that the price will never become more than 1% less favorable but could
+become arbitrarily more favorable for the offer which was already in the book.
+This is sensible as path payment has a max send parameter which determines the
+worst overall price that should be accepted.
+
+The technical details of implementing the above are subtle and difficult to
+discuss in the absence of working code. Please refer to the description and
+implementation of
+[exchangeV10](https://github.com/stellar/stellar-core/blob/c3c8fd2c95eae9daa8aab324d9ef3e07047aacc9/src/transactions/OfferExchange.cpp#L173).
## Rationale
+
A variety of other proposals were considered, among them:
### Randomized Rounding
-This algorithm had three phases. First, it would determine which offer should remain in the book (for example using the same algorithm as described in Specification). Second, the error induced by rounding up and rounding down would be calculated. Third, the rounding would be performed stochastically such that the expected rounding error was 0. There were several disadvantages to this proposal:
-- Requires a source of randomness in the ledger that could not be exploited by validators
-- The limit price on any offer could be violated in both directions with unbounded relative error
+This algorithm had three phases. First, it would determine which offer should
+remain in the book (for example using the same algorithm as described in
+Specification). Second, the error induced by rounding up and rounding down
+would be calculated. Third, the rounding would be performed stochastically such
+that the expected rounding error was 0. There were several disadvantages to
+this proposal:
+
+- Requires a source of randomness in the ledger that could not be exploited by
+ validators
+- The limit price on any offer could be violated in both directions with
+ unbounded relative error
- Rounding errors average out over time but individuals could still be effected
### Lot Sizes
-This proposal focused on restructuring the offer book rather than improving the rounding algorithm. The idea was to split each market into many separate market segments distinguished by the lot size and the base asset (the asset used to express the lot size). The price of an offer would then be the quantity of the non-base asset that you are willing to exchange for lot size of the base asset. This forced the price to be an integer and guaranteed that crossing offers would always execute without any rounding. The advantages of this solution are that rounding never occurs and that each individual market segment is never crossed. There were several disadvantages to this proposal:
-- Trading is much more complicated since determining the best price requires looking at every market segment
-- Path payment is much more complicated since it needs to process not just every asset but every market segment of every asset
+This proposal focused on restructuring the offer book rather than improving the
+rounding algorithm. The idea was to split each market into many separate market
+segments distinguished by the lot size and the base asset (the asset used to
+express the lot size). The price of an offer would then be the quantity of the
+non-base asset that you are willing to exchange for lot size of the base asset.
+This forced the price to be an integer and guaranteed that crossing offers
+would always execute without any rounding. The advantages of this solution are
+that rounding never occurs and that each individual market segment is never
+crossed. There were several disadvantages to this proposal:
+
+- Trading is much more complicated since determining the best price requires
+ looking at every market segment
+- Path payment is much more complicated since it needs to process not just
+ every asset but every market segment of every asset
- Significant API changes required
## Backwards Compatibility
-This proposal will change the rounding behavior of offers. If any pre-signed transactions depended on the precise outcome of cross offer either through `ManageOffer` or `PathPayment`, it is possible that such a transaction will now fail.
-As of protocol version 10, every offer in the book must be immediately executable in full. For more information on this topic, refer to [CAP-0003](https://github.com/stellar/stellar-protocol/blob/335b11953904c9229327b95266201f405ae6c612/core/cap-0003.md). That proposal notes that offers which are not IEIF will be removed when upgrading to protocol version 10. As part of this process, offers will also be adjusted such that they can be executed entirely as described above. Analogous to what is mentioned in the Specification, offers which cannot be adjusted such that they can be executed entirely will be removed from the book during the upgrade.
+This proposal will change the rounding behavior of offers. If any pre-signed
+transactions depended on the precise outcome of cross offer either through
+`ManageOffer` or `PathPayment`, it is possible that such a transaction will now
+fail.
+
+As of protocol version 10, every offer in the book must be immediately
+executable in full. For more information on this topic, refer to
+[CAP-0003](https://github.com/stellar/stellar-protocol/blob/335b11953904c9229327b95266201f405ae6c612/core/cap-0003.md).
+That proposal notes that offers which are not IEIF will be removed when
+upgrading to protocol version 10. As part of this process, offers will also be
+adjusted such that they can be executed entirely as described above. Analogous
+to what is mentioned in the Specification, offers which cannot be adjusted such
+that they can be executed entirely will be removed from the book during the
+upgrade.
## Test Cases
+
Test cases for the new functionality were included in the implementation.
## Implementation
-Merged as of [stellar-core commit c3c8fd2c95eae9daa8aab324d9ef3e07047aacc9](https://github.com/stellar/stellar-core/commit/c3c8fd2c95eae9daa8aab324d9ef3e07047aacc9).
+
+Merged as of
+[stellar-core commit c3c8fd2c95eae9daa8aab324d9ef3e07047aacc9](https://github.com/stellar/stellar-core/commit/c3c8fd2c95eae9daa8aab324d9ef3e07047aacc9).
diff --git a/core/cap-0005.md b/core/cap-0005.md
index d91f92d04..ed2e1863b 100644
--- a/core/cap-0005.md
+++ b/core/cap-0005.md
@@ -2,7 +2,7 @@
```
CAP: 0005
-Title: Throttling and transaction pricing improvements
+Title: Throttling and transaction pricing improvements
Author: Nicolas Barry
Status: Final
Created: 2018-Oct-05
@@ -12,59 +12,64 @@ Protocol version: 11
```
## Simple Summary
+
Combined set of changes that rationalize how we throttle the network, and also
-makes it easier for clients to craft transactions that will make it into a ledger
-even when network fees are changing rapidly.
+makes it easier for clients to craft transactions that will make it into a
+ledger even when network fees are changing rapidly.
## Abstract
-
-Goal of the updated design is to maximize the number of operations included
-in a _candidate_ transaction set, while preserving fairness.
+
+Goal of the updated design is to maximize the number of operations included in
+a _candidate_ transaction set, while preserving fairness.
Note that there are two mechanism at play here: one that is implemented to
-construct _candidate_ values by validators which happens outside of consensus, and
-the other mechanism that is used to pick between two candidate sets during
+construct _candidate_ values by validators which happens outside of consensus,
+and the other mechanism that is used to pick between two candidate sets during
consensus.
Fairness in how transactions are included in a candidate set is equivalent to
-designing a sorting scheme for the list of transactions _before_
-trimming (typically all accumulated transactions on the validator) such that:
-* accounts have the same odds of having their transactions included, regardless
-of the distribution of transactions per account and regardless of how many
-transactions are picked from the sorted set.
-* transactions with a higher per operation fee have a strict advantage over lower
-fee transactions.
+designing a sorting scheme for the list of transactions _before_ trimming
+(typically all accumulated transactions on the validator) such that:
-Fairness is also achieved by attempting to _reduce_ the fee charged to accounts.
+- accounts have the same odds of having their transactions included, regardless
+ of the distribution of transactions per account and regardless of how many
+ transactions are picked from the sorted set.
+- transactions with a higher per operation fee have a strict advantage over
+ lower fee transactions.
+
+Fairness is also achieved by attempting to _reduce_ the fee charged to
+accounts.
This is achieved by associating a value `baseFee` to each transaction set
-(greater than `ledgerHeader.baseFee`), and using that base fee to compute the actual fee charged.
-With this change, `tx.fee` becomes an upper bound instead of being the actual
-fee deducted from the source account.
+(greater than `ledgerHeader.baseFee`), and using that base fee to compute the
+actual fee charged. With this change, `tx.fee` becomes an upper bound instead
+of being the actual fee deducted from the source account.
## Motivation
Right now the network configuration that governs the maximum throughput of the
network is `ledgerHeader.maxTxSetSize`, that controls the maximum number of
- _transactions_ that can be included in a transaction set; yet a good approximation
-of work (reflected in how fees are computed), is the total number of _operations_
-included in a transaction set.
-As any transaction can contain up to 100 operations, this causes the network
-setting to be overly conservative (as it has to assume the worst case situation
-where all transactions would be 100 operations).
-
-Another motivation for changing how fees are computed is that right now the
-fee charged for a given transaction is equal to the amount specified when the
+_transactions_ that can be included in a transaction set; yet a good
+approximation of work (reflected in how fees are computed), is the total number
+of _operations_ included in a transaction set. As any transaction can contain
+up to 100 operations, this causes the network setting to be overly conservative
+(as it has to assume the worst case situation where all transactions would be
+100 operations).
+
+Another motivation for changing how fees are computed is that right now the fee
+charged for a given transaction is equal to the amount specified when the
transaction was crafted.
When surge pricing occurs, or simply if `ledgerHeader.baseFee` is raised, this
creates problems:
-* for the typical user, this leads to transactions rejected by validators if the
-specified fee is too small.
-* for pre-signed transactions (smart contracts), the fee has to be specified with
-a value that exceeds the future fee required to be included in a transaction set.
-* in both cases the model can lead to excessive fees charged to users if the
-specified fee is bigger than needed.
+
+- for the typical user, this leads to transactions rejected by validators if
+ the specified fee is too small.
+- for pre-signed transactions (smart contracts), the fee has to be specified
+ with a value that exceeds the future fee required to be included in a
+ transaction set.
+- in both cases the model can lead to excessive fees charged to users if the
+ specified fee is bigger than needed.
## Specification
@@ -76,6 +81,7 @@ In the following specification, we'll use `StellarValue v` with its associated
No changes in XDR
### Construction of the pair (`txSetBaseFee`, `txSet`)
+
#### Repurposing `ledgerHeader.maxTxSetSize`
For ledgers with a protocolVersion supporting CAP0005, this setting controls
@@ -85,28 +91,29 @@ controls the number of _transactions_ in the transaction set).
#### Updated "surge pricing" algorithm
1. pick a random number S
-2. for each account, construct a queue of transactions for that account,
-sorted by sequence number in ascending order
- * implementation note: there might be an opportunity to consolidate with
-the transaction holding tank.
-3. construct a heap of those queues, sorted by:
- * the fee rate (descending) of the first transaction in each queue (so that the queue
-whose first transaction has the highest fee rate is on top of the heap)
- * first transaction hash Xored with S (ascending)
+2. for each account, construct a queue of transactions for that account, sorted
+ by sequence number in ascending order \* implementation note: there might be
+ an opportunity to consolidate with the transaction holding tank.
+3. construct a heap of those queues, sorted by: _ the fee rate (descending) of
+ the first transaction in each queue (so that the queue whose first
+ transaction has the highest fee rate is on top of the heap) _ first
+ transaction hash Xored with S (ascending)
4. `nb_operations_to_add = maxTxSetSize`
5. while (`nb_operations_to_add > 0 && !heap.empty()`)
- * queue = heap.pop()
- * if nb_operations(first transaction "tx" from queue) <= nb_operations_to_add
- * push tx into txSet
- * nb_operations_to_add = nb_operations_to_add - nb_operations(tx)
- * pop tx from queue
- * if queue non empty, push it into the heap
+ - queue = heap.pop()
+ - if nb_operations(first transaction "tx" from queue) <=
+ nb_operations_to_add
+ - push tx into txSet
+ - nb_operations_to_add = nb_operations_to_add - nb_operations(tx)
+ - pop tx from queue
+ - if queue non empty, push it into the heap
6. if `count_ops(txSet) > max(0, ledgerHeader.maxTxSetSize-100)`
- * surge pricing in effect
+ - surge pricing in effect
NB: if `ledgerHeader.ledgerVersion < CAP_0005.protocolVersion`,
-* step 4 becomes `nb_operations_to_add = maxTxSetSize*100`
-* step 5 defaults `nb_operations(tx)` to `100`
+
+- step 4 becomes `nb_operations_to_add = maxTxSetSize*100`
+- step 5 defaults `nb_operations(tx)` to `100`
### Validity and usage of the effective base fee
@@ -115,23 +122,25 @@ NB: if `ledgerHeader.ledgerVersion < CAP_0005.protocolVersion`,
The effective base fee for protocol supporting CAP_0005 is defined as follows:
1. if `nb_operations(txSet) <= max(0, ledgerHeader.maxTxSetSize-100)`
- * surge pricing not in effect
- * effectiveBaseFee = `ledgerHeader.baseFee`
+ - surge pricing not in effect
+ - effectiveBaseFee = `ledgerHeader.baseFee`
2. else, we use the smallest possible base fee for that transaction set
- * effectiveBaseFee = `min(baseFeeForTx(for(tx in txSet)))`
+ - effectiveBaseFee = `min(baseFeeForTx(for(tx in txSet)))`
Where `baseFeeForTx` is defined as `tx.fee / tx.ops.length()` rounded up.
-NB: Surge pricing is triggered as soon as we can't assume that a transaction was not included in the transaction set given the limit `ledgerHeader.maxTxSetSize`, which comes to `ledgerHeader.maxTxSetSize-100`.
+NB: Surge pricing is triggered as soon as we can't assume that a transaction
+was not included in the transaction set given the limit
+`ledgerHeader.maxTxSetSize`, which comes to `ledgerHeader.maxTxSetSize-100`.
#### Computation of the fee charged per transaction
The computation of `fee = computedFee(tx, effectiveBaseFee)` is done as:
1. if `ledgerHeader.ledgerVersion < CAP_0005.protocolVersion`
- * fee = `tx.fee`
+ - fee = `tx.fee`
2. else
- * fee = `min(tx.fee, effectiveBaseFee*tx.ops.length())`
+ - fee = `min(tx.fee, effectiveBaseFee*tx.ops.length())`
#### Validity of a `txSet`
@@ -139,7 +148,8 @@ From a fee point of view, the only requirement is that each source account has
a balance sufficient to cover the combined computed fees of that account's
transactions included in `txSet`
-if `ledgerHeader.ledgerVersion < CAP_0005.protocolVersion` we enforce that `txSet.length() <= maxTxSetSize`.
+if `ledgerHeader.ledgerVersion < CAP_0005.protocolVersion` we enforce that
+`txSet.length() <= maxTxSetSize`.
Otherwise we enforce that `nb_operations(txSet) <= maxTxSetSize`
@@ -149,14 +159,15 @@ The ballot protocol requires a function to combine candidate values produced by
the nomination protocol.
For older versions of the protocol, we do not change this function, ie we keep
-the transaction set with the highest number of transactions, and break ties
- by comparing the hash of transaction sets (XORed to pseudo-randomize).
+the transaction set with the highest number of transactions, and break ties by
+comparing the hash of transaction sets (XORed to pseudo-randomize).
For newer versions of the protocol, we'll be following a similar scheme by
picking the highest value sorted in order by:
-* highest number of operations
-* highest total fee (sum of fees charged)
-* highest txset hash (XORed by the hash of all value as before)
+
+- highest number of operations
+- highest total fee (sum of fees charged)
+- highest txset hash (XORed by the hash of all value as before)
## Rationale
@@ -186,8 +197,8 @@ as part of their cleanup that doesn't depend on having a predetermined balance.
### Surge pricing implementation
-The exact value generated by surge pricing doesn't need to match even when
-the network is still operating on an older version of the protocol.
+The exact value generated by surge pricing doesn't need to match even when the
+network is still operating on an older version of the protocol.
As such, there is no concern to try to preserve the existing behavior.
@@ -202,13 +213,14 @@ represent transactions but operations instead); A subsequent vote by validators
will be need to be coordinated in order to adjust it to a new desired value.
Practically speaking the disruption should be minimal:
-* Most transactions are single operation transactions and won't be effected.
-* Disruption will be mostly for transactions with more operations than
-`maxTxSetSize`. As of this writing, this network parameter is set to `50` on
-the public network, which means that transactions with more than `50` operations
-will not be accepted by the network between the two upgrades.
-* Validators can coordinate a "double upgrade", where both the protocol version
-and the `maxTxSetSize` field gets updated.
+
+- Most transactions are single operation transactions and won't be effected.
+- Disruption will be mostly for transactions with more operations than
+ `maxTxSetSize`. As of this writing, this network parameter is set to `50` on
+ the public network, which means that transactions with more than `50`
+ operations will not be accepted by the network between the two upgrades.
+- Validators can coordinate a "double upgrade", where both the protocol version
+ and the `maxTxSetSize` field gets updated.
## Test Cases
diff --git a/core/cap-0006.md b/core/cap-0006.md
index ae0097ee1..05b9e3cb8 100644
--- a/core/cap-0006.md
+++ b/core/cap-0006.md
@@ -11,23 +11,26 @@ Protocol version: 11
```
## Simple Summary
+
We introduce the `ManageBuyOffer` operation with functionality similar to the
`ManageOffer` operation except that the amount is specified in terms of the
`buying` asset instead of the `selling` asset.
## Abstract
+
The `ManageOffer` operation specifies the maximum amount of the `selling` asset
that should be sold by the offer. It is not, however, possible to express the
maximum amount of the `buying` asset that should be bought by the offer. These
-constraints are not equivalent because at the time of offer submission it is not
-known at what price the offer will execute. We propose to add a new operation
-called `ManageBuyOffer` which specifies the maximum amount of the `buying` asset
-that should be bought by the offer. The price will be the "price of thing being
-bought in terms of what you are selling" rather than the "price of thing being
-sold in terms of what you are buying". The behavior is otherwise analogous to
-the extant `ManageOffer` operation.
+constraints are not equivalent because at the time of offer submission it is
+not known at what price the offer will execute. We propose to add a new
+operation called `ManageBuyOffer` which specifies the maximum amount of the
+`buying` asset that should be bought by the offer. The price will be the "price
+of thing being bought in terms of what you are selling" rather than the "price
+of thing being sold in terms of what you are buying". The behavior is otherwise
+analogous to the extant `ManageOffer` operation.
## Motivation
+
Many financial institutions have an obligation to faithfully execute customer
orders. Customer orders to sell a certain quantity of an asset in exchange for
the maximum quantity of a different asset are already easily expressed in terms
@@ -38,7 +41,9 @@ are not expressible in terms of the `ManageOffer` operation. We introduce the
order.
## Specification
+
`ManageBuyOfferOp` specification:
+
```c++
struct ManageBuyOfferOp
{
@@ -93,6 +98,7 @@ Name changes are binary compatible, so for better naming consistency:
- `ManageOfferResult` will be renamed to `ManageSellOfferResult`
Additionally, we will update naming for `ManageOfferResultCode` to be
+
```c++
enum ManageSellOfferResultCode
{
@@ -119,6 +125,7 @@ enum ManageSellOfferResultCode
```
Updated `Operation` specification:
+
```c++
enum OperationType
{
@@ -178,79 +185,86 @@ struct Operation
```
## Rationale
-Adding `ManageBuyOffer` will not require modifying what data is contained in the
-ledger. This can be understood by considering offer execution as two distinct
-processes. The first process begins when an offer is submitted. If this offer
-matches against an existing offer, then those offers must execute at the price
-of the existing offer. This repeats until either the submitted offer has
-executed entirely or the submitted offer does not match against any existing
-offer. During this first process, limits on the buying amount are not equivalent
-to limits on the selling amount since the execution price is variable.
+
+Adding `ManageBuyOffer` will not require modifying what data is contained in
+the ledger. This can be understood by considering offer execution as two
+distinct processes. The first process begins when an offer is submitted. If
+this offer matches against an existing offer, then those offers must execute at
+the price of the existing offer. This repeats until either the submitted offer
+has executed entirely or the submitted offer does not match against any
+existing offer. During this first process, limits on the buying amount are not
+equivalent to limits on the selling amount since the execution price is
+variable.
The second process begins with adding to the offer book the remainder of the
-offer submitted at the start of the first process, if that offer was not already
-executed entirely. Any subsequent execution of this offer will occur at the
-price of this offer, unless the offer is modified (in which case the first
+offer submitted at the start of the first process, if that offer was not
+already executed entirely. Any subsequent execution of this offer will occur at
+the price of this offer, unless the offer is modified (in which case the first
process begins anew). Therefore, a limit on the buying amount is equivalent to
a limit on the selling amount during the second process.
At this point, it is clear what the semantics of the `ManageBuyOffer` operation
-should be. During the first process, which is a subset of the apply-phase of the
-operation, the total amount that can be executed is limited by the `buyAmount`
-specified in the `ManageBuyOfferOp`. At the start of the second process, the
-remaining `buyAmount` is converted into a sell amount and stored in the ledger,
-analogous to what would be done with the remaining `amount` at the end of
-`ManageOffer`. The `price` must also be inverted before it is stored in the
-ledger.
+should be. During the first process, which is a subset of the apply-phase of
+the operation, the total amount that can be executed is limited by the
+`buyAmount` specified in the `ManageBuyOfferOp`. At the start of the second
+process, the remaining `buyAmount` is converted into a sell amount and stored
+in the ledger, analogous to what would be done with the remaining `amount` at
+the end of `ManageOffer`. The `price` must also be inverted before it is stored
+in the ledger.
There is, however, one important caveat to all of the above. At the end of the
day, offers are stored on the ledger as sell offers which means that the amount
-is a sell amount. When rounding occurs in favor of an offer, it may receive more
-of the asset that is not limited than would be otherwise expected. During the
-first process, this does not cause an issue for either `ManageBuyOffer` or
-`ManageSellOffer` as each has a limit in terms of the appropriate asset. But, as
-noted, in the ledger all limits are on the selling asset so it is possible for
-`ManageBuyOffer` to buy more than expected during the second process.
+is a sell amount. When rounding occurs in favor of an offer, it may receive
+more of the asset that is not limited than would be otherwise expected. During
+the first process, this does not cause an issue for either `ManageBuyOffer` or
+`ManageSellOffer` as each has a limit in terms of the appropriate asset. But,
+as noted, in the ledger all limits are on the selling asset so it is possible
+for `ManageBuyOffer` to buy more than expected during the second process.
### Why is the price inverted?
+
As noted in the abstract, the price will be the "price of thing being bought in
terms of what you are selling" rather than the "price of thing being sold in
terms of what you are buying". There are three main reasons for this interface:
1. When making a market, `ManageSellOfferOp` and `ManageBuyOfferOp` will have
-prices that appear in the same units:
- - The price in `ManageSellOfferOp{selling=X, buying=Y, amount=A, price=P}`
-is the "price of thing being sold in terms of what you are buying" so it is the
-"price of X in terms of Y"
- - The price in `ManageBuyOfferOp{selling=Y, buying=X, buyAmount=A, price=P}`
-is the "price of thing being bought in terms of what you are selling" so it is
-the "price of X in terms of Y"
+ prices that appear in the same units: - The price in
+ `ManageSellOfferOp{selling=X, buying=Y, amount=A, price=P}` is the "price of
+ thing being sold in terms of what you are buying" so it is the "price of X
+ in terms of Y" - The price in
+ `ManageBuyOfferOp{selling=Y, buying=X, buyAmount=A, price=P}` is the "price
+ of thing being bought in terms of what you are selling" so it is the "price
+ of X in terms of Y"
2. As an extension of (1), if `{selling=X, buying=Y, amount=A, price=P}`
-represents the best offer in a given market, then it can be exactly crossed by
-submitting `ManageBuyOfferOp{selling=Y, buying=X, buyAmount=A, price=P}`
-3. Converting the sell amount in `ManageSellOfferOp` to an equivalent buy amount
-is accomplished by computing `amount * price`; converting the buy amount in
-`ManageBuyOfferOp` to an equivalent sell amount is accomplished by computing
-`buyAmount * price`
+ represents the best offer in a given market, then it can be exactly crossed
+ by submitting `ManageBuyOfferOp{selling=Y, buying=X, buyAmount=A, price=P}`
+3. Converting the sell amount in `ManageSellOfferOp` to an equivalent buy
+ amount is accomplished by computing `amount * price`; converting the buy
+ amount in `ManageBuyOfferOp` to an equivalent sell amount is accomplished by
+ computing `buyAmount * price`
### Validation result codes
+
In implementing `ManageBuyOffer`, it was observed that `ManageOffer` does not
-respect the convention that failure to validate should only return an error code
-labeled `MALFORMED`. `ManageBuyOffer` should respect this convention, and for
-consistency `ManageSellOffer` should also respect this convention starting in
-the protocol version which implements this proposal. Specifically validation of
-`ManageSellOffer` will return `MANAGE_SELL_OFFER_MALFORMED` instead of
+respect the convention that failure to validate should only return an error
+code labeled `MALFORMED`. `ManageBuyOffer` should respect this convention, and
+for consistency `ManageSellOffer` should also respect this convention starting
+in the protocol version which implements this proposal. Specifically validation
+of `ManageSellOffer` will return `MANAGE_SELL_OFFER_MALFORMED` instead of
`MANAGE_SELL_OFFER_NOT_FOUND`.
## Backwards Compatibility
+
This proposal is fully backward compatible.
## Test Cases
+
Some test cases that must be considered include:
-* If `ManageBuyOffer` and `ManageSellOfferOp` have the same max send and max
-receive after crossing offers, then the same offer is added to the ledger
-* `ManageBuyOffer` properly accounts for [liabilities](cap-0003.md)
+- If `ManageBuyOffer` and `ManageSellOfferOp` have the same max send and max
+ receive after crossing offers, then the same offer is added to the ledger
+- `ManageBuyOffer` properly accounts for [liabilities](cap-0003.md)
## Implementation
+
No implementation yet.
diff --git a/core/cap-0007.md b/core/cap-0007.md
index 3d5d1cd20..ce4a19d95 100644
--- a/core/cap-0007.md
+++ b/core/cap-0007.md
@@ -11,31 +11,33 @@ Protocol version: TBD
```
## Simple Summary
+
We introduce CreateDeterministicAccount operation which creates an account that
could only be created by the transaction creating it, allowing it to have a
known starting sequence number and initialization.
## Abstract
+Deterministic accounts are a critical infrastructure piece for building
+reliable contracts for three key reasons:
-Deterministic accounts are a critical infrastructure piece for building reliable contracts for three key reasons:
-
-1) Predictable sequence numbers
-2) Never-fail creation
-3) Known initialized state
+1. Predictable sequence numbers
+2. Never-fail creation
+3. Known initialized state
-We create deterministic accounts with a few changes to account structures to support non-key account IDs.
+We create deterministic accounts with a few changes to account structures to
+support non-key account IDs.
## Motivation
-Currently, when a contract must create an account as a part of it's settlement (such as in Starlight or in an Account Transfer),
-creating the account results in an unpredictable sequence number which prevents the presigning of transactions for it. Furthermore,
-accounts can not be created and modified at the same time preventing initializing an account on behalf of another party.
-
+Currently, when a contract must create an account as a part of it's settlement
+(such as in Starlight or in an Account Transfer), creating the account results
+in an unpredictable sequence number which prevents the presigning of
+transactions for it. Furthermore, accounts can not be created and modified at
+the same time preventing initializing an account on behalf of another party.
## Specification
-
We extend the AccountID type:
```c++
@@ -64,9 +66,8 @@ case ACCOUNT_ID_TYPE_REF_NEW_DET_ACCOUNT:
```
-
-
We add the following operation:
+
```c++
struct CreateDeterministicAccountOp
{
@@ -75,6 +76,7 @@ struct CreateDeterministicAccountOp
```
The result of this operation is an account created with the following state:
+
```c++
AccountEntry
{
@@ -99,10 +101,9 @@ Therefore subsequent operations with source account set to
This operation works with Account Merge, but subsequently
`ACCOUNT_ID_TYPE_NEWEST_DET_ACCOUNT` refers to no account.
-
Alternatively, we may store a vector of pointers to the accounts being created
(in the implementation) and refer to them by creation order. In this case, we
-use `ACCOUNT_ID_TYPE_REF_NEW_DET_ACCOUNT`. `which=0` points to the first
+use `ACCOUNT_ID_TYPE_REF_NEW_DET_ACCOUNT`. `which=0` points to the first
account created, `1` the second, etc. `which= = -1` refers to the most recently
created account, `-2` the next most recently created, etc. Only one of
`ACCOUNT_ID_TYPE_REF_NEW_DET_ACCOUNT` or `ACCOUNT_ID_TYPE_NEWEST_DET_ACCOUNT`
@@ -111,44 +112,43 @@ should make it into the final draft of the spec.
The account has no master signer, therefore setting masterWeight has no effect
(but can be used as an extra data field if desired).
-Deterministic accounts may always be merged even if the sequence number is above the
-current ledger, as there is no way to recreate them after merge.
-
-
+Deterministic accounts may always be merged even if the sequence number is
+above the current ledger, as there is no way to recreate them after merge.
## Rationale
-CreateDeterministicAccount is a minimal deterministic account derivation scheme.
+CreateDeterministicAccount is a minimal deterministic account derivation
+scheme.
The newly created account is deterministically derived from
- The transaction creating it, which transitively commits to:
- - The Source Account
- - The Source Account Sequence
-- The index of the operation in the transaction (making a unique key if repeated CreateDeterministicAccount operations)
-
+ - The Source Account
+ - The Source Account Sequence
+- The index of the operation in the transaction (making a unique key if
+ repeated CreateDeterministicAccount operations)
Alternative schemes to this deterministic account proposal derive only on the
source account, sequence number, and operation index rather than the complete
transaction hash. While strictly speaking, this should work for many of the use
cases where deterministic accounts are desired, and does not encumber the
complexity of not knowing the account ID inside the transaction, there are two
-main drawbacks that leade to this approach being superior. The first drawback is
-that there are multiple possible transactions that *could* create the account,
-which makes it possible for a malicious actor to trick another agent in certain
-cases. For example, if a 2 party protocol is proposed by the malicious actor,
-signatures are acquired, but then the malicious actor aborts, and then the
-protocol is restarted with different values, the other party may not recall that
-they have already approved a transaction in the first protocol. The second
-drawback is that because of the multiplicity of generation of this variant of
-deterministic account, the existence of the account does not serve as a
-testament to the success of the operations in the transaction which created the
-account. Such testaments are useful for complex contracts as they can rely on
-state implied by the existence of an account (such as the current signer of
-another account modified in the generating transaction being the same signer as
-a third account). The abscence of these two drawbacks simultaneously makes this
-version of deterministic accounts less useful for attackers and more useful for
-contracting.
+main drawbacks that leade to this approach being superior. The first drawback
+is that there are multiple possible transactions that _could_ create the
+account, which makes it possible for a malicious actor to trick another agent
+in certain cases. For example, if a 2 party protocol is proposed by the
+malicious actor, signatures are acquired, but then the malicious actor aborts,
+and then the protocol is restarted with different values, the other party may
+not recall that they have already approved a transaction in the first protocol.
+The second drawback is that because of the multiplicity of generation of this
+variant of deterministic account, the existence of the account does not serve
+as a testament to the success of the operations in the transaction which
+created the account. Such testaments are useful for complex contracts as they
+can rely on state implied by the existence of an account (such as the current
+signer of another account modified in the generating transaction being the same
+signer as a third account). The abscence of these two drawbacks simultaneously
+makes this version of deterministic accounts less useful for attackers and more
+useful for contracting.
An example of using CreateDeterministicAccount is as follows:
@@ -178,54 +178,50 @@ Tx0:
The in-transaction setup guarantees that if the account is created it is in the
desired state.
-
Protocols around using CreateDeterministicAccount will be the subject of a
subsequent SEP.
-
-Because of the hash cycle (account ID is transaction hash, transaction therefore
-can't include it), pre-auth transactions will not work immediately for
-Deterministic Accounts as described. A subsequent CAP will propose allowing a
-preauth transaction to specify _self_ as the source account for a pre-auth, which
-relaxes this constraint.
+Because of the hash cycle (account ID is transaction hash, transaction
+therefore can't include it), pre-auth transactions will not work immediately
+for Deterministic Accounts as described. A subsequent CAP will propose allowing
+a preauth transaction to specify _self_ as the source account for a pre-auth,
+which relaxes this constraint.
The newest account account ID type is of limited use. There are certain cases
that it does not work for (such as making two deterministic accounts which
approve trust lines for each other). The alternative form adds more complexity
and bookkeeping cost, but provides a simpler API for implementers and supports
-all possible initializations. If the added complexity is not too much, it should
-be preferred. The ability to refer by negative indexes is useful for defining
-templates which should nest inside of other transactions without need to
-recompute indexes.
+all possible initializations. If the added complexity is not too much, it
+should be preferred. The ability to refer by negative indexes is useful for
+defining templates which should nest inside of other transactions without need
+to recompute indexes.
The decision to not include the master signer is a trade off. On the one hand,
it means deterministic accounts cannot include as many public key signers as
non-deterministic accounts. On the other hand 20 signers is likely enough for
most use cases, and the lack of the master key makes account handling code
simpler. MuSig based signature constructions also support constructing larger
-multisig circuits as well, so it is unclear how much utility is gained by having
-one more signer. Another field for a signer could be added to deterministic
-accounts, but this would bloat the account struct further and would break
-compatibility with older software. Potentially, the 20 signer limit could be
-changed to 21 and run time checked (somehow) to only be allowed for
+multisig circuits as well, so it is unclear how much utility is gained by
+having one more signer. Another field for a signer could be added to
+deterministic accounts, but this would bloat the account struct further and
+would break compatibility with older software. Potentially, the 20 signer limit
+could be changed to 21 and run time checked (somehow) to only be allowed for
deterministic accounts. This would allow SDK authors to provide identical
interfaces. If this is needed, it should be the subject of a separate CAP
finalized in conjunction with this CAP. The other ergonomics issue is that it
might be surprising to a implementer that there is no default signer and might
-result in them creating accounts in a frozen state. This is desirable however --
-for many types of smart contract, there is no such concept as a master signer
- (just a few determinisitc steps) and for issuing fixed supply or fixed
- schedule tokens you would only want to use pre signed transactions and a
- master signer would be superflous.
-
-
+result in them creating accounts in a frozen state. This is desirable however
+-- for many types of smart contract, there is no such concept as a master
+signer (just a few determinisitc steps) and for issuing fixed supply or fixed
+schedule tokens you would only want to use pre signed transactions and a master
+signer would be superflous.
## Backwards Compatibility
-This proposal requires updating existing APIs to accept the new key types.
+This proposal requires updating existing APIs to accept the new key types.
Future work should clean up the XDR AccountID typedef to be an enum.
-
## Implementation
+
No implementation yet.
diff --git a/core/cap-0008.md b/core/cap-0008.md
index a39a2db8d..399f395b5 100644
--- a/core/cap-0008.md
+++ b/core/cap-0008.md
@@ -12,7 +12,8 @@ Protocol version: TBD
## Simple Summary
-We introduce a new variant of Preauthorized Transaction which refers to the account it resides on automatically.
+We introduce a new variant of Preauthorized Transaction which refers to the
+account it resides on automatically.
## Abstract
@@ -23,8 +24,6 @@ yet known.
Self Identified Pre-Auth Transactions address this issue by allowing the source
ID to be a special value.
-
-
## Motivation
Adding Pre-Auth transactions to Deterministic accounts enables the creation of
@@ -35,10 +34,8 @@ increasing the throughput of channels created per second, and decreasing the
code complexity of such applications as such automata can be guaranteed to
succeed and not partially fail.
-
## Specification
-
We assume CAP-0007 is accepted.
We extend the AccountID type:
@@ -106,7 +103,6 @@ case SIGNER_KEY_TYPE_HASH_X:
```
-
`ACCOUNT_ID_TYPE_SELF` may be used generally in the body of any transaction --
not just pre-auth -- to refer to the source of a transaction (not the
operation).
@@ -116,24 +112,23 @@ signatures and there are `SIGNER_KEY_TYPE_PRE_AUTH_SELF_TX` entries, should set
the source account to `ACCOUNT_ID_TYPE_SELF` and hash it and see if there are
any matches, and treat them like a pre-auth transaction is treated otherwise.
-
## Rationale
This enables the adding of pre-auth transactions to deterministic accounts at
the time of creation.
-It also enables a general purpose shorthand for referring to the source account,
-which makes implementing certain contracts simpler (as there is no need to
-traverse the transaction and fill in all templated locations for self). This
-makes invoice creation simpler.
+It also enables a general purpose shorthand for referring to the source
+account, which makes implementing certain contracts simpler (as there is no
+need to traverse the transaction and fill in all templated locations for self).
+This makes invoice creation simpler.
An alternative approach could template more than just the source account, such
-as sequences and other fields. Such templates should be considered independently
-of this change even at the cost of potential redundancy because this feature is
-limited in scope and complexity and doesn't introduce transaction malleability
-issues. In a sense, it is not even a templating feature as it can't be used for
-anything except a self-reference -- it is purely a feature to address a hash
-cycle issue.
+as sequences and other fields. Such templates should be considered
+independently of this change even at the cost of potential redundancy because
+this feature is limited in scope and complexity and doesn't introduce
+transaction malleability issues. In a sense, it is not even a templating
+feature as it can't be used for anything except a self-reference -- it is
+purely a feature to address a hash cycle issue.
Before this proposal is finalized, it should be decided if
`SIGNER_KEY_TYPE_PRE_AUTH_SELF_TX` should be allowed to be used on non
@@ -142,14 +137,17 @@ regular accounts, but perhaps it simplifies downstream software if they do not
need to differentiate between normal and deterministic accounts.
It's also possible to not introduce a new type of pre-auth for this change, and
-just to overload the existing pre-auth to match. However, this makes preauth checking
-more expensive in many cases (because the hash needs to be recomputed with the self key).
-Furthermore, it is more explicit to use a new signer type, which makes it easier
-for spendability solvers to analyze pre-auths of both variants for pattern matching.
+just to overload the existing pre-auth to match. However, this makes preauth
+checking more expensive in many cases (because the hash needs to be recomputed
+with the self key). Furthermore, it is more explicit to use a new signer type,
+which makes it easier for spendability solvers to analyze pre-auths of both
+variants for pattern matching.
## Backwards Compatibility
+
This proposal requires updating existing APIs to accept the new key types and
updating siganture validation to handle the new pre-auth type.
## Implementation
+
No implementation yet.
diff --git a/core/cap-0009.md b/core/cap-0009.md
index f0b41b3e1..98ccf25c8 100644
--- a/core/cap-0009.md
+++ b/core/cap-0009.md
@@ -14,25 +14,25 @@ Protocol version: TBD
When we are aspiring to merge an account and remove trustlines, we need to get
our account in a predictable state. This CAP introduces Linear Accounts (or
-Exterior Immutable Accounts) which restricts an account to only allow transactions where
-the account is the source to modify the account.
+Exterior Immutable Accounts) which restricts an account to only allow
+transactions where the account is the source to modify the account.
## Abstract
Sometimes we want to be sure of exactly what the state of an account is when we
are generating certain operations: we want to know exactly how much balance
should be available, we want to know that no sequence bumps can occur
-externally, etc. Currently it's difficult to ensure this.
+externally, etc. Currently it's difficult to ensure this.
Linear Accounts are a sort of "critical section" mode for an account which
prevents outside operations from taking place.
## Motivation
-Currently, when you want to merge an account you send all of the available lumen
-balance to the merge recipient -- but what if a new payment just came in!
-They'll get more money than expected! This is ok sometimes, but usually is a big
-problem!
+Currently, when you want to merge an account you send all of the available
+lumen balance to the merge recipient -- but what if a new payment just came in!
+They'll get more money than expected! This is ok sometimes, but usually is a
+big problem!
This problem is even worse for trustlines. Trustlines have a limit. In order to
remove a trustline it must have no assets in it, otherwise it will fail. If a
@@ -44,7 +44,6 @@ to your account.
This prevents merging because all trustlines must be removed to merge.
-
## Specification
For Linear accounts, we introduce three new flags, `AUTH_EXTERIOR_IMMUTABLE`,
@@ -52,38 +51,37 @@ For Linear accounts, we introduce three new flags, `AUTH_EXTERIOR_IMMUTABLE`,
If `AUTH_EXTERIOR_IMMUTABLE` is set, then transactions which attempt to modify
the state of the account in any way are either invalid or fail (determined by
-`AUTH_EXTERIOR_IMMUTABLE_ACTION` -- set : fail, unset : invalid), unless the modification occurs as a result of
-an offer executing or a transaction with the account as the source.
-
-If `AUTH_PARTIAL_LINEAR` is set, then operations which modify the account simply
-encumber an additional signature obligation on behalf of the account being
-modified. This signature is unique in that if a EdDSA signature, it signs `SHA256(AUTH_PARTIAL_LINEAR || TX Hash || Account
-Modified)`. Such signatures replace signatures from the same key already on the
-transaction if present, and must come after all regular signatures in the
-DecoratedSignature list.
+`AUTH_EXTERIOR_IMMUTABLE_ACTION` -- set : fail, unset : invalid), unless the
+modification occurs as a result of an offer executing or a transaction with the
+account as the source.
-If `AUTH_IMMUTABLE` is set, then the flags may not be changed (continues to work
-as before). `AUTH_EXTERIOR_IMMUTABLE`, `AUTH_EXTERIOR_IMMUTABLE_ACTION`, and
-`AUTH_PARTIAL_LINEAR` may be set when `AUTH_IMMUTABLE` is set.
+If `AUTH_PARTIAL_LINEAR` is set, then operations which modify the account
+simply encumber an additional signature obligation on behalf of the account
+being modified. This signature is unique in that if a EdDSA signature, it signs
+`SHA256(AUTH_PARTIAL_LINEAR || TX Hash || Account Modified)`. Such signatures
+replace signatures from the same key already on the transaction if present, and
+must come after all regular signatures in the DecoratedSignature list.
+If `AUTH_IMMUTABLE` is set, then the flags may not be changed (continues to
+work as before). `AUTH_EXTERIOR_IMMUTABLE`, `AUTH_EXTERIOR_IMMUTABLE_ACTION`,
+and `AUTH_PARTIAL_LINEAR` may be set when `AUTH_IMMUTABLE` is set.
## Rationale
This design accomplishes several orthogonal goals:
1. Temporary suspensions of mutability (achieved via
- `AUTH_EXTERIOR_IMMUTABLE_ACTION=invalid`) which is assumed to
- quickly resume. This allowss for whatever critical section to be handled
- without needing to re-sign transactions
+ `AUTH_EXTERIOR_IMMUTABLE_ACTION=invalid`) which is assumed to quickly
+ resume. This allowss for whatever critical section to be handled without
+ needing to re-sign transactions
1. Permanent suspensions of mutability (achieved via
- `AUTH_EXTERIOR_IMMUTABLE_ACTION=fail`) which permanently
- prevents the transaction from succeeding.
+ `AUTH_EXTERIOR_IMMUTABLE_ACTION=fail`) which permanently prevents the
+ transaction from succeeding.
1. Receiver-approved transactions via `AUTH_PARTIAL_LINEAR`/not invalidating
things which have already been signed via a pre-signed transaction.
-1. Provides a mechanism (via `AUTH_IMMUTABLE`) to prove that this will *never*
+1. Provides a mechanism (via `AUTH_IMMUTABLE`) to prove that this will _never_
be enabled.
-
The EdDSA signatures are special cased to include the account they are signing
on to prevent the 'confused deputy' from accidentally authorizing a transaction
linearization where it was not desired. It is not particularly expensive given
@@ -91,19 +89,17 @@ the mandate that 'confused deputy safe' signatures come after regular
signatures. If a future CAP eliminates confused deputy issue, then these
signatures shall still be required to explicitly approve the partial linearity.
-
## Backwards Compatibility
-At first glance, it may seem like this introduces many new ways for transactions
-to fail or be invalid. But it does not, because simply merging an account has
-the same types of effects -- if the source account of an operation doesn't
-exist, then the transaction is invalid, and if the destination of an operation
-doesn't exist, then the transaction fails.
+At first glance, it may seem like this introduces many new ways for
+transactions to fail or be invalid. But it does not, because simply merging an
+account has the same types of effects -- if the source account of an operation
+doesn't exist, then the transaction is invalid, and if the destination of an
+operation doesn't exist, then the transaction fails.
Therefore this doesn't materially impact the status quo, other than making it
possible/easier for developers to control accounts.
-
## Implementation
None yet.
diff --git a/core/cap-0010.md b/core/cap-0010.md
index b809a2c7e..d1c5364ca 100644
--- a/core/cap-0010.md
+++ b/core/cap-0010.md
@@ -13,30 +13,30 @@ Protocol version: TBD
## Simple Summary
Transactions get stuck because of insufficient fee sometimes, especially if the
-protocol changes!
+protocol changes!
We partially address this with fee-bumping account.
## Abstract
-Transactions get stuck either because of insufficient fees being paid or because
-min fees increase.
+Transactions get stuck either because of insufficient fees being paid or
+because min fees increase.
CAP-10 specifies a 64 bit fee-only account (denominated in basefees) which can
be used to bump subsequent transactions from the account.
+
## Motivation
In protocols which transactions are presigned or preauth for long durations,
it's a major headache if they can't get in because of fee insuficiency. CAP-05
-helps with this issue a bit, but doesn't fully address the issue for when things
-are truly stuck because they are now invalid.
-
+helps with this issue a bit, but doesn't fully address the issue for when
+things are truly stuck because they are now invalid.
## Specification
-
We extend the Account with a `fee_balance` account. `fee_balance` is a receive
only account.
+
```c++
struct AccountEntry
{
@@ -78,11 +78,11 @@ Transactions should not be rejected for insufficient fee before querying to see
if a `fee_balance` exists and might cover the transaction.
When a transaction executes for a given source account, it bids a fee of `fee`.
-In this case, the fee is first charged to the account and then any excess to the
+In this case, the fee is first charged to the account and then any excess to
+the `fee_balance`. If the `fee` is insufficient for a given ledger, it then
+bids a fee of `fee + fee_balance`. In this case, an amount `fee` paid is first
+charged against the account, and then any excess is charged against the
`fee_balance`.
-If the `fee` is insufficient for a given ledger, it then bids a fee of `fee +
-fee_balance`. In this case, an amount `fee` paid is first charged against the
-account, and then any excess is charged against the `fee_balance`.
On merge, the fees are forwarded to the `fee_balance` of the merge target.
@@ -173,38 +173,35 @@ The semantics of which are as follows:
If the account does not exist, nothing happens.
-If the account sequence number is greater than `unless_passed`, nothing happens.
+If the account sequence number is greater than `unless_passed`, nothing
+happens.
Otherwise, `min(op.amount, op.source.balance - op.source.reserved)` is deducted
from the source account and added to the destination's `fee_balance`.
-
-
## Rationale
-It's not too expensive to add new entries to accounts, so we add a full 64 bits.
-Alternatively, we could store a separate table for accounts with a
+It's not too expensive to add new entries to accounts, so we add a full 64
+bits. Alternatively, we could store a separate table for accounts with a
`fee_balance` as a subentry, but this is an implementer's choice.
-
-We don't allow to recover the funds from the `fee_balance`, but we do allow them
-to transfer during merge. This is a sort of "fee monad", which prevents
+We don't allow to recover the funds from the `fee_balance`, but we do allow
+them to transfer during merge. This is a sort of "fee monad", which prevents
malapropriation of fee subsidies paid by third parties.
We asess fees against the account's balance first because the `fee_balance`
should only be touched in cases where the balance was insufficient to cover the
-expressed transaction fee, or the expressed transaction fee was insufficient for
-inclusion.
+expressed transaction fee, or the expressed transaction fee was insufficient
+for inclusion.
## Backwards Compatibility
+Transactions which don't pay base fee rate must now query to see if a
+fee_balance exists rather than being outright invalid.
-Transactions which don't pay base fee rate must now query to see if a fee_balance
-exists rather than being outright invalid.
-
-Previously, a user might expect that transactions signed with 0 fee would not be
-valid. Under this proposal, they may be. This doesn't really change the status
-quo because users are not given a guarantee about transaction fees never
+Previously, a user might expect that transactions signed with 0 fee would not
+be valid. Under this proposal, they may be. This doesn't really change the
+status quo because users are not given a guarantee about transaction fees never
decreasing.
## Implementation
diff --git a/core/cap-0011.md b/core/cap-0011.md
index df4babc2e..626fc197b 100644
--- a/core/cap-0011.md
+++ b/core/cap-0011.md
@@ -12,34 +12,36 @@ Protocol version: TBD
## Simple Summary
-This CAP introduces a locking signer which allows for relative time locks of accounts.
+This CAP introduces a locking signer which allows for relative time locks of
+accounts.
## Abstract
-In stellar, transactions are allowed to condition their validity based on time. However,
-because time is defined to be absolute, and the time at which events are confirmed into the
-ledger are non-deterministic, this makes it difficult to reason about the scheduling of events
-in complex contracts. Furthermore, transaction validity ranges don't exclude the possibility
-of another transaction with a different time range being availabke,
+In stellar, transactions are allowed to condition their validity based on time.
+However, because time is defined to be absolute, and the time at which events
+are confirmed into the ledger are non-deterministic, this makes it difficult to
+reason about the scheduling of events in complex contracts. Furthermore,
+transaction validity ranges don't exclude the possibility of another
+transaction with a different time range being availabke,
-
-To address this partially, we introduce the notion of a time lock at the account
-level which may be absolute or relative. This construct provides flexibility for
-contract designers to sequence time based events easily and circumvent the need
-for periodic updates in time based protocols.
+To address this partially, we introduce the notion of a time lock at the
+account level which may be absolute or relative. This construct provides
+flexibility for contract designers to sequence time based events easily and
+circumvent the need for periodic updates in time based protocols.
## Motivation
Currently, transactions may specify a valid after and valid before date range.
-However, this range is absolute so it does not permit protocols that specify for
-some action to happen *after* another action without knowledge of the exact
-timing. This makes writing channel protocols difficult as they typically require
-periodic updates. See
+However, this range is absolute so it does not permit protocols that specify
+for some action to happen _after_ another action without knowledge of the exact
+timing. This makes writing channel protocols difficult as they typically
+require periodic updates. See
[here](https://www.stellar.org/blog/lightning-on-stellar-roadmap/).
A relative timeout signer
## Specification
+
```c++
enum SignerKeyType
{
@@ -85,15 +87,15 @@ case SIGNER_KEY_TYPE_TIMEOUT:
When a timeout key is added to an account, the accounts seuence number may not
be increased until the current ledger sequence and most recent close time are
both greater than or equal to the times specified in the
-`SIGNER_KEY_TYPE_TIMEOUT`. The `actual_` fields may be set to an arbitrary value
-and are filled in upon receipt of the relative locktime with the actual computed
-time. The `original_` fields are set to the `actual_` fields value before they are modified. Transactions where the account is not the source may still succeed while
-the timeout is present unless otherwise specified.
-
+`SIGNER_KEY_TYPE_TIMEOUT`. The `actual_` fields may be set to an arbitrary
+value and are filled in upon receipt of the relative locktime with the actual
+computed time. The `original_` fields are set to the `actual_` fields value
+before they are modified. Transactions where the account is not the source may
+still succeed while the timeout is present unless otherwise specified.
If the relative seq and time flags are set then when the entry is added the
timeout is computed relative to the execution time of the transaction adding
-it. For example, were it to be 100 ledgers relatively and it was added at
+it. For example, were it to be 100 ledgers relatively and it was added at
ledger 64534, then the next sequence adjusting transaction could happen at
ledger 64634.
@@ -101,37 +103,33 @@ If the REMOVABLE flag is set, then the timeout may be removed by a transaction
which has a different source account. If it is not set, the timeout may not be
removed until it has matured.
-If `NO_AUTOREMOVE` is set, then the key does not delete itself automatically off
-of the account once satisfied. If it is unset, the signer removes itself
-automatically once satisfied. To manually remove a relative signer, it should be
-referred to with the `original_` fields set to the `acutal_` value it was set to be
-when added.
-
-If `ONLY_BUMPSEQ` is set, then the only operation that may use the account as a source
-is a BUMPSEQ.
-
-If `NO_BUMPSEQ` is set, then BUMPSEQ may not use the account as a source of an operation.
-
-If `ALLOW_MID` or `ALLOW_HI` are set, then the timeout may be overrided by a MID
-or HIGH threshold set of signers. `ALLOW_LOW` option is provided even though in *most*
-cases it is useless. However, if the account is set to have signers below the threshold,
-and a contract path has the effect of decreasing the threshold, perhaps it is desired to
-then ignore the timeout.
-
+If `NO_AUTOREMOVE` is set, then the key does not delete itself automatically
+off of the account once satisfied. If it is unset, the signer removes itself
+automatically once satisfied. To manually remove a relative signer, it should
+be referred to with the `original_` fields set to the `acutal_` value it was
+set to be when added.
+If `ONLY_BUMPSEQ` is set, then the only operation that may use the account as a
+source is a BUMPSEQ.
+If `NO_BUMPSEQ` is set, then BUMPSEQ may not use the account as a source of an
+operation.
+If `ALLOW_MID` or `ALLOW_HI` are set, then the timeout may be overrided by a
+MID or HIGH threshold set of signers. `ALLOW_LOW` option is provided even
+though in _most_ cases it is useless. However, if the account is set to have
+signers below the threshold, and a contract path has the effect of decreasing
+the threshold, perhaps it is desired to then ignore the timeout.
## Rationale
-
This design covers the various use cases discussed for timeouts.
For example, in a ratchet account for starlight channels, you Bump Sequence and
then add a relative timeout of the desired period. This gives the counterparty
-sufficient time to come online to counterclaim. The relative timeout removes the
-need to periodically sign update transactions. This improves the security and
-simplicity of channel implementations.
+sufficient time to come online to counterclaim. The relative timeout removes
+the need to periodically sign update transactions. This improves the security
+and simplicity of channel implementations.
Strictly speaking, for this use case we minimally need the relative timeout
version of only one time field (ledger sequence or time), and do not need the
@@ -140,15 +138,14 @@ signer reserves reserved until the end of the protocol.
If allowed to be set though, the other options allow for a more flexible model
for contracting with timeouts between when certain operations may take place.
-BUMPSEQ is exempted by default if the account should be restricted for outside
+BUMPSEQ is exempted by default if the account should be restricted for outside
operations, given that it's standard use is for timeout based protocols.
-
The complexity around the swapping of the `original_` and `actual_` values
-allows for a contract designer to have a time invariant identifier for identical
-relative timeouts added at different times. Without this, removing timeouts
-could only be done by transactions which are signed after observing the relative
-times computed.
+allows for a contract designer to have a time invariant identifier for
+identical relative timeouts added at different times. Without this, removing
+timeouts could only be done by transactions which are signed after observing
+the relative times computed.
## Backwards Compatibility
@@ -156,8 +153,9 @@ The signer is 32 bytes so should be compatible.
Old software must be able to understand when an account is locked.
-Technically, this change is equivalent to removing keys from an account from the perspective of another account.
+Technically, this change is equivalent to removing keys from an account from
+the perspective of another account.
+
## Implementation
None yet.
-
diff --git a/core/cap-0012.md b/core/cap-0012.md
index 684a34b8d..ab309d595 100644
--- a/core/cap-0012.md
+++ b/core/cap-0012.md
@@ -12,18 +12,17 @@ Protocol version: TBD
## Simple Summary
-Allow an account to be created with deterministic sequence numbers and
-proofs of the creating transaction.
+Allow an account to be created with deterministic sequence numbers and proofs
+of the creating transaction.
## Abstract
-Allow a new type of account to be created whose name is a
-deterministic function of the source account and sequence number of
-the creating transaction and whose sequence numbers are deterministic.
-Such deterministic accounts also contain a creation time and the
-transaction id of the creating account, allowing transactions to
-verify that an account was created at least some time in the past and
-that it was created by a specific account.
+Allow a new type of account to be created whose name is a deterministic
+function of the source account and sequence number of the creating transaction
+and whose sequence numbers are deterministic. Such deterministic accounts also
+contain a creation time and the transaction id of the creating account,
+allowing transactions to verify that an account was created at least some time
+in the past and that it was created by a specific account.
## Motivation
@@ -33,35 +32,33 @@ The goal is to enable several usage patterns:
- Sign transactions on an account that doesn't exist yet.
-- Allow arbitrarily nested pre-auth transactions that create accounts
- that have pre-auth transactions that create accounts and so forth.
+- Allow arbitrarily nested pre-auth transactions that create accounts that have
+ pre-auth transactions that create accounts and so forth.
-- If two operations in the same transaction both have such nested
- accounts with pre-auth transactions, the most deeply nested accounts
- resulting from the two operations should be able to reference each
- other's issued assets.
+- If two operations in the same transaction both have such nested accounts with
+ pre-auth transactions, the most deeply nested accounts resulting from the two
+ operations should be able to reference each other's issued assets.
-- Require that one disclose the intent to execute a transaction some
- minimum time before actually executing the transaction.
+- Require that one disclose the intent to execute a transaction some minimum
+ time before actually executing the transaction.
-- Pay the fee for another transaction if the original transaction's
- fee is too low.
+- Pay the fee for another transaction if the original transaction's fee is too
+ low.
## Specification
### Deterministic accounts
-There are now two ways to create an account: the original
-`CREATE_ACCOUNT` operation and a new `CREATE_DET_ACCOUNT` that creates
-an account whose sequence number is deterministically initialized to
-0x100000000 (2^{32}). A deterministically-created account has the
-current transaction automatically added as a pre-auth transaction,
-allowing the current transaction to add signers and otherwise
-manipulate options on the account. The public key specified in the
-account creation operation also gets added to the newly created
-account with signer weight 255.
-
-~~~ {.c}
+There are now two ways to create an account: the original `CREATE_ACCOUNT`
+operation and a new `CREATE_DET_ACCOUNT` that creates an account whose sequence
+number is deterministically initialized to 0x100000000 (2^{32}). A
+deterministically-created account has the current transaction automatically
+added as a pre-auth transaction, allowing the current transaction to add
+signers and otherwise manipulate options on the account. The public key
+specified in the account creation operation also gets added to the newly
+created account with signer weight 255.
+
+```{.c}
enum OperationType
{
/* ... */
@@ -110,16 +107,16 @@ case CREATE_ACCOUNT_SUCCESS:
default:
void;
};
-~~~
+```
### Modifications to `AccountID`
-There are now two account types, depending on how the account was
-created. To simplify the XDR, we also propose merging the public key,
-account type, and signer type constants into a single `enum`, since it
-will be convenient to keep the constants distinct.
+There are now two account types, depending on how the account was created. To
+simplify the XDR, we also propose merging the public key, account type, and
+signer type constants into a single `enum`, since it will be convenient to keep
+the constants distinct.
-~~~ {.c}
+```{.c}
enum AccountOrSigner {
// A Key can name a signer or an account (or both)
KEY_ED25519 = 0,
@@ -146,20 +143,19 @@ struct CreatorSeqPayload {
SequenceNumber seqNum; // Sequence number of tx creating account
unsigned opIndex; // Index of operation that created account
};
-~~~
+```
### Changes to `AccountEntry`
-Each newly created account now contains two extra pieces of
-information:
+Each newly created account now contains two extra pieces of information:
-* The transaction ID of the transaction that created the account (a
- hash of `TransactionSignaturePayload` for that transaction), and
+- The transaction ID of the transaction that created the account (a hash of
+ `TransactionSignaturePayload` for that transaction), and
-* The creation time of the account (`closeTime` from the ledger in
- which the creation transaction ran).
+- The creation time of the account (`closeTime` from the ledger in which the
+ creation transaction ran).
-~~~ {.c}
+```{.c}
struct AccountEntry {
/* ... */
// reserved for future use
@@ -183,16 +179,16 @@ struct AccountEntry {
}
ext;
};
-~~~
+```
### `CHECK_ACCOUNT`
-A new `CHECK_ACCOUNT` operation has no side effects, but is invalid if
-the source account does not exist or does not meet certain criteria.
-The `CHECK_ACCOUNT` operation does not require a signature from the
-operation's source account.
+A new `CHECK_ACCOUNT` operation has no side effects, but is invalid if the
+source account does not exist or does not meet certain criteria. The
+`CHECK_ACCOUNT` operation does not require a signature from the operation's
+source account.
-~~~ {.c}
+```{.c}
enum AccountConditionType {
ACC_MIN_AGE = 1,
ACC_CREATOR = 2,
@@ -216,118 +212,111 @@ struct AccountCondition switch (AccountConditionType type) {
typedef AccountConditionType CheckAccountOp<2>;
// Returns void, since it can never fail
-~~~
-
-Note that `CHECK_ACCOUNT` affects the validity of a transaction. In
-particular, a transaction is always invalid if the `sourceAccount` of
-a `CHECK_ACCOUNT` operation does not exist or does not satisfy the
-specified conditions at the time of transaction validation. Note,
-however, that this is different from guaranteeing that `CHECK_ACCOUNT`
-never fails. In particular, a set of transactions could be ordered so
-as to delete or modify the `sourceAccount`, making a previously valid
-`CHECK_ACCOUNT` operation fail. In that case the enclosing
-transaction will fail, consuming a fee and sequence number.
-
-Higher-level protocols may depend on a transaction with a
-`CHECK_ACCOUNT` operation not failing. To ensure the operation does
-not fail, such a protocol must ensure monotonicity of the
-conditions--in other words, an untrustworthy party may have the power
-to make the condition true (rendering the transaction valid), but must
-not subsequently have the power to make the condition false.
-
-If transaction _C_ refers to transaction _P_ using an `ACC_SEQ_MIN`
-condition, and _C_'s sequence number is one less than `seqMin`, then
-any extra fees in _C_ can contribute to executing _P_ if _P_ does not
-have a sufficient `fee`. This solves the problem of insufficient fees
-on a transaction that cannot be resigned.
+```
+
+Note that `CHECK_ACCOUNT` affects the validity of a transaction. In particular,
+a transaction is always invalid if the `sourceAccount` of a `CHECK_ACCOUNT`
+operation does not exist or does not satisfy the specified conditions at the
+time of transaction validation. Note, however, that this is different from
+guaranteeing that `CHECK_ACCOUNT` never fails. In particular, a set of
+transactions could be ordered so as to delete or modify the `sourceAccount`,
+making a previously valid `CHECK_ACCOUNT` operation fail. In that case the
+enclosing transaction will fail, consuming a fee and sequence number.
+
+Higher-level protocols may depend on a transaction with a `CHECK_ACCOUNT`
+operation not failing. To ensure the operation does not fail, such a protocol
+must ensure monotonicity of the conditions--in other words, an untrustworthy
+party may have the power to make the condition true (rendering the transaction
+valid), but must not subsequently have the power to make the condition false.
+
+If transaction _C_ refers to transaction _P_ using an `ACC_SEQ_MIN` condition,
+and _C_'s sequence number is one less than `seqMin`, then any extra fees in _C_
+can contribute to executing _P_ if _P_ does not have a sufficient `fee`. This
+solves the problem of insufficient fees on a transaction that cannot be
+resigned.
## Rationale
-These mechanisms solve a bunch of issues that come up in the context
-of payment channels. Because there are competing proposals already
-(CAP-0007 and CAP-0008), this document adopts the rationale of those
-documents by reference unless and until the protocol working group
-decides to move forward with account aliases.
+These mechanisms solve a bunch of issues that come up in the context of payment
+channels. Because there are competing proposals already (CAP-0007 and
+CAP-0008), this document adopts the rationale of those documents by reference
+unless and until the protocol working group decides to move forward with
+account aliases.
## Backwards Compatibility
-The data structures are all backwards compatible. However, the author
-suggests moving keys, account IDs and account aliases into a single
-namespace, namely the `AccountOrSigner` enum. There's nothing wrong
-with having unions that don't allow every value in an enum. By
-contrast, it will get confusing if we use multiple enums and try to
-keep all of their values in sync.
+The data structures are all backwards compatible. However, the author suggests
+moving keys, account IDs and account aliases into a single namespace, namely
+the `AccountOrSigner` enum. There's nothing wrong with having unions that don't
+allow every value in an enum. By contrast, it will get confusing if we use
+multiple enums and try to keep all of their values in sync.
## Example
-Consider a payment channel funded by an initial transaction TI, and
-intended to be closed by the last in a series of transactions T_1,
-T_2, ..., T_n. The channel will also involve a special declaration
-transaction TD that can be executed by any participant who wants to
-close the channel unilaterally. The T_i transactions can only be
-executed some time (e.g., 24 hours) after TD has been executed.
-Finally, for each T_i and user u, the participants sign a revocation
-transaction RT_{u,i} that allows user u to invalidate all T_j with j <
-i.
+Consider a payment channel funded by an initial transaction TI, and intended to
+be closed by the last in a series of transactions T*1, T_2, ..., T_n. The
+channel will also involve a special declaration transaction TD that can be
+executed by any participant who wants to close the channel unilaterally. The
+T_i transactions can only be executed some time (e.g., 24 hours) after TD has
+been executed. Finally, for each T_i and user u, the participants sign a
+revocation transaction RT*{u,i} that allows user u to invalidate all T_j with j
+< i.
-The participants first create TI, but do not sign it. Then they
-create, sign, and exchange TD, T_1, and RT_{u,1} for all u. Finally,
-the users sign and submit TI to place funds in escrow and make TD
-valid to submit.
+The participants first create TI, but do not sign it. Then they create, sign,
+and exchange TD, T*1, and RT*{u,1} for all u. Finally, the users sign and
+submit TI to place funds in escrow and make TD valid to submit.
-From this point forward, at each step i, the participants create and
-sign T_i, and after obtaining a signed T_i, sign R_{u,i} for each user
-u.
+From this point forward, at each step i, the participants create and sign T*i,
+and after obtaining a signed T_i, sign R*{u,i} for each user u.
-To close the channel unilaterally when T_i is the latest transaction,
-user u submits TD and R_{u,i}. Should any user u' believe T_j is
-valid for j>i, that user submits RT_{u',j} so as to invalidate T_i.
-Finally, 24 hours after TD has executed, any user can submit T_i (or
-T_j if j > i).
+To close the channel unilaterally when T*i is the latest transaction, user u
+submits TD and R*{u,i}. Should any user u' believe T*j is valid for j>i, that
+user submits RT*{u',j} so as to invalidate T_i. Finally, 24 hours after TD has
+executed, any user can submit T_i (or T_j if j > i).
-In constructing transactions for the channel, we will use the
-following accounts:
+In constructing transactions for the channel, we will use the following
+accounts:
-* D -- a declaration account, deterministically created from F, whose
- existence declares that some user has intent to close the channel.
+- D -- a declaration account, deterministically created from F, whose existence
+ declares that some user has intent to close the channel.
-* E -- an escrow account deterministically created by TI, with n-of-n
- multisig for all parties.
+- E -- an escrow account deterministically created by TI, with n-of-n multisig
+ for all parties.
-* F -- a fee account, also created by TI, also with n-of-n multisig
- for all parties, containing only as many XLM as channel owners are
- willing to pay to execute a transaction.
+- F -- a fee account, also created by TI, also with n-of-n multisig for all
+ parties, containing only as many XLM as channel owners are willing to pay to
+ execute a transaction.
The transactions are then constructed as follows:
-* TI deterministically creates and funds E and F.
-
-* TD has source account F, sequence number 2^{32}+1, and a very high
- fee (so that in the event of rising fees, any user can add funds to
- F to make TD go through). It has the following operations:
- - Deterministically create account D
- - Move enough XLM from E to F for another transaction
-
-* T_i has source account F and sequence number 2^{32}+3+i, a very high
- fee, and the following operations:
- - CHECK_ACCOUNT: ensure D has existed at least 24 hours
- - MERGE_ACCOUNT: D into E
- - MERGE_ACCOUNT: F into E
- - Whatever is needed to disburse funds after termination at step i
- - Note that if T_i is actually a series of k transactions, then
- the sequence should start at 2^{32}+3+ki and only the last
- transaction should merge the accounts.
-
-* R_{u,i} has a source account that belongs to u, a high fee (so u can
- increase the balance of that account as necessary to pay arbitrarily
- high fees), and the following operations:
- - CHECK_ACCOUNT: make sure D exists
- - BUMP_SEQUENCE E to 2^{32}+3+i (or 2^{32}+3+ki if k > 1)
-
-Note that this protocol satisfies the monotonicity property: Once
-account D exists, it cannot be deleted except by collaboration of all
-the users. Hence, the `CHECK_ACCOUNT` operations will never cause T_i
-or R_{u,i} to fail, only to be invalid.
+- TI deterministically creates and funds E and F.
+
+- TD has source account F, sequence number 2^{32}+1, and a very high fee (so
+ that in the event of rising fees, any user can add funds to F to make TD go
+ through). It has the following operations:
+ - Deterministically create account D
+ - Move enough XLM from E to F for another transaction
+
+- T_i has source account F and sequence number 2^{32}+3+i, a very high fee, and
+ the following operations:
+ - CHECK_ACCOUNT: ensure D has existed at least 24 hours
+ - MERGE_ACCOUNT: D into E
+ - MERGE_ACCOUNT: F into E
+ - Whatever is needed to disburse funds after termination at step i
+ - Note that if T_i is actually a series of k transactions, then the sequence
+ should start at 2^{32}+3+ki and only the last transaction should merge the
+ accounts.
+
+- R\_{u,i} has a source account that belongs to u, a high fee (so u can
+ increase the balance of that account as necessary to pay arbitrarily high
+ fees), and the following operations:
+ - CHECK_ACCOUNT: make sure D exists
+ - BUMP_SEQUENCE E to 2^{32}+3+i (or 2^{32}+3+ki if k > 1)
+
+Note that this protocol satisfies the monotonicity property: Once account D
+exists, it cannot be deleted except by collaboration of all the users. Hence,
+the `CHECK_ACCOUNT` operations will never cause T*i or R*{u,i} to fail, only to
+be invalid.
## Implementation
diff --git a/core/cap-0013.md b/core/cap-0013.md
index ac91429cd..a04358a9a 100644
--- a/core/cap-0013.md
+++ b/core/cap-0013.md
@@ -12,29 +12,70 @@ Protocol version: TBD
## Rejected
-Superceded by [CAP23](https://github.com/stellar/stellar-protocol/blob/master/core/cap-0023.md)
+Superceded by
+[CAP23](https://github.com/stellar/stellar-protocol/blob/master/core/cap-0023.md)
## Simple Summary
-This proposal would rename trustlines to "balances", and would add operations allowing any account to add a balance to any other account (as long as they also send the `base reserve` lumens to support that newly added balance), and to remove any of its own balances (including ones where the issuer has frozen the balance). It also adds an ALLOW_ADD_BALANCE flag to accounts, which, if unset, means that AddBalance operations that set that account as the `destination` will fail.
-
-This proposal would bring the behavior of Stellar assets and accounts somewhat closer to the behavior of ERC20 tokens on Ethereum, where, by default, any asset can be sent to any user without permission. Under these principles, any asset-specific differentiatxion from these rules should be enforced by the asset issuer, via the AUTHORIZATION_REQUIRED flag (or other flags we may introduce, such as co-signed assets or [immutable accounts](https://github.com/stellar/stellar-protocol/pull/210)). Any account-specific differentiation should be enforced by the ALLOW_ADD_BALANCE flag.
+This proposal would rename trustlines to "balances", and would add operations
+allowing any account to add a balance to any other account (as long as they
+also send the `base reserve` lumens to support that newly added balance), and
+to remove any of its own balances (including ones where the issuer has frozen
+the balance). It also adds an ALLOW_ADD_BALANCE flag to accounts, which, if
+unset, means that AddBalance operations that set that account as the
+`destination` will fail.
+
+This proposal would bring the behavior of Stellar assets and accounts somewhat
+closer to the behavior of ERC20 tokens on Ethereum, where, by default, any
+asset can be sent to any user without permission. Under these principles, any
+asset-specific differentiatxion from these rules should be enforced by the
+asset issuer, via the AUTHORIZATION_REQUIRED flag (or other flags we may
+introduce, such as co-signed assets or
+[immutable accounts](https://github.com/stellar/stellar-protocol/pull/210)).
+Any account-specific differentiation should be enforced by the
+ALLOW_ADD_BALANCE flag.
## Motivation
-This makes it easier for an issuer, exchange, or other service provider to send new assets to users without any interaction from that user. [SEP-0013](https://github.com/stellar/stellar-protocol/pull/205) is an alternative partial solution to this problem that does not involve protocol changes.
-
-The RemoveBalance operation also fixes some quirks in how the existing protocol handles merging accounts. Right now, it is impossible to presign or preauthorize transactions that will reliably merge an account into another account, because there is no way to reliably remove trustlines (since a ChangeTrust operation to remove a trustline can be foiled by anyone else sending you the asset) or merge accounts that still have trustlines. Additionally, in the current protocol, any issuer with which you have a trustline can make it impossible to merge your account, simply by freezing that asset. This would prevent you from recovering the `2*base reserve` XLM for the account as well as the `1*base reserve` XLM for that asset. (If we end up rejecting this proposal, we could create a new proposal that would solve these issues in a different way.)
+This makes it easier for an issuer, exchange, or other service provider to send
+new assets to users without any interaction from that user.
+[SEP-0013](https://github.com/stellar/stellar-protocol/pull/205) is an
+alternative partial solution to this problem that does not involve protocol
+changes.
+
+The RemoveBalance operation also fixes some quirks in how the existing protocol
+handles merging accounts. Right now, it is impossible to presign or
+preauthorize transactions that will reliably merge an account into another
+account, because there is no way to reliably remove trustlines (since a
+ChangeTrust operation to remove a trustline can be foiled by anyone else
+sending you the asset) or merge accounts that still have trustlines.
+Additionally, in the current protocol, any issuer with which you have a
+trustline can make it impossible to merge your account, simply by freezing that
+asset. This would prevent you from recovering the `2*base reserve` XLM for the
+account as well as the `1*base reserve` XLM for that asset. (If we end up
+rejecting this proposal, we could create a new proposal that would solve these
+issues in a different way.)
## Specification
### General changes
-Rename "trustline" to "balance" in the documentation, internal implementations, and newly created operations. Horizon's API already uses "Balances" to refer to trustlines. Any external APIs that currently use the term "Trustline" or "Lines" (particularly including the ChangeTrust and AllowTrust ops) should not be changed.
+Rename "trustline" to "balance" in the documentation, internal implementations,
+and newly created operations. Horizon's API already uses "Balances" to refer to
+trustlines. Any external APIs that currently use the term "Trustline" or
+"Lines" (particularly including the ChangeTrust and AllowTrust ops) should not
+be changed.
-The concept of limits on balances is deprecated, and we clearly communicate our intention to remove it in the future (in favor of all Balances having the "max" limit).
+The concept of limits on balances is deprecated, and we clearly communicate our
+intention to remove it in the future (in favor of all Balances having the "max"
+limit).
-The Change Trust operation is deprecated. Removing it from the protocol (even years after being deprecated) may not be worth the potential cost, but we should clearly discourage its use, and encourage users to use AddBalance even for adding balances to their own accounts. (To make this easier, SDKs could set the `destination` on AddBalance to be `sourceAccount` by default, if no destination is provided.)
+The Change Trust operation is deprecated. Removing it from the protocol (even
+years after being deprecated) may not be worth the potential cost, but we
+should clearly discourage its use, and encourage users to use AddBalance even
+for adding balances to their own accounts. (To make this easier, SDKs could set
+the `destination` on AddBalance to be `sourceAccount` by default, if no
+destination is provided.)
## New Operations
@@ -48,13 +89,19 @@ struct AddBalanceOp
};
```
-If `destination` does not have a balance for `asset`, the operation transfers base_reserve XLM from `sourceAccount` to `destination` (unless `sourceAccount` and `destination` are the same), and adds a balance for `asset` to `destination`.
+If `destination` does not have a balance for `asset`, the operation transfers
+base_reserve XLM from `sourceAccount` to `destination` (unless `sourceAccount`
+and `destination` are the same), and adds a balance for `asset` to
+`destination`.
-If `asset` has the AUTHORIZATION_REQUIRED flag, the trustline's authorized flag is initialized to false.
+If `asset` has the AUTHORIZATION_REQUIRED flag, the trustline's authorized flag
+is initialized to false.
-If `destination` already has a balance for `asset`, this operation does nothing.
+If `destination` already has a balance for `asset`, this operation does
+nothing.
-If `destination` has the ALLOW_ADD_BALANCE flag set to false, the operation fails.
+If `destination` has the ALLOW_ADD_BALANCE flag set to false, the operation
+fails.
#### RemoveBalance
@@ -65,36 +112,78 @@ struct AddBalanceOp
};
```
-Removes the `asset` balance from `sourceAccount`, sending any tokens stored in that balance to the issuer (i.e., burning them).
-If there is no balance for `asset` on `sourceAccount`, this operation does nothing.
-If there is a balance, this operation works regardless of whether the balance has the `authorized` flag set.
+Removes the `asset` balance from `sourceAccount`, sending any tokens stored in
+that balance to the issuer (i.e., burning them). If there is no balance for
+`asset` on `sourceAccount`, this operation does nothing. If there is a balance,
+this operation works regardless of whether the balance has the `authorized`
+flag set.
-This (unlike ChangeTrust) allows an account to successfully remove a balance even if the issuer has frozen it or if some third party has unexpectedly sent some tokens to it, thus fixing two of the warts in the current protocol.
+This (unlike ChangeTrust) allows an account to successfully remove a balance
+even if the issuer has frozen it or if some third party has unexpectedly sent
+some tokens to it, thus fixing two of the warts in the current protocol.
### New account flags
#### ALLOW_ADD_BALANCE
-This account flag, if set to false, prevents the AddBalance operation from adding balances to the account.
+This account flag, if set to false, prevents the AddBalance operation from
+adding balances to the account.
-This flag is set to true on accounts that are created after the protocol change takes effect. It is set to false on accounts that already existed before the protocol change takes effect.
+This flag is set to true on accounts that are created after the protocol change
+takes effect. It is set to false on accounts that already existed before the
+protocol change takes effect.
-This flag is necessary for some special cases because otherwise, when merging an account, any other user would be able to cause the merge to fail by using AddBalance to add some balance to your account. Wallets can use this flag to stop new balances from being added to an account, which gives them an opportunity to remove all existing balances with [RemoveBalance](#removebalance) before merging the account. This flag can also be set to false when an account is initially created, if that account will be used in any deterministic protocols that rely on AccountMerge working successfully.
+This flag is necessary for some special cases because otherwise, when merging
+an account, any other user would be able to cause the merge to fail by using
+AddBalance to add some balance to your account. Wallets can use this flag to
+stop new balances from being added to an account, which gives them an
+opportunity to remove all existing balances with
+[RemoveBalance](#removebalance) before merging the account. This flag can also
+be set to false when an account is initially created, if that account will be
+used in any deterministic protocols that rely on AccountMerge working
+successfully.
## Backwards Compatibility
-The ability to add balances to other users' accounts is a significant conceptual change in the protocol.
-
-Wallet software will have to be changed to correctly notice third-party addition of new balances to the account. Any lumen-only wallet (which previously was assured that the account it managed would not receive unexpected assets) will have to make a choice whether to support additional assets, or just ignore any incoming payments of other assets. Any wallets that fully support the AccountMerge operation will need to add support for locking the account and removing any stray balances before merging the account.
-
-Any protocol that relies on the deterministic behavior of AccountMerge will need to be changed. One such protocol is Starlight, which currently merges the channel accounts into a wallet account as the last step of the protocol, but we have already decided to remove AccountMerge from that protocol, in favor of setting the options on the channel accounts to give the recipient control over them. I am not aware of any other protocols that use AccountMerge (and it would be unwise for them to do so in most cases, since AccountMerge can already be caused to fail by the issuers of any assets that have trustlines on that account). Setting the ALLOW_ADD_BALANCE flag to false on all existing accounts should also reduce any compatibility issues caused by this change.
-
-I can't currently think of other ways that these changes could upset reasonable expectations, but the community might raise some.
+The ability to add balances to other users' accounts is a significant
+conceptual change in the protocol.
+
+Wallet software will have to be changed to correctly notice third-party
+addition of new balances to the account. Any lumen-only wallet (which
+previously was assured that the account it managed would not receive unexpected
+assets) will have to make a choice whether to support additional assets, or
+just ignore any incoming payments of other assets. Any wallets that fully
+support the AccountMerge operation will need to add support for locking the
+account and removing any stray balances before merging the account.
+
+Any protocol that relies on the deterministic behavior of AccountMerge will
+need to be changed. One such protocol is Starlight, which currently merges the
+channel accounts into a wallet account as the last step of the protocol, but we
+have already decided to remove AccountMerge from that protocol, in favor of
+setting the options on the channel accounts to give the recipient control over
+them. I am not aware of any other protocols that use AccountMerge (and it would
+be unwise for them to do so in most cases, since AccountMerge can already be
+caused to fail by the issuers of any assets that have trustlines on that
+account). Setting the ALLOW_ADD_BALANCE flag to false on all existing accounts
+should also reduce any compatibility issues caused by this change.
+
+I can't currently think of other ways that these changes could upset reasonable
+expectations, but the community might raise some.
## Alternatives
-This proposal previously skipped the ALLOW_ADD_BALANCE change, and would have changed the behavior of AccountMerge so that non-lumen balances were merged as well. However, it was pointed out that the change to AccountMerge would mean that a single AccountMerge operation could have up to ~N effects (where N is the number of assets on that account), which is undesirable behavior for denial-of-service reasons.
-
-[SEP-0013](https://github.com/stellar/stellar-protocol/pull/205), as mentioned above, is a potential solution to some of the same problems that does not involve protocol changes.
-
-If we decide not to make protocol changes to allow adding balances, we still might want to add the RemoveBalance operation (which works unconditionally) in order to allow accounts to be merged predictably, and to prevent an issuer with which you have a trustline from preventing you from ever merging your account.
+This proposal previously skipped the ALLOW_ADD_BALANCE change, and would have
+changed the behavior of AccountMerge so that non-lumen balances were merged as
+well. However, it was pointed out that the change to AccountMerge would mean
+that a single AccountMerge operation could have up to ~N effects (where N is
+the number of assets on that account), which is undesirable behavior for
+denial-of-service reasons.
+
+[SEP-0013](https://github.com/stellar/stellar-protocol/pull/205), as mentioned
+above, is a potential solution to some of the same problems that does not
+involve protocol changes.
+
+If we decide not to make protocol changes to allow adding balances, we still
+might want to add the RemoveBalance operation (which works unconditionally) in
+order to allow accounts to be merged predictably, and to prevent an issuer with
+which you have a trustline from preventing you from ever merging your account.
diff --git a/core/cap-0014.md b/core/cap-0014.md
index bb4a18f4e..acfb6046b 100644
--- a/core/cap-0014.md
+++ b/core/cap-0014.md
@@ -12,23 +12,21 @@ Protocol version: TBD
## Simple Summary
-As of protocol version 10, orders are sorted in protocol such that transactions
+As of protocol version 10, orders are sorted in protocol such that transactions
for an account are sorted by sequence number (ascending) the order between
accounts is randomized. We propose leaving the transactions un-sorted, but
checking that the order satisfies certain properties.
## Abstract
-
-As of protocol version 10, orders are sorted in protocol such that transactions
+As of protocol version 10, orders are sorted in protocol such that transactions
for an account are sorted by sequence number (ascending) the order between
accounts is randomized. We propose leaving the transactions un-sorted, but
checking that the order satisfies certain properties. The new properties ensure
-that transactions can apply in-order, but permit a malicious nominator to easily
-place a specific transaction to occur before another. This is not a change from
-current behavior, because a nominator may (with a small number of tries), adjust
-the TxSetFrame to place that transaction in front anyways.
-
+that transactions can apply in-order, but permit a malicious nominator to
+easily place a specific transaction to occur before another. This is not a
+change from current behavior, because a nominator may (with a small number of
+tries), adjust the TxSetFrame to place that transaction in front anyways.
## Motivation
@@ -36,31 +34,29 @@ The current requirement of a randomized sort is intended to prevent malicious
nominators from front-running a transaction, but it does not achieve that goal
because a nominator may front-run a transaction in small number of trials.
-Randomized ordering does, however, neccessitate that the result of a transaction
-is tri-valent (succeed, fail, invalid).
+Randomized ordering does, however, neccessitate that the result of a
+transaction is tri-valent (succeed, fail, invalid).
If instead, we force the order to be determined by the nominator according to
some rules, this opens the door to them only including transactions which
succeed in a TxSetFrame.
-It also, as a side-benefit, reduces the asymptotic latency of validating a ledger
-because the ordering must only be _verified_ by each node.
-
-
-
+It also, as a side-benefit, reduces the asymptotic latency of validating a
+ledger because the ordering must only be _verified_ by each node.
## Specification
In this version we iterate over the TxSet transactions and check that they are
in a valid order with respect to the sequences of each account such that each
-transaction can be applied. This implies nominators must propose the exact ordering
-validly.
+transaction can be applied. This implies nominators must propose the exact
+ordering validly.
We also eagerly consider BumpSequence operations during this check to ensure
that transactions are also properly linearized with respect to BumpSequence.
-This implies that certain types of transaction graphs with two BumpSequences may
-be impossible to linearize, however we specify that the ordering of transactions
-may change in future ledger versions so this cannot be depended on.
+This implies that certain types of transaction graphs with two BumpSequences
+may be impossible to linearize, however we specify that the ordering of
+transactions may change in future ledger versions so this cannot be depended
+on.
This ensures that the mTransactions are sorted in an order such that the
transactions can all be applied and consume a Sequence number.
@@ -70,8 +66,6 @@ decide the ordering.
For previous ledger versions we must maintain the old behavior.
-
-
## Rationale
Making this adjustment makes it more clear that relying on the randomization of
@@ -81,8 +75,6 @@ order that the nominator selects is arbitary and attacker-controlled.
Checking consistency given BumpSequences fixes an issue which can cause fees to
be paid unexpectedly with a contract written to use bump sequence.
-
-
## Backwards Compatibility
The old sorting algorithm for `sortForApply` and `sortForHash` must remain for
@@ -96,7 +88,8 @@ order though, any valid order suffices.
## Forwards Compatibility
-In new versions, we may want to enforce stricter rules on the order of transactions.
+In new versions, we may want to enforce stricter rules on the order of
+transactions.
The arbitary ordering at the nominator layer makes it easy for futures changes
to further constrict the behavior, e.g., enforcing that the ordering must be
@@ -106,16 +99,15 @@ grouped by account, etc.
Such changes are then something that downstream software must already be _able_
to handle witout surprise.
-It's possible that CAP-0014 does not specify a forwards compatible set of rules,
-in which case the rule should be incompatibly updated. Because we specify that
-the linearization properties shall *not* be relied on for future ledger
-versions, this does not break expectations but may require rewriting software
-designs.
-
-If there is a need for other orders for compact lookup proofs for light clients,
-the commitments should be generated and verified separately from the base
-ordering.
+It's possible that CAP-0014 does not specify a forwards compatible set of
+rules, in which case the rule should be incompatibly updated. Because we
+specify that the linearization properties shall _not_ be relied on for future
+ledger versions, this does not break expectations but may require rewriting
+software designs.
+If there is a need for other orders for compact lookup proofs for light
+clients, the commitments should be generated and verified separately from the
+base ordering.
## Implementation
diff --git a/core/cap-0015.md b/core/cap-0015.md
index 4840bdf3d..9f52b336b 100644
--- a/core/cap-0015.md
+++ b/core/cap-0015.md
@@ -12,10 +12,12 @@ Protocol version: 13
```
## Simple Summary
-This proposal introduces fee-bump transactions, which allow an arbitrary account
-to pay the fee for a transaction.
+
+This proposal introduces fee-bump transactions, which allow an arbitrary
+account to pay the fee for a transaction.
## Motivation
+
If a transaction has insufficient `fee`, for example due to either surge
pricing or an increase in the `baseFee`, that transaction will not be included
in a transaction set. If the transaction is only signed by the party that wants
@@ -24,38 +26,42 @@ fee, sign it, and submit it. But there are many circumstances where this is not
possible, such as when pre-signed and pre-authorized transactions are involved.
In these cases, it is possible that a high-value transaction (such as the
release of escrowed funds or the settlement of a payment channel) cannot
-execute as of protocol version 12. Fee-bump transactions will resolve this issue
-by enabling anyone to pay the fee for an already existing transaction.
-
-The mechanism described here will also facilitate another usage: when applications
-(such as games) are willing to pay user fees. As of protocol version 12, this
-could be resolved in two ways. In the first approach, funds could be sent
-directly to the users' account but there is no guarantee that the user will
-spend those funds on fees and there is no way to recover unspent funds. In the
-second approach, one or more accounts controlled by the application could be
-used as the source account for user transactions but this leads to sequence
-number management issues.
+execute as of protocol version 12. Fee-bump transactions will resolve this
+issue by enabling anyone to pay the fee for an already existing transaction.
+
+The mechanism described here will also facilitate another usage: when
+applications (such as games) are willing to pay user fees. As of protocol
+version 12, this could be resolved in two ways. In the first approach, funds
+could be sent directly to the users' account but there is no guarantee that the
+user will spend those funds on fees and there is no way to recover unspent
+funds. In the second approach, one or more accounts controlled by the
+application could be used as the source account for user transactions but this
+leads to sequence number management issues.
### Goals Alignment
+
This proposal is aligned with several Stellar Network Goals, among them:
- The Stellar Network should facilitate simplicity and interoperability with
-other protocols and networks.
-- The Stellar Network should make it easy for developers of Stellar projects
-to create highly usable products.
+ other protocols and networks.
+- The Stellar Network should make it easy for developers of Stellar projects to
+ create highly usable products.
## Abstract
+
`TransactionEnvelope` is transformed from an XDR `struct` to an XDR `union`
while preserving binary compatibility. `FeeBumpTransaction` is introduced with
corresponding envelope type `ENVELOPE_TYPE_TX_FEE_BUMP` as a new type of
-transaction. Fee-bump transactions as described in this proposal will enable any
-account to pay the fee for an existing transaction without the need to re-sign
-the existing transaction or manage sequence numbers.
+transaction. Fee-bump transactions as described in this proposal will enable
+any account to pay the fee for an existing transaction without the need to
+re-sign the existing transaction or manage sequence numbers.
## Specification
### XDR
+
The new transaction, transaction envelope, and related XDR types are:
+
```c++
enum EnvelopeType
{
@@ -145,6 +151,7 @@ struct TransactionSignaturePayload
```
The new transaction result XDR types are:
+
```c++
enum TransactionResultCode
{
@@ -225,8 +232,9 @@ struct TransactionResult
### Semantics
### How does the TransactionEnvelope transformation work?
-In order to create multiple types of transaction envelopes, we needed to perform
-a clever transformation of the XDR. We split the discriminant off
+
+In order to create multiple types of transaction envelopes, we needed to
+perform a clever transformation of the XDR. We split the discriminant off
`Transaction.sourceAccount` leaving a raw ed25519 public key (this type is
`TransactionV0`), then used the discriminant as the discriminant for the
`TransactionEnvelope` union. We then added a new type of transaction envelope,
@@ -235,6 +243,7 @@ them in the future. The third type of transaction is the fee-bump transaction,
which can wrap a new-style transaction envelope of type ENVELOPE_TYPE_TX.
#### Fee Rate
+
A fee-bump transaction has an effective number of operations equal to one plus
the number of operations in the inner transaction. Correspondingly, the minimum
fee for the fee-bump transaction is one base fee more than the minimum fee for
@@ -243,9 +252,10 @@ one plus the number of operations in the inner transaction rather than the
number of operations in the inner transaction alone.
#### Validity
-Prior to the protocol version in which this proposal is implemented,
-only a `TransactionEnvelope` of type `ENVELOPE_TYPE_TX_V0` can be valid whereas
-a `TransactionEnvelope` of any other type will be invalid with result
+
+Prior to the protocol version in which this proposal is implemented, only a
+`TransactionEnvelope` of type `ENVELOPE_TYPE_TX_V0` can be valid whereas a
+`TransactionEnvelope` of any other type will be invalid with result
`txNOT_SUPPORTED`. Starting in the protocol version in which this proposal is
implemented, only a `TransactionEnvelope` of type `ENVELOPE_TYPE_TX` or
`ENVELOPE_TYPE_TX_FEE_BUMP` can be valid whereas a `TransactionEnvelope` of any
@@ -254,9 +264,9 @@ other type will be invalid with result `txNOT_SUPPORTED`. Because
`TransactionEnvelope` of type `ENVELOPE_TYPE_TX_V0` can simply be converted to
`ENVELOPE_TYPE_TX`.
-Validity requirements for a `TransactionEnvelope` of type `ENVELOPE_TYPE_TX` are
-identical to the existing validity requirements for a `TransactionEnvelope` of
-type `ENVELOPE_TYPE_TX_V0`.
+Validity requirements for a `TransactionEnvelope` of type `ENVELOPE_TYPE_TX`
+are identical to the existing validity requirements for a `TransactionEnvelope`
+of type `ENVELOPE_TYPE_TX_V0`.
To validate a `TransactionEnvelope E` of type `ENVELOPE_TYPE_TX_FEE_BUMP` with
inner transaction envelope `F = E.feeBump().tx.innerTx`, check that
@@ -271,64 +281,73 @@ inner transaction envelope `F = E.feeBump().tx.innerTx`, check that
(pre-authorized transaction hashes are implicitly included here), otherwise
return `txBAD_AUTH`
- `E.feeBump().tx.feeSource` has sufficient available native balance (see
- CAP-0003) to pay `E.feeBump().tx.fee` in addition to fees that will be paid by
- this account for other transactions, otherwise return `txINSUFFICIENT_BALANCE`
+ CAP-0003) to pay `E.feeBump().tx.fee` in addition to fees that will be paid
+ by this account for other transactions, otherwise return
+ `txINSUFFICIENT_BALANCE`
- `F` is valid, except that
- - `F.v1().tx.fee` may be less than the minimum fee for `F`, but must be
- non-negative
- - `F.v1().tx.sourceAccount` may not have sufficient available native balance
+ - `F.v1().tx.fee` may be less than the minimum fee for `F`, but must be
+ non-negative
+ - `F.v1().tx.sourceAccount` may not have sufficient available native balance
otherwise return `txINNER_FAILED` with the inner result set to the result of
validating `F`
#### Replace-by-Fee
+
If a node receives a valid `TransactionEnvelope E'` of type
-`ENVELOPE_TYPE_TX_FEE_BUMP` with source account `A` and sequence number `N` when
-it already has a `TransactionEnvelope E` with source account `A` and sequence
-number `N` in the transaction queue, then it should replace `E` with `E'` if and
-only if the fee rate for `E'` is at least 10 times the fee rate for `E`. It
-should be emphasized that source account in this section refers specifically to
-the source account of the _sequence number_ of the transaction, although these
-transactions may still have different fee source accounts.
+`ENVELOPE_TYPE_TX_FEE_BUMP` with source account `A` and sequence number `N`
+when it already has a `TransactionEnvelope E` with source account `A` and
+sequence number `N` in the transaction queue, then it should replace `E` with
+`E'` if and only if the fee rate for `E'` is at least 10 times the fee rate for
+`E`. It should be emphasized that source account in this section refers
+specifically to the source account of the _sequence number_ of the transaction,
+although these transactions may still have different fee source accounts.
#### Surge Pricing
+
The logic for surge pricing is unchanged. The only new consideration is that a
`TransactionEnvelope E` of type `ENVELOPE_TYPE_TX_FEE_BUMP` should be included
in the queue for `E.feeBump().tx.innerTx.v1().sourceAccount` rather than the
queue for `E.feeBump().tx.feeSource`.
#### Application and Results
+
Even if the outer transaction of a fee-bump is invalid during application, we
will still apply the inner transaction. Specifically, the behavior is:
- Remove used one-time signers for the outer transaction
- Apply the inner transaction (as if there were no outer transaction)
-If the inner transaction succeeds, then the result is `txFEE_BUMP_INNER_SUCCESS`
-and the `innerResultPair` is what would have been produced by the inner
-transaction in the absence of the outer transaction. Analogously, if the inner
-transaction fails, then the result is `txFEE_BUMP_INNER_FAILED` and the
-`innerResultPair` is what would have been produced by the inner transaction in
-the absence of the outer transaction. No other results are possible.
+If the inner transaction succeeds, then the result is
+`txFEE_BUMP_INNER_SUCCESS` and the `innerResultPair` is what would have been
+produced by the inner transaction in the absence of the outer transaction.
+Analogously, if the inner transaction fails, then the result is
+`txFEE_BUMP_INNER_FAILED` and the `innerResultPair` is what would have been
+produced by the inner transaction in the absence of the outer transaction. No
+other results are possible.
## Rationale
### Make ENVELOPE_TYPE_TX_V0 Invalid
+
This proposal uses the same signatures for `TransactionEnvelope` of type
`ENVELOPE_TYPE_TX_V0` and `ENVELOPE_TYPE_TX`. This makes it possible to convert
a `TransactionEnvelope` of type `ENVELOPE_TYPE_TX_V0` into a
-`TransactionEnvelope` of type `ENVELOPE_TYPE_TX` without needing new signatures.
-The main advantage of this is it allows us to make `ENVELOPE_TYPE_TX_V0` invalid
-and only support `ENVELOPE_TYPE_TX` in `FeeBumpTransaction`. Furthermore, making
-`ENVELOPE_TYPE_TX_V0` invalid simplifies the possibility of having a "canonical"
-or "normalized" XDR representation of a `TransactionEnvelope` (this concept has
-arisen during the discussion of some CAPs in the past).
+`TransactionEnvelope` of type `ENVELOPE_TYPE_TX` without needing new
+signatures. The main advantage of this is it allows us to make
+`ENVELOPE_TYPE_TX_V0` invalid and only support `ENVELOPE_TYPE_TX` in
+`FeeBumpTransaction`. Furthermore, making `ENVELOPE_TYPE_TX_V0` invalid
+simplifies the possibility of having a "canonical" or "normalized" XDR
+representation of a `TransactionEnvelope` (this concept has arisen during the
+discussion of some CAPs in the past).
### Replay Prevention
+
`FeeBumpTransaction` does not contain an explicit sequence number because it
relies on the sequence number of the inner transaction for replay prevention.
### Fees
+
A fee-bump transaction has an effective number of operations strictly greater
than the number of operations in the inner transaction because it requires more
work for the network to process a fee-bump transaction than the inner
@@ -337,24 +356,25 @@ transaction alone.
The semantics specify that a fee-bump transaction is invalid if the fee rate of
the outer transaction does not exceed the fee rate of the inner transaction.
This restriction is designed to prevent an obvious misunderstanding of the
-semantics of `FeeBumpTransaction`. Suppose someone has a signed transaction with
-fee `F`, but they actually do not want to pay a fee greater than `F'`. So they
-use a `FeeBumpTransaction` with the outer fee set to `F'`. But if the outer
-fee rate is less than the inner fee rate, then in any case where the fee-bump
-could be included in the transaction set the inner transaction could also have
-been included. This completely defeats the purpose of submitting the
+semantics of `FeeBumpTransaction`. Suppose someone has a signed transaction
+with fee `F`, but they actually do not want to pay a fee greater than `F'`. So
+they use a `FeeBumpTransaction` with the outer fee set to `F'`. But if the
+outer fee rate is less than the inner fee rate, then in any case where the
+fee-bump could be included in the transaction set the inner transaction could
+also have been included. This completely defeats the purpose of submitting the
`FeeBumpTransaction` with fee `F'` because a malicious adversary could always
cause you to pay fee `F`. Therefore we prohibit this possibility entirely.
### Application and Results
+
The only purpose of a fee-bump transaction is to bid a higher fee for the inner
transaction to either make the transaction valid in the event that the fee rate
is less than the base fee, or to accelerate inclusion of the transaction in the
-event of surge pricing. In either case, the fee-bump has fulfilled its role once
-it has been included in the transaction set. The source account for each
+event of surge pricing. In either case, the fee-bump has fulfilled its role
+once it has been included in the transaction set. The source account for each
transaction is charged the fee before any transactions are actually applied, so
-all that remains when applying a fee-bump transaction is to remove used one-time
-signers and to apply the inner transaction.
+all that remains when applying a fee-bump transaction is to remove used
+one-time signers and to apply the inner transaction.
There are several reasons that the inner transaction must be applied regardless
of the validity of the outer transaction at apply time. The most important
@@ -362,13 +382,14 @@ reason is replay protection: as noted above, the sequence number of the inner
transaction provides replay protection for the fee-bump transaction. If the
inner transaction were not applied when the outer transaction became invalid at
apply time, then the sequence number would not be consumed in that case. This
-would allow the fee-bump transaction to be played again if the outer transaction
-were to become valid again.
+would allow the fee-bump transaction to be played again if the outer
+transaction were to become valid again.
Given the above, there is no reason to return the result of the fee-bump
transaction separately from the result of the inner transaction.
## Backwards Incompatibilities
+
All downstream systems which submit transactions to stellar-core will need to
transform `TransactionEnvelope` of type `ENVELOPE_TYPE_TX_V0` to type
`ENVELOPE_TYPE_TX` before submission. As a temporary bridge, stellar-core will
@@ -382,10 +403,14 @@ continue to function, but downstream systems that process historical
transactions will need to be updated with the new XDR.
## Security Concerns
+
None yet.
## Test Cases
+
None yet.
## Implementation
-This proposal was implemented in https://github.com/stellar/stellar-core/pull/2419.
+
+This proposal was implemented in
+https://github.com/stellar/stellar-core/pull/2419.
diff --git a/core/cap-0016.md b/core/cap-0016.md
index 99048c6a9..b61c369e6 100644
--- a/core/cap-0016.md
+++ b/core/cap-0016.md
@@ -12,27 +12,25 @@ Protocol version: TBD
# Motivation
-A number of Stellar asset issuers need greater control over assets
-than simply authorizing particular accounts to hold the asset. As a
-result, we are seeing people build solutions in which the asset issuer
-is actually a co-signer on asset holders' accounts. This solution has
-several drawbacks. In particular, the asset owner cannot unilaterally
-withdraw XLM or other assets from his or her account, and it is very
-hard to trade one such restricted asset for another (as both issuers
-would need to be cosigners on the account, giving one issuer
+A number of Stellar asset issuers need greater control over assets than simply
+authorizing particular accounts to hold the asset. As a result, we are seeing
+people build solutions in which the asset issuer is actually a co-signer on
+asset holders' accounts. This solution has several drawbacks. In particular,
+the asset owner cannot unilaterally withdraw XLM or other assets from his or
+her account, and it is very hard to trade one such restricted asset for another
+(as both issuers would need to be cosigners on the account, giving one issuer
permission to authorize transactions on the other's asset).
-This proposal is a first cut at attempting to address the problem
-through minimal stellar-core changes.
+This proposal is a first cut at attempting to address the problem through
+minimal stellar-core changes.
# Co-signer authorized trust lines
-To accommodate asset issuers with restrictions, we propose adding
-another mode for trustlines of `AUTH_REQUIRED` assets, called
-"cosigner authorized," that lies somewhere between being not
-authorized and fully authorized. The idea is to allow issuers to
-require asset holders to request co-signing of transactions involving
-the asset without being cosigners on asset holders' accounts.
+To accommodate asset issuers with restrictions, we propose adding another mode
+for trustlines of `AUTH_REQUIRED` assets, called "cosigner authorized," that
+lies somewhere between being not authorized and fully authorized. The idea is
+to allow issuers to require asset holders to request co-signing of transactions
+involving the asset without being cosigners on asset holders' accounts.
```c
enum TrustLineFlags
@@ -44,70 +42,63 @@ enum TrustLineFlags
};
```
-There are now three modes for the trustline of an `AUTH_REQUIRED`
-asset, based on `TrustLineEntry::flags`:
+There are now three modes for the trustline of an `AUTH_REQUIRED` asset, based
+on `TrustLineEntry::flags`:
-* If `(flags & 3) == 0`, the source account is not authorized. Any
- `PAYMENT`, `PATH_PAYMENT`, `MANAGE_OFFER`, or
- `CREATE_PASSIVE_OFFER`, with the source account causes the whole
- transaction to fail, with only two exceptions:
+- If `(flags & 3) == 0`, the source account is not authorized. Any `PAYMENT`,
+ `PATH_PAYMENT`, `MANAGE_OFFER`, or `CREATE_PASSIVE_OFFER`, with the source
+ account causes the whole transaction to fail, with only two exceptions:
+ - A `PATH_PAYMENT` is allowed to contain the asset in `path`, so long as it
+ does not apear in `sendAsset` or `destAsset`, and
- * A `PATH_PAYMENT` is allowed to contain the asset in `path`, so
- long as it does not apear in `sendAsset` or `destAsset`, and
+ - A `MANAGE_OFFER` is allowed if it sets `amount` to 0 (to delete the offer).
- * A `MANAGE_OFFER` is allowed if it sets `amount` to 0 (to delete
- the offer).
+ In addition, any operation with a different (even authorized) source account
+ will fail if it attempts to send the asset to an account with
+ `(flags & 3) == 0`. Finally, existing orders on the order book belonging to
+ the account with `(flags & 3) == 0` are immediately invalid and cannot be
+ filled. This behavior should be close or identical to the status quo.
- In addition, any operation with a different (even authorized) source
- account will fail if it attempts to send the asset to an account
- with `(flags & 3) == 0`. Finally, existing orders on the order book
- belonging to the account with `(flags & 3) == 0` are immediately
- invalid and cannot be filled. This behavior should be close or
- identical to the status quo.
+- If `(flags & 3) == COAUTHORIZED_FLAG` for an account, then the account has
+ certain additional permissions compared to when those bits are 0.
+ Specifically:
+ - The account's offers in the order book continue to be valid, and can be
+ filled at any time.
-* If `(flags & 3) == COAUTHORIZED_FLAG` for an account, then the
- account has certain additional permissions compared to when those
- bits are 0. Specifically:
+ - The account can use `MANAGE_OFFER` to reduce the `amount` of an offer
+ involving the asset (including canceling the offer with and `amount` of 0),
+ but not to increase the offer.
- * The account's offers in the order book continue to be valid, and
- can be filled at any time.
+ - The account can receive (but not send) payments and path payments in the
+ asset, up to the `limit` of the trustline.
- * The account can use `MANAGE_OFFER` to reduce the `amount` of an
- offer involving the asset (including canceling the offer with
- and `amount` of 0), but not to increase the offer.
+ However, any other operation on the asset requires that the transaction be
+ co-signed by the asset issuer at low threshold. Moreover, if the account
+ increases the `limit` on the trustline and the transaction is not cosigned by
+ the issuer, then the `COAUTHORIZED_FLAG` is cleared so `(flags & 3)` goes
+ back to 0.
- * The account can receive (but not send) payments and path
- payments in the asset, up to the `limit` of the trustline.
-
- However, any other operation on the asset requires that the
- transaction be co-signed by the asset issuer at low threshold.
- Moreover, if the account increases the `limit` on the trustline and
- the transaction is not cosigned by the issuer, then the
- `COAUTHORIZED_FLAG` is cleared so `(flags & 3)` goes back to 0.
-
-* If `(flags & 3) == AUTHORIZED_FLAG`, then the account can perform
- arbitrary transactions on the asset, including sending payments to
- accounts with `COAUTHORIZED_FLAG`.
+- If `(flags & 3) == AUTHORIZED_FLAG`, then the account can perform arbitrary
+ transactions on the asset, including sending payments to accounts with
+ `COAUTHORIZED_FLAG`.
# Operation changes
-Implementing cosigned assets requires changes to two operations.
-Because an asset issuer's signature may be out of place on a
-transaction requiring asset issuer coauthorization, we add a `NopOp`
-operation that requires a signature from an arbitrary source account.
-Such an operation will be useful in other contexts, too, as currently
-pre-authorized transactions sometimes require ugly hacks like having
-an account send one Stroup to itself. Second, we have to modify
-`ALLOW_TRUST` to enable issuers to set the new `COAUTHORIZED_FLAG`.
+Implementing cosigned assets requires changes to two operations. Because an
+asset issuer's signature may be out of place on a transaction requiring asset
+issuer coauthorization, we add a `NopOp` operation that requires a signature
+from an arbitrary source account. Such an operation will be useful in other
+contexts, too, as currently pre-authorized transactions sometimes require ugly
+hacks like having an account send one Stroup to itself. Second, we have to
+modify `ALLOW_TRUST` to enable issuers to set the new `COAUTHORIZED_FLAG`.
## `NO_OPERATION` (`NopOp`)
-The `NO_OPERATION` operation does nothing, but requires a valid
-signature from the operation's source account. Since the default
-source account is the source of the transaction, this will always
-succeed at low threshold if the operation's `sourceAccount` is
-`NULL`. However, it can be used to require a low threshold signature
-from an asset issuer.
+The `NO_OPERATION` operation does nothing, but requires a valid signature from
+the operation's source account. Since the default source account is the source
+of the transaction, this will always succeed at low threshold if the
+operation's `sourceAccount` is `NULL`. However, it can be used to require a low
+threshold signature from an asset issuer.
```c
enum NopOp {
@@ -153,18 +144,17 @@ default:
};
```
-`NopOp` is not strictly necessary, as a redundant `ALLOW_TRUST` can be
-used instead, but having `NopOp` is cleaner and has other applications
-to pre-authorized transactions.
+`NopOp` is not strictly necessary, as a redundant `ALLOW_TRUST` can be used
+instead, but having `NopOp` is cleaner and has other applications to
+pre-authorized transactions.
## `ALLOW_TRUST` flags
-Only one small change is required to `AllowTrustOp`. We change the
-`authorize` field from a `bool` to a `uint32`. This provides binary
-compatibility with clients that do not know about the
-`COAUTHORIZED_FLAG` (since `AUTHORIZED_FLAG == TRUE` in XDR), but
-having a `uint32` provides the additional option of setting it to
-`COAUTHORIZED_FLAG`.
+Only one small change is required to `AllowTrustOp`. We change the `authorize`
+field from a `bool` to a `uint32`. This provides binary compatibility with
+clients that do not know about the `COAUTHORIZED_FLAG` (since
+`AUTHORIZED_FLAG == TRUE` in XDR), but having a `uint32` provides the
+additional option of setting it to `COAUTHORIZED_FLAG`.
```c
struct AllowTrustOp
diff --git a/core/cap-0017.md b/core/cap-0017.md
index 1d044bcfb..b602616dd 100644
--- a/core/cap-0017.md
+++ b/core/cap-0017.md
@@ -11,49 +11,64 @@ Protocol version: TBD
```
## Simple Summary
-This proposal makes specifying and implementing the protocol easier by simplifying the semantics of
-`LedgerEntry.lastModifiedLedgerSeq`.
+
+This proposal makes specifying and implementing the protocol easier by
+simplifying the semantics of `LedgerEntry.lastModifiedLedgerSeq`.
## Abstract
-It is currently possible for `LedgerEntry.lastModifiedLedgerSeq` to be updated by an operation even
-if that operation did not make any modifications to the underlying data of that `LedgerEntry`. This
-document proposes changing the semantics of `lastModifiedLedgerSeq` to be updated by an operation
-if and only if the underlying data of that `LedgerEntry` has changed.
+
+It is currently possible for `LedgerEntry.lastModifiedLedgerSeq` to be updated
+by an operation even if that operation did not make any modifications to the
+underlying data of that `LedgerEntry`. This document proposes changing the
+semantics of `lastModifiedLedgerSeq` to be updated by an operation if and only
+if the underlying data of that `LedgerEntry` has changed.
## Motivation
-The main benefit of this proposal is that implementing the protocol would be simpler. The current
-behavior forces implementers to carefully manage whether `lastModifiedLedgerSeq` should or should
-not be updated in any given circumstance. The only reliable way for an implementer to determine
-when `lastModifiedLedgerSeq` should be updated in the current protocol version is by referring to
-an existing implementation. This proposal would unambiguously specify when `lastModifiedLedgerSeq`
-should and should not be updated.
-
-For example, using `AllowTrust` to authorize a trustline that is already authorized will update the
-`lastModifiedLedgerSeq` of the trustline without making any other modifications. In contrast, a
-tentative winner of `Inflation` that ends up winning nothing (due to, for example, having excessive
-native asset liabilities) is unchanged and does not receive an updated `lastModifiedLedgerSeq`.
+
+The main benefit of this proposal is that implementing the protocol would be
+simpler. The current behavior forces implementers to carefully manage whether
+`lastModifiedLedgerSeq` should or should not be updated in any given
+circumstance. The only reliable way for an implementer to determine when
+`lastModifiedLedgerSeq` should be updated in the current protocol version is by
+referring to an existing implementation. This proposal would unambiguously
+specify when `lastModifiedLedgerSeq` should and should not be updated.
+
+For example, using `AllowTrust` to authorize a trustline that is already
+authorized will update the `lastModifiedLedgerSeq` of the trustline without
+making any other modifications. In contrast, a tentative winner of `Inflation`
+that ends up winning nothing (due to, for example, having excessive native
+asset liabilities) is unchanged and does not receive an updated
+`lastModifiedLedgerSeq`.
## Specification
-The value of `lastModifiedLedgerSeq` should be updated by an operation if and only if the net
-effect of that operation includes updating the underlying data of a `LedgerEntry`. Specifically, if
-`leBefore` and `leAfter` are the `LedgerEntry` (excluding `lastModifiedLedgerSeq`) before and after
-the operation has been applied, respectively, then `lastModifiedLedgerSeq` should be updated to
-`LedgerHeader.ledgerSeq` if and only if `leBefore != leAfter`.
+
+The value of `lastModifiedLedgerSeq` should be updated by an operation if and
+only if the net effect of that operation includes updating the underlying data
+of a `LedgerEntry`. Specifically, if `leBefore` and `leAfter` are the
+`LedgerEntry` (excluding `lastModifiedLedgerSeq`) before and after the
+operation has been applied, respectively, then `lastModifiedLedgerSeq` should
+be updated to `LedgerHeader.ledgerSeq` if and only if `leBefore != leAfter`.
## Rationale
-This proposal is to be applied at the operation level as it guarantees that if the net effect of
-any operation in a transaction set includes updating the underlying data of a `LedgerEntry` then
-the value of `lastModifiedLedgerSeq` will be updated. This behavior is desirable from an
-implementation perspective because it allows each operation to correctly determine whether
-`lastModifiedLedgerSeq` should be updated without any knowledge of whether the `LedgerEntry` has
-been or will be modified by other operations in the same transaction set.
+
+This proposal is to be applied at the operation level as it guarantees that if
+the net effect of any operation in a transaction set includes updating the
+underlying data of a `LedgerEntry` then the value of `lastModifiedLedgerSeq`
+will be updated. This behavior is desirable from an implementation perspective
+because it allows each operation to correctly determine whether
+`lastModifiedLedgerSeq` should be updated without any knowledge of whether the
+`LedgerEntry` has been or will be modified by other operations in the same
+transaction set.
## Backwards Compatibility
-Downstream systems which rely on `lastModifiedLedgerSeq` could be effected as the semantics of that
-field will change.
+
+Downstream systems which rely on `lastModifiedLedgerSeq` could be effected as
+the semantics of that field will change.
## Test Cases
+
None yet.
## Implementation
+
No implementation yet.
diff --git a/core/cap-0018.md b/core/cap-0018.md
index 13e4e3394..6f8e2bbfc 100644
--- a/core/cap-0018.md
+++ b/core/cap-0018.md
@@ -11,18 +11,41 @@ Protocol version: 13
```
## Simple Summary
-This proposal provides issuers with a level of authorization between unauthorized and fully authorized. This level of authorization will allow a trustline to maintain liabilities (see CAP-0003) without permitting any other operations.
+
+This proposal provides issuers with a level of authorization between
+unauthorized and fully authorized. This level of authorization will allow a
+trustline to maintain liabilities (see CAP-0003) without permitting any other
+operations.
## Abstract
-This proposal adds a new flag to `TrustLineFlags` which offers a level of authorization intermediate between unauthorized and fully authorized. It is then shown how this new flag enables similar behavior to CAP-0016 by carefully setting and toggling the level of authorization. Additional flags could also be added, which would enable fine-grained control of authorization on a per-account basis.
-## Motivation
-A number of Stellar asset issuers need greater control over assets than simply authorizing particular accounts to hold the asset. The `TrustLineEntry.flags` field allows an issuer to toggle between the following two states:
+This proposal adds a new flag to `TrustLineFlags` which offers a level of
+authorization intermediate between unauthorized and fully authorized. It is
+then shown how this new flag enables similar behavior to CAP-0016 by carefully
+setting and toggling the level of authorization. Additional flags could also be
+added, which would enable fine-grained control of authorization on a
+per-account basis.
-- `TrustLineEntry.flags == 0`: The account can hold a balance but cannot receive payments, send payments, maintain offers, or manage offers
-- `TrustLineEntry.flags == AUTHORIZED_FLAG`: The account can hold a balance, receive payments, send payments, maintain offers, and manage offers
+## Motivation
-If the issuer does not intend to allow the account to maintain offers, then toggling between the two states described above can be used to control what accounts do with their assets. To achieve this, an issuer could leave accounts in the unauthorized state. In order to do anything with the assets an account holds, that account would need to become authorized. This would require the signature of the issuer. The owner of such an account could then request that the issuer sign a transaction; the issuer should refuse to sign any transaction that does not return the account to the unauthorized state. A transaction that an issuer might be willing to sign could look like
+A number of Stellar asset issuers need greater control over assets than simply
+authorizing particular accounts to hold the asset. The `TrustLineEntry.flags`
+field allows an issuer to toggle between the following two states:
+
+- `TrustLineEntry.flags == 0`: The account can hold a balance but cannot
+ receive payments, send payments, maintain offers, or manage offers
+- `TrustLineEntry.flags == AUTHORIZED_FLAG`: The account can hold a balance,
+ receive payments, send payments, maintain offers, and manage offers
+
+If the issuer does not intend to allow the account to maintain offers, then
+toggling between the two states described above can be used to control what
+accounts do with their assets. To achieve this, an issuer could leave accounts
+in the unauthorized state. In order to do anything with the assets an account
+holds, that account would need to become authorized. This would require the
+signature of the issuer. The owner of such an account could then request that
+the issuer sign a transaction; the issuer should refuse to sign any transaction
+that does not return the account to the unauthorized state. A transaction that
+an issuer might be willing to sign could look like
- Operation 1: Issuer uses `AllowTrust` to fully authorize account A, asset X
- Operation 2: Issuer uses `AllowTrust` to fully authorize account B, asset X
@@ -32,14 +55,25 @@ If the issuer does not intend to allow the account to maintain offers, then togg
which would require the signatures of the issuer and account A.
-But this approach does not work if the account should be allowed to maintain offers. As soon as the account becomes unauthorized, all of its offers will be removed from the ledger. So some issuers have taken a more drastic approach, where the issuer is actually a signer on the asset holders' accounts. This solution has several drawbacks:
+But this approach does not work if the account should be allowed to maintain
+offers. As soon as the account becomes unauthorized, all of its offers will be
+removed from the ledger. So some issuers have taken a more drastic approach,
+where the issuer is actually a signer on the asset holders' accounts. This
+solution has several drawbacks:
-1. The owner of an account cannot unilaterally utilize assets unrelated to the issuer without the signature of that issuer
-2. If multiple issuers want to become signers on a single account, then many signatures are potentially required for simple operations
-3. Issuers cannot easily rotate keys, because their keys are on every account holding their asset
+1. The owner of an account cannot unilaterally utilize assets unrelated to the
+ issuer without the signature of that issuer
+2. If multiple issuers want to become signers on a single account, then many
+ signatures are potentially required for simple operations
+3. Issuers cannot easily rotate keys, because their keys are on every account
+ holding their asset
## Specification
-This proposal requires the addition of `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` to `TrustLineFlags`, so the XDR becomes
+
+This proposal requires the addition of
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` to `TrustLineFlags`, so the XDR
+becomes
+
```c++
enum TrustLineFlags
{
@@ -51,7 +85,13 @@ enum TrustLineFlags
const MASK_TRUSTLINE_FLAGS = 3;
```
-In order to interact with these flags, the type of the `authorize` field of `AllowTrustOp` must be changed from `bool` to `uint32`. This provides binary compatibility with clients that do not know about the new flags (since `AUTHORIZED_FLAG == TRUE` in XDR), but having a `uint32` provides the additional option of setting it to any combination of `TrustLineFlags`. The XDR becomes
+In order to interact with these flags, the type of the `authorize` field of
+`AllowTrustOp` must be changed from `bool` to `uint32`. This provides binary
+compatibility with clients that do not know about the new flags (since
+`AUTHORIZED_FLAG == TRUE` in XDR), but having a `uint32` provides the
+additional option of setting it to any combination of `TrustLineFlags`. The XDR
+becomes
+
```c++
struct AllowTrustOp
{
@@ -74,60 +114,121 @@ struct AllowTrustOp
};
```
-The new behavior of `ALLOW_TRUST` is to set `flags = authorize` on the relevant trustline. Semantically, this is equivalent to the existing behavior of `ALLOW_TRUST` because
-
-- `authorize == FALSE` becomes `authorize == 0` which removes any authorization from the trustline
-- `authorize == TRUE` becomes `authorize == AUTHORIZED_FLAG` which makes the trustline fully authorized
-
-
-The combination `AUTHORIZED_FLAG | AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` is not valid because `AUTHORIZED_FLAG` implies `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG`. Trying to set `authorize` to any value above `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` is also invalid. `ALLOW_TRUST_MALFORMED` is the error code that will be returned.
-
-If `AUTH_REVOCABLE_FLAG` is not set, the transition from `AUTHORIZED_FLAG` to `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` is invalid. `ALLOW_TRUST_CANT_REVOKE` is the error code that will be returned.
-
-
-If a trustline `tl` has `tl.flags == AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` then
-
-1. `tl.balance > 0` is permitted (this is always true for any value of `tl.flags`)
-2. `tl.liabilities.buying > 0` is permitted (this is not true if `tl.flags == 0`)
-3. `tl.liabilities.selling > 0` is permitted (this is not true if `tl.flags == 0`)
-4. `tl.balance` can only change if an existing liability is converted into a balance. (this is not true if `tl.flags == AUTHORIZED`)
-5. No operation which creates or modifies an offer buying or selling `tl.asset` is permitted but deleting such offers is permitted. (this is not true if `tl.flags == AUTHORIZED`)
-6. Upgrades should treat `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` the same way as `AUTHORIZED_FLAG` because liabilities can only be decreased on upgrades (since protocol version 11). An invariant for this should be added.
+The new behavior of `ALLOW_TRUST` is to set `flags = authorize` on the relevant
+trustline. Semantically, this is equivalent to the existing behavior of
+`ALLOW_TRUST` because
+
+- `authorize == FALSE` becomes `authorize == 0` which removes any authorization
+ from the trustline
+- `authorize == TRUE` becomes `authorize == AUTHORIZED_FLAG` which makes the
+ trustline fully authorized
+
+The combination `AUTHORIZED_FLAG | AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` is
+not valid because `AUTHORIZED_FLAG` implies
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG`. Trying to set `authorize` to any
+value above `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` is also invalid.
+`ALLOW_TRUST_MALFORMED` is the error code that will be returned.
+
+If `AUTH_REVOCABLE_FLAG` is not set, the transition from `AUTHORIZED_FLAG` to
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` is invalid. `ALLOW_TRUST_CANT_REVOKE`
+is the error code that will be returned.
+
+If a trustline `tl` has `tl.flags == AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG`
+then
+
+1. `tl.balance > 0` is permitted (this is always true for any value of
+ `tl.flags`)
+2. `tl.liabilities.buying > 0` is permitted (this is not true if
+ `tl.flags == 0`)
+3. `tl.liabilities.selling > 0` is permitted (this is not true if
+ `tl.flags == 0`)
+4. `tl.balance` can only change if an existing liability is converted into a
+ balance. (this is not true if `tl.flags == AUTHORIZED`)
+5. No operation which creates or modifies an offer buying or selling `tl.asset`
+ is permitted but deleting such offers is permitted. (this is not true if
+ `tl.flags == AUTHORIZED`)
+6. Upgrades should treat `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` the same way
+ as `AUTHORIZED_FLAG` because liabilities can only be decreased on upgrades
+ (since protocol version 11). An invariant for this should be added.
## Rationale
### How can this new flag be used?
-Using `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` enables issuers to control what accounts do with their assets even if the accounts should be allowed to maintain offers. To achieve this, an issuer could leave accounts in the `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state. Such an account is allowed to maintain liabilities, meaning it can own offers but cannot otherwise do anything with the asset. In order to do anything with the assets an account holds, that account would need to become authorized. This would require the signature of the issuer. The owner of such an account could then request that the issuer sign a transaction; the issuer should refuse to sign any transaction that does not return the account to the `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state. A transaction that an issuer might be willing to sign could look like
+
+Using `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` enables issuers to control what
+accounts do with their assets even if the accounts should be allowed to
+maintain offers. To achieve this, an issuer could leave accounts in the
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state. Such an account is allowed to
+maintain liabilities, meaning it can own offers but cannot otherwise do
+anything with the asset. In order to do anything with the assets an account
+holds, that account would need to become authorized. This would require the
+signature of the issuer. The owner of such an account could then request that
+the issuer sign a transaction; the issuer should refuse to sign any transaction
+that does not return the account to the
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state. A transaction that an issuer
+might be willing to sign could look like
- Operation 1: Issuer uses `AllowTrust` to fully authorize account A, asset X
- Operation 2: Issuer uses `AllowTrust` to fully authorize account B, asset X
- Operation 3: Payment from A to B
-- Operation 4: Issuer uses `AllowTrust` to set account B, asset X to `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state
-- Operation 5: Issuer uses `AllowTrust` to set account A, asset X to `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state
+- Operation 4: Issuer uses `AllowTrust` to set account B, asset X to
+ `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state
+- Operation 5: Issuer uses `AllowTrust` to set account A, asset X to
+ `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state
or
- Operation 1: Issuer uses `AllowTrust` to fully authorize account A, asset X
- Operation 2: Account A manages offer to buy or sell X
-- Operation 3: Issuer uses `AllowTrust` to set account A, asset X to `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state
+- Operation 3: Issuer uses `AllowTrust` to set account A, asset X to
+ `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state
both of which would require the signatures of the issuer and account A.
-In comparison to CAP-0016 this proposal would prohibit a fully authorized account from sending to an account in the `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state without the signature of the issuer, which could be a desirable feature because it means issuers entirely control their asset. But this solution is flexible in that it would be possible to add other flags to `TrustLineFlags` which would control other aspects of authorization. For example, one could add the flag `AUTHORIZED_TO_INCREASE_BALANCE_FLAG` which would permit an account to receive payments. The behavior of CAP-0016 could be emulated entirely with this additional flag. An appropriate set of such flags would provide issuers with fine-grained control of authorization on a per-account basis, which justifies the name of this proposal.
+In comparison to CAP-0016 this proposal would prohibit a fully authorized
+account from sending to an account in the
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state without the signature of the
+issuer, which could be a desirable feature because it means issuers entirely
+control their asset. But this solution is flexible in that it would be possible
+to add other flags to `TrustLineFlags` which would control other aspects of
+authorization. For example, one could add the flag
+`AUTHORIZED_TO_INCREASE_BALANCE_FLAG` which would permit an account to receive
+payments. The behavior of CAP-0016 could be emulated entirely with this
+additional flag. An appropriate set of such flags would provide issuers with
+fine-grained control of authorization on a per-account basis, which justifies
+the name of this proposal.
### Why requirement (5)?
+
Note that requirement (5) implies but is not equivalent to
6. No operation which increases `tl.liabilities.buying` is permitted
7. No operation which increases `tl.liabilities.selling` is permitted
-Although requirements (6) and (7) seem more natural than requirement (5), since they refer only to individual values in the ledger like the other requirements, they are actually insufficient. If requirements (6) and (7) were included instead of (5) then it would be possible for account A to modify an offer selling asset X for asset Y and change it into an offer selling asset X for asset Z without a signature from the issuers of X or Y even if A is only `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` for one or both of those assets. This would allow accounts to easily evade restrictions from the issuer on which assets can be exchanged for X. Requirements (6) and (7) would also make it possible for accounts to change the price of offers without a signature from the relevant issuer or issuers.
+Although requirements (6) and (7) seem more natural than requirement (5), since
+they refer only to individual values in the ledger like the other requirements,
+they are actually insufficient. If requirements (6) and (7) were included
+instead of (5) then it would be possible for account A to modify an offer
+selling asset X for asset Y and change it into an offer selling asset X for
+asset Z without a signature from the issuers of X or Y even if A is only
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` for one or both of those assets. This
+would allow accounts to easily evade restrictions from the issuer on which
+assets can be exchanged for X. Requirements (6) and (7) would also make it
+possible for accounts to change the price of offers without a signature from
+the relevant issuer or issuers.
## Backwards Compatibility
-The only backwards incompatibility with this proposal is if downstream systems relied on the fact that `!(TrustLineEntry.flags & AUTHORIZED_FLAG)` implies unauthorized. In this case, downstream systems might erroneously conclude that an account is unauthorized when it is in fact in the `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state.
+
+The only backwards incompatibility with this proposal is if downstream systems
+relied on the fact that `!(TrustLineEntry.flags & AUTHORIZED_FLAG)` implies
+unauthorized. In this case, downstream systems might erroneously conclude that
+an account is unauthorized when it is in fact in the
+`AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state.
## Test Cases
+
None yet.
## Implementation
+
https://github.com/stellar/stellar-core/pull/2387
diff --git a/core/cap-0019.md b/core/cap-0019.md
index 983c07a26..d7d71f1c6 100644
--- a/core/cap-0019.md
+++ b/core/cap-0019.md
@@ -12,43 +12,41 @@ Protocol version: 13
## Simple Summary
-Allow future extensibility of transaction types by making
-`TransactionEnvelope` contain a union.
+Allow future extensibility of transaction types by making `TransactionEnvelope`
+contain a union.
## Abstract
-`TransactionEnvelope` now contains a union for the transaction type.
-For binary compatibility, legacy transactions are now of type
-`Transaction0` and can have an Ed25519 account ID only.
+`TransactionEnvelope` now contains a union for the transaction type. For binary
+compatibility, legacy transactions are now of type `Transaction0` and can have
+an Ed25519 account ID only.
## Motivation
-Right now, it will be very difficult to upgrade the `Transaction` type
-in a backwards compatible way. However, until we add a new account
-type, we can take advantage of the fact that all `Transaction`
-structures, when marshaled, start with a 0-valued 32-bit integer (part
-of the `AccountID` which can only be a `PublicKey` or type
-`PUBLIC_KEY_TYPE_ED25519`). We make `TransactionEnvelope` contain a
-union, and when the discriminant is 0, we have it contain a new type
+Right now, it will be very difficult to upgrade the `Transaction` type in a
+backwards compatible way. However, until we add a new account type, we can take
+advantage of the fact that all `Transaction` structures, when marshaled, start
+with a 0-valued 32-bit integer (part of the `AccountID` which can only be a
+`PublicKey` or type `PUBLIC_KEY_TYPE_ED25519`). We make `TransactionEnvelope`
+contain a union, and when the discriminant is 0, we have it contain a new type
`Transaction0` which is basically a `Transaction` with the
`PUBLIC_KEY_TYPE_ED25519` stripped off the beginning and the key type
hard-coded to Ed25519.
## Specification
-We need only two changes. `EnvelopeType` conveniently didn't have a
-0, so we now allocate that for legacy transaction envelopes. We then
-add a union inside `TransactionEnvelope`. Note that
-`TransactionSignaturePayload` already had a union, so we don't need to
-change it. In particularly, we *don't* add a case for
-`ENVELOPE_TYPE_TX0` because we don't want there to be multiple ways to
+We need only two changes. `EnvelopeType` conveniently didn't have a 0, so we
+now allocate that for legacy transaction envelopes. We then add a union inside
+`TransactionEnvelope`. Note that `TransactionSignaturePayload` already had a
+union, so we don't need to change it. In particularly, we _don't_ add a case
+for `ENVELOPE_TYPE_TX0` because we don't want there to be multiple ways to
compute a transaction ID.
-We expect implementations to provide a helper function for converting
-a `Transaction0` into a `Transaction`, as doing so is necessary for
-computing the transaction ID.
+We expect implementations to provide a helper function for converting a
+`Transaction0` into a `Transaction`, as doing so is necessary for computing the
+transaction ID.
-~~~~ {.c}
+```{.c}
enum EnvelopeType
{
ENVELOPE_TYPE_TX0 = 0, // new
@@ -88,31 +86,28 @@ case ENVELOPE_TYPE_TX:
DecoratedSignature signatures<20>;
} v1;
};
-~~~~
+```
## Rationale
-There have been a number of proposals to change the transaction
-format, or add different types of transaction. We have also discussed
-new `AccountID` types. Though we haven't decided on which proposals
-to adopt, changing the transaction format will become much harder if
-we do so after adopting a new `AccountID` type, so we might as well
-make this union change now.
+There have been a number of proposals to change the transaction format, or add
+different types of transaction. We have also discussed new `AccountID` types.
+Though we haven't decided on which proposals to adopt, changing the transaction
+format will become much harder if we do so after adopting a new `AccountID`
+type, so we might as well make this union change now.
## Backwards Compatibility
-The changes are backwards compatible with legacy binary transactions.
-The new code will be able to read old transactions, but old code
-cannot read the new `TransactionEnvelope` type. Hence, a phased
-deployment makes sense.
+The changes are backwards compatible with legacy binary transactions. The new
+code will be able to read old transactions, but old code cannot read the new
+`TransactionEnvelope` type. Hence, a phased deployment makes sense.
## Example
-Imagine we want to add a new `feeSource` field to transactions. We
-can simply introduce a new type `Transaction4` that contains this
-extra field, then:
+Imagine we want to add a new `feeSource` field to transactions. We can simply
+introduce a new type `Transaction4` that contains this extra field, then:
-~~~~ {.c}
+```{.c}
enum EnvelopeType
{
ENVELOPE_TYPE_TX0 = 0,
@@ -160,7 +155,7 @@ case ENVELOPE_TYPE_TX4:
DecoratedSignature signatures<20>;
} v4;
};
-~~~~
+```
## Implementation
diff --git a/core/cap-0020.md b/core/cap-0020.md
index 2a0a625fb..bfdb2db35 100644
--- a/core/cap-0020.md
+++ b/core/cap-0020.md
@@ -12,78 +12,90 @@ Protocol version: 11
## Simple Summary
-This CAP extends the `BucketEntryType` enum with two new values called `INITENTRY` and `METAENTRY`,
-and adds a new `metaEntry` field in the `BucketEntry` union.
-
-The semantics of the `INITENTRY` value are identical to the semantics of the `LIVEENTRY` value (and
-reuse the `liveEntry` field) except that `INITENTRY` also denotes the entry that is the
-(chronologically) first copy of the entry in any live range of the entry in the bucket list. In
-other words: a bucket entry marked `INITENTRY` implies that either no entry with the same ledger key
-exists in an older bucket, or else that the (chronologically) preceding entry with the same ledger
-key was `DEADENTRY`.
-
-The purpose of the `METAENTRY` type is to record the ledger protocol version in buckets and, in
-particular, to facilitate switching merge algorithm to accommodate buckets with `INITENTRY`
-semantics. Therefore the `METAENTRY` entry type (or something like it) is a prerequisite for the
-`INITENTRY` type.
+This CAP extends the `BucketEntryType` enum with two new values called
+`INITENTRY` and `METAENTRY`, and adds a new `metaEntry` field in the
+`BucketEntry` union.
+
+The semantics of the `INITENTRY` value are identical to the semantics of the
+`LIVEENTRY` value (and reuse the `liveEntry` field) except that `INITENTRY`
+also denotes the entry that is the (chronologically) first copy of the entry in
+any live range of the entry in the bucket list. In other words: a bucket entry
+marked `INITENTRY` implies that either no entry with the same ledger key exists
+in an older bucket, or else that the (chronologically) preceding entry with the
+same ledger key was `DEADENTRY`.
+
+The purpose of the `METAENTRY` type is to record the ledger protocol version in
+buckets and, in particular, to facilitate switching merge algorithm to
+accommodate buckets with `INITENTRY` semantics. Therefore the `METAENTRY` entry
+type (or something like it) is a prerequisite for the `INITENTRY` type.
## Abstract
-The ledger state in stellar-core is maintained in a special-purpose log-structured merge (LSM) tree
-called the bucket list. The design of this data structure is part of the overall protocol and its
-contents are defined in the protocol XDR files. This CAP proposes a very slight change to one of the
-constituent datatypes in the LSM tree to address a performance problem observed in the field.
-
-The current bucket list consists of a set of entries that can be in one of two states: **live** or
-**dead**. Dead entries (so-called "tombstones") exist strictly to override the live-ness of a live
-entry in an older level of the bucket list. If a tombstone is present in the bucket list for which
-no live entry exists in an older level, that tombstone is **redundant**: there is nothing for it to
-override.
-
-The original design of the bucket list assumed that most entries in the ledger would be relatively
-long-lived (such as accounts) and therefore the presence of redundant tombstones would not be a
-major performance issue. In practice, we observe that the great majority of ledger entries have
-turned out to be short-lived (primarily offers) and therefore buckets have accumulated many
+The ledger state in stellar-core is maintained in a special-purpose
+log-structured merge (LSM) tree called the bucket list. The design of this data
+structure is part of the overall protocol and its contents are defined in the
+protocol XDR files. This CAP proposes a very slight change to one of the
+constituent datatypes in the LSM tree to address a performance problem observed
+in the field.
+
+The current bucket list consists of a set of entries that can be in one of two
+states: **live** or **dead**. Dead entries (so-called "tombstones") exist
+strictly to override the live-ness of a live entry in an older level of the
+bucket list. If a tombstone is present in the bucket list for which no live
+entry exists in an older level, that tombstone is **redundant**: there is
+nothing for it to override.
+
+The original design of the bucket list assumed that most entries in the ledger
+would be relatively long-lived (such as accounts) and therefore the presence of
+redundant tombstones would not be a major performance issue. In practice, we
+observe that the great majority of ledger entries have turned out to be
+short-lived (primarily offers) and therefore buckets have accumulated many
redundant tombstones.
-The change in this CAP will eliminate the conditions that create redundant tombstones. They will
-then gradually be merged-out of the set of live buckets, as the ledger evolves and buckets are
-merged. Within a few months, the accumulated redundant tombstones will be eliminated from live
-buckets. Historical buckets containing redundant tombstones will remain, but new buckets will be
-**much** smaller.
+The change in this CAP will eliminate the conditions that create redundant
+tombstones. They will then gradually be merged-out of the set of live buckets,
+as the ledger evolves and buckets are merged. Within a few months, the
+accumulated redundant tombstones will be eliminated from live buckets.
+Historical buckets containing redundant tombstones will remain, but new buckets
+will be **much** smaller.
## Motivation
-At present, buckets in the existing network are overwhelmingly composed of redundant tombstones for
-short-lived offers. As a typical example, a recent second-from-oldest-level bucket contains 5.9m
-redundant offer tombstones and 850k live entries, of which only 4.7k are for live offers. These
-tombstones incur a significant performance cost in a variety of day-to-day operations of the
-network, including point-in-time catchup and regular bucket merge operations during transaction
-processing.
-
-The buildup of redundant tombstones occurs because the existing merge algorithm conservatively
-preserves tombstones until the final level of the bucket list. This conservative behavior is
-required because the existing representation of live entries in buckets does not indicate whether a
-live entry is the _oldest_ existing entry with a given key; the merge algorithm must therefore assume
-the possibility that any tombstone may be shadowing some other live entry in an older bucket, and
-preserve all tombstones.
-
-If the merge algorithm could determine that a tombstone was being merged with the oldest entry with
-a given key -- if it were being merged with a live entry that was marked as the _initial_ entry with
-its key -- then the merge algorithm could discard both the "initial" live entry and the tombstone,
-accumulating zero space in the merged bucket. This is exactly what this CAP proposes to do.
+At present, buckets in the existing network are overwhelmingly composed of
+redundant tombstones for short-lived offers. As a typical example, a recent
+second-from-oldest-level bucket contains 5.9m redundant offer tombstones and
+850k live entries, of which only 4.7k are for live offers. These tombstones
+incur a significant performance cost in a variety of day-to-day operations of
+the network, including point-in-time catchup and regular bucket merge
+operations during transaction processing.
+
+The buildup of redundant tombstones occurs because the existing merge algorithm
+conservatively preserves tombstones until the final level of the bucket list.
+This conservative behavior is required because the existing representation of
+live entries in buckets does not indicate whether a live entry is the _oldest_
+existing entry with a given key; the merge algorithm must therefore assume the
+possibility that any tombstone may be shadowing some other live entry in an
+older bucket, and preserve all tombstones.
+
+If the merge algorithm could determine that a tombstone was being merged with
+the oldest entry with a given key -- if it were being merged with a live entry
+that was marked as the _initial_ entry with its key -- then the merge algorithm
+could discard both the "initial" live entry and the tombstone, accumulating
+zero space in the merged bucket. This is exactly what this CAP proposes to do.
## Specification
-The ledger protocol number will be increased, to version TBD. This is a breaking change. Merging
-buckets in a ledger of the newer protocol version (and beyond) will need to use a revised merge
-algorithm (see below).
+The ledger protocol number will be increased, to version TBD. This is a
+breaking change. Merging buckets in a ledger of the newer protocol version (and
+beyond) will need to use a revised merge algorithm (see below).
### XDR changes
-The `BucketEntryType` enum will be extended with two new values: `INITENTRY` and `METAENTRY`.
+The `BucketEntryType` enum will be extended with two new values: `INITENTRY`
+and `METAENTRY`.
-The `BucketEntry` union will be extended with a corresponding new state `metaEntry` of type `MetaEntry`.
+The `BucketEntry` union will be extended with a corresponding new state
+`metaEntry` of type `MetaEntry`.
The updated relevant XDR definitions follow:
@@ -127,93 +139,102 @@ case METAENTRY:
### Bucket content changes
-Under protocol TBD, new buckets will have a single METAENTRY written as their first entry, which
-carries metadata that indicates the conditions under which the bucket was formed: currently only its
-protocol version. Absence of a METAENTRY implies that the bucket originates from before protocol
-version TBD.
+Under protocol TBD, new buckets will have a single METAENTRY written as their
+first entry, which carries metadata that indicates the conditions under which
+the bucket was formed: currently only its protocol version. Absence of a
+METAENTRY implies that the bucket originates from before protocol version TBD.
-Under protocol TBD, the semantics of adding a live entry to a fresh bucket at the head of the bucket
-list will be changed to reflect the lifecycle of the live entry: if the entry is being added because
-it is **new** (as the result of a creation event), it must be added in `INITENTRY` state rather than
-the `LIVEENTRY` state. If the entry is being added because of an **update** to the same key, the
-entry must be added in `LIVEENTRY` state.
+Under protocol TBD, the semantics of adding a live entry to a fresh bucket at
+the head of the bucket list will be changed to reflect the lifecycle of the
+live entry: if the entry is being added because it is **new** (as the result of
+a creation event), it must be added in `INITENTRY` state rather than the
+`LIVEENTRY` state. If the entry is being added because of an **update** to the
+same key, the entry must be added in `LIVEENTRY` state.
### Protocol version changes
-Any merge will be performed under the maximum protocol version of all of the input buckets and
-shadow buckets involved in the merge. If the protocol version selected by inspecting buckets
-involved in a merge exceeds the protocol version of the ledger at which the merge is being
-started, the merge will fail with an error.
+Any merge will be performed under the maximum protocol version of all of the
+input buckets and shadow buckets involved in the merge. If the protocol version
+selected by inspecting buckets involved in a merge exceeds the protocol version
+of the ledger at which the merge is being started, the merge will fail with an
+error.
### Merge algorithm changes
-Under protocol TBD, the semantics of merging buckets will be changed to the following:
-
- - If two entries have different keys, emit the lower-ordered one as we do today.
- - If the two entries have the same key and neither is `INITENTRY`, take the newer entry as we do
- today.
- - If the two entries have the same key and at least one is `INITENTRY`:
- - If the newer entry is of type `DEADENTRY`, output nothing. Consider both entries annihilated.
- - If the newer entry is of type `LIVEENTRY`, output an entry in `INITENTRY` state with the value
- of the newer `LIVEENTRY` entry.
- - If the newer entry is of type `INITENTRY`:
- - If the older entry is of type `DEADENTRY`, output an entry in `LIVEENTRY` state with the value
- of the newer `INITENTRY` entry.
- - Otherwise signal an error: an `INITENTRY` should never be the next lifecycle state for an
- entry in `INITENTRY` or `LIVEENTRY` state.
-
-
-The following table summarizes the rules for merging entries in `INITENTRY` state:
-
-
- | old | new | result |
- |---------------|--------------|---------------|
- | INITENTRY | DEADENTRY | empty |
- | INITENTRY=x | LIVEENTRY=y | INITENTRY=y |
- | DEADENTRY | INITENTRY=x | LIVEENTRY=x |
- | INITENTRY | INITENTRY | error |
- | LIVEENTRY | INITENTRY | error |
+Under protocol TBD, the semantics of merging buckets will be changed to the
+following:
+
+- If two entries have different keys, emit the lower-ordered one as we do
+ today.
+- If the two entries have the same key and neither is `INITENTRY`, take the
+ newer entry as we do today.
+- If the two entries have the same key and at least one is `INITENTRY`:
+ - If the newer entry is of type `DEADENTRY`, output nothing. Consider both
+ entries annihilated.
+ - If the newer entry is of type `LIVEENTRY`, output an entry in `INITENTRY`
+ state with the value of the newer `LIVEENTRY` entry.
+ - If the newer entry is of type `INITENTRY`:
+ - If the older entry is of type `DEADENTRY`, output an entry in `LIVEENTRY`
+ state with the value of the newer `INITENTRY` entry.
+ - Otherwise signal an error: an `INITENTRY` should never be the next
+ lifecycle state for an entry in `INITENTRY` or `LIVEENTRY` state.
+
+The following table summarizes the rules for merging entries in `INITENTRY`
+state:
+
+| old | new | result |
+| ----------- | ----------- | ----------- |
+| INITENTRY | DEADENTRY | empty |
+| INITENTRY=x | LIVEENTRY=y | INITENTRY=y |
+| DEADENTRY | INITENTRY=x | LIVEENTRY=x |
+| INITENTRY | INITENTRY | error |
+| LIVEENTRY | INITENTRY | error |
### Shadowed entry elision changes
-Under protocol TBD, the semantics of emitting shadowed entries during merges will be changed to
-preserve both `INITENTRY` and `DEADENTRY` entries. Only `LIVEENTRY` entries can be elided, in order
-to retain the lifecycle structure of each ledger key over time.
+Under protocol TBD, the semantics of emitting shadowed entries during merges
+will be changed to preserve both `INITENTRY` and `DEADENTRY` entries. Only
+`LIVEENTRY` entries can be elided, in order to retain the lifecycle structure
+of each ledger key over time.
## Rationale
-The existing bucket list does compact-out entries that have been shadowed at _newer_ levels; it was
-simply an oversight in the initial design to not compact-out tombstones that are redundant with
-respect to _older_ levels.
+The existing bucket list does compact-out entries that have been shadowed at
+_newer_ levels; it was simply an oversight in the initial design to not
+compact-out tombstones that are redundant with respect to _older_ levels.
-Such redundant tombstone compaction is a standard feature of LSM trees, for example see the logic in
-LevelDB:
+Such redundant tombstone compaction is a standard feature of LSM trees, for
+example see the logic in LevelDB:
https://github.com/google/leveldb/blob/master/db/db_impl.cc#L965-L974
-We could follow a similar approach to this code, using (for example) ledger sequence numbers and
-deducing that a given tombstone is not relevant based on the ledger number of the bucket it is being
-merged into; but this would be a more invasive (and more fragile) change. The proposed change in
-this CAP is the simplest possible that we could think of.
+We could follow a similar approach to this code, using (for example) ledger
+sequence numbers and deducing that a given tombstone is not relevant based on
+the ledger number of the bucket it is being merged into; but this would be a
+more invasive (and more fragile) change. The proposed change in this CAP is the
+simplest possible that we could think of.
## Backwards Compatibility
-This change will produce ledgers that contain buckets that have a `BucketEntryType` value
-(`INITENTRY`) that is unknown to older versions of stellar-core. If those versions try to process
-such a bucket, they will fail with an error, but this should not occur since they will fail earlier
-with a protocol-version mismatch error.
-
-Since each ledger indicates the protocol version in its header, new versions of stellar-core will be
-able to process both old and new buckets appropriately, enabling the new logic only when forming a
-bucket for a new-version ledger. It should not need to employ version-sensitive logic when _reading_
-buckets, since the old and new behavior are identical on old input buckets (those without
+This change will produce ledgers that contain buckets that have a
+`BucketEntryType` value (`INITENTRY`) that is unknown to older versions of
+stellar-core. If those versions try to process such a bucket, they will fail
+with an error, but this should not occur since they will fail earlier with a
+protocol-version mismatch error.
+
+Since each ledger indicates the protocol version in its header, new versions of
+stellar-core will be able to process both old and new buckets appropriately,
+enabling the new logic only when forming a bucket for a new-version ledger. It
+should not need to employ version-sensitive logic when _reading_ buckets, since
+the old and new behavior are identical on old input buckets (those without
`INITENTRY` entries).
-Semantically, very little will otherwise change: the high level _meaning_ of the bucket list will
-remain unchanged, as will be the contents of the active SQL database against-which transactions
-execute. Only the representation of entries in the bucket list will change: newly-created entries
-will be differentiated from updated entries, and redundant tombstones will thereby be compressed-out
-of buckets.
+Semantically, very little will otherwise change: the high level _meaning_ of
+the bucket list will remain unchanged, as will be the contents of the active
+SQL database against-which transactions execute. Only the representation of
+entries in the bucket list will change: newly-created entries will be
+differentiated from updated entries, and redundant tombstones will thereby be
+compressed-out of buckets.
## Test Cases
@@ -221,4 +242,5 @@ Extensive testcases will accompany the implementation.
## Implementation
-Prototype implementation is present in https://github.com/stellar/stellar-core/pull/1950
+Prototype implementation is present in
+https://github.com/stellar/stellar-core/pull/1950
diff --git a/core/cap-0021.md b/core/cap-0021.md
index c5c6686a0..f2d040c9e 100644
--- a/core/cap-0021.md
+++ b/core/cap-0021.md
@@ -15,64 +15,61 @@ Protocol version: 19
## Simple Summary
-This proposal generalizes the `timeBounds` field in `Transaction` to
-support other conditions, including conditions that relax sequence
-number checking and provide relative timelocks.
+This proposal generalizes the `timeBounds` field in `Transaction` to support
+other conditions, including conditions that relax sequence number checking and
+provide relative timelocks.
## Motivation
-Sequence numbers are tricky for anything other than simple payments.
-For instance, pre-authorized transactions can only execute when the
-source account has a specific sequence number. Worse yet, sequence
-numbers make it difficult for protocols such as payment channels to
-guarantee that one participant can execute a transaction signed by all
-participants. In general, an N-party protocol requires N auxiliary
-accounts, one for each participant; each logical transaction
-pre-signed by all N participants must actually be implemented as N
-pre-signed transactions using each auxiliary account at a source, so
-that one participant can still submit a pre-signed transaction even if
-another participant has changed the sequence number on a different
-auxiliary account. This is further complicated by the need to
-maintain a reserve balance on each auxiliary account.
+Sequence numbers are tricky for anything other than simple payments. For
+instance, pre-authorized transactions can only execute when the source account
+has a specific sequence number. Worse yet, sequence numbers make it difficult
+for protocols such as payment channels to guarantee that one participant can
+execute a transaction signed by all participants. In general, an N-party
+protocol requires N auxiliary accounts, one for each participant; each logical
+transaction pre-signed by all N participants must actually be implemented as N
+pre-signed transactions using each auxiliary account at a source, so that one
+participant can still submit a pre-signed transaction even if another
+participant has changed the sequence number on a different auxiliary account.
+This is further complicated by the need to maintain a reserve balance on each
+auxiliary account.
### Goals Alignment
-This proposal advances network scalability by facilitating off-chain
-payment channels. It advances security and simplicity and
-interoperability with other networks by enabling relative timelocks.
-Finally, the proposal makes it easier for developers to create highly
-usable products by enabling time-delayed key recovery.
+This proposal advances network scalability by facilitating off-chain payment
+channels. It advances security and simplicity and interoperability with other
+networks by enabling relative timelocks. Finally, the proposal makes it easier
+for developers to create highly usable products by enabling time-delayed key
+recovery.
## Abstract
-This proposal extends `AccountEntry` to keep track of the time and
-ledger number at which the account's sequence number was last changed.
-It also replaces the `timeBounds` field of `Transaction` with a union
-that allows more general transaction preconditions. One of these
-preconditions requires that the sequence number of `sourceAccount`
-have been modified at least some period of time in the past,
-effectively providing a relative timelock. Another precondition
-optionally weakens sequence number checking so as to allow a
+This proposal extends `AccountEntry` to keep track of the time and ledger
+number at which the account's sequence number was last changed. It also
+replaces the `timeBounds` field of `Transaction` with a union that allows more
+general transaction preconditions. One of these preconditions requires that the
+sequence number of `sourceAccount` have been modified at least some period of
+time in the past, effectively providing a relative timelock. Another
+precondition optionally weakens sequence number checking so as to allow a
transaction to execute when the `sourceAccount` is within some range.
## Specification
`AccountEntryExtensionV2`'s `ext` field is extended to keep track of
-`seqLedger` and `seqTime`--the ledger number and time at which the
-sequence number was set to its present value. These values are updated
-in two situations:
+`seqLedger` and `seqTime`--the ledger number and time at which the sequence
+number was set to its present value. These values are updated in two
+situations:
1. Transaction: For the `sourceAccount` of every executed transaction.
-2. `BumpSequenceOp` operation: For the `sourceAccount` of every
-successfully executed `BumpSequenceOp` operation, regardless of whether
-the `BumpSequenceOp` actually increased or modified the sequence number
-of the account. This allows an account to update it's `seqLedger`
-or `seqTime` without using an additional sequence number.
+2. `BumpSequenceOp` operation: For the `sourceAccount` of every successfully
+ executed `BumpSequenceOp` operation, regardless of whether the
+ `BumpSequenceOp` actually increased or modified the sequence number of the
+ account. This allows an account to update it's `seqLedger` or `seqTime`
+ without using an additional sequence number.
-If an account does not have an `AccountEntryExtensionV3` because it
-hasn't been upgraded yet, then it behaves as if `seqLedger` and
-`seqTime` are both 0.
+If an account does not have an `AccountEntryExtensionV3` because it hasn't been
+upgraded yet, then it behaves as if `seqLedger` and `seqTime` are both 0.
```c++
// An ExtensionPoint is always marshaled as a 32-bit 0 value. At a
@@ -113,28 +110,25 @@ struct AccountEntryExtensionV2
};
```
-Preconditions are represented by a new `Preconditions` union with
-discriminant `type`. Values `PRECOND_NONE` and `PRECOND_TIME` are
-binary compatible with the current `timeBounds` field (which is of
-type `TimeBounds*`). Value `PRECOND_V2` is the new type of
-precondition. Note that `minSeqNum`, if non-NULL, relaxes the range
-of sequence numbers at which a transaction can be executed. However,
-after executing a transaction, `sourceAccount`'s sequence number is
-always set to the transaction's `seqNum`--like an implicit
-`BUMP_SEQUENCE` operation. This guarantees transactions cannot be
-replayed, even when the previous account `seqNum` is well below the
-transaction's `seqNum`. The final element of `Preconditions` is an
-array of extra signers required for the transaction. This can be used
-with `SIGNER_KEY_TYPE_HASH_X` to sign a transaction that can only be
-executed in exchange for disclosing a hash preimage.
-
-Note that a `TransactionV1Envelope` may contain at most 20 signatures.
-Any signatures required by the `extraSigners` field reside in the
-`TransactionV1Envelope` and hence must reside in the same 20 signature
-slots. As a consequence, a transaction that would require 20
-signatures without an `extraSigners` field generally cannot contain
-`extraSigners` unless the `extraSigners` are satisfied by the same
-signatures as the `sourceAccount`s.
+Preconditions are represented by a new `Preconditions` union with discriminant
+`type`. Values `PRECOND_NONE` and `PRECOND_TIME` are binary compatible with the
+current `timeBounds` field (which is of type `TimeBounds*`). Value `PRECOND_V2`
+is the new type of precondition. Note that `minSeqNum`, if non-NULL, relaxes
+the range of sequence numbers at which a transaction can be executed. However,
+after executing a transaction, `sourceAccount`'s sequence number is always set
+to the transaction's `seqNum`--like an implicit `BUMP_SEQUENCE` operation. This
+guarantees transactions cannot be replayed, even when the previous account
+`seqNum` is well below the transaction's `seqNum`. The final element of
+`Preconditions` is an array of extra signers required for the transaction. This
+can be used with `SIGNER_KEY_TYPE_HASH_X` to sign a transaction that can only
+be executed in exchange for disclosing a hash preimage.
+
+Note that a `TransactionV1Envelope` may contain at most 20 signatures. Any
+signatures required by the `extraSigners` field reside in the
+`TransactionV1Envelope` and hence must reside in the same 20 signature slots.
+As a consequence, a transaction that would require 20 signatures without an
+`extraSigners` field generally cannot contain `extraSigners` unless the
+`extraSigners` are satisfied by the same signatures as the `sourceAccount`s.
```c++
typedef uint64 Duration;
@@ -193,8 +187,8 @@ union Preconditions switch (PreconditionType type) {
Note we add an unsigned `Duration` type, used by `minSeqAge`.
-We make use of the new `Preconditions` type by replacing `timeBounds`
-in the `Transaction` structure as follows:
+We make use of the new `Preconditions` type by replacing `timeBounds` in the
+`Transaction` structure as follows:
```c++
struct Transaction
@@ -215,103 +209,97 @@ struct Transaction
};
```
-A transaction whose preconditions are not satisfied is
-_non-executable_. In most cases, non-executable transactions should
-not be included in blocks. However, it is possible that a prior
-transaction in the same block can turn a executable transaction into a
-non-executable one. If this happens, the non-executable transaction
-still incurs a fee and increments the `sourceAccount` sequence number.
-
-To minimize the presence of non-executable transactions in blocks, a
-block may not contain both a transaction with a non-zero
-`minSeqLedgerGap` or `minSeqAge` and one with a lower `seqNum` on the
-same `sourceAccount`. Unfortunately, this does not entirely eliminate
-the possibility of non-executable transactions in blocks; for
-instance, a `BUMP_SEQUENCE` operation in a transaction from a
-different `sourceAccount` can invalidate the `minSeqAge` or
-`minSeqLedgerGap` on another transaction.
+A transaction whose preconditions are not satisfied is _non-executable_. In
+most cases, non-executable transactions should not be included in blocks.
+However, it is possible that a prior transaction in the same block can turn a
+executable transaction into a non-executable one. If this happens, the
+non-executable transaction still incurs a fee and increments the
+`sourceAccount` sequence number.
+
+To minimize the presence of non-executable transactions in blocks, a block may
+not contain both a transaction with a non-zero `minSeqLedgerGap` or `minSeqAge`
+and one with a lower `seqNum` on the same `sourceAccount`. Unfortunately, this
+does not entirely eliminate the possibility of non-executable transactions in
+blocks; for instance, a `BUMP_SEQUENCE` operation in a transaction from a
+different `sourceAccount` can invalidate the `minSeqAge` or `minSeqLedgerGap`
+on another transaction.
### Transaction forwarding and ordering
-A transaction submitted to the network is valid only if it is part of
-a valid series of pending transactions on the same `sourceAccount`
-that can all be valid in the same block. For example, if a source
-account has `seqNum` 10, then a submitted transaction with `seqNum` 12
-and no preconditions is valid (and should be forwarded) only if there
-is also a pending valid transaction with sequence number 11. The
-`minSeqNum` field in this proposal relaxes validity to allow a valid
-series of transactions on the same `sourceAccount` with discontinuous
-`seqNum` fields. The gaps, however, cannot be filled in (if the queue
-already had `seqNum` 10 and 12 with a valid gap, 11 should not be
-accepted and forwarded). Regardless of these gaps, all transactions on the
-same `sourceAccount` in the same block must be executed in order of
-increasing `seqNum`. Hence, the presence of the `minSeqNum` field may
-make transactions valid that would not otherwise be valid, but cannot
-invalidate otherwise valid transactions, since lower `seqNum` fields
-always execute first before higher ones that would invalidate them.
+A transaction submitted to the network is valid only if it is part of a valid
+series of pending transactions on the same `sourceAccount` that can all be
+valid in the same block. For example, if a source account has `seqNum` 10, then
+a submitted transaction with `seqNum` 12 and no preconditions is valid (and
+should be forwarded) only if there is also a pending valid transaction with
+sequence number 11. The `minSeqNum` field in this proposal relaxes validity to
+allow a valid series of transactions on the same `sourceAccount` with
+discontinuous `seqNum` fields. The gaps, however, cannot be filled in (if the
+queue already had `seqNum` 10 and 12 with a valid gap, 11 should not be
+accepted and forwarded). Regardless of these gaps, all transactions on the same
+`sourceAccount` in the same block must be executed in order of increasing
+`seqNum`. Hence, the presence of the `minSeqNum` field may make transactions
+valid that would not otherwise be valid, but cannot invalidate otherwise valid
+transactions, since lower `seqNum` fields always execute first before higher
+ones that would invalidate them.
A transaction with a non-zero `minSeqAge` or `minSeqLedgerGap` must be
-discarded and not forwarded--as if its `minTime` has not yet
-arrived--if either A) the appropriate condition (`minSeqAge` or
-`minSeqLedgerGap`) does not yet hold, or B) there are pending valid
-transactions with lower sequence numbers on the same `sourceAccount`.
-Conversely, after receiving and forwarding a valid transaction with a
-non-zero `minSeqAge` or `minSeqLedgerGap`, subsequently received
-transactions with earlier sequence numbers must be discarded.
-However, a nominated block is valid so long as its transactions can be
-executed. This means a validator can vote for a block containing
-transactions that the validator would have discarded. For example,
-consider the following two transactions on the same `sourceAccount`
-which currently has `seqNum` 10:
-
-* T1 has `seqNum` 11 and no preconditions.
-* T2 has `seqNum` 12, `minSeqNum` 10, and `minSeqLedgerGap` 1.
-
-Any validator that receives both of these transactions will keep the
-first one and discard the second one that it receives. However, if a
-validator sees a nomination vote for a block that contains T2 but not
-T1, the validator will nonetheless vote for the block. The logic is
-identical to a situation in which T1 and T2 have the same sequence
-number and fee--validators seeing both will discard the second one
-that they receive.
+discarded and not forwarded--as if its `minTime` has not yet arrived--if either
+A) the appropriate condition (`minSeqAge` or `minSeqLedgerGap`) does not yet
+hold, or B) there are pending valid transactions with lower sequence numbers on
+the same `sourceAccount`. Conversely, after receiving and forwarding a valid
+transaction with a non-zero `minSeqAge` or `minSeqLedgerGap`, subsequently
+received transactions with earlier sequence numbers must be discarded. However,
+a nominated block is valid so long as its transactions can be executed. This
+means a validator can vote for a block containing transactions that the
+validator would have discarded. For example, consider the following two
+transactions on the same `sourceAccount` which currently has `seqNum` 10:
+
+- T1 has `seqNum` 11 and no preconditions.
+- T2 has `seqNum` 12, `minSeqNum` 10, and `minSeqLedgerGap` 1.
+
+Any validator that receives both of these transactions will keep the first one
+and discard the second one that it receives. However, if a validator sees a
+nomination vote for a block that contains T2 but not T1, the validator will
+nonetheless vote for the block. The logic is identical to a situation in which
+T1 and T2 have the same sequence number and fee--validators seeing both will
+discard the second one that they receive.
### Transaction validation
-The `Preconditions` in each transaction of a block are validated
-twice.
-
-The first validation occurs when checking that a block itself is valid
-and can be nominated by the consensus protocol. As part of the
-validation, for each `sourceAccount` there can be only one transaction
-with a given sequence number and the `seqNum` fields must either be
-consecutive or any gaps must be permitted by non-NULL `minSeqNum`
-fields. All but the transaction with the lowest `seqNum` on a given
-`sourceAccount` must have 0 for the `minSeqAge` and `minSeqLedgerGap`
-fields.
-
-Once a block is externalized by the consensus algorithm, the block is
-applied. Before executing any operations, fees are charged to the
-source account for all transactions. Once fees have been deducted
-from all accounts, transactions are one-by-one validated a second time
-then executed. It is possible for a previously valid transaction to
-fail the second validation, for instance if a `BUMP_SEQUENCE`
-operation made the sequence number invalid. Whenever a transaction
-fails validation during execution, the `sourceAccount` loses the fee.
+The `Preconditions` in each transaction of a block are validated twice.
+
+The first validation occurs when checking that a block itself is valid and can
+be nominated by the consensus protocol. As part of the validation, for each
+`sourceAccount` there can be only one transaction with a given sequence number
+and the `seqNum` fields must either be consecutive or any gaps must be
+permitted by non-NULL `minSeqNum` fields. All but the transaction with the
+lowest `seqNum` on a given `sourceAccount` must have 0 for the `minSeqAge` and
+`minSeqLedgerGap` fields.
+
+Once a block is externalized by the consensus algorithm, the block is applied.
+Before executing any operations, fees are charged to the source account for all
+transactions. Once fees have been deducted from all accounts, transactions are
+one-by-one validated a second time then executed. It is possible for a
+previously valid transaction to fail the second validation, for instance if a
+`BUMP_SEQUENCE` operation made the sequence number invalid. Whenever a
+transaction fails validation during execution, the `sourceAccount` loses the
+fee.
Because `PreconditionsV2` specifies multiple pre-conditions, there may be
multiple reasons why a transaction is invalid. If `extraSigners` contains
duplicate signers, the transaction is rejected with `txMALFORMED` (Note that
-signer overlap between `extraSigners` and `AccountEntry` signers is allowed). If
-the `maxTime` (inclusive) or `maxLedger` (exclusive) have not been satisfied--
-then the transaction is rejected with `TransactionResultCode` `txTOO_LATE`. If
-`minTime` or `minLedger` have not been reached yet, then the transaction is
-rejected with `txTOO_EARLY`. If `minSeqNum` is set, but the relaxed sequence
-number validation still fails, then the transaction is rejected with
-`txBAD_SEQ`. If the failure is due to `minSeqAge` or `minSeqLedgerGap`, then the
-transaction is rejected with the new `txBAD_MIN_SEQ_AGE_OR_GAP` error code. If
-none of the above conditions holds (`txTOO_EARLY`, `txBAD_MIN_SEQ_AGE_OR_GAP`,
-`txMALFORMED`, `txBAD_SEQ`, and `txTOO_LATE` do not apply), but one of the
-`extraSigners` is unsatisfied, then the transaction fails with `txBAD_AUTH`.
+signer overlap between `extraSigners` and `AccountEntry` signers is allowed).
+If the `maxTime` (inclusive) or `maxLedger` (exclusive) have not been
+satisfied-- then the transaction is rejected with `TransactionResultCode`
+`txTOO_LATE`. If `minTime` or `minLedger` have not been reached yet, then the
+transaction is rejected with `txTOO_EARLY`. If `minSeqNum` is set, but the
+relaxed sequence number validation still fails, then the transaction is
+rejected with `txBAD_SEQ`. If the failure is due to `minSeqAge` or
+`minSeqLedgerGap`, then the transaction is rejected with the new
+`txBAD_MIN_SEQ_AGE_OR_GAP` error code. If none of the above conditions holds
+(`txTOO_EARLY`, `txBAD_MIN_SEQ_AGE_OR_GAP`, `txMALFORMED`, `txBAD_SEQ`, and
+`txTOO_LATE` do not apply), but one of the `extraSigners` is unsatisfied, then
+the transaction fails with `txBAD_AUTH`.
### XDR diff
@@ -327,11 +315,11 @@ index c870fe09..5c772f1c 100644
+typedef uint64 Duration;
typedef opaque DataValue<64>;
typedef Hash PoolID; // SHA256(LiquidityPoolParameters)
-
+
@@ -133,6 +134,19 @@ const MAX_SIGNERS = 20;
-
+
typedef AccountID* SponsorshipDescriptor;
-
+
+struct AccountEntryExtensionV3
+{
+ // We can use this to add more fields, or because it is first, to
@@ -364,7 +352,7 @@ index 1a4e491a..811e4786 100644
@@ -576,6 +576,58 @@ struct TimeBounds
TimePoint maxTime; // 0 here means no maxTime
};
-
+
+struct LedgerBounds
+{
+ uint32 minLedger;
@@ -419,20 +407,20 @@ index 1a4e491a..811e4786 100644
+
// maximum number of operations per transaction
const MAX_OPS_PER_TX = 100;
-
+
@@ -627,8 +679,8 @@ struct Transaction
// sequence number to consume in the account
SequenceNumber seqNum;
-
+
- // validity range (inclusive) for the last ledger close time
- TimeBounds* timeBounds;
+ // validity conditions
+ Preconditions cond;
-
+
Memo memo;
-
+
@@ -1508,7 +1560,9 @@ enum TransactionResultCode
-
+
txNOT_SUPPORTED = -12, // transaction type not supported
txFEE_BUMP_INNER_FAILED = -13, // fee bump inner transaction failed
- txBAD_SPONSORSHIP = -14 // sponsorship not confirmed
@@ -440,7 +428,7 @@ index 1a4e491a..811e4786 100644
+ txBAD_MIN_SEQ_AGE_OR_GAP = -15, //minSeqAge or minSeqLedgerGap conditions not met
+ txMALFORMED = 16 // precondition is invalid
};
-
+
// InnerTransactionResult must be binary compatible with TransactionResult
@@ -1537,6 +1591,8 @@ struct InnerTransactionResult
case txNOT_SUPPORTED:
@@ -458,7 +446,7 @@ index 8f7d5c20..caa41d7f 100644
@@ -14,6 +14,14 @@ typedef int int32;
typedef unsigned hyper uint64;
typedef hyper int64;
-
+
+// An ExtensionPoint is always marshaled as a 32-bit 0 value. At a
+// later point, it can be replaced by a different union so as to
+// extend a structure.
@@ -474,396 +462,359 @@ index 8f7d5c20..caa41d7f 100644
## Design Rationale
-Relative timelocks are a known mechanism for simplifying payment
-channels, implemented by Bitcoin and used in lightning payment
-channels. Stellar's lack of UTXOs combined with transaction sequence
-numbers make payment channels harder to implement. This proposal
-rectifies the problem in a way that is not too hard to implement in
-stellar-core and provides a good degree of backwards compatibility.
-
-Fundamentally, a payment channel requires a way to enforce a time
-separation between declaring that one wants to execute a pre-signed
-transaction T and actually executing T. Furthermore, between the
-declaration and execution, other parties need a chance to object and
-invalidate T if there is a later T' superseding T. The relative
-timelock provides this separation, while the relaxing of sequence
-numbers makes it easy to object by pre-signing a transaction
-invalidating T that can be submitted at a variety of sequence numbers.
-Without such a mechanism, multiple auxiliary accounts are required.
-
-An earlier version of the proposal did not contain the
-`minSeqLedgerGap` field. However, members of the payment channel
-working group were concerned that the network could, in a worst-case
-scenario, experience downtime right after someone incorrectly closes a
-payment channel, precluding the other party from correcting the
-problem. `minSeqLedgerGap` guarantees that there will be an
-opportunity to correct the problem when the network comes back up,
-because the pre-signed transaction with a `minSeqLedgerGap` will still
-not be immediately executable.
-
-It's worth asking whether we need `minSeqAge` if we have
-`minSeqLedgerGap`. One reason to keep it is that, under heavy load,
-the network could start processing ledgers faster than once every 5
-seconds. This might happen after periods of downtime.
-
-One possible efficiency problem is that transactions with a
-`minSeqAge` or `minSeqLedgerGap` cannot be pipelined behind other
-transactions on the same `sourceAccount`. Though this might seem to
-reduce efficiency, in fact such time-delayed transactions are intended
-to be delayed for some "disclosure period" during which the account
-remains idle. Typically such time-delayed transactions are intended
-to correct an abnormal situation (e.g., one end of a payment channel
-failing, or an account owner losing the key) and so don't actually get
-submitted in the common case.
+Relative timelocks are a known mechanism for simplifying payment channels,
+implemented by Bitcoin and used in lightning payment channels. Stellar's lack
+of UTXOs combined with transaction sequence numbers make payment channels
+harder to implement. This proposal rectifies the problem in a way that is not
+too hard to implement in stellar-core and provides a good degree of backwards
+compatibility.
+
+Fundamentally, a payment channel requires a way to enforce a time separation
+between declaring that one wants to execute a pre-signed transaction T and
+actually executing T. Furthermore, between the declaration and execution, other
+parties need a chance to object and invalidate T if there is a later T'
+superseding T. The relative timelock provides this separation, while the
+relaxing of sequence numbers makes it easy to object by pre-signing a
+transaction invalidating T that can be submitted at a variety of sequence
+numbers. Without such a mechanism, multiple auxiliary accounts are required.
+
+An earlier version of the proposal did not contain the `minSeqLedgerGap` field.
+However, members of the payment channel working group were concerned that the
+network could, in a worst-case scenario, experience downtime right after
+someone incorrectly closes a payment channel, precluding the other party from
+correcting the problem. `minSeqLedgerGap` guarantees that there will be an
+opportunity to correct the problem when the network comes back up, because the
+pre-signed transaction with a `minSeqLedgerGap` will still not be immediately
+executable.
+
+It's worth asking whether we need `minSeqAge` if we have `minSeqLedgerGap`. One
+reason to keep it is that, under heavy load, the network could start processing
+ledgers faster than once every 5 seconds. This might happen after periods of
+downtime.
+
+One possible efficiency problem is that transactions with a `minSeqAge` or
+`minSeqLedgerGap` cannot be pipelined behind other transactions on the same
+`sourceAccount`. Though this might seem to reduce efficiency, in fact such
+time-delayed transactions are intended to be delayed for some "disclosure
+period" during which the account remains idle. Typically such time-delayed
+transactions are intended to correct an abnormal situation (e.g., one end of a
+payment channel failing, or an account owner losing the key) and so don't
+actually get submitted in the common case.
### Two-way payment channel
-The proposed mechanism can be used to implement a payment channel
-between two parties, an initiator I and a responder R. The protocol
-assumes some _synchrony period_, S, such that both parties are
-guaranteed to be able to observe the blockchain state and submit
-transactions within any period of length S.
-
-The payment channel consists of a 2-of-2 multisig escrow account E,
-initially created and configured by I, and a series of pairs of
-_declaration_ and _closing_ transactions on E signed by both parties.
-The two parties maintain the following two variables during the
-lifetime of the channel:
-
-* s - the _starting sequence number_, is initialized to one greater
- than the sequence number of the escrow account E after E has been
- created and configured. It is increased only when withdrawing from
- or topping up the escrow account E.
-
-* i - the _iteration number_ of the payment channel, is initialized to
- (s/2)+1. It is incremented with every off-chain update of the
- payment channel state.
-
-To update the payment channel state, the parties 1) increment i, 2)
-sign and exchange a closing transaction C_i, and finally 3) sign and
-exchange a declaration transaction D_i. The transactions are
-constructed as follows:
-
-* D_i, the _declaration transaction_, declares an intent to execute
- the corresponding closing transaction C_i. D_i has source account
- E, sequence number 2i, and `minSeqNum` set to s. Hence, D_i can
- execute at any time, so long as E's sequence number n satisfies s <=
- n < 2i. D_i always leaves E's sequence number at 2i after
- executing. Because C_i has source account E and sequence number
- 2i+1, D_i leaves E in a state where C_i can execute. Note that D_i
- does not require any operations, but since Stellar disallows empty
+The proposed mechanism can be used to implement a payment channel between two
+parties, an initiator I and a responder R. The protocol assumes some _synchrony
+period_, S, such that both parties are guaranteed to be able to observe the
+blockchain state and submit transactions within any period of length S.
+
+The payment channel consists of a 2-of-2 multisig escrow account E, initially
+created and configured by I, and a series of pairs of _declaration_ and
+_closing_ transactions on E signed by both parties. The two parties maintain
+the following two variables during the lifetime of the channel:
+
+- s - the _starting sequence number_, is initialized to one greater than the
+ sequence number of the escrow account E after E has been created and
+ configured. It is increased only when withdrawing from or topping up the
+ escrow account E.
+
+- i - the _iteration number_ of the payment channel, is initialized to (s/2)+1.
+ It is incremented with every off-chain update of the payment channel state.
+
+To update the payment channel state, the parties 1) increment i, 2) sign and
+exchange a closing transaction C_i, and finally 3) sign and exchange a
+declaration transaction D_i. The transactions are constructed as follows:
+
+- D*i, the \_declaration transaction*, declares an intent to execute the
+ corresponding closing transaction C_i. D_i has source account E, sequence
+ number 2i, and `minSeqNum` set to s. Hence, D_i can execute at any time, so
+ long as E's sequence number n satisfies s <= n < 2i. D_i always leaves E's
+ sequence number at 2i after executing. Because C_i has source account E and
+ sequence number 2i+1, D_i leaves E in a state where C_i can execute. Note
+ that D_i does not require any operations, but since Stellar disallows empty
transactions, it contains a `BUMP_SEQUENCE` operation as a no-op.
-* C_i, the _closing transaction_, disburses funds to R and changes the
- signing weights on E such that I unilaterally controls E. C_i has
- source account E, sequence number 2i+1, and a `minSeqAge` of S (the
- synchrony period). The `minSeqAge` prevents a misbehaving party
- from executing C_i when the channel state has already progressed to
- a later iteration number, as the other party can always invalidate
- C_i by submitting D_i' for some i' > i. C_i contains one or more
- `CREATE_CLAIMABLE_BALANCE` operations disbursing funds to R, plus a
- `SET_OPTIONS` operation adjusting signing weights to give I full
- control of E.
-
-For R to top-up or withdraw excess funds from the escrow account E,
-the participants skip a generation. They set s = 2(i+1), and i = i+2.
-They then exchange C_i and D_i (which unlike the update case, can be
-exchanged in a single phase of communication because D_i is not yet
-executable while E's sequence number is below the new s). Finally,
-they create a top-up transaction (on some source account other than E,
-in case it fails) that atomically adjusts E's balance and uses
-`BUMP_SEQUENCE` to increase E's sequence number to s.
-
-To close the channel cooperatively, the parties re-sign C_i with a
-`minSeqNum` of s and a `minSeqAge` of 0, then submit this transaction.
+- C*i, the \_closing transaction*, disburses funds to R and changes the signing
+ weights on E such that I unilaterally controls E. C_i has source account E,
+ sequence number 2i+1, and a `minSeqAge` of S (the synchrony period). The
+ `minSeqAge` prevents a misbehaving party from executing C_i when the channel
+ state has already progressed to a later iteration number, as the other party
+ can always invalidate C_i by submitting D_i' for some i' > i. C_i contains
+ one or more `CREATE_CLAIMABLE_BALANCE` operations disbursing funds to R, plus
+ a `SET_OPTIONS` operation adjusting signing weights to give I full control of
+ E.
+
+For R to top-up or withdraw excess funds from the escrow account E, the
+participants skip a generation. They set s = 2(i+1), and i = i+2. They then
+exchange C_i and D_i (which unlike the update case, can be exchanged in a
+single phase of communication because D_i is not yet executable while E's
+sequence number is below the new s). Finally, they create a top-up transaction
+(on some source account other than E, in case it fails) that atomically adjusts
+E's balance and uses `BUMP_SEQUENCE` to increase E's sequence number to s.
+
+To close the channel cooperatively, the parties re-sign C_i with a `minSeqNum`
+of s and a `minSeqAge` of 0, then submit this transaction.
### Two-way payment channel supporting uncoordinated deposits
-The proposed mechanism can be used to implement a payment channel
-between two parties, an initiator I and a responder R. The protocol
-assumes some _synchrony period_, S, such that both parties are
-guaranteed to be able to observe the blockchain state and submit
-transactions within any period of length S.
+The proposed mechanism can be used to implement a payment channel between two
+parties, an initiator I and a responder R. The protocol assumes some _synchrony
+period_, S, such that both parties are guaranteed to be able to observe the
+blockchain state and submit transactions within any period of length S.
The payment channel consists of two 2-of-2 multisig escrow accounts:
-* EI - created and configured by I, holding all amounts contributed by
- I.
-
-* ER - created and configured by R, holding all amounts contributed by
- R.
-
-The payment channel updates state using a series of _declaration_ and
-_closing_ transactions with EI as the source account. The two parties
-maintain the following two variables during the lifetime of the
-channel:
-
-* s - the _starting sequence number_, is initialized to one greater
- than the sequence number of the escrow account EI after EI has been
- created and configured. It is increased only when withdrawing.
-
-* i - the _iteration number_ of the payment channel, is initialized to
- (s/2)+1. It is incremented with every off-chain update of the
- payment channel state.
-
-To update the payment channel state, the parties 1) increment i, 2)
-sign and exchange a closing transaction C_i, and finally 3) sign and
-exchange a declaration transaction D_i. The transactions are
-constructed as follows:
-
-* D_i, the _declaration transaction_, declares an intent to execute
- the corresponding closing transaction C_i. D_i has source account
- EI, sequence number 2i, and `minSeqNum` set to s. Hence, D_i can
- execute at any time, so long as EI's sequence number n satisfies s <=
- n < 2i. D_i always leaves EI's sequence number at 2i after
- executing. Because C_i has source account EI and sequence number
- 2i+1, D_i leaves EI in a state where C_i can execute. Note that D_i
- does not require any operations, but since Stellar disallows empty
+- EI - created and configured by I, holding all amounts contributed by I.
+
+- ER - created and configured by R, holding all amounts contributed by R.
+
+The payment channel updates state using a series of _declaration_ and _closing_
+transactions with EI as the source account. The two parties maintain the
+following two variables during the lifetime of the channel:
+
+- s - the _starting sequence number_, is initialized to one greater than the
+ sequence number of the escrow account EI after EI has been created and
+ configured. It is increased only when withdrawing.
+
+- i - the _iteration number_ of the payment channel, is initialized to (s/2)+1.
+ It is incremented with every off-chain update of the payment channel state.
+
+To update the payment channel state, the parties 1) increment i, 2) sign and
+exchange a closing transaction C_i, and finally 3) sign and exchange a
+declaration transaction D_i. The transactions are constructed as follows:
+
+- D*i, the \_declaration transaction*, declares an intent to execute the
+ corresponding closing transaction C_i. D_i has source account EI, sequence
+ number 2i, and `minSeqNum` set to s. Hence, D_i can execute at any time, so
+ long as EI's sequence number n satisfies s <= n < 2i. D_i always leaves EI's
+ sequence number at 2i after executing. Because C_i has source account EI and
+ sequence number 2i+1, D_i leaves EI in a state where C_i can execute. Note
+ that D_i does not require any operations, but since Stellar disallows empty
transactions, it contains a `BUMP_SEQUENCE` operation as a no-op.
-* C_i, the _closing transaction_, disburses funds from EI to ER,
- and/or from ER to EI such that the balances of the escrow accounts
- match the final agreed state of the channel at the time C_i is
- generated. C_i also changes the signing weights on EI and ER such
- that I unilaterally controls EI and R unilaterally controls ER. C_i
- has source account EI, sequence number 2i+1, and a `minSeqAge` of S
- (the synchrony period). The `minSeqAge` prevents a misbehaving
- party from executing C_i when the channel state has already
- progressed to a later iteration number, as the other party can
- always invalidate C_i by submitting D_i' for some i' > i. C_i
- contains one or more `PAYMENT` operations disbursing funds between
- escrow accounts, plus `SET_OPTIONS` operations adjusting signing
- weights of each escrow account.
-
-I and R may top-up their respective escrow accounts by making a
-payment into them directly.
-
-I and R may adjust the relative balances of EI and ER as well as
-withdraw excess funds from these accounts by skipping a
-generation. They set s = 2(i+1), and i = i+2. They then exchange C_i
-and D_i (which unlike the update case, can be exchanged in a single
-phase of communication because D_i is not yet executable while EI's
-sequence number is below the new s). Finally, they create a withdraw
-transaction that atomically shifts funds between EI and ER, withdraws
-any desired excess funds with `CREATE_CLAIMABLE_BALANCE`, and uses
+- C*i, the \_closing transaction*, disburses funds from EI to ER, and/or from
+ ER to EI such that the balances of the escrow accounts match the final agreed
+ state of the channel at the time C_i is generated. C_i also changes the
+ signing weights on EI and ER such that I unilaterally controls EI and R
+ unilaterally controls ER. C_i has source account EI, sequence number 2i+1,
+ and a `minSeqAge` of S (the synchrony period). The `minSeqAge` prevents a
+ misbehaving party from executing C_i when the channel state has already
+ progressed to a later iteration number, as the other party can always
+ invalidate C_i by submitting D_i' for some i' > i. C_i contains one or more
+ `PAYMENT` operations disbursing funds between escrow accounts, plus
+ `SET_OPTIONS` operations adjusting signing weights of each escrow account.
+
+I and R may top-up their respective escrow accounts by making a payment into
+them directly.
+
+I and R may adjust the relative balances of EI and ER as well as withdraw
+excess funds from these accounts by skipping a generation. They set s = 2(i+1),
+and i = i+2. They then exchange C_i and D_i (which unlike the update case, can
+be exchanged in a single phase of communication because D_i is not yet
+executable while EI's sequence number is below the new s). Finally, they create
+a withdraw transaction that atomically shifts funds between EI and ER,
+withdraws any desired excess funds with `CREATE_CLAIMABLE_BALANCE`, and uses
`BUMP_SEQUENCE` to increase EI's sequence number to s.
-To close the channel cooperatively, the parties re-sign C_i with a
-`minSeqNum` of s and a `minSeqAge` of 0, then submit this transaction.
+To close the channel cooperatively, the parties re-sign C_i with a `minSeqNum`
+of s and a `minSeqAge` of 0, then submit this transaction.
### One-way payment channel
-A one-way payment channel enables an initiator I to make repeated
-payments to a recipient R. Unlike the two-way payment channel, I can
-unilaterally set up the payment channel without R's cooperation.
-Moreover, R can unilaterally withdraw funds from the payment channel
-at any point with no close delay.
-
-The channel consists of a an escrow account E, initially created by I.
-Let s be E's sequence number after it has been created and configured.
-Define the following transactions with source account E:
-
-* D, the _disclosure transaction_, has sequence number s+1 and a
- vacuous `BUMP_SEQUENCE` operation.
-
-* C_i, version i of the _closing transaction_, has sequence number
- s+2. It disburses funds to R through one or more
- `CREATE_CLAIMABLE_BALANCE` operations, and uses `SET_OPTIONS` to
- increase I's signing weight to 2. Each C_i disburses more funds to
- R than C_{i-1}. Only one C_i can execute since they all have the
- same sequence number.
-
-* F, the _fault-recovery transaction_, allows I to recover E in case R
- fails. It has sequence number s+2, a `minSeqAge` of S (some
- synchrony period), and gives I signing weight 2 on the account.
-
-After adding appropriate trustlines and funding the escrow account E,
-I issues a transaction configuring E to have signing threshold 2 (for
-low, medium, and high) and to have the following signers all with
-weight 1: I, R, D, and F (the latter two as
-`SIGNER_KEY_TYPE_PRE_AUTH_TX`).
-
-To submit series of payments, I sends R successive C_i transactions
-each of which reflects the cumulative sum of all previous payments. R
-accepts these so long as E has a sufficient balance. To close the
-channel, R submits D and C_i. If R fails, I can close the channel by
-submitting D, waiting S time, and then submitting F.
+A one-way payment channel enables an initiator I to make repeated payments to a
+recipient R. Unlike the two-way payment channel, I can unilaterally set up the
+payment channel without R's cooperation. Moreover, R can unilaterally withdraw
+funds from the payment channel at any point with no close delay.
+
+The channel consists of a an escrow account E, initially created by I. Let s be
+E's sequence number after it has been created and configured. Define the
+following transactions with source account E:
+
+- D, the _disclosure transaction_, has sequence number s+1 and a vacuous
+ `BUMP_SEQUENCE` operation.
+
+- C*i, version i of the \_closing transaction*, has sequence number s+2. It
+ disburses funds to R through one or more `CREATE_CLAIMABLE_BALANCE`
+ operations, and uses `SET_OPTIONS` to increase I's signing weight to 2. Each
+ C*i disburses more funds to R than C*{i-1}. Only one C_i can execute since
+ they all have the same sequence number.
+
+- F, the _fault-recovery transaction_, allows I to recover E in case R fails.
+ It has sequence number s+2, a `minSeqAge` of S (some synchrony period), and
+ gives I signing weight 2 on the account.
+
+After adding appropriate trustlines and funding the escrow account E, I issues
+a transaction configuring E to have signing threshold 2 (for low, medium, and
+high) and to have the following signers all with weight 1: I, R, D, and F (the
+latter two as `SIGNER_KEY_TYPE_PRE_AUTH_TX`).
+
+To submit series of payments, I sends R successive C_i transactions each of
+which reflects the cumulative sum of all previous payments. R accepts these so
+long as E has a sufficient balance. To close the channel, R submits D and C_i.
+If R fails, I can close the channel by submitting D, waiting S time, and then
+submitting F.
### Hash Time Locked Contract (HTLC)
HTLCs are a key building block for many blockchain protocols such as
-cross-chain atomic swaps and payment channels. An HTLC is a
-transaction _T_ characterized by two values: a hash _h_ and an
-expiration time _t_. Before the expiration time, anyone who knows the
-hash preimage of _h_ can execute _T_ in exchange for disclosing that
-preimage. Typically, disclosing the preimage unlocks a different
-transaction on the same or a different blockchain.
+cross-chain atomic swaps and payment channels. An HTLC is a transaction _T_
+characterized by two values: a hash _h_ and an expiration time _t_. Before the
+expiration time, anyone who knows the hash preimage of _h_ can execute _T_ in
+exchange for disclosing that preimage. Typically, disclosing the preimage
+unlocks a different transaction on the same or a different blockchain.
-To make a transaction into an HTLC, the following preconditions should
-be set:
+To make a transaction into an HTLC, the following preconditions should be set:
-* `timeBounds->maxTime` should be set to the expiration time _t_.
+- `timeBounds->maxTime` should be set to the expiration time _t_.
-* `extraSigners[0]` should be set to a `SIGNER_KEY_TYPE_HASH_X` with
- the hash value _h_.
+- `extraSigners[0]` should be set to a `SIGNER_KEY_TYPE_HASH_X` with the hash
+ value _h_.
-Note that the maximum size of a hash pre-image on Stellar is 64
-bytes. On Bitcoin, a hash preimage could potentially be up to 520
-bytes. Hence, when pairing Stellar HTLCs with transactions on other
-blockchains for cross-chain operation, care must be taken to ensure
-that the other blockchain does not accept preimages larger than 64
-bytes. Otherwise, a larger preimage disclosed on another blockchain
-would fail to unlock an HTLC on Stellar.
+Note that the maximum size of a hash pre-image on Stellar is 64 bytes. On
+Bitcoin, a hash preimage could potentially be up to 520 bytes. Hence, when
+pairing Stellar HTLCs with transactions on other blockchains for cross-chain
+operation, care must be taken to ensure that the other blockchain does not
+accept preimages larger than 64 bytes. Otherwise, a larger preimage disclosed
+on another blockchain would fail to unlock an HTLC on Stellar.
### Key recovery
-The owner of account A may wish for a friend with key K to gain access
-to A in the event that the owner loses her keys, but not
-otherwise. This scenario can be accommodated with pre-authorized
-transactions as follows.
+The owner of account A may wish for a friend with key K to gain access to A in
+the event that the owner loses her keys, but not otherwise. This scenario can
+be accommodated with pre-authorized transactions as follows.
-Let s be a sequence number much higher than any that will be used in
-the future on A (e.g., A's current sequence number plus 2^{32}). The
-owner constructs the following 2 transactions:
+Let s be a sequence number much higher than any that will be used in the future
+on A (e.g., A's current sequence number plus 2^{32}). The owner constructs the
+following 2 transactions:
-* The _recovery transaction_ T_R has source account A, sequence number
- s+1, and `minSeqAge` one week. It contains a `SET_OPTIONS`
- operation giving K signing weight on A.
+- The _recovery transaction_ T_R has source account A, sequence number s+1, and
+ `minSeqAge` one week. It contains a `SET_OPTIONS` operation giving K signing
+ weight on A.
-* The _declaration transaction_ T_D has source account A, sequence
- number s, and `minSeqNum` 0. It doesn't need to contain any
- operations, but since Stellar requires at least one operation per
- transaction, it contains a `BUMP_SEQUENCE` as a no-op.
+- The _declaration transaction_ T_D has source account A, sequence number s,
+ and `minSeqNum` 0. It doesn't need to contain any operations, but since
+ Stellar requires at least one operation per transaction, it contains a
+ `BUMP_SEQUENCE` as a no-op.
-The owner of A signs T_R and T_D, and gives them to the friend for
-safe keeping. If the owner loses her keys, the friend submits T_D,
-then a week later submits T_R, and finally uses key K to help the user
-recover her funds.
+The owner of A signs T_R and T_D, and gives them to the friend for safe
+keeping. If the owner loses her keys, the friend submits T_D, then a week later
+submits T_R, and finally uses key K to help the user recover her funds.
-If T_D and K are ever compromised and an attacker unexpectedly submits
-T_D, then the user simply submits any transaction on A to consume
-sequence number s+1 and invalidate T_R.
+If T_D and K are ever compromised and an attacker unexpectedly submits T_D,
+then the user simply submits any transaction on A to consume sequence number
+s+1 and invalidate T_R.
### Parallel transaction submission
-A farm of 100 servers is constantly submitting transactions on the
-same source account, and wishes to coordinate use of sequence numbers.
-This can be achieved by having server number N always submit
-transactions with sequence numbers congruent to N modulo 100. Sending
-the transaction at s with `minSeqNum` s-99 ensures that if any of the
-servers do not submit transactions, the gap will not prevent other
-transactions from executing.
+A farm of 100 servers is constantly submitting transactions on the same source
+account, and wishes to coordinate use of sequence numbers. This can be achieved
+by having server number N always submit transactions with sequence numbers
+congruent to N modulo 100. Sending the transaction at s with `minSeqNum` s-99
+ensures that if any of the servers do not submit transactions, the gap will not
+prevent other transactions from executing.
### Deterministic account sequence numbers at creation
-The proposed `ledgerBounds` field can be used to create an account with
-a predictable sequence number that is guaranteed if the account creation
+The proposed `ledgerBounds` field can be used to create an account with a
+predictable sequence number that is guaranteed if the account creation
succeeds.
-Assuming the user plans to create the account between ledgers 0 and N,
-they can specify `ledgerBounds` as 0 and N + 1, and include a
-`BUMP_SEQUENCE` operation that bumps the sequence of the created account
-to N<<32. The transaction will be guaranteed to only succeed with the
-created account having a sequence number of N<<32.
+Assuming the user plans to create the account between ledgers 0 and N, they can
+specify `ledgerBounds` as 0 and N + 1, and include a `BUMP_SEQUENCE` operation
+that bumps the sequence of the created account to N<<32. The transaction will
+be guaranteed to only succeed with the created account having a sequence number
+of N<<32.
The sequence number is guaranteed because the account is created with a
sequence number derived from the current ledger's sequence number. The
`BUMP_SEQUENCE` operation is a no-op if the account's sequence number is
-greater than the `bumpTo` sequence number. The `ledgerBounds` restricts
-the creation to occur only up to the `bumpTo` to ensure that creation
-results with the account having the determined sequence number.
+greater than the `bumpTo` sequence number. The `ledgerBounds` restricts the
+creation to occur only up to the `bumpTo` to ensure that creation results with
+the account having the determined sequence number.
It is also possible to eliminate the `BUMP_SEQUENCE` operation from the
-transaction is a subsequent transaction uses `minSeqNum` with a value
-matching the `minLedger` of `ledgerBounds`.
+transaction is a subsequent transaction uses `minSeqNum` with a value matching
+the `minLedger` of `ledgerBounds`.
This property makes it possible to setup contracts using pre-authorized
-transactions where the pre-authorized transaction has the created
-account as its source account.
+transactions where the pre-authorized transaction has the created account as
+its source account.
## Protocol Upgrade Transition
### Backwards Incompatibilities
-Previously signed transactions containing time points greater than
-2^{63} are no longer valid with this proposal. However, given that
-the number 0 already represents no time bounds, this is unlikely to
-cause problems in practice.
+Previously signed transactions containing time points greater than 2^{63} are
+no longer valid with this proposal. However, given that the number 0 already
+represents no time bounds, this is unlikely to cause problems in practice.
-The binary XDR of any other previously valid transactions will unmarshal
-to a valid transaction under the current proposal. Obviously legacy
-software will not be able to parse transactions with the new
-preconditions, however.
+The binary XDR of any other previously valid transactions will unmarshal to a
+valid transaction under the current proposal. Obviously legacy software will
+not be able to parse transactions with the new preconditions, however.
### Resource Utilization
-Transaction sizes will increase nominally, but only for transactions
-that use the new preconditions.
+Transaction sizes will increase nominally, but only for transactions that use
+the new preconditions.
-All account ledger entries will increase in size nominally with the
-addition of the account extension.
+All account ledger entries will increase in size nominally with the addition of
+the account extension.
-The maximum number of signatures that must be verified for each
-transaction will not change.
+The maximum number of signatures that must be verified for each transaction
+will not change.
-The introduction of `extraSigners` makes the use of
-`SIGNER_KEY_TYPE_HASH_X` signers more efficient by making them
-stateless, moving them from the account signers to the transaction.
-For any use cases utilizing this signer this may reduce the number of
-ledger entries and reduce the number of transactions since there would
-be no transactions to setup a `SIGNER_KEY_TYPE_HASH_X` signer before
-its use, and no transactions to remove it after its use.
+The introduction of `extraSigners` makes the use of `SIGNER_KEY_TYPE_HASH_X`
+signers more efficient by making them stateless, moving them from the account
+signers to the transaction. For any use cases utilizing this signer this may
+reduce the number of ledger entries and reduce the number of transactions since
+there would be no transactions to setup a `SIGNER_KEY_TYPE_HASH_X` signer
+before its use, and no transactions to remove it after its use.
## Security Concerns
-The security concerns stem primarily from new types of transaction
-making use of the new features. As such, the new preconditions,
-particularly `minSeqNum`, should make pre-signed transactions less
-brittle and simplify protocols. Nonetheless, there is still a lot of
-room for error in protocols.
-
-The fact that `BUMP_SEQUENCE` operations are executed after all
-transactions have been validated leads to a counterintuitive situation
-in which two operations can execute in the same block although both
-may not succeed. This is because the `BUMP_SEQUENCE` can affect is
-the `seqNum` attribute of the `AccountEntry`. This proposal introduces
-two new attributes that may be affected, `seqAge` and `seqLedgerGap`.
-Changes in any of these fields as an effect of a `BUMP_SEQUENCE` may
-cause other transactions that passed validation to fail during apply.
+The security concerns stem primarily from new types of transaction making use
+of the new features. As such, the new preconditions, particularly `minSeqNum`,
+should make pre-signed transactions less brittle and simplify protocols.
+Nonetheless, there is still a lot of room for error in protocols.
+
+The fact that `BUMP_SEQUENCE` operations are executed after all transactions
+have been validated leads to a counterintuitive situation in which two
+operations can execute in the same block although both may not succeed. This is
+because the `BUMP_SEQUENCE` can affect is the `seqNum` attribute of the
+`AccountEntry`. This proposal introduces two new attributes that may be
+affected, `seqAge` and `seqLedgerGap`. Changes in any of these fields as an
+effect of a `BUMP_SEQUENCE` may cause other transactions that passed validation
+to fail during apply.
An example of this is if a source account has a valid transaction with
-`minSeqAge` or `minSeqLedgerGap` and a second transaction, containing
-a `BUMP_SEQUENCE` that bumps the sequence of the source account, is
-created that is also valid. Any protocol that does this risks both
-transactions being accepted as valid in the same ledger. If both
-transactions execute in the same ledger and the bump sequence
-transaction is executed first, the other transaction will fail as its
-`minSeqAge` or `minSeqLedgerGap` will no longer be satisfied.
-
-Any protocol that specifies for a source account a transaction with
-`minSeqAge` or `minSeqLedgerGap`, should not allow another transaction
-to be valid at the same moment unless the intent of that other
-transaction is to cause the first to fail or become invalid. Any
-transaction that is valid in the same moment as a transaction with
-`minSeqAge` or `minSeqLedgerGap` can cause the transaction to fail
-during execution even if it passed validation. Once the transaction
-has failed during execution it cannot be executed again as its
-sequence number will have been consumed.
-
-Fortunately, it appears that in most useful protocols time-delayed
-"closing" transactions use a NULL `minSeqNum`, while transactions with
-non-NULL `minSeqNum` are "disclosure" transactions intended to be
-valid at any time.
-
-The design rationale includes several multi-party protocols that
-require all parties to sign a transaction for it to be valid.
-This section does not discuss all possible security concerns with
-these protocols. It is at least worth noting that like most
-multi-party protocols there exists a period of time where a
-free-option may exist, where one party has authorized a transaction
-and another party can wait some period of time to decide if they
-also will authorize it, or fallback to some previously valid
-transaction.
+`minSeqAge` or `minSeqLedgerGap` and a second transaction, containing a
+`BUMP_SEQUENCE` that bumps the sequence of the source account, is created that
+is also valid. Any protocol that does this risks both transactions being
+accepted as valid in the same ledger. If both transactions execute in the same
+ledger and the bump sequence transaction is executed first, the other
+transaction will fail as its `minSeqAge` or `minSeqLedgerGap` will no longer be
+satisfied.
+
+Any protocol that specifies for a source account a transaction with `minSeqAge`
+or `minSeqLedgerGap`, should not allow another transaction to be valid at the
+same moment unless the intent of that other transaction is to cause the first
+to fail or become invalid. Any transaction that is valid in the same moment as
+a transaction with `minSeqAge` or `minSeqLedgerGap` can cause the transaction
+to fail during execution even if it passed validation. Once the transaction has
+failed during execution it cannot be executed again as its sequence number will
+have been consumed.
+
+Fortunately, it appears that in most useful protocols time-delayed "closing"
+transactions use a NULL `minSeqNum`, while transactions with non-NULL
+`minSeqNum` are "disclosure" transactions intended to be valid at any time.
+
+The design rationale includes several multi-party protocols that require all
+parties to sign a transaction for it to be valid. This section does not discuss
+all possible security concerns with these protocols. It is at least worth
+noting that like most multi-party protocols there exists a period of time where
+a free-option may exist, where one party has authorized a transaction and
+another party can wait some period of time to decide if they also will
+authorize it, or fallback to some previously valid transaction.
## Test Cases
diff --git a/core/cap-0022.md b/core/cap-0022.md
index f57aacb1e..83b2fe543 100644
--- a/core/cap-0022.md
+++ b/core/cap-0022.md
@@ -12,164 +12,144 @@ Protocol version: TBD
## Simple Summary
-Invalid transactions lack sufficient signatures for proper
-authorization, have sequence numbers that have already been used, or
-have invalid time bounds. Certain edge conditions cause invalid
-transactions to be included in the transaction set produced by
-consensus. Currently, Stellar executes and fails invalid transactions
-in the transaction set, which changes ledger state by increasing
-sequence numbers and debiting transaction fees. This specification
-changes Stellar so that invalid transactions have no effect on the
-ledger.
+Invalid transactions lack sufficient signatures for proper authorization, have
+sequence numbers that have already been used, or have invalid time bounds.
+Certain edge conditions cause invalid transactions to be included in the
+transaction set produced by consensus. Currently, Stellar executes and fails
+invalid transactions in the transaction set, which changes ledger state by
+increasing sequence numbers and debiting transaction fees. This specification
+changes Stellar so that invalid transactions have no effect on the ledger.
## Motivation
-Allowing invalid--especially unauthorized--transactions to change
-ledger state can lead to vulnerabilities in higher-layer protocols.
-Consider a protocol in which two parties, A and B, execute a
-transaction that contributes funds to an escrow account E and makes E
-into a 2-of-2 multisig account. The parties might be willing to this
-given post-dated pre-signed transactions T1, T2 on E that allow each
-of A and B to recover escrowed funds after a certain delay.
-Unfortunately, if the previous owner of E can cause an invalid
-(unauthorized) transaction to use up T1's sequence number, one of the
-two users will be unable to recover funds.
+Allowing invalid--especially unauthorized--transactions to change ledger state
+can lead to vulnerabilities in higher-layer protocols. Consider a protocol in
+which two parties, A and B, execute a transaction that contributes funds to an
+escrow account E and makes E into a 2-of-2 multisig account. The parties might
+be willing to this given post-dated pre-signed transactions T1, T2 on E that
+allow each of A and B to recover escrowed funds after a certain delay.
+Unfortunately, if the previous owner of E can cause an invalid (unauthorized)
+transaction to use up T1's sequence number, one of the two users will be unable
+to recover funds.
### Goals Alignment
-The changes described in this document help network security by
-preventing unauthorized transactions from changing account state.
-They also help scalability by facilitating the design of robust
-payment channels.
+The changes described in this document help network security by preventing
+unauthorized transactions from changing account state. They also help
+scalability by facilitating the design of robust payment channels.
## Abstract
-We define three categories of transaction: successful, failed, and
-invalid. Invalid transactions must never change ledger state, even if
-they are included in the transaction set output by consensus. New,
-conservative restrictions rule out current ways of passing invalid
-transactions through consensus. However, if invalid transactions do
-make it through consensus through oversight or subsequently added
-features, they must have no effects on the ledger.
+We define three categories of transaction: successful, failed, and invalid.
+Invalid transactions must never change ledger state, even if they are included
+in the transaction set output by consensus. New, conservative restrictions rule
+out current ways of passing invalid transactions through consensus. However, if
+invalid transactions do make it through consensus through oversight or
+subsequently added features, they must have no effects on the ledger.
## Specification
-We define the following categories of transaction at the time of
-execution:
-
-* A **successful** transaction is one that meets all transaction- and
- operation-level prerequisites at the time of its execution. The
- effects of a successful transaction's operations are applied to the
- ledger. Successful transactions yield a result in which
- `TransactionResult.code` is `txSUCCESS`. This document does not
- change which transactions are considered successful or the effects
- of executing such transactions.
-
-* A **failed** transaction meets all valid transaction-level
- preconditions, including a valid transaction-level source account,
- valid sequence number, valid time bounds, and low signing weight for
- the source account. However, one or more of a failed transaction's
- operations cannot execute---for instance because the `destination`
- of a `PAYMENT` no longer exists. Failed transactions increase the
- sequence number of the transaction-level `sourceAccount`, charge a
- fee to the transaction-level `sourceAccount`, and yield a result
- with `TransactionResult.code` `txFAILED`.
-
-* An **invalid** transaction fails to meet transaction-level
- preconditions at the time of execution, for instance because the
- sequence number is invalid or the signatures are insufficient to
- meet the `sourceAccount`'s low signing threshold. Currently,
- invalid transactions are executed just like failed ones. This
- document changes that behavior so that invalid transactions no
- longer have an effect on the ledger and do not produce a
- `TransactionResult`. If an invalid transaction later becomes valid,
- it may be included again in a subsequent ledger.
-
-A ledger that contains too many invalid transactions will reduce the
-number of operations available to successful transactions and
-negatively impact the ledger. Since the source of an invalid
-transaction does not incur any transaction cost, and since it may be
-difficult in the general case to decide if a transaction is valid at
-the time its fee is charged, we place restrictions on the composition
-of the transaction set in a single ledger. These rules are
-conservative; they may force two valid transactions that could have
-succeeded in the same ledger to be included in different ledgers.
-
-If a transaction set S contains a transaction T, we use S[<=T] to
-denote the subset of S consisting of transactions with the same
-`sourceAccount` as T and a `seqNum` less than or equal to that of T (a
-set that includes T itself). A set S is **admissible**, and hence can
-be a candidate for the consensus transaction set, if all of the
-following hold for each transaction T in S:
-
-* T's `sourceAccount` must exist and must have sufficient funds to pay
- the offered transaction fees for all of S[<=T]. (This restriction
- exists today.)
-
-* T's sequence number will be valid if all other transactions in
- S[<=T] are executed. (This restriction exists today, and among other
- things implies a transaction set may not include a transaction with
- a stale sequence number or two distinct transactions with the same
- source account and sequence number.)
-
-* Any transaction in S other than T that contains a `SET_OPTIONS` or
+We define the following categories of transaction at the time of execution:
+
+- A **successful** transaction is one that meets all transaction- and
+ operation-level prerequisites at the time of its execution. The effects of a
+ successful transaction's operations are applied to the ledger. Successful
+ transactions yield a result in which `TransactionResult.code` is `txSUCCESS`.
+ This document does not change which transactions are considered successful or
+ the effects of executing such transactions.
+
+- A **failed** transaction meets all valid transaction-level preconditions,
+ including a valid transaction-level source account, valid sequence number,
+ valid time bounds, and low signing weight for the source account. However,
+ one or more of a failed transaction's operations cannot execute---for
+ instance because the `destination` of a `PAYMENT` no longer exists. Failed
+ transactions increase the sequence number of the transaction-level
+ `sourceAccount`, charge a fee to the transaction-level `sourceAccount`, and
+ yield a result with `TransactionResult.code` `txFAILED`.
+
+- An **invalid** transaction fails to meet transaction-level preconditions at
+ the time of execution, for instance because the sequence number is invalid or
+ the signatures are insufficient to meet the `sourceAccount`'s low signing
+ threshold. Currently, invalid transactions are executed just like failed
+ ones. This document changes that behavior so that invalid transactions no
+ longer have an effect on the ledger and do not produce a `TransactionResult`.
+ If an invalid transaction later becomes valid, it may be included again in a
+ subsequent ledger.
+
+A ledger that contains too many invalid transactions will reduce the number of
+operations available to successful transactions and negatively impact the
+ledger. Since the source of an invalid transaction does not incur any
+transaction cost, and since it may be difficult in the general case to decide
+if a transaction is valid at the time its fee is charged, we place restrictions
+on the composition of the transaction set in a single ledger. These rules are
+conservative; they may force two valid transactions that could have succeeded
+in the same ledger to be included in different ledgers.
+
+If a transaction set S contains a transaction T, we use S[<=T] to denote the
+subset of S consisting of transactions with the same `sourceAccount` as T and a
+`seqNum` less than or equal to that of T (a set that includes T itself). A set
+S is **admissible**, and hence can be a candidate for the consensus transaction
+set, if all of the following hold for each transaction T in S:
+
+- T's `sourceAccount` must exist and must have sufficient funds to pay the
+ offered transaction fees for all of S[<=T]. (This restriction exists today.)
+
+- T's sequence number will be valid if all other transactions in S[<=T] are
+ executed. (This restriction exists today, and among other things implies a
+ transaction set may not include a transaction with a stale sequence number or
+ two distinct transactions with the same source account and sequence number.)
+
+- Any transaction in S other than T that contains a `SET_OPTIONS` or
`BUMP_SEQUENCE` operation on T's `sourceAccount` must have the same
- `sourceAccount` as T and a greater sequence number than T. This
- guarantees that a `SET_OPTIONS` or `BUMP_SEQUENCE` on T's
- `sourceAccount` cannot be ordered before T. This new restriction
- specified by this document is not enforced today.
-
-In addition to placing these restrictions on transaction sets, we
-restore the behavior prior to `BUMP_SEQUENCE` in which sequence
-numbers are increased at exactly the same time that the fee is
-debited, before any operations are executed. Currently, fees are
-charged up front before any operations from any transactions execute,
-while sequence numbers are increased at the time an operation
-executes. Now that we know a `BUMP_SEQUENCE` cannot be ordered before
-an operation on the source account whose sequence is being bumped, we
-can increase the sequence numbers up front when charging fees.
+ `sourceAccount` as T and a greater sequence number than T. This guarantees
+ that a `SET_OPTIONS` or `BUMP_SEQUENCE` on T's `sourceAccount` cannot be
+ ordered before T. This new restriction specified by this document is not
+ enforced today.
+
+In addition to placing these restrictions on transaction sets, we restore the
+behavior prior to `BUMP_SEQUENCE` in which sequence numbers are increased at
+exactly the same time that the fee is debited, before any operations are
+executed. Currently, fees are charged up front before any operations from any
+transactions execute, while sequence numbers are increased at the time an
+operation executes. Now that we know a `BUMP_SEQUENCE` cannot be ordered before
+an operation on the source account whose sequence is being bumped, we can
+increase the sequence numbers up front when charging fees.
## Design Rationale
-This design prevents people who are no longer authorized signers an on
-account from affecting the account state. However, it does so in a
-way that avoids the ability to clog the ledger with invalid
-transactions.
+This design prevents people who are no longer authorized signers an on account
+from affecting the account state. However, it does so in a way that avoids the
+ability to clog the ledger with invalid transactions.
## Backwards Incompatibilities
-There are some minor incompatibilities that should not impact users.
-First, certain invalid transactions will no longer execute as failed
-transactions because they will not execute at all. However, in all
-such cases, there was no guarantee the transactions would execute
-anyway, because they could only execute when they happened to land in
-the same ledger as another transaction with a `SET_OPTIONS` or
-`BUMP_SEQUENCE` operation. Hence the most likely effect of this
-change is to thwart attacks on vulnerable higher-layer protocols.
+There are some minor incompatibilities that should not impact users. First,
+certain invalid transactions will no longer execute as failed transactions
+because they will not execute at all. However, in all such cases, there was no
+guarantee the transactions would execute anyway, because they could only
+execute when they happened to land in the same ledger as another transaction
+with a `SET_OPTIONS` or `BUMP_SEQUENCE` operation. Hence the most likely effect
+of this change is to thwart attacks on vulnerable higher-layer protocols.
-Second, certain transactions can no longer execute in the same
-ledger. Again, there is never a guarantee that an operation can
-execute in a particular ledger, so applications could not have relied
-on this happening anyway.
+Second, certain transactions can no longer execute in the same ledger. Again,
+there is never a guarantee that an operation can execute in a particular
+ledger, so applications could not have relied on this happening anyway.
-Finally, sequence number increases will appear in
-`TransactionMetaV1.txChanges` instead of
-`TransactionMetaV1.operations[0]`. This should be more intuitive.
+Finally, sequence number increases will appear in `TransactionMetaV1.txChanges`
+instead of `TransactionMetaV1.operations[0]`. This should be more intuitive.
## Security Concerns
-The changes outlined in this document should for the most part improve
-security by providing more consistent authorization of changes to
-accounts. The one potential risk is that attackers could clog the
-network with invalid transactions without paying nearly the
-corresponding amount of transaction fees. That risk is mitigated by
-the restrictions on transaction sets, but is something that must be
-kept in mind when future CAPs add additional operations.
-
-Any future operations or other transaction features added to the
-network that can render transactions invalid may need to revise the
-transaction set restrictions to prevent invalid transactions from
-being admissible.
+The changes outlined in this document should for the most part improve security
+by providing more consistent authorization of changes to accounts. The one
+potential risk is that attackers could clog the network with invalid
+transactions without paying nearly the corresponding amount of transaction
+fees. That risk is mitigated by the restrictions on transaction sets, but is
+something that must be kept in mind when future CAPs add additional operations.
+
+Any future operations or other transaction features added to the network that
+can render transactions invalid may need to revise the transaction set
+restrictions to prevent invalid transactions from being admissible.
## Test Cases
diff --git a/core/cap-0023.md b/core/cap-0023.md
index 835161836..bf77dd1f0 100644
--- a/core/cap-0023.md
+++ b/core/cap-0023.md
@@ -12,6 +12,7 @@ Protocol version: 14
```
## Simple Summary
+
Payments can fail depending on the state of the destination account. This
proposal introduces new operations that separate sending a payment from
receiving the payment. Then the success of sending depends only on the state of
@@ -19,15 +20,17 @@ the sending account and success of receiving depends only on the state of the
receiving account.
## Motivation
+
This proposal seeks to solve the following problem: it should be easy to send a
payment to an account that is not necessarily prepared to receive the payment.
There are several manifestations of this problem, the two most important being
1. it should be easy for protocols (like an implementation of payment channels)
-to pay out to participants, and
+ to pay out to participants, and
2. it should be easy for issuers to issue assets non-interactively.
### Goals Alignment
+
This proposal is aligned with several Stellar Network Goals, among them:
- The Stellar Network should facilitate simplicity and interoperability with
@@ -35,26 +38,30 @@ This proposal is aligned with several Stellar Network Goals, among them:
- The Stellar Network should enable cross-border payments, i.e. payments via
exchange of assets, throughout the globe, enabling users to make payments
between assets in a manner that is fast, cheap, and highly usable.
- - In support of this, the Stellar Network should enable asset issuance, but
- as a means of enabling cross-border payments.
+ - In support of this, the Stellar Network should enable asset issuance, but
+ as a means of enabling cross-border payments.
## Abstract
+
We introduce `ClaimableBalanceEntry` as a new type of `LedgerEntry` which
represents the transfer of ownership of some amount of an asset. The operations
`CreateClaimableBalanceOp` and `ClaimClaimableBalanceOp` allow the creation and
consumption of claimable balance entries, which permits temporal separation of
initiating and reciving a payment. Existing proposals, such as those for
deterministic accounts, can provide a similar mechanism but are not able to
-handle authorization restricted assets as easily. A specific and simple protocol
-that will be facilitated is the asset issuance protocol that issues an asset to
-a given account, regardless of whether it exists or is prepared to receive the
-funds.
+handle authorization restricted assets as easily. A specific and simple
+protocol that will be facilitated is the asset issuance protocol that issues an
+asset to a given account, regardless of whether it exists or is prepared to
+receive the funds.
## Specification
### XDR
-First, we introduce `ClaimableBalanceEntry`(Note that the XDR was updated in https://github.com/stellar/stellar-protocol/blob/master/core/cap-0033.md#claimablebalanceentry) and the corresponding changes for
-`LedgerEntryType` and `LedgerEntry`.
+
+First, we introduce `ClaimableBalanceEntry`(Note that the XDR was updated in
+https://github.com/stellar/stellar-protocol/blob/master/core/cap-0033.md#claimablebalanceentry)
+and the corresponding changes for `LedgerEntryType` and `LedgerEntry`.
+
```c++
enum LedgerEntryType
{
@@ -178,8 +185,10 @@ case CLAIMABLE_BALANCE:
Second, we introduce the new operations `CreateClaimableBalanceOp` and
`ClaimClaimableBalanceOp` as well as the corresponding changes to
-`OperationType` and `Operation`. We also introduce the type `OperationID`
-to represent the hash preimage for `ClaimableBalanceID`, along with a new `EnvelopeType`.
+`OperationType` and `Operation`. We also introduce the type `OperationID` to
+represent the hash preimage for `ClaimableBalanceID`, along with a new
+`EnvelopeType`.
+
```c++
enum OperationType
{
@@ -240,6 +249,7 @@ enum EnvelopeType
Third, we introduce the result types `CreateClaimableBalanceResult` and
`ClaimClaimableBalanceResult` as well as the corresponding changes to
`OperationResult`.
+
```c++
enum CreateClaimableBalanceResultCode
{
@@ -299,6 +309,7 @@ struct OperationResult
### Semantics
#### CreateClaimableBalanceOp
+
A `ClaimableBalanceEntry` can only be created by the `CreateClaimableBalanceOp`
operation. `CreateClaimableBalanceOp` is invalid with
`CREATE_CLAIMABLE_BALANCE_MALFORMED` if
@@ -310,39 +321,40 @@ operation. `CreateClaimableBalanceOp` is invalid with
- `claimants[i].predicate` has depth greater than 4 (for any `i`)
- `claimants[i].predicate` contains a predicate of type `CLAIM_PREDICATE_AND`
with `andPredicates.size() != 2`, `CLAIM_PREDICATE_OR` with
- `orPredicates.size() != 2`, or `CLAIM_PREDICATE_NOT` with a null `notPredicate` (for any `i`)
+ `orPredicates.size() != 2`, or `CLAIM_PREDICATE_NOT` with a null
+ `notPredicate` (for any `i`)
- `claimants[i].predicate` contains a predicate of type
`CLAIM_PREDICATE_BEFORE_ABSOLUTE_TIME` or
- `CLAIM_PREDICATE_BEFORE_RELATIVE_TIME` with
- `absBefore < 0` or `relBefore < 0` (for any `i`)
+ `CLAIM_PREDICATE_BEFORE_RELATIVE_TIME` with `absBefore < 0` or
+ `relBefore < 0` (for any `i`)
The behavior of `CreateClaimableBalanceOp` is as follows:
1. Fail with `CREATE_CLAIMABLE_BALANCE_LOW_RESERVE` if the `sourceAccount` does
not have at least `claimants.size() * baseReserve` available balance of
native asset
-2. Deduct `claimants.size() * baseReserve` of native asset from
- `sourceAccount`
-3. Fail with `CREATE_CLAIMABLE_BALANCE_NO_TRUST` if the `sourceAccount` does not
- have a trust line for `asset`
+2. Deduct `claimants.size() * baseReserve` of native asset from `sourceAccount`
+3. Fail with `CREATE_CLAIMABLE_BALANCE_NO_TRUST` if the `sourceAccount` does
+ not have a trust line for `asset`
4. Fail with `CREATE_CLAIMABLE_BALANCE_NOT_AUTHORIZED` if the `sourceAccount`
trust line for `asset` does not have `AUTHORIZED_FLAG` set
5. Fail with `CREATE_CLAIMABLE_BALANCE_UNDERFUNDED` if the `sourceAccount` does
not have at least `amount` available balance of `asset`
6. Deduct `amount` of `asset` from `sourceAccount`
7. Create a claimable balance entry with the following properties:
- - `balanceID` of type `CLAIMABLE_BALANCE_ID_TYPE_V0`.[^id-arithmatic]
- - `createdBy = sourceAccount` (of the transaction, not the operation)
- - `claimants` as specified, with the exception that
- - `CLAIM_PREDICATE_BEFORE_RELATIVE_TIME` will be converted to
- `CLAIM_PREDICATE_BEFORE_ABSOLUTE_TIME` by adding `relBefore` to
- the `closeTime` in the `LedgerHeader`. If this addition exceeds
- `INT64_MAX` then use `INT64_MAX`.
- - `asset` as specified in the operation
- - `amount` as specified in the operation
- - `reserve` equal to `claimants.size() * baseReserve`
-
-[^id-arithmatic]: ```javascript
+ - `balanceID` of type `CLAIMABLE_BALANCE_ID_TYPE_V0`.[^id-arithmatic]
+ - `createdBy = sourceAccount` (of the transaction, not the operation)
+ - `claimants` as specified, with the exception that
+ - `CLAIM_PREDICATE_BEFORE_RELATIVE_TIME` will be converted to
+ `CLAIM_PREDICATE_BEFORE_ABSOLUTE_TIME` by adding `relBefore` to the
+ `closeTime` in the `LedgerHeader`. If this addition exceeds `INT64_MAX`
+ then use `INT64_MAX`.
+ - `asset` as specified in the operation
+ - `amount` as specified in the operation
+ - `reserve` equal to `claimants.size() * baseReserve`
+
+[^id-arithmatic]:
+ ```javascript
HashIDPreimage = (
sourceAccount;
seqNum;
@@ -352,18 +364,21 @@ The behavior of `CreateClaimableBalanceOp` is as follows:
balanceID.v0() = OperationID // Hash
clientDisplayID = hex(HashIDPreimage)
```
+
- `HashIDPreimage`: a switch within the new `type` `ENVELOPE_TYPE_OP_ID`
- `OperationID`: hash of `ENVELOPE_TYPE_OP_ID` precomputation data
- `sourceAccount`: unmuxed public key of the transaction's source
- `seqNum`: the transaction source account's sequence number
- `opNum`: position index of this operation in the transaction
-8. Succeed with `CREATE_CLAIMABLE_BALANCE_SUCCESS` and the `balanceID` from the previous step.
+8. Succeed with `CREATE_CLAIMABLE_BALANCE_SUCCESS` and the `balanceID` from the
+ previous step.
`CreateClaimableBalanceOp` requires medium threshold because it can be used to
send funds.
#### ClaimClaimableBalanceOp
+
A `ClaimableBalanceEntry` can only be deleted by the `ClaimClaimableBalanceOp`
operation. `ClaimClaimableBalanceOp` cannot be invalid.
@@ -371,22 +386,23 @@ The behavior of `ClaimClaimableBalanceOp` is as follows:
1. Fail with `CLAIM_CLAIMABLE_BALANCE_DOES_NOT_EXIST` if there is no
`ClaimableBalanceEntry` matching `balanceID`.
-2. Fail with `CLAIM_CLAIMABLE_BALANCE_CANNOT_CLAIM` if there is no `i` such that
- `claimants[i].destination = sourceAccount` or if `claimants[i].predicate`
- is not satisfied
+2. Fail with `CLAIM_CLAIMABLE_BALANCE_CANNOT_CLAIM` if there is no `i` such
+ that `claimants[i].destination = sourceAccount` or if
+ `claimants[i].predicate` is not satisfied
3. Skip to step 7 if `createdBy` does not exist
4. Skip to step 7 if `createdBy` does not have at least `reserve` available
limit of native asset
5. Add `reserve` of native asset to `createdBy`
6. Skip to step 9
-7. Fail with `CLAIM_CLAIMABLE_BALANCE_LINE_FULL` if the `sourceAccount` does not
- have at least `reserve` available limit of native asset
+7. Fail with `CLAIM_CLAIMABLE_BALANCE_LINE_FULL` if the `sourceAccount` does
+ not have at least `reserve` available limit of native asset
8. Add `reserve` of native asset to `sourceAccount`
-9. Fail with `CLAIM_CLAIMABLE_BALANCE_NO_TRUST` if `asset` is not of type
- `ASSET_TYPE_NATIVE` and the `sourceAccount` trust line for `asset` does not exist
-10. Fail with `CLAIM_CLAIMABLE_BALANCE_NOT_AUTHORIZED` if `asset` is not of type
+9. Fail with `CLAIM_CLAIMABLE_BALANCE_NO_TRUST` if `asset` is not of type
`ASSET_TYPE_NATIVE` and the `sourceAccount` trust line for `asset` does not
- have the `AUTHORIZED_FLAG` flag set
+ exist
+10. Fail with `CLAIM_CLAIMABLE_BALANCE_NOT_AUTHORIZED` if `asset` is not of
+ type `ASSET_TYPE_NATIVE` and the `sourceAccount` trust line for `asset`
+ does not have the `AUTHORIZED_FLAG` flag set
11. Fail with `CLAIM_CLAIMABLE_BALANCE_LINE_FULL` if the `sourceAccount` does
not have at least `amount` available limit of `asset`
12. Add `amount` of `asset` to the `sourceAccount`
@@ -399,6 +415,7 @@ transfer funds from a `ClaimableBalanceEntry` to a trust line.
## Design Rationale
### ClaimableBalanceEntry is not a sub-entry
+
Each `ClaimableBalanceEntry` exists as an independent entity on the ledger. It
is clear that a `ClaimableBalanceEntry` cannot be a sub-entry of any its
`claimants`, because it is a security risk for accounts to be able to add
@@ -408,10 +425,11 @@ them? There are two main benefits of this design:
1. Sending accounts are not limited in the number of claimable balance entries
they can create
-2. Sending accounts can be merged even if they created claimable balance entries
- that have not yet been claimed
+2. Sending accounts can be merged even if they created claimable balance
+ entries that have not yet been claimed
### ClaimableBalanceEntry claimants are accounts
+
For each `ClaimableBalanceEntry`, `claimants` contains a finite and immutable
list of accounts that could potentially claim the `ClaimableBalanceEntry`. Even
if the conditions are satisfiable (which is not guaranteed), it is still
@@ -428,9 +446,9 @@ would fail. This would allow the appropriate party to claim the
`ClaimableBalanceEntry` into any account that they control. But this would also
make it considerably easier to circumvent authorization restrictions on assets.
For instance, an authorized account could create a `ClaimableBalanceEntry` with
-a recipient public key whose private key is known only to some other party. That
-party would then control the funds in the `ClaimableBalanceEntry` and could
-claim them into any account that is authorized. A similar scheme could be
+a recipient public key whose private key is known only to some other party.
+That party would then control the funds in the `ClaimableBalanceEntry` and
+could claim them into any account that is authorized. A similar scheme could be
executed today by changing the signers on an account, but this would only be
possible once per authorized account and cannot separate out a fraction of the
funds. In summary, an approach that could allow `ClaimableBalanceEntry` to be
@@ -438,35 +456,42 @@ claimable into any account would significantly weaken the strength of
authorization restrictions.
### Should it be possible to increase the amount of a ClaimableBalanceEntry?
+
One issue which has been discussed during the development of this proposal is
the absence of a mechanism to increase the `amount` of a
`ClaimableBalanceEntry`. The specific scenario which would warrant this
-functionality is when a single account sends many identical payments to a single
-account that is not prepared to receive them and does not claim any of the
-payments. However, this case is sufficiently specific that we recommend pursuing
-it in a separate proposal once this proposal has been implemented. Delaying this
-feature presents minimal additional difficulty because `ClaimableBalanceEntry`
-has an extension point.
+functionality is when a single account sends many identical payments to a
+single account that is not prepared to receive them and does not claim any of
+the payments. However, this case is sufficiently specific that we recommend
+pursuing it in a separate proposal once this proposal has been implemented.
+Delaying this feature presents minimal additional difficulty because
+`ClaimableBalanceEntry` has an extension point.
-This issue has also been slightly mitigated relative to earlier versions of this
-proposal because `ClaimableBalanceEntry` now returns the reserve to the sending
-account, whenever possible.
+This issue has also been slightly mitigated relative to earlier versions of
+this proposal because `ClaimableBalanceEntry` now returns the reserve to the
+sending account, whenever possible.
### Memo
+
Everything proposed in this document takes the same stance as existing features
-of the protocol with regard to memo: memo is a property of a transaction, not of
-an operation or a ledger entry.
+of the protocol with regard to memo: memo is a property of a transaction, not
+of an operation or a ledger entry.
## Backwards Incompatibilities
+
All downstream systems will need updated XDR in order to recognize the new
operations and ledger entries.
## Security Concerns
-This proposal will slightly reduce the efficacy of base reserve changes, because
-a `ClaimableBalanceEntry` that has insufficient reserve is still usable.
+
+This proposal will slightly reduce the efficacy of base reserve changes,
+because a `ClaimableBalanceEntry` that has insufficient reserve is still
+usable.
## Test Cases
+
None yet.
## Implementation
+
https://github.com/stellar/stellar-core/pull/2591
diff --git a/core/cap-0024.md b/core/cap-0024.md
index 79f6e803c..68fbac675 100644
--- a/core/cap-0024.md
+++ b/core/cap-0024.md
@@ -11,50 +11,56 @@ Protocol version: 12
```
## Simple Summary
+
Right now `PathPaymentOp` lets you specify how much the recipient will receive
while the amount sent can vary. There are use cases where you really want to
specify the amount send while the amount received can vary.
## Motivation
+
The motivation to add `PathPaymentStrictSendOp` is analogous to that for adding
-`ManageBuyOfferOp`: many financial institutions have an obligation to faithfully
-carry out customer orders. As a concrete example, suppose that an individual
-whose native currency is X is selling a house. A potential buyer whose native
-currency is Y approaches the seller. They agree to a contract where the buyer
-must deposit a certain amount of currency X with an escrow agent chosen by the
-seller. The escrowed amount will contribute to the purchase price if the
-transaction is completed, will be returned to the buyer (in currency Y) in the
-event that seller defaults, and will be credited to the seller as damages in the
-event that buyer defaults. The buyer can easily use `PathPaymentOp` to deposit
-the agreed amount of currency X with the escrow agent. If the escrow agent needs
-to transfer the escrowed funds to the seller, this can be done with `PaymentOp`.
-But if the escrow agent needs to transfer the escrowed funds to the buyer (in
-currency Y) then `PathPaymentOp` will not be effective because the escrow agent
-would be required to guess the `destAmount` in order to send the entire escrowed
-amount. In general, there is no value for the `destAmount` that guarantees that
-the entire `maxSend` will be sent, so the escrow agent will not be able to meet
-his obligations.
+`ManageBuyOfferOp`: many financial institutions have an obligation to
+faithfully carry out customer orders. As a concrete example, suppose that an
+individual whose native currency is X is selling a house. A potential buyer
+whose native currency is Y approaches the seller. They agree to a contract
+where the buyer must deposit a certain amount of currency X with an escrow
+agent chosen by the seller. The escrowed amount will contribute to the purchase
+price if the transaction is completed, will be returned to the buyer (in
+currency Y) in the event that seller defaults, and will be credited to the
+seller as damages in the event that buyer defaults. The buyer can easily use
+`PathPaymentOp` to deposit the agreed amount of currency X with the escrow
+agent. If the escrow agent needs to transfer the escrowed funds to the seller,
+this can be done with `PaymentOp`. But if the escrow agent needs to transfer
+the escrowed funds to the buyer (in currency Y) then `PathPaymentOp` will not
+be effective because the escrow agent would be required to guess the
+`destAmount` in order to send the entire escrowed amount. In general, there is
+no value for the `destAmount` that guarantees that the entire `maxSend` will be
+sent, so the escrow agent will not be able to meet his obligations.
### Goals Alignment
+
This proposal is aligned with the following Stellar Network Goal: The Stellar
Network should enable cross-border payments, i.e. payments via exchange of
-assets, throughout the globe, enabling users to make payments between assets
-in a manner that is fast, cheap, and highly usable.
+assets, throughout the globe, enabling users to make payments between assets in
+a manner that is fast, cheap, and highly usable.
## Abstract
+
This proposal introduces a new operation `PathPaymentStrictSendOp` that allows
-a form of path payment with a strict equality constraint on the send amount
-and an inequality constraint on the destination amount. The existing
-`PathPayment` operation is renamed to `PathPaymentStrictReceiveOp` in order to
-reflect that it allows a form of path payment with a strict equality constraint
-on the destination amount and an inequality constraint on the send amount.
+a form of path payment with a strict equality constraint on the send amount and
+an inequality constraint on the destination amount. The existing `PathPayment`
+operation is renamed to `PathPaymentStrictReceiveOp` in order to reflect that
+it allows a form of path payment with a strict equality constraint on the
+destination amount and an inequality constraint on the send amount.
## Specification
### XDR
+
We first introduce the XDR for operations `PathPaymentStrictReceiveOp` and
`PathPaymentStrictSendOp`, as well as the corresponding changes to
`OperationType` and `Operation`.
+
```c++
enum OperationType
{
@@ -125,6 +131,7 @@ struct Operation
We next introduce the result types `PathPaymentStrictReceiveResult` and
`PathPaymentStrictSendResult`, as well as the corresponding changes to
`OperationResult`.
+
```c++
enum PathPaymentStrictReceiveResultCode
{
@@ -213,78 +220,87 @@ default:
```
### Semantics
+
`PathPaymentStrictSendOp` returns
- `PATH_PAYMENT_STRICT_SEND_NO_DESTINATION` if issuer checks are not bypassed
-and `destAccount` does not exist
-- `PATH_PAYMENT_STRICT_SEND_NO_ISSUER` if issuer checks are not bypassed and the
-issuer of `sendAsset` does not exist
+ and `destAccount` does not exist
+- `PATH_PAYMENT_STRICT_SEND_NO_ISSUER` if issuer checks are not bypassed and
+ the issuer of `sendAsset` does not exist
- `PATH_PAYMENT_STRICT_SEND_SRC_NO_TRUST` if `sendAsset` is not native and
-`sourceAccount` does not own a trust line for `sendAsset`
-- `PATH_PAYMENT_STRICT_SEND_SRC_NOT_AUTHORIZED` if `sendAsset` is not native and
-the trust line for `sendAsset` owned by `sourceAccount` is not authorized
-- `PATH_PAYMENT_STRICT_SEND_UNDERFUNDED` if `sourceAccount` does not have sufficient
-available balance of `sendAsset` after accounting for selling liabilities and
-base reserve (if `sendAsset` is native)
-- For each `(S, R)` in `(sendAsset, path[0]), (path[0], path[1]), ...,
-(path[n-1], path[n]), (path[n], destAsset)` with `S != R`
- - `PATH_PAYMENT_STRICT_SEND_NO_ISSUER` if `R` is not native and the issuer
-of `R` does not exist
- - `PATH_PAYMENT_STRICT_SEND_OFFER_CROSS_SELF` if an offer owned by
-`sourceAccount` was encountered between `S` and `R` before sending the required
-amount of `S`
- - `PATH_PAYMENT_STRICT_SEND_TOO_FEW_OFFERS` if less than the required amount
-of `S` was sent before exhausting all offers between `S` and `R`
-- `PATH_PAYMENT_STRICT_SEND_UNDER_DESTMIN` if the amount sent to the destination
-does not exceed `destMin`
-- `PATH_PAYMENT_STRICT_SEND_NO_ISSUER` if issuer checks are not bypassed and the
-issuer of `destAsset` does not exist
-- `PATH_PAYMENT_STRICT_SEND_NO_TRUST` if `destAsset` is not native and `destAccount`
-does not own a trust line for `destAsset`
-- `PATH_PAYMENT_STRICT_SEND_NOT_AUTHORIZED` if `destAsset` is not native and the
-trust line for `destAsset` owned by `destAccount` is not authorized
-- `PATH_PAYMENT_STRICT_SEND_LINE_FULL` if `destAccount` does not have sufficient
-available limit of `destAsset` after accounting for buying liabilities
+ `sourceAccount` does not own a trust line for `sendAsset`
+- `PATH_PAYMENT_STRICT_SEND_SRC_NOT_AUTHORIZED` if `sendAsset` is not native
+ and the trust line for `sendAsset` owned by `sourceAccount` is not authorized
+- `PATH_PAYMENT_STRICT_SEND_UNDERFUNDED` if `sourceAccount` does not have
+ sufficient available balance of `sendAsset` after accounting for selling
+ liabilities and base reserve (if `sendAsset` is native)
+- For each `(S, R)` in
+ `(sendAsset, path[0]), (path[0], path[1]), ..., (path[n-1], path[n]), (path[n], destAsset)`
+ with `S != R` - `PATH_PAYMENT_STRICT_SEND_NO_ISSUER` if `R` is not native and
+ the issuer of `R` does not exist -
+ `PATH_PAYMENT_STRICT_SEND_OFFER_CROSS_SELF` if an offer owned by
+ `sourceAccount` was encountered between `S` and `R` before sending the
+ required amount of `S` - `PATH_PAYMENT_STRICT_SEND_TOO_FEW_OFFERS` if less
+ than the required amount of `S` was sent before exhausting all offers between
+ `S` and `R`
+- `PATH_PAYMENT_STRICT_SEND_UNDER_DESTMIN` if the amount sent to the
+ destination does not exceed `destMin`
+- `PATH_PAYMENT_STRICT_SEND_NO_ISSUER` if issuer checks are not bypassed and
+ the issuer of `destAsset` does not exist
+- `PATH_PAYMENT_STRICT_SEND_NO_TRUST` if `destAsset` is not native and
+ `destAccount` does not own a trust line for `destAsset`
+- `PATH_PAYMENT_STRICT_SEND_NOT_AUTHORIZED` if `destAsset` is not native and
+ the trust line for `destAsset` owned by `destAccount` is not authorized
+- `PATH_PAYMENT_STRICT_SEND_LINE_FULL` if `destAccount` does not have
+ sufficient available limit of `destAsset` after accounting for buying
+ liabilities
- `PATH_PAYMENT_STRICT_SEND_SUCCESS` otherwise
-If `PathPaymentStrictSendOp` succeeds then the source account is debited exactly
-`sendAmount` of `sendAsset` and the `destAccount` is credited at least `destMin`
-of `destAsset`. In order to achieve this goal, it was required to introduce a
-new rounding mode (see CAP-0004 for context). We provide an informal description
-of what occurs and why; for a detailed proof please refer to the implementation.
-This rounding mode may only differ from the typical rounding behavior if the offer
-is larger than the remnants of the conversion (this can only occur for the last
-offer crossed in each step of the path). In this case, the remaining quantity of
-`S` will be converted into the maximum amount of `R` that is possible (given
-limits on the conversion and the offer) such that the price remains favorable to
-the owner of the offer. This is the correct behavior because
-
-- The entire amount available to be sent is in fact sent if it is possible to do
-so
+If `PathPaymentStrictSendOp` succeeds then the source account is debited
+exactly `sendAmount` of `sendAsset` and the `destAccount` is credited at least
+`destMin` of `destAsset`. In order to achieve this goal, it was required to
+introduce a new rounding mode (see CAP-0004 for context). We provide an
+informal description of what occurs and why; for a detailed proof please refer
+to the implementation. This rounding mode may only differ from the typical
+rounding behavior if the offer is larger than the remnants of the conversion
+(this can only occur for the last offer crossed in each step of the path). In
+this case, the remaining quantity of `S` will be converted into the maximum
+amount of `R` that is possible (given limits on the conversion and the offer)
+such that the price remains favorable to the owner of the offer. This is the
+correct behavior because
+
+- The entire amount available to be sent is in fact sent if it is possible to
+ do so
- The received amount is the maximum possible while continuing to meet the
-requirement that it must favor the owner of the offer
+ requirement that it must favor the owner of the offer
## Design Rationale
-Every design decision concerning `PathPaymentStrictSendOp` was decided to make the
-operation "dual" to `PathPaymentStrictReceiveOp` in as many ways as possible. With
-that context in mind, the central design decision for `PathPaymentStrictSendOp`
-was enforcing the requirement that it must send exactly the specified `sendAmount`.
-This decision has the following advantages, analogous to the advantages of having
-`PathPaymentStrictReceiveOp` receive exactly the specified `destAmount`
+
+Every design decision concerning `PathPaymentStrictSendOp` was decided to make
+the operation "dual" to `PathPaymentStrictReceiveOp` in as many ways as
+possible. With that context in mind, the central design decision for
+`PathPaymentStrictSendOp` was enforcing the requirement that it must send
+exactly the specified `sendAmount`. This decision has the following advantages,
+analogous to the advantages of having `PathPaymentStrictReceiveOp` receive
+exactly the specified `destAmount`
- The semantics of the operation are simple to explain
- The state of the `sourceAccount` and `destAccount` is predictable after the
-operation executes
+ operation executes
## Backwards Incompatibilities
+
All downstream systems will need updated XDR in order to recognize the new
operation.
## Security Concerns
+
None yet.
## Test Cases
+
None yet.
## Implementation
+
None yet.
diff --git a/core/cap-0025.md b/core/cap-0025.md
index 04c1e9dc0..9543fa8f3 100644
--- a/core/cap-0025.md
+++ b/core/cap-0025.md
@@ -12,114 +12,133 @@ Protocol version: 12
## Simple Summary
-This proposal makes simplifications to the bucket list data structure in stellar-core, such that the
-new bucket merge logic results in different buckets, than ones produced by previous versions.
+This proposal makes simplifications to the bucket list data structure in
+stellar-core, such that the new bucket merge logic results in different
+buckets, than ones produced by previous versions.
-The main simplification is removal of `shadows`, which are older versions of the bucket list.
-Shadows are used to avoid storing all updates to the same ledger entry, and keeping only the most
-recent one instead.
+The main simplification is removal of `shadows`, which are older versions of
+the bucket list. Shadows are used to avoid storing all updates to the same
+ledger entry, and keeping only the most recent one instead.
## Abstract
-Bucket list is a log-structured merge (LSM) tree used to store the complete state of stellar-core.
-As new entries are added, bucket list merges its existing buckets to produce new buckets, which
-incorporate the new data. Additionally, bucket list stores its previous versions, called shadows.
-The purpose of shadows is to handle high volume of changes to the same ledger entries (i.e., entries
-of `LIVEENTRY` type). That is, if a `LIVEENTRY` entry exists at a higher (younger) level, another
-`LIVEENTRY` at a lower (older) level is elided during a merge. This proposal aims to remove shadows,
-by showing that they:
+Bucket list is a log-structured merge (LSM) tree used to store the complete
+state of stellar-core. As new entries are added, bucket list merges its
+existing buckets to produce new buckets, which incorporate the new data.
+Additionally, bucket list stores its previous versions, called shadows. The
+purpose of shadows is to handle high volume of changes to the same ledger
+entries (i.e., entries of `LIVEENTRY` type). That is, if a `LIVEENTRY` entry
+exists at a higher (younger) level, another `LIVEENTRY` at a lower (older)
+level is elided during a merge. This proposal aims to remove shadows, by
+showing that they:
1. Have a high storage cost.
2. Significantly increase bucket merge latency.
-3. Are only valuable for a niche range of scenarios. Additionally, their usefulness degrades
-at lower levels.
+3. Are only valuable for a niche range of scenarios. Additionally, their
+ usefulness degrades at lower levels.
-The changes proposed will not affect bucket semantics. It will merely change how buckets are merged,
-producing different outputs compared to previous protocol versions.
+The changes proposed will not affect bucket semantics. It will merely change
+how buckets are merged, producing different outputs compared to previous
+protocol versions.
## Motivation
-This change was motivated by the performance analysis done on shadows. In the current protocol, for
-level i, shadows consist of all levels above level i - 1. Every level, starting with level 2, stores
-such a list of shadows. During bucket merge, aside from reading the contents of the two buckets
-being merged, all shadows are iterated through to check whether an elision of a particular ledger
-entry is needed. This slows down the merge latency significantly. The assessment of current public
-network traffic shows that merge times for lowest-level buckets complete approximately 3 times
-faster without shadows than with shadows.
-
-Additionally, shadows create a significant storage burden. On one hand, they prevent constantly
-churning ledger entries from propagating all the way down to lowest levels, avoiding redundant
-entries. On the other hand, the data from the public network suggests that the overhead of such
-spilling is not particularly significant. For example, the resulting buckets without shadows were at
-most twice bigger than ones that used shadows. However, the total size of shadows stored for lower
-levels still outweighed the overhead of larger resulting buckets.
-
-Lastly, there are a few very specific cases when a particular level can be fully shadowed. That is,
-for shadows to be the most useful at level i, it must be assumed that nothing above level i is
-shadowed. This also means that storing shadows for all previous levels is wasteful, since nothing is
-shadowed. At lower levels, shadows are less useful, since the bucket list incurs the overhead of
-unnecessary storage of shadows at higher levels. Moreover, the argument is based on an assumption
-that all the network traffic follows a specific, unlikely pattern: it updates a certain number of
-same ledger entries continuously.
+This change was motivated by the performance analysis done on shadows. In the
+current protocol, for level i, shadows consist of all levels above level i - 1.
+Every level, starting with level 2, stores such a list of shadows. During
+bucket merge, aside from reading the contents of the two buckets being merged,
+all shadows are iterated through to check whether an elision of a particular
+ledger entry is needed. This slows down the merge latency significantly. The
+assessment of current public network traffic shows that merge times for
+lowest-level buckets complete approximately 3 times faster without shadows than
+with shadows.
+
+Additionally, shadows create a significant storage burden. On one hand, they
+prevent constantly churning ledger entries from propagating all the way down to
+lowest levels, avoiding redundant entries. On the other hand, the data from the
+public network suggests that the overhead of such spilling is not particularly
+significant. For example, the resulting buckets without shadows were at most
+twice bigger than ones that used shadows. However, the total size of shadows
+stored for lower levels still outweighed the overhead of larger resulting
+buckets.
+
+Lastly, there are a few very specific cases when a particular level can be
+fully shadowed. That is, for shadows to be the most useful at level i, it must
+be assumed that nothing above level i is shadowed. This also means that storing
+shadows for all previous levels is wasteful, since nothing is shadowed. At
+lower levels, shadows are less useful, since the bucket list incurs the
+overhead of unnecessary storage of shadows at higher levels. Moreover, the
+argument is based on an assumption that all the network traffic follows a
+specific, unlikely pattern: it updates a certain number of same ledger entries
+continuously.
## Specification
-The ledger protocol number will be increased, to version 12. This is a breaking change. The bucket
-list will produce buckets differing from buckets of previous protocols. This difference will affect
-the bucket list hash, which is used for consensus.
+The ledger protocol number will be increased, to version 12. This is a breaking
+change. The bucket list will produce buckets differing from buckets of previous
+protocols. This difference will affect the bucket list hash, which is used for
+consensus.
### Bucket Content
-Bucket semantics remain unchanged. The only difference is potentially more frequent
-occurrences of `LIVEENTRY` types of bucket entries across multiple buckets for the same ledger entry.
+Bucket semantics remain unchanged. The only difference is potentially more
+frequent occurrences of `LIVEENTRY` types of bucket entries across multiple
+buckets for the same ledger entry.
### Merge Algorithm Changes
-Under protocol 12, new style bucket merges will not consider shadows, so less bucket entries will be
-elided. In order to perform a new style merge, nodes will compare versions of the inputs.
-Specifically, a new style merge will be performed if the input snap is of ledger version 12 or
-higher. This implies that nodes will keep performing old style merges with shadows until input snaps
+Under protocol 12, new style bucket merges will not consider shadows, so less
+bucket entries will be elided. In order to perform a new style merge, nodes
+will compare versions of the inputs. Specifically, a new style merge will be
+performed if the input snap is of ledger version 12 or higher. This implies
+that nodes will keep performing old style merges with shadows until input snaps
are of the right version.
### Protocol Upgrade Changes
-To avoid delays while adding the new data to the bucket list, old buckets are merged in the
-background as early as possible. Some of those merges are completed long before they are needed.
-After the protocol 12 upgrade, all existing in-progress or completed (but not yet needed) merges
-will remain relevant. The implementation will use these merges at appropriate ledgers, then,
-depending on the input versions for each level, will start old style or new style merges.
-Eventually, all bucket list levels will be performing new style merges. Because new style merges are
-started gradually, letting merges of older versions finish, nodes may upgrade at any ledger without
-delays.
+To avoid delays while adding the new data to the bucket list, old buckets are
+merged in the background as early as possible. Some of those merges are
+completed long before they are needed. After the protocol 12 upgrade, all
+existing in-progress or completed (but not yet needed) merges will remain
+relevant. The implementation will use these merges at appropriate ledgers,
+then, depending on the input versions for each level, will start old style or
+new style merges. Eventually, all bucket list levels will be performing new
+style merges. Because new style merges are started gradually, letting merges of
+older versions finish, nodes may upgrade at any ledger without delays.
### History Archive Changes
-Starting protocol 12, nodes will not publish inputs or outputs to new style merges. With shadows
-removed, inputs to bucket merges are completely reconstructible from the bucket list itself. Note,
-inputs to merges remain stable and derivable from the current bucket list until the future bucket is
-promoted into the bucket list. Due to this property, it is possible to re-start merges at any ledger
-between the initial merge trigger and the completed merge promotion.
+Starting protocol 12, nodes will not publish inputs or outputs to new style
+merges. With shadows removed, inputs to bucket merges are completely
+reconstructible from the bucket list itself. Note, inputs to merges remain
+stable and derivable from the current bucket list until the future bucket is
+promoted into the bucket list. Due to this property, it is possible to re-start
+merges at any ledger between the initial merge trigger and the completed merge
+promotion.
## Design Rationale
-The initial bucket list design did not have a comprehensive analysis of shadows,
-showing that it is not a general optimization, but rather an improvement to a very specific ledger
-traffic scenario.
+The initial bucket list design did not have a comprehensive analysis of
+shadows, showing that it is not a general optimization, but rather an
+improvement to a very specific ledger traffic scenario.
-Additionally, other known implementations of LSM trees suggest that per-level compaction is
-sufficient. For example, LevelDB gives an overview of its compactions:
+Additionally, other known implementations of LSM trees suggest that per-level
+compaction is sufficient. For example, LevelDB gives an overview of its
+compactions:
https://github.com/google/leveldb/blob/master/doc/impl.md#compactions
## Backwards Incompatibilities
-This is a breaking change, even though there are no semantic changes to the bucket list. The updated
-merge mechanism can be regarded as an “implementation detail”. Because of that, older versions will
-not error when processing new buckets. However, they will produce a different ledger hash,
-preventing them from reaching consensus, and making progress.
+This is a breaking change, even though there are no semantic changes to the
+bucket list. The updated merge mechanism can be regarded as an “implementation
+detail”. Because of that, older versions will not error when processing new
+buckets. However, they will produce a different ledger hash, preventing them
+from reaching consensus, and making progress.
-The new versions of stellar-core will be able to process old and new buckets, and pick the
-appropriate merge technique based on the version number in the ledger header.
+The new versions of stellar-core will be able to process old and new buckets,
+and pick the appropriate merge technique based on the version number in the
+ledger header.
## Test Cases
diff --git a/core/cap-0026.md b/core/cap-0026.md
index a02e332ef..1ae7d1433 100644
--- a/core/cap-0026.md
+++ b/core/cap-0026.md
@@ -17,40 +17,43 @@ This CAP disables the inflation mechanism.
## Motivation
-Inflation mechanism was originally planned as a simple way for users to support important
-ecosystem projects and keep the overall XLM supply slightly inflationary.
-
-- Currently, it doesn’t serve its original purpose, as users mostly prefer to claim the
-inflation payouts through the inflation pools instead of sponsoring ecosystem projects.
-As a result, inflation micropayouts from XLM pools generate a significant validators
-load and clog the network.
-- Payouts get more and more resource consuming for validators over time due to the total
-lumens circulation supply increase.
-- Once the validators vote for the significant base fee increase, such payouts became much
-less profitable for most lumen holders, and XLM pools will be forced to raise the minimum
-required account balance to more than 1000XLM to cover transaction fee loses.
-- Inflation payouts may lead to additional complications in some edge-cases when
-programming smart contracts.
-- Inflation deprecation opens new possibilities for the more effective targeted reward
-distributions that require complex logic, like stimulating DEX liquidity providers.
+Inflation mechanism was originally planned as a simple way for users to support
+important ecosystem projects and keep the overall XLM supply slightly
+inflationary.
+
+- Currently, it doesn’t serve its original purpose, as users mostly prefer to
+ claim the inflation payouts through the inflation pools instead of sponsoring
+ ecosystem projects. As a result, inflation micropayouts from XLM pools
+ generate a significant validators load and clog the network.
+- Payouts get more and more resource consuming for validators over time due to
+ the total lumens circulation supply increase.
+- Once the validators vote for the significant base fee increase, such payouts
+ became much less profitable for most lumen holders, and XLM pools will be
+ forced to raise the minimum required account balance to more than 1000XLM to
+ cover transaction fee loses.
+- Inflation payouts may lead to additional complications in some edge-cases
+ when programming smart contracts.
+- Inflation deprecation opens new possibilities for the more effective targeted
+ reward distributions that require complex logic, like stimulating DEX
+ liquidity providers.
## Abstract
-Turning off inflation requires a minor change in Stellar Core, namely `Inflation`
-operation behavior. At the same time, it can be implemented without XDR changes and
-breaking protocol changes.
+Turning off inflation requires a minor change in Stellar Core, namely
+`Inflation` operation behavior. At the same time, it can be implemented without
+XDR changes and breaking protocol changes.
## Specification
-This proposal requires a single Core behavior change.
-Transaction containing `Inflation` operation should always return
-`opNOT_SUPPORTED` result code.
+This proposal requires a single Core behavior change. Transaction containing
+`Inflation` operation should always return `opNOT_SUPPORTED` result code.
## Design Rationale
-The proposed approach does not require breaking protocol changes and allows turning on
-the inflation mechanism in the future if needed. Due to the simplicity of proposed changes,
-the implementation potentially requires minimum efforts.
+The proposed approach does not require breaking protocol changes and allows
+turning on the inflation mechanism in the future if needed. Due to the
+simplicity of proposed changes, the implementation potentially requires minimum
+efforts.
## Security Concerns
@@ -58,4 +61,4 @@ None.
## Backwards Incompatibilities
-This CAP contains no breaking changes and is fully backward compatible.
\ No newline at end of file
+This CAP contains no breaking changes and is fully backward compatible.
diff --git a/core/cap-0027.md b/core/cap-0027.md
index b382699e5..a32c92cc9 100644
--- a/core/cap-0027.md
+++ b/core/cap-0027.md
@@ -12,52 +12,49 @@ Protocol version: 13
## Simple Summary
-A new type of Account ID includes a 64-bit memo ID. This memo ID has
-no effect on the semantics of operations or their authorization, but
-it facilitates multiplexing a single account across multiple users.
+A new type of Account ID includes a 64-bit memo ID. This memo ID has no effect
+on the semantics of operations or their authorization, but it facilitates
+multiplexing a single account across multiple users.
## Motivation
-A common pattern in the Stellar ecosystem is for services to share a
-single Stellar account ID across many users, relying on the memo ID to
-disambiguate incoming payments.
+A common pattern in the Stellar ecosystem is for services to share a single
+Stellar account ID across many users, relying on the memo ID to disambiguate
+incoming payments.
Experience shows that people frequently forget to include the memo ID,
-resulting in either lost funds or onerous support calls. Moreover,
-memo IDs are per transaction, not per occurrence of an account ID,
-which imposes restrictions on the use of multiplexed accounts. For
-example, it is not possible to include multiple payments to different
-multiplexed accounts in the same transaction. Similarly, it is not
-possible to refund payments from a multiplexed account ID, as the
-transaction's memo ID by convention describes only the destination,
-not the source of funds.
-
-By adding an optional memo ID to the account ID type, we make
-multiplexed accounts a first-class abstraction that can be used
-anywhere a normal account ID can be used.
+resulting in either lost funds or onerous support calls. Moreover, memo IDs are
+per transaction, not per occurrence of an account ID, which imposes
+restrictions on the use of multiplexed accounts. For example, it is not
+possible to include multiple payments to different multiplexed accounts in the
+same transaction. Similarly, it is not possible to refund payments from a
+multiplexed account ID, as the transaction's memo ID by convention describes
+only the destination, not the source of funds.
+
+By adding an optional memo ID to the account ID type, we make multiplexed
+accounts a first-class abstraction that can be used anywhere a normal account
+ID can be used.
### Goals Alignment
-First-class multiplexed accounts help scalability by eliminating an
-incentive for users to create many accounts when virtual accounts
-would suffice. They also significantly improve usability by
-addressing the pain point of support costs for users who forget memo
-IDs.
+First-class multiplexed accounts help scalability by eliminating an incentive
+for users to create many accounts when virtual accounts would suffice. They
+also significantly improve usability by addressing the pain point of support
+costs for users who forget memo IDs.
## Abstract
-A new type, `MuxedAccount`, replaces `AccountID` in many places. A
-`MuxedAccount` can contain either a plain Ed25519 public key, or a
-public key and a 64-bit subaccount ID. The subaccount ID has no
-effect on the semantics of transactions, but can be used by
-higher-layer software to multiplex a single stellar account among
-multiple users.
+A new type, `MuxedAccount`, replaces `AccountID` in many places. A
+`MuxedAccount` can contain either a plain Ed25519 public key, or a public key
+and a 64-bit subaccount ID. The subaccount ID has no effect on the semantics of
+transactions, but can be used by higher-layer software to multiplex a single
+stellar account among multiple users.
## Specification
The multiplexed account type is represented by a new XDR union:
-~~~ {.c}
+```{.c}
enum CryptoKeyType
{
KEY_TYPE_ED25519 = 0,
@@ -76,80 +73,74 @@ union MuxedAccount switch (CryptoKeyType type) {
uint256 ed25519;
} med25519;
};
-~~~
-
-The following fields, which were previously an `AccountID` or
-`AccountID*`, are now a `MuxedAccount` or `MuxedAccount*`
-(respectively):
-
-* `PaymentOp::destination`
-* `PathPaymentStrictReceiveOp::destination`
-* `PathPaymentStrictSendOp::destination`
-* `Operation::sourceAccount`
-* `Operation::destination` (for `ACCOUNT_MERGE`)
-* `Transaction::sourceAccount`
-* `FeeBumpTransaction::feeSource`
-
-Note, however, that this must not be implemented before CAP-0015 or
-CAP-0019 (which updates the transaction format), as these other CAPs
-depend on all existing transactions starting with 4 zero bytes (which
-will no longer be the case when the transaction's `sourceAccount` is a
-`MuxedAccount`).
+```
+
+The following fields, which were previously an `AccountID` or `AccountID*`, are
+now a `MuxedAccount` or `MuxedAccount*` (respectively):
+
+- `PaymentOp::destination`
+- `PathPaymentStrictReceiveOp::destination`
+- `PathPaymentStrictSendOp::destination`
+- `Operation::sourceAccount`
+- `Operation::destination` (for `ACCOUNT_MERGE`)
+- `Transaction::sourceAccount`
+- `FeeBumpTransaction::feeSource`
+
+Note, however, that this must not be implemented before CAP-0015 or CAP-0019
+(which updates the transaction format), as these other CAPs depend on all
+existing transactions starting with 4 zero bytes (which will no longer be the
+case when the transaction's `sourceAccount` is a `MuxedAccount`).
## Design Rationale
-A previous ecosystem-only proposal had too many limitations, including
-the inability to send payments to several virtual accounts, the
-inability to specify virtual accounts as a source, and increased
-cognitive load for developers. The CAP approach seems cleaner, with
-very little added complexity in the server.
+A previous ecosystem-only proposal had too many limitations, including the
+inability to send payments to several virtual accounts, the inability to
+specify virtual accounts as a source, and increased cognitive load for
+developers. The CAP approach seems cleaner, with very little added complexity
+in the server.
-The particular set of fields promoted to `MuxedAccount` were chosen to
-avoid any changes to the database. Hence, assets and offers are still
-associated with an `AccountID` rather than a `MuxedAccount`.
+The particular set of fields promoted to `MuxedAccount` were chosen to avoid
+any changes to the database. Hence, assets and offers are still associated with
+an `AccountID` rather than a `MuxedAccount`.
-As for the strkey update, there were 3 unused bits at the bottom of
-each version byte that do not affect the first character, so we
-decided to reserve these to facilitate future crypto agility. A
-different letter was chosen for multiplexed accounts because these are
-not completely interchangable with traditional `AccountID` values.
-(For instance, a multiplexed account cannot issue assets, only the
-base account can do so.)
+As for the strkey update, there were 3 unused bits at the bottom of each
+version byte that do not affect the first character, so we decided to reserve
+these to facilitate future crypto agility. A different letter was chosen for
+multiplexed accounts because these are not completely interchangable with
+traditional `AccountID` values. (For instance, a multiplexed account cannot
+issue assets, only the base account can do so.)
## Backwards Incompatibilities
-All existing transactions will continue to be valid, but transactions
-with a `MuxedAccount` will not be parsable by old software. Hence,
-the best time to roll out this change will be at the same time as
-CAP-0015. Software that converts new-style transactions to old can
-also strip out the identifiers from `MuxedAccount` structures.
+All existing transactions will continue to be valid, but transactions with a
+`MuxedAccount` will not be parsable by old software. Hence, the best time to
+roll out this change will be at the same time as CAP-0015. Software that
+converts new-style transactions to old can also strip out the identifiers from
+`MuxedAccount` structures.
## Security Concerns
-Certain addresses that are identical may not look identical. This
-could confuse client software. For instance, sending an asset to a
-multiplexed account tied to the issuer will destroy the asset.
+Certain addresses that are identical may not look identical. This could confuse
+client software. For instance, sending an asset to a multiplexed account tied
+to the issuer will destroy the asset.
Code that uses a denylist to block specific accounts from receiving
-`AUTH\_REQUIRED` assets will need to ensure that multiplexed
-accounts cannot be used to bypass the denylist. This is not an
-issue for non-`AUTH\_REQUIRED` assets, as anyone can already evade
-such denylists by creating new accounts. There is no issue for
-allowlists, since failure to accommodate multiplexed accounts just
-prohibits people from using them, preserving the status quo ante.
-
-People commonly assume that base-32 decoding libraries will reject
-inputs with invalid lengths or invalid trailing bits, but this is
-often not the case, particularly when padding is disabled. If
-implementations forget to check this, they will parse invalid strkeys.
-This could lead to problems, particularly if strkeys are used as
-indexes in a hash table, where an attacker could create multiple
-entries for the same account.
+`AUTH\_REQUIRED` assets will need to ensure that multiplexed accounts cannot be
+used to bypass the denylist. This is not an issue for non-`AUTH\_REQUIRED`
+assets, as anyone can already evade such denylists by creating new accounts.
+There is no issue for allowlists, since failure to accommodate multiplexed
+accounts just prohibits people from using them, preserving the status quo ante.
+
+People commonly assume that base-32 decoding libraries will reject inputs with
+invalid lengths or invalid trailing bits, but this is often not the case,
+particularly when padding is disabled. If implementations forget to check this,
+they will parse invalid strkeys. This could lead to problems, particularly if
+strkeys are used as indexes in a hash table, where an attacker could create
+multiple entries for the same account.
## Implementation
-An implementation can be fetched to `FETCH_HEAD` with the following
-command:
+An implementation can be fetched to `FETCH_HEAD` with the following command:
```
git fetch git@github.com:xdrpp/stellar-core dm/muxacct
diff --git a/core/cap-0028.md b/core/cap-0028.md
index 85780aef7..a5e3da0ac 100644
--- a/core/cap-0028.md
+++ b/core/cap-0028.md
@@ -11,53 +11,113 @@ Protocol version: 13
```
## Simple Summary
-Pre-auth signers are only removed from the source account if signature verification on the transaction succeeds [during transaction application](#Caveat). The signer is left on the account otherwise. This proposal will remove the signer from the source account when the transaction is being applied, regardless of the outcome of that transaction.
+
+Pre-auth signers are only removed from the source account if signature
+verification on the transaction succeeds
+[during transaction application](#Caveat). The signer is left on the account
+otherwise. This proposal will remove the signer from the source account when
+the transaction is being applied, regardless of the outcome of that
+transaction.
## Motivation
-If the pre-auth transaction fails before signature verification succeeds, the pre-auth signer needs to be removed manually using the Set Options operation. The fee for that transaction will have already been consumed, so it should never be applied again. The pre-auth signer can never be used again due to this, so there's no reason to keep it around.
-CAP-0015 (Fee-Bump Transactions) also introduces behavior that can make it harder to clean up the obsolete pre-auth signers. If the outer fee bump transaction has an invalid signature, the inner transaction will still need to be applied. The pre-auth signer will not be removed due to the outer transaction failing, but the inner transaction can return `txSUCCESS`, so the account owner won't know to remove the signer.
+If the pre-auth transaction fails before signature verification succeeds, the
+pre-auth signer needs to be removed manually using the Set Options operation.
+The fee for that transaction will have already been consumed, so it should
+never be applied again. The pre-auth signer can never be used again due to
+this, so there's no reason to keep it around.
+
+CAP-0015 (Fee-Bump Transactions) also introduces behavior that can make it
+harder to clean up the obsolete pre-auth signers. If the outer fee bump
+transaction has an invalid signature, the inner transaction will still need to
+be applied. The pre-auth signer will not be removed due to the outer
+transaction failing, but the inner transaction can return `txSUCCESS`, so the
+account owner won't know to remove the signer.
### Goals Alignment
-The Stellar Network should facilitate simplicity and interoperability with other protocols and networks.
+
+The Stellar Network should facilitate simplicity and interoperability with
+other protocols and networks.
## Specification
-This proposal will add functionality to remove a pre-auth signer even if the signer has not been checked yet. A method will be added to `TransactionFrame` that will check every transaction and operation source account for the pre-auth signer, and remove it if found. This method will be called every time a transaction enters the **application stage** (even if the transaction fails for any reason).
+
+This proposal will add functionality to remove a pre-auth signer even if the
+signer has not been checked yet. A method will be added to `TransactionFrame`
+that will check every transaction and operation source account for the pre-auth
+signer, and remove it if found. This method will be called every time a
+transaction enters the **application stage** (even if the transaction fails for
+any reason).
### Caveat
-The existing functionality along with what's being added is only executed when the transaction is in the **application stage**. The application stage is where the transaction will be used to execute it's operations and modify the ledger. The transaction will not enter the application stage if it isn't accepted into the transaction set, which means the signatures on the source accounts of the transaction/operations won't be considered for removal. The transactions must have valid signatures and sequence number at the time of submission to be accepted into the transaction set. Here are some examples to make this clearer.
+
+The existing functionality along with what's being added is only executed when
+the transaction is in the **application stage**. The application stage is where
+the transaction will be used to execute it's operations and modify the ledger.
+The transaction will not enter the application stage if it isn't accepted into
+the transaction set, which means the signatures on the source accounts of the
+transaction/operations won't be considered for removal. The transactions must
+have valid signatures and sequence number at the time of submission to be
+accepted into the transaction set. Here are some examples to make this clearer.
#### An example of signer NOT being removed on sequence number failure
+
1. Source account `B` with a pre-auth signer is at sequence number `X`.
-2. A transaction that corresponds to the signer on `B` is submitted for source account `B` with sequence number `X`.
-3. This sequence number is invalid, so the transaction will not be included in the transaction set to be applied. The signer will not be removed.
+2. A transaction that corresponds to the signer on `B` is submitted for source
+ account `B` with sequence number `X`.
+3. This sequence number is invalid, so the transaction will not be included in
+ the transaction set to be applied. The signer will not be removed.
#### An example of signer being removed on sequence number failure
+
1. Source account `B` with a pre auth signer is at sequence number `X`.
-2. A transaction for source account B is submitted with sequence number `X + 1`, with a `BUMP_SEQUENCE` operation that sets the sequence number to `X + 2`. This transaction makes it into the transaction set. **It hasn't been applied yet.**
-3. A transaction that corresponds to the signer on `B` is submitted for source account `B` with sequence number `X + 2`. This transaction makes it into the transaction set because the sequence number is right.
-4. Transaction set is being applied. The first transaction with the `BUMP_SEQUENCE` operation is applied succesfully, which sets the sequence number of source account `B` to `X + 2`.
-5. Now the second transaction is being applied. The sequence number check on the transaction will fail because it is equivalent to the sequence number on the account (both are `X + 2`). The signer will be removed in this case.
+2. A transaction for source account B is submitted with sequence number
+ `X + 1`, with a `BUMP_SEQUENCE` operation that sets the sequence number to
+ `X + 2`. This transaction makes it into the transaction set. **It hasn't
+ been applied yet.**
+3. A transaction that corresponds to the signer on `B` is submitted for source
+ account `B` with sequence number `X + 2`. This transaction makes it into the
+ transaction set because the sequence number is right.
+4. Transaction set is being applied. The first transaction with the
+ `BUMP_SEQUENCE` operation is applied succesfully, which sets the sequence
+ number of source account `B` to `X + 2`.
+5. Now the second transaction is being applied. The sequence number check on
+ the transaction will fail because it is equivalent to the sequence number on
+ the account (both are `X + 2`). The signer will be removed in this case.
#### Removing signer on signature verification failure
-A similar scenario to the sequence number failure above can happen with a signature verification failure. To remove a signer on signature verification failure -
-1. Source account `B` has pre-auth signer with weight `1`. All thresholds on account are also set to `1`.
-2. A transaction set with two transactions for source account `B` are being applied.
- 1. Transaction #1 - `SET_OPTIONS` operation that sets all thresholds to some high value (say `255`)
- 2. Transaction #2 - Pre-auth transaction that corresponds to the signer that was added to `B`
-3. Transaction #2 will fail during application because the signer weight isn't high enough, and the pre-auth signer will be removed from account `B`.
+
+A similar scenario to the sequence number failure above can happen with a
+signature verification failure. To remove a signer on signature verification
+failure -
+
+1. Source account `B` has pre-auth signer with weight `1`. All thresholds on
+ account are also set to `1`.
+2. A transaction set with two transactions for source account `B` are being
+ applied.
+ 1. Transaction #1 - `SET_OPTIONS` operation that sets all thresholds to some
+ high value (say `255`)
+ 2. Transaction #2 - Pre-auth transaction that corresponds to the signer that
+ was added to `B`
+3. Transaction #2 will fail during application because the signer weight isn't
+ high enough, and the pre-auth signer will be removed from account `B`.
## Design Rationale
+
The proposed solution is simple and maintains backwards compatibility.
## Backwards Incompatibilities
+
None
## Security Concerns
-There are no security concerns here, as this is a small change that removes a signer from a source account.
+
+There are no security concerns here, as this is a small change that removes a
+signer from a source account.
## Test Cases
+
None yet
## Implementation
+
https://github.com/stellar/stellar-core/pull/2379
diff --git a/core/cap-0029.md b/core/cap-0029.md
index c2235314d..75769a81e 100644
--- a/core/cap-0029.md
+++ b/core/cap-0029.md
@@ -14,44 +14,85 @@ Protocol version: 16
```
## Simple Summary
+
This CAP addresses the following authorization semantics requirements:
-- An issuer should always be able to authorize a trustline regardless of any issuer flags.
-- An issuer should always be able to revoke a trustline for an asset that is set as revocable.
+
+- An issuer should always be able to authorize a trustline regardless of any
+ issuer flags.
+- An issuer should always be able to revoke a trustline for an asset that is
+ set as revocable.
## Working Group
-This protocol change was authored by Tomer Weller, with input from the consulted individuals
-mentioned at the top of this document.
+This protocol change was authored by Tomer Weller, with input from the
+consulted individuals mentioned at the top of this document.
## Motivation
-Trustline authorization is an important feature of the Stellar protocol. It allows issuers to handle various regulatory requirements. However, it's current behavior is not sensible with regards to configuration changes and revocable assets:
-- The authorize (`ALLOW_TRUST, Authorize=AUTHORIZED_FLAG`) operation fails if the issuer does not have any flags set, even when the trustline is unauthorized. This complicates asset configuration changes.
-- The revoke (`ALLOW_TRUST, Authorize=0` or `ALLOW_TRUST, Authorize=AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` when `AUTHORIZED_FLAG` is set) operation fails if the issuer does not have the `AUTH_REQUIRED` flag set. This defeats the purpose of having revocable assets that default to authorized trustlines ("Blacklist authorization").
+
+Trustline authorization is an important feature of the Stellar protocol. It
+allows issuers to handle various regulatory requirements. However, it's current
+behavior is not sensible with regards to configuration changes and revocable
+assets:
+
+- The authorize (`ALLOW_TRUST, Authorize=AUTHORIZED_FLAG`) operation fails if
+ the issuer does not have any flags set, even when the trustline is
+ unauthorized. This complicates asset configuration changes.
+- The revoke (`ALLOW_TRUST, Authorize=0` or
+ `ALLOW_TRUST, Authorize=AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` when
+ `AUTHORIZED_FLAG` is set) operation fails if the issuer does not have the
+ `AUTH_REQUIRED` flag set. This defeats the purpose of having revocable assets
+ that default to authorized trustlines ("Blacklist authorization").
### Goals Alignment
+
This CAP is aligned with the following Stellar Network Goals:
-- The Stellar Network should make it easy for developers of Stellar projects to create highly usable products
+- The Stellar Network should make it easy for developers of Stellar projects to
+ create highly usable products
## Specification
-This CAP introduces two changes to `ALLOW_TRUST` semantics:
-- Allow `ALLOW_TRUST` operations that upgrade authorization (`Authorize=AUTHORIZED_FLAG` or `Authorize=AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` when the trustline is unauthorized) to be performed regardless of any issuer account flags.
-- Allow `ALLOW_TRUST` revoke (`ALLOW_TRUST, Authorize=0` or `ALLOW_TRUST, Authorize=AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` when `AUTHORIZED_FLAG` is set) operations to be performed on trustlines to assets that have the `AUTH_REVOCABLE` flag set, **regardless of whether or not their `AUTH_REQUIRED` flag is set**.
+
+This CAP introduces two changes to `ALLOW_TRUST` semantics:
+
+- Allow `ALLOW_TRUST` operations that upgrade authorization
+ (`Authorize=AUTHORIZED_FLAG` or
+ `Authorize=AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` when the trustline is
+ unauthorized) to be performed regardless of any issuer account flags.
+- Allow `ALLOW_TRUST` revoke (`ALLOW_TRUST, Authorize=0` or
+ `ALLOW_TRUST, Authorize=AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` when
+ `AUTHORIZED_FLAG` is set) operations to be performed on trustlines to assets
+ that have the `AUTH_REVOCABLE` flag set, **regardless of whether or not their
+ `AUTH_REQUIRED` flag is set**.
## Backwards Incompatibilities
-This change is backward compatible for sensible consumers. It is not backward compatible for consumers that rely on the above operations failing and returning the `ALLOW_TRUST_TRUST_NOT_REQUIRED` result code.
-## Design Rationale
+This change is backward compatible for sensible consumers. It is not backward
+compatible for consumers that rely on the above operations failing and
+returning the `ALLOW_TRUST_TRUST_NOT_REQUIRED` result code.
-[CAP-0035](https://github.com/stellar/stellar-protocol/blob/master/core/cap-0035.md) introduces the `SET_TRUST_LINE_FLAGS` operation, which provides a better way to interface with the trustline flags. This operation will allow the authorization transitions specified in this CAP that currently return `ALLOW_TRUST_TRUST_NOT_REQUIRED`. While we could just leave `ALLOW_TRUST` the way it is and use `SET_TRUST_LINE_FLAGS` to get the desired behavior, making sure the possible authorization transitions are the same between operations would make it easier for the ecosystem to continue using `ALLOW_TRUST`. They can choose which operation to use, instead of being forced to switch. Keeping the logic the same will also make it easier for everyone to reason about the possible authorization transitions.
+## Design Rationale
+[CAP-0035](https://github.com/stellar/stellar-protocol/blob/master/core/cap-0035.md)
+introduces the `SET_TRUST_LINE_FLAGS` operation, which provides a better way to
+interface with the trustline flags. This operation will allow the authorization
+transitions specified in this CAP that currently return
+`ALLOW_TRUST_TRUST_NOT_REQUIRED`. While we could just leave `ALLOW_TRUST` the
+way it is and use `SET_TRUST_LINE_FLAGS` to get the desired behavior, making
+sure the possible authorization transitions are the same between operations
+would make it easier for the ecosystem to continue using `ALLOW_TRUST`. They
+can choose which operation to use, instead of being forced to switch. Keeping
+the logic the same will also make it easier for everyone to reason about the
+possible authorization transitions.
## Security Concerns
-There are no security concerns here. This CAP just allows the issuer to perform more sensible authorization transitions for trustlines.
+There are no security concerns here. This CAP just allows the issuer to perform
+more sensible authorization transitions for trustlines.
## Test Cases
+
//TBD
## Implementation
+
https://github.com/stellar/stellar-core/pull/2988
diff --git a/core/cap-0030.md b/core/cap-0030.md
index e6eb8c374..442be63f3 100644
--- a/core/cap-0030.md
+++ b/core/cap-0030.md
@@ -11,29 +11,60 @@ Protocol version: 13
```
## Simple Summary
-There are operations that unnecessarily load the issuer, and return an error result if the issuer of an asset was not found. These errors are not necessary, and this proposal aims to remove them.
+
+There are operations that unnecessarily load the issuer, and return an error
+result if the issuer of an asset was not found. These errors are not necessary,
+and this proposal aims to remove them.
## Motivation
-The following operation results indicate that an operation failed because the issuer of an asset does not exist: `PAYMENT_NO_ISSUER`, `PATH_PAYMENT_STRICT_RECEIVE_NO_ISSUER`, `PATH_PAYMENT_STRICT_SEND_NO_ISSUER`, `MANAGE_SELL_OFFER_SELL_NO_ISSUER`, `MANAGE_SELL_OFFER_BUY_NO_ISSUER`, `MANAGE_BUY_OFFER_SELL_NO_ISSUER`, `MANAGE_BUY_OFFER_BUY_NO_ISSUER`, and `CHANGE_TRUST_NO_ISSUER`. Each of the operations that can produce these results other than `ChangeTrustOp` does not otherwise depend on the existence of the issuer. The issuer is only required when creating a trustline with `ChangeTrustOp`. Removing the issuer check from all other operations will standardize the protocol on not requiring the issuer outside of this one case.
-Removing the issuer from the operations that produce the `*_NO_ISSUER` results will also prevent `stellar-core` developers from using the `AUTH_REQUIRED` flag incorrectly. If `AUTH_REQUIRED` is not set on the issuer, then the `TrustLine` will be authorized on it's creation. The name `AUTH_REQUIRED`, however, implies that the flag determines if authorization should be checked, which is not the actual logic.
+The following operation results indicate that an operation failed because the
+issuer of an asset does not exist: `PAYMENT_NO_ISSUER`,
+`PATH_PAYMENT_STRICT_RECEIVE_NO_ISSUER`, `PATH_PAYMENT_STRICT_SEND_NO_ISSUER`,
+`MANAGE_SELL_OFFER_SELL_NO_ISSUER`, `MANAGE_SELL_OFFER_BUY_NO_ISSUER`,
+`MANAGE_BUY_OFFER_SELL_NO_ISSUER`, `MANAGE_BUY_OFFER_BUY_NO_ISSUER`, and
+`CHANGE_TRUST_NO_ISSUER`. Each of the operations that can produce these results
+other than `ChangeTrustOp` does not otherwise depend on the existence of the
+issuer. The issuer is only required when creating a trustline with
+`ChangeTrustOp`. Removing the issuer check from all other operations will
+standardize the protocol on not requiring the issuer outside of this one case.
+
+Removing the issuer from the operations that produce the `*_NO_ISSUER` results
+will also prevent `stellar-core` developers from using the `AUTH_REQUIRED` flag
+incorrectly. If `AUTH_REQUIRED` is not set on the issuer, then the `TrustLine`
+will be authorized on it's creation. The name `AUTH_REQUIRED`, however, implies
+that the flag determines if authorization should be checked, which is not the
+actual logic.
-This proposal will also make the CAP-0023 (Two-Part Payments) implementation simpler because we won't need to return the `*_NO_ISSUER` results there to maintain consistency.
+This proposal will also make the CAP-0023 (Two-Part Payments) implementation
+simpler because we won't need to return the `*_NO_ISSUER` results there to
+maintain consistency.
### Goals Alignment
-The Stellar Network should facilitate simplicity and interoperability with other protocols and networks.
+
+The Stellar Network should facilitate simplicity and interoperability with
+other protocols and networks.
## Specification
-For every operation that can return a `*_NO_ISSUER` result except `ChangeTrustOp`, don't load the issuer or return the `*_NO_ISSUER` result.
+
+For every operation that can return a `*_NO_ISSUER` result except
+`ChangeTrustOp`, don't load the issuer or return the `*_NO_ISSUER` result.
## Backwards Incompatibilities
-The `*_NO_ISSUER` results will no longer be returned for the affected operations, so anyone relying on these results will need to modify their behavior. These error results aren't meaningful anyways because anyone can create the issuer account to bypass the issuer check.
+
+The `*_NO_ISSUER` results will no longer be returned for the affected
+operations, so anyone relying on these results will need to modify their
+behavior. These error results aren't meaningful anyways because anyone can
+create the issuer account to bypass the issuer check.
## Security Concerns
+
None
## Test Cases
+
None yet
## Implementation
+
https://github.com/stellar/stellar-core/pull/2389
diff --git a/core/cap-0031.md b/core/cap-0031.md
index f0acb7036..5406c2d07 100644
--- a/core/cap-0031.md
+++ b/core/cap-0031.md
@@ -11,9 +11,11 @@ Protocol version: TBD
```
## Simple Summary
+
This proposal makes it possible to pay reserves for another account.
## Motivation
+
This proposal seeks to solve the following problem: an entity should be able to
provide the reserve for accounts controlled by other parties without giving
those parties control of the reserve.
@@ -30,32 +32,36 @@ the trust line and merging the account.
This proposal is in many ways analogous to CAP-0015:
- CAP-0015 makes it possible to pay transaction fees for other accounts without
-giving control of the underlying funds
+ giving control of the underlying funds
- CAP-0031 makes it possible to pay reserves for other accounts without giving
-control of the underlying funds
+ control of the underlying funds
-The combination of these two proposals should greatly facilitate the development
-of non-custodial uses of the Stellar Network.
+The combination of these two proposals should greatly facilitate the
+development of non-custodial uses of the Stellar Network.
### Goals Alignment
+
This proposal is aligned with the following Stellar Network Goal:
- The Stellar Network should make it easy for developers of Stellar projects to
create highly usable products.
## Abstract
+
We introduce `SponsorshipEntry` as a new type of `LedgerEntry` which represents
an offer to pay the reserve for a `LedgerEntry` described by `descriptor`. The
-operation `CreateSponsorshipOp` makes it possible to create a `SponsorshipEntry`
-whereas the operation `RemoveSponsorshipOp` makes it possible to remove a
-`SponsorshipEntry`. These operations are the only ways in which a
-`SponsorshipEntry` can be created or removed, and they are otherwise immutable.
+operation `CreateSponsorshipOp` makes it possible to create a
+`SponsorshipEntry` whereas the operation `RemoveSponsorshipOp` makes it
+possible to remove a `SponsorshipEntry`. These operations are the only ways in
+which a `SponsorshipEntry` can be created or removed, and they are otherwise
+immutable.
## Specification
### XDR
#### AccountEntry
+
```c++
struct AccountEntry
{
@@ -85,6 +91,7 @@ struct AccountEntry
```
#### SponsorshipEntry
+
```c++
struct LedgerEntryType
{
@@ -215,6 +222,7 @@ case SPONSORSHIP:
```
#### Operations
+
```c++
enum OperationType
{
@@ -256,6 +264,7 @@ struct Operation
```
#### Operation Results
+
```c++
enum CreateSponsorshipResultCode
{
@@ -311,38 +320,41 @@ struct OperationResult
### Semantics
#### Available Balance and Limit of Native Asset
+
This proposal changes the definition of available balance of native asset to:
`balance - (2 + numSubEntries - sponsoredReserves) * baseReserve`. The
definition of available limit of native asset is unchanged, and remains
`INT64_MAX - balance`.
#### CreateSponsorshipOp
-A `SponsorshipEntry` can only be created by the `CreateSponsorshipOp` operation.
-`CreateSponsorshipOp` is invalid with `CREATE_SPONSORSHIP_MALFORMED` if
+
+A `SponsorshipEntry` can only be created by the `CreateSponsorshipOp`
+operation. `CreateSponsorshipOp` is invalid with `CREATE_SPONSORSHIP_MALFORMED`
+if
- `descriptor.type() == TRUSTLINE` and any of
- - `descriptor.trustLine().asset` is of type `ASSET_TYPE_NATIVE`
- - `descriptor.trustLine().asset` is invalid
+ - `descriptor.trustLine().asset` is of type `ASSET_TYPE_NATIVE`
+ - `descriptor.trustLine().asset` is invalid
- `descriptor.type() == OFFER` and any of
- - `descriptor.offer().buying` is invalid
- - `descriptor.offer().selling` is invalid
- - `descriptor.offer().buying == descriptor.offer().selling`
+ - `descriptor.offer().buying` is invalid
+ - `descriptor.offer().selling` is invalid
+ - `descriptor.offer().buying == descriptor.offer().selling`
- `descriptor.type() == DATA` and
- - `descriptor.data().dataName` is empty or invalid
+ - `descriptor.data().dataName` is empty or invalid
The behavior of `CreateSponsorshipOp` is as follows:
1. Calculate `Multiplier` as
- - 3 if `descriptor.type() == ACCOUNT`
- - 2 otherwise
+ - 3 if `descriptor.type() == ACCOUNT`
+ - 2 otherwise
2. Fail with `CREATE_SPONSORSHIP_LOW_RESERVE` if the `sourceAccount` does not
have at least `Multiplier * baseReserve` available balance of native asset
3. Deduct `Multiplier * baseReserve` of native asset from `sourceAccount`
4. Create a `SponsorshipEntry` as `sponsorship` with the following properties:
- - `sponsorship.createdBy = sourceAccount`
- - `sponsorship.sponsorshipID` as the next available
- - `sponsorship.descriptor = descriptor`
- - `sponsorship.reserve = Multiplier * baseReserve`
+ - `sponsorship.createdBy = sourceAccount`
+ - `sponsorship.sponsorshipID` as the next available
+ - `sponsorship.descriptor = descriptor`
+ - `sponsorship.reserve = Multiplier * baseReserve`
5. Count the number of existing `LedgerEntry` described by `descriptor` as
`Sponsorable`
6. Count the number of existing `SponsorshipEntry` with
@@ -350,11 +362,11 @@ The behavior of `CreateSponsorshipOp` is as follows:
`sponsorshipID < sponsorship.sponsorshipID` as `Sponsors`
7. Succeed with `CREATE_SPONSORSHIP_SUCCESS` if `Sponsors >= Sponsorable`
8. Let `SponsoredAccount` be
- - `descriptor.account().accountID` if `descriptor.type() == ACCOUNT`
- - `descriptor.signer().accountID` if `descriptor.type() == SIGNER`
- - `descriptor.trustLine().accountID` if `descriptor.type() == TRUSTLINE`
- - `descriptor.offer().sellerID` if `descriptor.type() == OFFER`
- - `descriptor.data().accountID` if `descriptor.type() == DATA`
+ - `descriptor.account().accountID` if `descriptor.type() == ACCOUNT`
+ - `descriptor.signer().accountID` if `descriptor.type() == SIGNER`
+ - `descriptor.trustLine().accountID` if `descriptor.type() == TRUSTLINE`
+ - `descriptor.offer().sellerID` if `descriptor.type() == OFFER`
+ - `descriptor.data().accountID` if `descriptor.type() == DATA`
9. Succeed with `CREATE_SPONSORSHIP_SUCCESS` if `SponsoredAccount` does not
exist
10. Load `SponsoredAccount` and increment `SponsoredAccount.sponsoredReserves`
@@ -365,8 +377,10 @@ The behavior of `CreateSponsorshipOp` is as follows:
funds.
#### RemoveSponsorshipOp
-A `SponsorshipEntry` can only be removed by the `RemoveSponsorshipOp` operation.
-`RemoveSponsorshipOp` is invalid with `REMOVE_SPONSORSHIP_MALFORMED` if
+
+A `SponsorshipEntry` can only be removed by the `RemoveSponsorshipOp`
+operation. `RemoveSponsorshipOp` is invalid with `REMOVE_SPONSORSHIP_MALFORMED`
+if
- `sponsorshipID <= 0`
@@ -377,28 +391,30 @@ The behavior of `RemoveSponsorshipOp` is as follows:
2. Load the `SponsorshipEntry` as `sponsorship`
3. Fail with `REMOVE_SPONSORSHIP_NOT_CREATOR` if
`sponsorship.createdBy != sourceAccount`
-3. Count the number of existing `LedgerEntry` described by `descriptor` as
+4. Count the number of existing `LedgerEntry` described by `descriptor` as
`Sponsorable`
-4. Count the number of existing `SponsorshipEntry` with
+5. Count the number of existing `SponsorshipEntry` with
`descriptor = sponsorship.descriptor` and
`sponsorshipID < sponsorship.sponsorshipID` as `Sponsors`
-5. Fail with `REMOVE_SPONSORSHIP_IN_USE` if `Sponsorable > Sponsors`
-6. Fail with `REMOVE_SPONSORSHIP_LINE_FULL` if the `sourceAccount` does not have
- `reserve` available limit of native asset
-7. Add `reserve` of native asset to `sourceAccount`
-8. Remove `sponsorship`
-9. Succeed with `REMOVE_SPONSORSHIP_SUCCESS`
+6. Fail with `REMOVE_SPONSORSHIP_IN_USE` if `Sponsorable > Sponsors`
+7. Fail with `REMOVE_SPONSORSHIP_LINE_FULL` if the `sourceAccount` does not
+ have `reserve` available limit of native asset
+8. Add `reserve` of native asset to `sourceAccount`
+9. Remove `sponsorship`
+10. Succeed with `REMOVE_SPONSORSHIP_SUCCESS`
`RemoveSponsorshipOp` requires medium threshold because it is related to
`CreateSponsorshipOp`.
#### CreateAccountOp
+
We now return `CREATE_ACCOUNT_LOW_RESERVE` conditionally
1. ...
2. Skip to step 4 if a `SponsorshipEntry` with `descriptor.type() == ACCOUNT`
and `descriptor.account().accountID = destination` exists
-3. Fail with `CREATE_ACCOUNT_LOW_RESERVE` if `startingBalance < 2 * baseReserve`
+3. Fail with `CREATE_ACCOUNT_LOW_RESERVE` if
+ `startingBalance < 2 * baseReserve`
4. ...
When creating the account, we now
@@ -410,12 +426,13 @@ When creating the account, we now
3. ...
#### SetOptionsOp
+
We now return `SET_OPTIONS_LOW_RESERVE` conditionally
1. ...
2. Count the number of signers on `sourceAccount` as `Signers`
-3. Count the number of `SponsorshipEntry` with `descriptor.type() == SIGNER` and
- `descriptor.signer().accountID = sourceAccount` as `Sponsors`
+3. Count the number of `SponsorshipEntry` with `descriptor.type() == SIGNER`
+ and `descriptor.signer().accountID = sourceAccount` as `Sponsors`
4. Skip to step 7 if `Signers >= Sponsors`
5. Increment `sourceAccount.sponsoredReserves`
6. Skip to step 8
@@ -428,28 +445,31 @@ When deleting a signer, we now
1. ...
2. Count the number of signers on `sourceAccount` as `Signers`
-3. Count the number of `SponsorshipEntry` with `descriptor.type() == SIGNER` and
- `descriptor.signer().accountID = sourceAccount` as `Sponsors`
+3. Count the number of `SponsorshipEntry` with `descriptor.type() == SIGNER`
+ and `descriptor.signer().accountID = sourceAccount` as `Sponsors`
4. Decrement `sourceAccount.sponsoredReserves` if `Signers <= Sponsors`
5. Decrement `sourceAccount.numSubEntries`
6. ...
#### Removing Used One-Time Signers
+
When deleting a signer, we now
1. ...
2. Count the number of signers on `sourceAccount` as `Signers`
-3. Count the number of `SponsorshipEntry` with `descriptor.type() == SIGNER` and
- `descriptor.signer().accountID = sourceAccount` as `Sponsors`
+3. Count the number of `SponsorshipEntry` with `descriptor.type() == SIGNER`
+ and `descriptor.signer().accountID = sourceAccount` as `Sponsors`
4. Decrement `sourceAccount.sponsoredReserves` if `Signers <= Sponsors`
5. Decrement `sourceAccount.numSubEntries`
6. ...
#### ChangeTrustOp
+
We now return `CHANGE_TRUST_LOW_RESERVE` conditionally
1. ...
-2. Skip to step 5 if a `SponsorshipEntry` with `descriptor.type() == TRUSTLINE`,
+2. Skip to step 5 if a `SponsorshipEntry` with
+ `descriptor.type() == TRUSTLINE`,
`descriptor.trustLine().accountID = sourceAccount`, and
`descriptor.trustLine().asset = asset` does not exist
3. Increment `sourceAccount.sponsoredReserves`
@@ -470,26 +490,28 @@ When deleting a trust line, we now
4. ...
#### AllowTrustOp
+
When deleting offers after revoking authorization, we now
1. ...
-2. For each asset pair `(Buying, Selling)` of an offer that was deleted
- a. Count the number of offers that were deleted as `OffersDeleted`
- b. Count the number of `SponsorshipEntry` with `descriptor.type() == OFFER`,
- `descriptor.offer().sellerID = trustor`,
- `descriptor.offer().buying = Buying`, and
- `descriptor.offer().selling = Selling` as `Sponsors`
- c. Decrement `trustor.sponsoredReserves` by `min(OffersDeleted, Sponsors)`
- d. Decrement `trustor.numSubEntries` by `OffersDeleted`
-5. ...
+2. For each asset pair `(Buying, Selling)` of an offer that was deleted a.
+ Count the number of offers that were deleted as `OffersDeleted` b. Count the
+ number of `SponsorshipEntry` with `descriptor.type() == OFFER`,
+ `descriptor.offer().sellerID = trustor`,
+ `descriptor.offer().buying = Buying`, and
+ `descriptor.offer().selling = Selling` as `Sponsors` c. Decrement
+ `trustor.sponsoredReserves` by `min(OffersDeleted, Sponsors)` d. Decrement
+ `trustor.numSubEntries` by `OffersDeleted`
+3. ...
#### ManageSellOfferOp, ManageBuyOfferOp, and CreatePassiveSellOfferOp
+
When releasing liabilities before modifying an existing offer with asset pair
`(Buying, Selling)`, we now
1. ...
-2. Count the number of offers with `sellerID = sourceAccount`, `buying = Buying`,
- and `selling = Selling` as `Sponsorable`
+2. Count the number of offers with `sellerID = sourceAccount`,
+ `buying = Buying`, and `selling = Selling` as `Sponsorable`
3. Count the number of `SponsorshipEntry` with `descriptor.type() == OFFER`,
`descriptor.offer().sellerID = sourceAccount`,
`descriptor.offer().buying = Buying`, and
@@ -499,12 +521,12 @@ When releasing liabilities before modifying an existing offer with asset pair
6. ...
When computing the amount of `Buying` that can be bought and the amount of
-`Selling` that can be sold (with `Buying` and `Selling` not necessarily equal to
-the above), we now
+`Selling` that can be sold (with `Buying` and `Selling` not necessarily equal
+to the above), we now
1. ...
-2. Count the number of offers with `sellerID = sourceAccount`, `buying = Buying`,
- and `selling = Selling` as `Sponsorable`
+2. Count the number of offers with `sellerID = sourceAccount`,
+ `buying = Buying`, and `selling = Selling` as `Sponsorable`
3. Count the number of `SponsorshipEntry` with `descriptor.type() == OFFER`,
`descriptor.offer().sellerID = sourceAccount`,
`descriptor.offer().buying = Buying`, and
@@ -531,10 +553,11 @@ adjusted to 0, we now
6. ...
When creating the offer, we now follow the same process as for computing the
-amount that can be bought and sold. Note that the failure in step 6 should never
-happen in this case.
+amount that can be bought and sold. Note that the failure in step 6 should
+never happen in this case.
#### PathPaymentStrictSend and PathPaymentStrictReceive
+
When erasing an offer that was either taken entirely or partially taken and
adjusted to 0, we now
@@ -550,6 +573,7 @@ adjusted to 0, we now
6. ...
#### Increasing the Base Reserve
+
When preparing to update offers, the balance above reserve should be calculated
as `balance - (2 + numSubEntries - sponsoredReserves) * baseReserve`.
@@ -567,6 +591,7 @@ When erasing an offer or adjusting an offer to 0, we now
6. ...
#### ManageDataOp
+
We now return `MANAGE_DATA_LOW_RESERVE` conditionally
1. ...
@@ -592,6 +617,7 @@ When deleting data, we now
## Design Rationale
### How are sponsorship entries paired with the ledger entries they sponsor?
+
Sponsorship entries are paired with the ledger entries they sponsor implicitly.
Sponsorship entries do not record what ledger entry they are currently
sponsoring, nor do ledger entries record what sponsorship entry is currently
@@ -620,6 +646,7 @@ created, this is equivalent to the `N` oldest sponsorship entries that still
exist.
### Why do sponsorship entries sponsor reserve for only a single ledger entry?
+
It is reasonable to think that a single sponsorship entry might be able to
sponsor reserves for multiple ledger entries, such as a single sponsorship
entry sponsoring up to 5 signers. In fact, the earliest drafts of this proposal
@@ -635,38 +662,42 @@ sponsorship entry can actually sponsor reserves for multiple ledger entries.
This led conceptually to two categories of sponsorship entries, which increased
the complexity of both the mental model and the implementation.
-Second, it led to the introduction of a `ManageSponsorshipOp` operation
-that was able to modify the number of reserves that a given sponsorship entry
-could sponsor. This was required because it is not permitted to delete a
-sponsorship entry that is providing reserves, so without the operation a
-sponsorship entry that was configured to provide 10 reserves but was actually
-only providing 1 could not be modified to release the other 9 reserves. The
-semantics of this operation were quite complex, since it contained aspects of
-both `CreateSponsorshipOp` and `RemoveSponsorshipOp`.
+Second, it led to the introduction of a `ManageSponsorshipOp` operation that
+was able to modify the number of reserves that a given sponsorship entry could
+sponsor. This was required because it is not permitted to delete a sponsorship
+entry that is providing reserves, so without the operation a sponsorship entry
+that was configured to provide 10 reserves but was actually only providing 1
+could not be modified to release the other 9 reserves. The semantics of this
+operation were quite complex, since it contained aspects of both
+`CreateSponsorshipOp` and `RemoveSponsorshipOp`.
### Sponsorship entries always provide a full reserve
+
Suppose there exists an entity that creates accounts and trust lines for its
-clients, using sponsorship entry to retain control of the reserve. At some point
-in the future, the base reserve is increased. If the sponsorship entry provided
-an actual amount of reserve based on the base reserve when it was created,
-rather than a full reserve unconditionally, then the entity would now need to
-increase the sponsorship for every client. For a large entity, this could be
-many thousands of sponsorships to manage which would take time. In the interim,
-their service would be degraded and the user experience for their clients
-greatly harmed. The solution in this proposal avoids this issue entirely.
+clients, using sponsorship entry to retain control of the reserve. At some
+point in the future, the base reserve is increased. If the sponsorship entry
+provided an actual amount of reserve based on the base reserve when it was
+created, rather than a full reserve unconditionally, then the entity would now
+need to increase the sponsorship for every client. For a large entity, this
+could be many thousands of sponsorships to manage which would take time. In the
+interim, their service would be degraded and the user experience for their
+clients greatly harmed. The solution in this proposal avoids this issue
+entirely.
### Accounts record the total number of sponsored reserves
+
Theoretically, it is not necessary for accounts to record the total number of
sponsored reserves. The data is purely derived and can always be calculated at
any time. That being said, calculating it on demand is not particularly easy
-because it requires iterating over all of the sub-entries of the account.
-It is therefore likely that any performant implementation would store this data
+because it requires iterating over all of the sub-entries of the account. It is
+therefore likely that any performant implementation would store this data
either persistently or in a large-scale cache. But if the data is going to be
stored anyway, then it might as well be recorded in the ledger where it can be
utilized by downstream systems. Exactly the same arguments apply, for example,
to liabilities and `numSubEntries`.
## Backwards Incompatibilities
+
All downstream systems will need updated XDR in order to recognize the new
operations and ledger entries.
@@ -675,10 +706,13 @@ potentially calculate a value that is too high. While inconvenient, this should
not cause any systems to fail.
## Security Concerns
+
None.
## Test Cases
+
None yet.
## Implementation
+
None yet.
diff --git a/core/cap-0032.md b/core/cap-0032.md
index 859dca62c..d9e42f137 100644
--- a/core/cap-0032.md
+++ b/core/cap-0032.md
@@ -11,9 +11,11 @@ Protocol version: TBD
```
## Simple Summary
+
This proposal makes it possible to authorize a trust line before it is created.
## Motivation
+
This proposal seeks to solve the following problem: an issuer should be able to
authorize a trust line without waiting for the trust line to be created.
@@ -22,10 +24,11 @@ an account that does not have a trust line for the asset. With the current
version of the protocol, the issuer will need to wait until the account has
created a trust line before authorizing the trust line. This presents friction
to the issuer, which must now employ additional machinery to either monitor the
-ledger or use pre-signed/pre-authorized transactions. In either case, complexity
-is increased for an operation fundamental to the network.
+ledger or use pre-signed/pre-authorized transactions. In either case,
+complexity is increased for an operation fundamental to the network.
### Goals Alignment
+
This proposal is aligned with several Stellar Network Goals, among them:
- The Stellar Network should make it easy for developers of Stellar projects to
@@ -33,25 +36,27 @@ This proposal is aligned with several Stellar Network Goals, among them:
- The Stellar Network should enable cross-border payments, i.e. payments via
exchange of assets, throughout the globe, enabling users to make payments
between assets in a manner that is fast, cheap, and highly usable.
- - In support of this, the Stellar Network should enable asset issuance, but
- as a means of enabling cross-border payments.
+ - In support of this, the Stellar Network should enable asset issuance, but
+ as a means of enabling cross-border payments.
## Abstract
+
We introduce `PreauthorizationEntry` as a new type of `LedgerEntry` which
represents authorization to hold an asset, potentially before the corresponding
trust line has been created. The operation `CreatePreauthorizationOp` makes it
possible to create a `PreauthorizationEntry` whereas the operation
-`RemovePreauthorizationOp` makes it possible to remove a `PreauthorizationEntry`.
-When creating a trust line with `ChangeTrustOp`, the `flags` will now be set
-from a corresponding `PreauthorizationEntry` if it exists. `AllowTrustOp` will
-also be updated to modify just a trust line, just a `PreauthorizationEntry`, or
-both depending on which exist.
+`RemovePreauthorizationOp` makes it possible to remove a
+`PreauthorizationEntry`. When creating a trust line with `ChangeTrustOp`, the
+`flags` will now be set from a corresponding `PreauthorizationEntry` if it
+exists. `AllowTrustOp` will also be updated to modify just a trust line, just a
+`PreauthorizationEntry`, or both depending on which exist.
## Specification
### XDR
#### Refactor AllowTrustOp
+
```c++
union NonNativeAssetCode switch (AssetType type)
{
@@ -74,6 +79,7 @@ struct AllowTrustOp
```
#### PreauthorizationEntry
+
```c++
enum LedgerEntryType
{
@@ -139,6 +145,7 @@ case PREAUTHORIZATION:
```
#### Operations
+
```c++
enum OperationType
{
@@ -186,6 +193,7 @@ struct Operation
```
#### Operation Results
+
```c++
enum CreatePreauthorizationResultCode
{
@@ -240,6 +248,7 @@ struct OperationResult
### Semantics
#### CreatePreauthorizationOp
+
A `PreauthorizationEntry` can only be created by the `CreatePreauthorizationOp`
operation. `CreatePreauthorizationOp` is invalid with
`CREATE_PREAUTHORIZATION_MALFORMED` if `asset` is invalid.
@@ -254,10 +263,10 @@ The behavior of `CreatePreauthorizationOp` is as follows:
3. Deduct `baseReserve` of native asset from `sourceAccount`
4. Create a `PreauthorizationEntry` as `preauthorization` with the following
properties:
- - `preauthorization.accountID = accountID`
- - `preauthorization.asset = asset`
- - `preauthorization.flags = 0` if `sourceAccount.flags & AUTH_REQUIRED_FLAG`
- and `preauthorization.flags = AUTHORIZED_FLAG` otherwise
+ - `preauthorization.accountID = accountID`
+ - `preauthorization.asset = asset`
+ - `preauthorization.flags = 0` if `sourceAccount.flags & AUTH_REQUIRED_FLAG`
+ and `preauthorization.flags = AUTHORIZED_FLAG` otherwise
5. If a trust line `tl` with the specified `accountID` and `asset` exists, then
set `preauthorization.flags = tl.flags`
6. Succeed with `CREATE_PREAUTHORIZATION_SUCCESS`
@@ -266,6 +275,7 @@ The behavior of `CreatePreauthorizationOp` is as follows:
send funds.
#### RemovePreauthorizationOp
+
A `PreauthorizationEntry` can only be removed by the `RemovePreauthorizationOp`
operation. `RemovePreauthorizationOp` is invalid with
`REMOVE_PREAUTHORIZATION_MALFORMED` if `asset` is invalid.
@@ -274,8 +284,8 @@ The behavior of `RemovePreauthorizationOp` is as follows:
1. Fail with `REMOVE_PREAUTHORIZATION_DOES_NOT_EXIST` if there does not exist a
`PreauthorizationEntry` with the specified `accountID` and `asset`
-2. Fail with `REMOVE_PREAUTHORIZATION_LINE_FULL` if the `sourceAccount` does not
- have at least `reserve` available limit of native asset
+2. Fail with `REMOVE_PREAUTHORIZATION_LINE_FULL` if the `sourceAccount` does
+ not have at least `reserve` available limit of native asset
3. Add `reserve` of native asset to `sourceAccount`
4. Remove the specified `PreauthorizationEntry`
5. Succeed with `REMOVE_PREAUTHORIZATION_SUCCESS`
@@ -284,6 +294,7 @@ The behavior of `RemovePreauthorizationOp` is as follows:
send funds.
#### ChangeTrustOp
+
The behavior of `ChangeTrustOp` is unchanged except when creating a trust line.
In this case, we add one additional step immediately before success:
@@ -293,6 +304,7 @@ In this case, we add one additional step immediately before success:
3. Succeed with `CHANGE_TRUST_SUCCESS`
#### AllowTrustOp
+
The behavior of `AllowTrustOp` must be modified to maintain the invariant that
a trust line and a preauthorization entry for the same `accountID` and `asset`
must have the same `flags`.
@@ -306,8 +318,8 @@ and preauthorization entry do not exist:
3. Fail with `ALLOW_TRUST_NO_TRUST_LINE` if neither exists
4. ...
-Second, immediately before success we must set the `flags` on the trust line and
-the preauthorization entry if they exist:
+Second, immediately before success we must set the `flags` on the trust line
+and the preauthorization entry if they exist:
1. ...
2. If the trust line exists with the `sourceAccount` and specified `asset`
@@ -319,32 +331,39 @@ the preauthorization entry if they exist:
## Design Rationale
### PreauthorizationEntry is not a sub-entry
+
Each `PreauthorizationEntry` exists as an independent entity on the ledger. It
is clear that a `PreauthorizationEntry` cannot be a sub-entry of `accountID`,
-because it is a security risk for accounts to be able to add
-sub-entries to other accounts. But why should these entries be independent
-entities on the ledger rather than sub-entries of the accounts that created
-them? The main benefit of this design is that issuers are not limited in the
-number of preauthorization entries they can create.
+because it is a security risk for accounts to be able to add sub-entries to
+other accounts. But why should these entries be independent entities on the
+ledger rather than sub-entries of the accounts that created them? The main
+benefit of this design is that issuers are not limited in the number of
+preauthorization entries they can create.
### TrustLines and Preauthorizations Can Exist Simultaneously
+
This proposal makes it possible for a trust line and a preauthorization entry
with the same `accountID` and `asset` to exist simultaneously. We avoid any
ambiguity in the authorization state by guaranteeing that if both do exist
-simultaneously, then they must have the same `flags`. It is possible to maintain
-this property because there is at most one trust line and one preauthorization
-entry for a given `accountID` and `asset`.
+simultaneously, then they must have the same `flags`. It is possible to
+maintain this property because there is at most one trust line and one
+preauthorization entry for a given `accountID` and `asset`.
## Backwards Incompatibilities
+
All downstream systems will need updated XDR in order to recognize the new
operations and ledger entries.
## Security Concerns
-This proposal will slightly reduce the efficacy of base reserve changes, because
-a `PreauthorizationEntry` that has insufficient reserve is still usable.
+
+This proposal will slightly reduce the efficacy of base reserve changes,
+because a `PreauthorizationEntry` that has insufficient reserve is still
+usable.
## Test Cases
+
None yet.
## Implementation
+
None yet.
diff --git a/core/cap-0033.md b/core/cap-0033.md
index f83d53e3e..87005b73a 100644
--- a/core/cap-0033.md
+++ b/core/cap-0033.md
@@ -12,9 +12,11 @@ Protocol version: 14/15
```
## Simple Summary
+
This proposal makes it possible to pay reserves for another account.
## Motivation
+
This proposal seeks to solve the following problem: an entity should be able to
provide the reserve for accounts controlled by other parties without giving
those parties control of the reserve.
@@ -31,39 +33,43 @@ the trust line and merging the account.
This proposal is in many ways analogous to CAP-0015:
- CAP-0015 makes it possible to pay transaction fees for other accounts without
-giving control of the underlying funds
+ giving control of the underlying funds
- CAP-0033 makes it possible to pay reserves for other accounts without giving
-control of the underlying funds
+ control of the underlying funds
-The combination of these two proposals should greatly facilitate the development
-of non-custodial uses of the Stellar Network.
+The combination of these two proposals should greatly facilitate the
+development of non-custodial uses of the Stellar Network.
### Goals Alignment
+
This proposal is aligned with the following Stellar Network Goal:
- The Stellar Network should make it easy for developers of Stellar projects to
create highly usable products.
## Abstract
+
We introduce the sponsoring-future-reserves relation, in which an account (the
-sponsoring account) pays any reserve that another account (the sponsored account)
-would have to pay. This relation is initiated by `BeginSponsoringFutureReservesOp`,
-where the **sponsoring** account is the source account, and is terminated by
-`EndSponsoringFutureReservesOp`, where the **sponsored** account is the source
-account. Both operations must appear in a single transaction, which guarantees
-that both the sponsoring and sponsored accounts agree to every sponsorship. We
-also introduce `RevokeSponsorshipOp`, which can be used to modify the
-sponsorship of existing ledger entries and signers. To support this, we add new
-extensions to `AccountEntry` and `LedgerEntry` which record pertinent
-information about sponsorships.
+sponsoring account) pays any reserve that another account (the sponsored
+account) would have to pay. This relation is initiated by
+`BeginSponsoringFutureReservesOp`, where the **sponsoring** account is the
+source account, and is terminated by `EndSponsoringFutureReservesOp`, where the
+**sponsored** account is the source account. Both operations must appear in a
+single transaction, which guarantees that both the sponsoring and sponsored
+accounts agree to every sponsorship. We also introduce `RevokeSponsorshipOp`,
+which can be used to modify the sponsorship of existing ledger entries and
+signers. To support this, we add new extensions to `AccountEntry` and
+`LedgerEntry` which record pertinent information about sponsorships.
## Specification
+
This specification assumes CAP-0023, in order to show how sponsorships would
work for claimable balance entries.
### XDR
#### AccountEntry
+
```c++
typedef AccountID* SponsorshipDescriptor;
@@ -117,8 +123,9 @@ struct AccountEntry
```
#### ClaimableBalanceEntry
-Note that `ClaimableBalanceEntry` is not in the current protocol, so the XDR can
-still be modified. `reserve` has been removed, and `sponsoringID` has been
+
+Note that `ClaimableBalanceEntry` is not in the current protocol, so the XDR
+can still be modified. `reserve` has been removed, and `sponsoringID` has been
replaced by `sponsoringID` in `LedgerEntryExtensionV1`.
```c++
@@ -147,6 +154,7 @@ struct ClaimableBalanceEntry
```
#### LedgerEntry
+
```c++
struct LedgerEntryExtensionV1
{
@@ -178,6 +186,7 @@ struct LedgerEntry
```
#### Operations
+
```c++
enum OperationType
{
@@ -238,6 +247,7 @@ struct Operation
```
#### Operation Results
+
```c++
enum AccountMergeResultCode
{
@@ -329,6 +339,7 @@ default:
```
#### Transaction Results
+
```c++
enum TransactionResultCode
{
@@ -357,24 +368,29 @@ struct InnerTransactionResult
### Semantics
#### Reserve Requirement
+
No operation can cause an account to have
`balance < (2 + numSubEntries + numSponsoring - numSponsored) * baseReserve + liabilities.selling`.
#### Sponsoring-Future-Reserves
+
When account `A` is sponsoring-future-reserves for account `B`, any reserve
requirements that would normally accumulate on `B` will instead accumulate on
-`A`. This is achieved by updating `A.numSponsoring` and `B.numSponsored` (unless
-the reserve requirement is accumulating due to a `ClaimableBalance` entry).
+`A`. This is achieved by updating `A.numSponsoring` and `B.numSponsored`
+(unless the reserve requirement is accumulating due to a `ClaimableBalance`
+entry).
An account `A` begins sponsoring-future-reserves for an account `B` upon a
successful `BeginSponsoringFutureReservesOp` with `sourceAccount = A` and
`sponsoredID = B`. `A` stops sponsoring-future-reserves for `B` upon a
-successful `EndSponsoringFutureReserves` with `sourceAccount = B`. These are the
-only two operations which can impact the sponsoring-future-reserves state of an
-account.
+successful `EndSponsoringFutureReserves` with `sourceAccount = B`. These are
+the only two operations which can impact the sponsoring-future-reserves state
+of an account.
#### Sponsoring-Future-Reserves Invariants
+
There are two invariants related to sponsoring-future-reserves:
+
- If an account `A` is sponsoring-future-reserves for an account `B`, then `B`
is not sponsoring-future-reserves for any account. Specifically, this
prevents an account from sponsoring-future-reserves for itself.
@@ -383,35 +399,40 @@ There are two invariants related to sponsoring-future-reserves:
account).
#### Sponsorship Invariants
+
There are three invariants related to sponsorships:
+
- (Global) The sum of all `numSponsoring` is equal to the sum of all
`numSponsored` plus the sum of all `ClaimableBalance.claimants.size()`.
- (Local) For an account `A`, `numSponsoring` is equal to the count of all
`LedgerEntry le` with `le.ext.v1().sponsoringID == A` weighted by the number
- of reserves required for that `LedgerEntry` (2 for `ACCOUNT`, `claimants.size()`
- for `CLAIMABLE_BALANCE`, 1 otherwise) plus the count of all `A` in
- `signerSponsoringIDs`.
+ of reserves required for that `LedgerEntry` (2 for `ACCOUNT`,
+ `claimants.size()` for `CLAIMABLE_BALANCE`, 1 otherwise) plus the count of
+ all `A` in `signerSponsoringIDs`.
- (Local) For an account `A`, `numSponsored` is equal to the count of all
- `LedgerEntry le` which are sub-entries of `A` (including `A` itself) that have
- `le.ext.v1().sponsoringID != null` weighted by the number of reserves
- required for that `LedgerEntry` (2 for `ACCOUNT`, 1 otherwise) plus the count of all `s`
- in `A.ext.v1().ext.v2().signerSponsoringIDs` with `s != null`. Note that
- Claimable balances are not sub-entries, so they do not affect `numSponsored`.
-
+ `LedgerEntry le` which are sub-entries of `A` (including `A` itself) that
+ have `le.ext.v1().sponsoringID != null` weighted by the number of reserves
+ required for that `LedgerEntry` (2 for `ACCOUNT`, 1 otherwise) plus the count
+ of all `s` in `A.ext.v1().ext.v2().signerSponsoringIDs` with `s != null`.
+ Note that Claimable balances are not sub-entries, so they do not affect
+ `numSponsored`.
#### BeginSponsoringFutureReservesOp
+
`BeginSponsoringFutureReservesOp` is the only operation that can initiate the
sponsoring-future-reserves relation. It is forbidden for A to be
sponsoring-future-reserves for B, and B to be sponsoring-future-reserves for C,
and this operation enforces this constraint.
To check validity of `BeginSponsoringFutureReservesOp op`:
+
```
If op.sponsoredID == op.sourceAccount
Invalid with BEGIN_SPONSORING_FUTURE_RESERVES_MALFORMED
```
The behavior of `BeginSponsoringFutureReservesOp op` is:
+
```
If an account is sponsoring future reserves for op.sponsoredID
Fail with BEGIN_SPONSORING_FUTURE_RESERVES_ALREADY_SPONSORED
@@ -428,6 +449,7 @@ Succeed with BEGIN_SPONSORING_FUTURE_RESERVES_SUCCESS
`BeginSponsoringFutureReservesOp` requires medium threshold.
#### EndSponsoringFutureReservesOp
+
`EndSponsoringFutureReservesOp` is the only operation that can terminate the
sponsoring-future-reserves relation. This can only be done if some account is
sponsoring-future-reserves for the source account.
@@ -435,6 +457,7 @@ sponsoring-future-reserves for the source account.
`EndSponsoringFutureReservesOp` is always valid.
The behavior of `EndSponsoringFutureReservesOp op` is:
+
```
If an account is not sponsoring future reserves for op.sourceAccount
Fail with END_SPONSORING_FUTURE_RESERVES_NOT_SPONSORED
@@ -446,6 +469,7 @@ Succeed with END_SPONSORING_FUTURE_RESERVES_SUCCESS
`EndSponsoringFutureReservesOp` requires medium threshold.
#### RevokeSponsorshipOp
+
`RevokeSponsorshipOp` allows a ledger entry or signer
- that is not sponsored to be sponsored,
@@ -453,6 +477,7 @@ Succeed with END_SPONSORING_FUTURE_RESERVES_SUCCESS
- that is sponsored to no longer be sponsored.
To check validity of `RevokeSponsorshipOp op`:
+
```
If ledgerVersion != 14
If op.type() == REVOKE_SPONSORSHIP_LEDGER_ENTRY
@@ -477,6 +502,7 @@ If ledgerVersion != 14
The behavior of `RevokeSponsorshipOp op` is as follows if
`op.type() == REVOKE_SPONSORSHIP_LEDGER_ENTRY`:
+
```
Load op.ledgerKey() as le
If le does not exist
@@ -548,6 +574,7 @@ Succeed with REVOKE_SPONSORSHIP_SUCCESS
The behavior of `RevokeSponsorshipOp op` is as follows if
`op.type() == REVOKE_SPONSORSHIP_SIGNER`:
+
```
Load op.signer().accountID as le
If le does not exist
@@ -627,6 +654,7 @@ Succeed with REVOKE_SPONSORSHIP_SUCCESS
`RevokeSponsorshipOp` requires medium threshold.
#### AccountMergeOp
+
`AccountMergeOp` will fail with `ACCOUNT_MERGE_IS_SPONSOR` if attempting to
merge an account that is-sponsoring-future-reserves-for another account. This
guarantees that the sponsoring account always exists.
@@ -636,21 +664,25 @@ attempting to merge an account that has non-zero `numSponsoring`. This is
required for sponsorship bookkeeping.
#### CreateAccountOp
+
`CreateAccountOp` will now be valid if `startingBalance >= 0`, whereas prior to
this proposal it was valid if `startingBalance > 0`.
#### ManageSellOfferOp and ManageBuyOfferOp
-Starting in protocol version 15, `ManageSellOfferOp` and `ManageBuyOfferOp` will
-be invalid if `offerID < 0`.
+
+Starting in protocol version 15, `ManageSellOfferOp` and `ManageBuyOfferOp`
+will be invalid if `offerID < 0`.
#### Operations that can change numSubEntries
+
Any operation that can change `numSubEntries` can now fail with
-`opTOO_MANY_SPONSORING`, if any `numSponsoring` or
-`numSponsored` would exceed `UINT32_MAX`.
+`opTOO_MANY_SPONSORING`, if any `numSponsoring` or `numSponsored` would exceed
+`UINT32_MAX`.
## Design Rationale
### Sponsorship Logic is Off-Chain
+
In CAP-0031, an alternative approach to sponsorship, the logic for determining
what can be sponsored is stored on the ledger. Not only is this complicated to
implement and reason about, but it also introduces a variety of limitations in
@@ -659,6 +691,7 @@ the "sandwich approach", analogous to what is done in CAP-0018, eliminates all
of these disadvantages.
### Why Should Sponsorship be Ephemeral?
+
There are a variety of reasons that the sponsoring-future-reserves relation is
ephemeral (by which I mean contained within a single transaction). From a
practical perspective, it would be deeply unwise to delegate to another party
@@ -680,6 +713,7 @@ relation, and if you didn't want revocation to occur then you shouldn't have
accepted the sponsorship in the first place.
### Sponsoring Accounts Cannot be Merged
+
An account that is sponsoring-future-reserves for another account cannot be
merged. This does not constrain functionality at all, but simplifies the
implementation and reduces the number of possible errors that can be
@@ -694,6 +728,7 @@ be merged. If you want to merge such an account, then you can use
this restriction greatly simplifies the implementation and semantics.
### Sequence Number Utilization and Sponsoring Account Creation
+
A typical use case for sponsorship is an enterprise sponsoring the reserves for
customers. Because sponsorship requires signatures from both the sponsoring
account and the sponsored account, this requires multi-signature coordination.
@@ -705,35 +740,38 @@ number. This will likely require a pool of channel accounts, which is a source
of complexity.
Despite the complexity that will be required for large-scale creation of
-sponsored accounts, we still believe that this approach is justified by its many
-benefits. Furthermore, the need for channel accounts during multi-signature
-coordination is an area in which the Stellar protocol can be generally improved.
-Already there are discussions of ideas which may mitigate some of these issues
-such as David Mazieres' proposal for Authenticated Operations, which can be found
-at https://groups.google.com/forum/#!msg/stellar-dev/zpO0Eppn8ks/e1ULbV_lAgAJ.
+sponsored accounts, we still believe that this approach is justified by its
+many benefits. Furthermore, the need for channel accounts during
+multi-signature coordination is an area in which the Stellar protocol can be
+generally improved. Already there are discussions of ideas which may mitigate
+some of these issues such as David Mazieres' proposal for Authenticated
+Operations, which can be found at
+https://groups.google.com/forum/#!msg/stellar-dev/zpO0Eppn8ks/e1ULbV_lAgAJ.
### Why are Signer Sponsoring IDs Stored Separately from Signers?
-For ledger entries, the sponsoring ID is stored within the ledger entry. But for
-signers, the sponsoring ID is stored separately. Why take different approaches?
-The reason is that `LedgerEntry` has an extension point but `Signer` does not.
-So if we wanted to store the sponsoring ID in the signer, then we would need to
-extend the `SignerKey` union. But this would force any downstream system that
-interacts with signers to update as well, introducing complexity throughout the
-ecosystem. Storing the sponsoring IDs for signers separately avoids this problem
-entirely, but it is perhaps slightly less elegant. Still, the trade-off is more
-than justified.
+
+For ledger entries, the sponsoring ID is stored within the ledger entry. But
+for signers, the sponsoring ID is stored separately. Why take different
+approaches? The reason is that `LedgerEntry` has an extension point but
+`Signer` does not. So if we wanted to store the sponsoring ID in the signer,
+then we would need to extend the `SignerKey` union. But this would force any
+downstream system that interacts with signers to update as well, introducing
+complexity throughout the ecosystem. Storing the sponsoring IDs for signers
+separately avoids this problem entirely, but it is perhaps slightly less
+elegant. Still, the trade-off is more than justified.
### Why Doesn't RevokeSponsorshipOp Obey Typical Rules of Sponsorship?
+
The relationship between sponsoring account and sponsored account can only be
created by mutual agreement. When this relationship is established, the
sponsoring account is endowed with the right to unilaterally end the
-relationship (ie. revoke the sponsorship) as long as doing so will not leave the
-sponsored account below the reserve requirement. But revoking the sponsorship
-is strictly worse for the sponsored account than transferring the sponsorship,
-because the worst thing that the new sponsoring account can do is revoke the
-sponsorship. Therefore, the sponsoring account should be able to transfer the
-sponsorship with the consent of the new sponsoring account but unilaterally with
-respect to the sponsored account.
+relationship (ie. revoke the sponsorship) as long as doing so will not leave
+the sponsored account below the reserve requirement. But revoking the
+sponsorship is strictly worse for the sponsored account than transferring the
+sponsorship, because the worst thing that the new sponsoring account can do is
+revoke the sponsorship. Therefore, the sponsoring account should be able to
+transfer the sponsorship with the consent of the new sponsoring account but
+unilaterally with respect to the sponsored account.
So how would a transfer work if `RevokeSponsorshipOp` were to obey the typical
rules of sponsorship? Let `S1` be the current sponsor, `S2` be the new sponsor,
@@ -752,11 +790,13 @@ This also resolves an issue for `ClaimableBalanceEntry`, because there is no
notion of an account that controls a `ClaimableBalanceEntry`.
### There is no opTOO_MANY_SPONSORED
-It initially seems strange that there is no `opTOO_MANY_SPONSORED` in analogy to
-`opTOO_MANY_SPONSORING`. But this case is already covered by the constraint that
-`numSponsored <= numSubEntries + 2 < UINT32_MAX`.
+
+It initially seems strange that there is no `opTOO_MANY_SPONSORED` in analogy
+to `opTOO_MANY_SPONSORING`. But this case is already covered by the constraint
+that `numSponsored <= numSubEntries + 2 < UINT32_MAX`.
### Example: Sponsoring Account Creation
+
In this example, we demonstrate how an account can be sponsored upon creation.
Let `S` be the sponsoring account, `C` be the creating account, and `A` the
newly created account (`S` and `C` may be the same account). Then the following
@@ -786,11 +826,12 @@ operations[2]:
type: END_SPONSORING_FUTURE_RESERVES
```
-where ``, ``, ``, and `` should all
-be substituted appropriately. Note that this requires a signature from `A` even
-though that account is being created.
+where ``, ``, ``, and `` should
+all be substituted appropriately. Note that this requires a signature from `A`
+even though that account is being created.
### Example: Two Trust Lines with Different Sponsors
+
In this example, we demonstrate how a single account can create two trust lines
which are sponsored by different accounts in a single transaction. Let `S1` and
`S2` be the sponsoring accounts. Let `A` be the sponsored account. Then the
@@ -839,10 +880,11 @@ where ``, ``, and `` should all be substituted
appropriately.
### Example: Revoke Sponsorship
-In this example, we demonstrate how a sponsorship can be revoked. Let `S`
-be the sponsoring account. Let `K` be the `LedgerKey` for an entry which
-is currently sponsored by `S`. Then the following transaction achieves the
-desired goal:
+
+In this example, we demonstrate how a sponsorship can be revoked. Let `S` be
+the sponsoring account. Let `K` be the `LedgerKey` for an entry which is
+currently sponsored by `S`. Then the following transaction achieves the desired
+goal:
```
sourceAccount: S
@@ -862,6 +904,7 @@ where ``, ``, and `` should all be substituted
appropriately.
### Example: Transfer Sponsorship
+
In this example, we demonstrate how a sponsorship can be transferred. Let `S1`
and `S2` be the sponsoring accounts. Let `K` be the `LedgerKey` for an entry
which is currently sponsored by `S1`. Then the following transaction achieves
@@ -896,22 +939,27 @@ appropriately.
## Backwards Incompatibilities
### New XDR
+
All downstream systems will need updated XDR in order to recognize the new
operations and the modified ledger entries.
### Operation Validity Changes
+
Any downstream system relying on any of the following facts will be affected:
- `CreateAccountOp` is invalid if `startingBalance = 0`
- Manage offer operations can be valid if `offerID < 0`
## Security Concerns
-This proposal will slightly reduce the efficacy of base reserve changes, because
-sponsored ledger entries cannot cause an account to pass below the reserve
-requirement.
+
+This proposal will slightly reduce the efficacy of base reserve changes,
+because sponsored ledger entries cannot cause an account to pass below the
+reserve requirement.
## Test Cases
+
None yet.
## Implementation
+
None yet.
diff --git a/core/cap-0034.md b/core/cap-0034.md
index 77de352a2..21ae5bfd2 100644
--- a/core/cap-0034.md
+++ b/core/cap-0034.md
@@ -26,8 +26,8 @@ that smart contracts can not, with the current protocol, safely be written as
chains of dependent transactions with incrementing sequence numbers, because
there is no way for a client to guarantee that a transaction will succeed if it
consumes a sequence number. There is always a possibility that it will return
-`txTOO_LATE`. But returning `txTOO_LATE` while consuming a sequence number
-(and being charged a fee) violates our
+`txTOO_LATE`. But returning `txTOO_LATE` while consuming a sequence number (and
+being charged a fee) violates our
[API documentation](https://www.stellar.org/developers/guides/concepts/transactions.html),
which states that "If the transaction is invalid, it will be immediately
rejected by stellar-core based on the validity rules of a transaction, the
@@ -35,10 +35,10 @@ account’s sequence number will not be incremented, and no fee will be consumed
from the source account", where the referenced
["validity rules of a transaction"](https://www.stellar.org/developers/guides/concepts/transactions.html#validity-of-a-transaction)
include "The transaction must be submitted within the set time bounds of the
-transaction, otherwise it will be considered invalid".
-There may therefore _be_ smart contracts which are structured this way, and are
-allowed to be structured this way according to our published API, yet are
-vulnerable to inconsistencies because of this race.
+transaction, otherwise it will be considered invalid". There may therefore _be_
+smart contracts which are structured this way, and are allowed to be structured
+this way according to our published API, yet are vulnerable to inconsistencies
+because of this race.
A less catastrophic problem, but an inefficiency, is that externalizing
transaction sets that contain significant numbers of transactions that are
@@ -63,15 +63,15 @@ desirable effects on both good-faith transactions and bad-faith (spam)
transactions:
- Good-faith transactions should not be charged a fee without being included in
-a ledger, and should certainly not be subject to potential inconsistencies when
-part of smart contracts that depend upon sequence numbers to manage
-dependencies.
+ a ledger, and should certainly not be subject to potential inconsistencies
+ when part of smart contracts that depend upon sequence numbers to manage
+ dependencies.
- Bad-faith transactions should not be allowed into fill up ledgers, starving
-out good-faith transactions. This CAP ensures that consensus gets the
-opportunity to select transaction sets from among transactions that would be
-guaranteed not to return `txTOO_LATE` if they were externalized, so ledgers
-would only be filled by transactions that could actually be applied.
+ out good-faith transactions. This CAP ensures that consensus gets the
+ opportunity to select transaction sets from among transactions that would be
+ guaranteed not to return `txTOO_LATE` if they were externalized, so ledgers
+ would only be filled by transactions that could actually be applied.
### Goals Alignment
@@ -89,22 +89,22 @@ It also aligns with the following Stellar Network Value:
Currently, the nomination protocol produces, from a set of candidate
`StellarValue`s, a nominated `StellarValue` comprising the composited
-transaction set (as selected by a deterministic heuristic which chooses
-one particular input set and favors larger sets), the maximum `closeTime` of any
+transaction set (as selected by a deterministic heuristic which chooses one
+particular input set and favors larger sets), the maximum `closeTime` of any
candidate, and a set of "maximal" ledger `upgrades` from all candidates.
We propose to change the protocol to take the `closeTime` from the same
candidate `StellarValue` as the chosen transaction set (the heuristic which
decides which transaction set to choose does not change; nor does the method of
-generating `upgrades`). The protocol would then validate all transaction sets
+generating `upgrades`). The protocol would then validate all transaction sets
against their associated `closeTime`s, and could use `SIGNED` `StellarValue`s
throughout the ballot protocol as well as the nomination protocol.
The effect is that all trimming and validating of transaction sets during the
nomination and ballot protocols use the exact same conditions as the validation
-of transactions does during ledger close. (Today, they differ: the nomination
+of transactions does during ledger close. (Today, they differ: the nomination
and ballot protocols use the last ledger close time, whereas ledger close uses
-the new ledger close time. This CAP allows this precise alignment because it
+the new ledger close time. This CAP allows this precise alignment because it
allows the nomination and ballot protocols to predict exactly what the next
ledger close time will be _if_ the transaction set that they are validating is
ultimately externalized.)
@@ -113,7 +113,7 @@ In particular, this affects how soon the core notices when transactions expire.
## Specification
-There are no changes to any XDR in this CAP. The treatment of the `closeTime`
+There are no changes to any XDR in this CAP. The treatment of the `closeTime`
in the `StellarValue` XDR in some code paths changes, as does the use of
`SIGNED` `StellarValue`s in some places where `BASIC` ones are currently used,
but the XDR itself does not change.
@@ -121,43 +121,43 @@ but the XDR itself does not change.
This CAP proposes to change the compositing function, which chooses a
`StellarValue` to start the ballot protocol on, to remove the current combining
of closetimes and simply select the one from the same `StellarValue` as the
-selected transaction set. (This CAP proposes to preserve the existing selection
+selected transaction set. (This CAP proposes to preserve the existing selection
heuristic for "composited transaction set" unchanged.)
This CAP also proposes to trim and validate transaction sets in `StellarValue`s
(in all places where such trimming or validating is currently done) against the
-`closeTime` in the same `StellarValue`. The `closeTime` affects whether a
+`closeTime` in the same `StellarValue`. The `closeTime` affects whether a
transaction with an upper time bound (`maxTime`) returns `txTOO_LATE`, and
-whether a transaction with a lower time bound (`minTime`) returns `txTOO_EARLY`.
-Those are therefore the two transaction-validity tests which are affected by
-the change in which `closeTime` is used to validate transactions.
+whether a transaction with a lower time bound (`minTime`) returns
+`txTOO_EARLY`. Those are therefore the two transaction-validity tests which are
+affected by the change in which `closeTime` is used to validate transactions.
-This CAP also proposes to make the nomination protocol produce a signed
-value (currently we nominate an unsigned, or "basic", value, because, as a
+This CAP also proposes to make the nomination protocol produce a signed value
+(currently we nominate an unsigned, or "basic", value, because, as a
combination of candidate values, it may not be equal to any one candidate value
for which we have a signature). It does not propose any specific use of that
-signature yet, but preserving the signature as part of the same protocol
-change that allows it to be preserved will allow us to use it in the future if
-we discover a way to do so.
+signature yet, but preserving the signature as part of the same protocol change
+that allows it to be preserved will allow us to use it in the future if we
+discover a way to do so.
-As with any protocol change, the new code must remember and maintain
-older protocols' behavior, and continue to use old behavior until after
-the network externalizes the ledger upgrade to the new protocol, through
-consensus.
+As with any protocol change, the new code must remember and maintain older
+protocols' behavior, and continue to use old behavior until after the network
+externalizes the ledger upgrade to the new protocol, through consensus.
The changes in this CAP build upon changes already made (without a CAP, since
they were not protocol changes, but changes to the heuristics that a node uses
to decide which transactions to flood and which to include in its first
nominated transaction set in a new ledger) in
-[PR 2608](https://github.com/stellar/stellar-core/pull/2608). Those changes
-already reduce the potential network burden of flooding transactions that appear
-likely to expire before getting into transaction sets, and they introduce some
-interfaces into the code which the code for this CAP can naturally re-use.
+[PR 2608](https://github.com/stellar/stellar-core/pull/2608). Those changes
+already reduce the potential network burden of flooding transactions that
+appear likely to expire before getting into transaction sets, and they
+introduce some interfaces into the code which the code for this CAP can
+naturally re-use.
-Therefore, we present the semantics in three stages: the behavior as released,
+Therefore, we present the semantics in three stages: the behavior as released,
the latest unreleased behavior (which contains heuristic but no protocol
changes, and therefore involved no CAP), and the behavior as proposed in this
-CAP. **Bold** text indicates a semantic change from the previous stage. The
+CAP. **Bold** text indicates a semantic change from the previous stage. The
proposal in this CAP embodies the **bold** semantics in the last column only;
the **bold** semantics in the middle column are for context.
@@ -179,156 +179,161 @@ set of candidates, and all of those questions must be answered by the Core
through consensus.
1. The proposal prevents the race that motivated the CAP; it ensures in all
-cases that a transaction that returns `txTOO_LATE` does not consume a sequence
-number and does not pay a fee. This is ensured because before a transaction
-set gets to the point of having its transaction fees paid (which happens when a
-ledger is closing), we composite the candidate `` pairs into
-one, and with the CAP behavior we do so by simply selecting one candidate.
-And every candidate has by the time of compositing been validated, including
-against the new condition that it contains no transactions that are expired
-with respect to its `closeTime`.
+ cases that a transaction that returns `txTOO_LATE` does not consume a
+ sequence number and does not pay a fee. This is ensured because before a
+ transaction set gets to the point of having its transaction fees paid (which
+ happens when a ledger is closing), we composite the candidate
+ `` pairs into one, and with the CAP behavior we do so by
+ simply selecting one candidate. And every candidate has by the time of
+ compositing been validated, including against the new condition that it
+ contains no transactions that are expired with respect to its `closeTime`.
2. The proposal prevents an ill-behaved validator from intentionally triggering
-the race that motivated the CAP through what we shall call "maximum `closeTime`
-injection": the ill-behaved validator could previously try to force transactions
-in transaction sets proposed by other nodes to fail during ledger close by
-proposing as large a `closeTime` as allowed (the maximum time slip is currently
-one minute).
+ the race that motivated the CAP through what we shall call "maximum
+ `closeTime` injection": the ill-behaved validator could previously try to
+ force transactions in transaction sets proposed by other nodes to fail
+ during ledger close by proposing as large a `closeTime` as allowed (the
+ maximum time slip is currently one minute).
3. This proposal refines
-[PR 2608](https://github.com/stellar/stellar-core/pull/2608)'s
-trimming of transactions prior to initial nomination by changing the
-next-ledger-`closeTime` estimate (which PR2608 itself had changed from
-last-ledger-`closeTime`) to `closeTime`-within-`StellarValue`. Given this CAP's
-semantics, we know at this point that that `closeTime` is the _exact_ one that
-will be chosen as the ledger close time _if_ the transaction set is ultimately
-externalized, so we can trim precisely the most efficient set of transactions:
-we trim all of those which would have later returned `txTOO_LATE` if the
-transaction set were ultimately externalized, and we are guaranteed that none of
-those which survives trimming will return `txTOO_LATE` if the transaction set is
-ultimately externalized.
-
-4. This CAP in general makes changes to transaction set composition and validity
-in the earliest protocol phases possible, making use of knowledge as soon as we
-have it. The previous point is an example -- we trim a transaction set prior to
-first nomination precisely when we decide on which `closeTime` to nominate
-in the same `StellarValue` with it, which also tells us precisely which
-transactions we may as well trim because they'll be expired at ledger close time
-if that `StellarValue` is ultimately externalized. The change in the validation
-of transaction sets in the nomination and ballot protocols is a similar example;
-we can do more accurate validation than we could before this CAP, when all we
-could validate against was the last ledger close time.
+ [PR 2608](https://github.com/stellar/stellar-core/pull/2608)'s trimming of
+ transactions prior to initial nomination by changing the
+ next-ledger-`closeTime` estimate (which PR2608 itself had changed from
+ last-ledger-`closeTime`) to `closeTime`-within-`StellarValue`. Given this
+ CAP's semantics, we know at this point that that `closeTime` is the _exact_
+ one that will be chosen as the ledger close time _if_ the transaction set is
+ ultimately externalized, so we can trim precisely the most efficient set of
+ transactions: we trim all of those which would have later returned
+ `txTOO_LATE` if the transaction set were ultimately externalized, and we are
+ guaranteed that none of those which survives trimming will return
+ `txTOO_LATE` if the transaction set is ultimately externalized.
+
+4. This CAP in general makes changes to transaction set composition and
+ validity in the earliest protocol phases possible, making use of knowledge
+ as soon as we have it. The previous point is an example -- we trim a
+ transaction set prior to first nomination precisely when we decide on which
+ `closeTime` to nominate in the same `StellarValue` with it, which also tells
+ us precisely which transactions we may as well trim because they'll be
+ expired at ledger close time if that `StellarValue` is ultimately
+ externalized. The change in the validation of transaction sets in the
+ nomination and ballot protocols is a similar example; we can do more
+ accurate validation than we could before this CAP, when all we could
+ validate against was the last ledger close time.
5. This CAP makes the `closeTime`-related transaction validity checks (the
-tests for `txTOO_EARLY` and `txTOO_LATE`) throughout consensus exactly
-equivalent to those used during ledger close. Previously, the tests used during
-consensus (which this CAP changes to align with those used during ledger close)
-were weaker than the tests used during ledger close with respect to
-`maxTime`/`txTOO_LATE` (the consensus checks could admit transactions which,
-if they were ultimately externalized, ledger close would later reject with
-`txTOO_LATE`), and stronger than the tests used during ledger close with respect
-to `minTime`/`txTOO_EARLY` (the consensus checks could reject transactions with
-`txTOO_EARLY` which, had they been allowed and ultimately externalized, would
-_not_ have been rejected with `txTOO_EARLY` during ledger close).
+ tests for `txTOO_EARLY` and `txTOO_LATE`) throughout consensus exactly
+ equivalent to those used during ledger close. Previously, the tests used
+ during consensus (which this CAP changes to align with those used during
+ ledger close) were weaker than the tests used during ledger close with
+ respect to `maxTime`/`txTOO_LATE` (the consensus checks could admit
+ transactions which, if they were ultimately externalized, ledger close would
+ later reject with `txTOO_LATE`), and stronger than the tests used during
+ ledger close with respect to `minTime`/`txTOO_EARLY` (the consensus checks
+ could reject transactions with `txTOO_EARLY` which, had they been allowed
+ and ultimately externalized, would _not_ have been rejected with
+ `txTOO_EARLY` during ledger close).
6. This CAP, in both the change it proposes to protocol semantics and the
-changes it would induce in the code structure, facilitates the option to
-perform a follow-on change to the work done in PR 2608 which would further
-refine our heuristic for choosing which transactions to flood by allowing
-some transactions to be flooded which would be `txTOO_EARLY` if the next ledger
-were to close immediately, but which we estimate will no longer be `txTOO_EARLY`
-by the time the next ledger actually does close. (That would not introduce any
-race analogous to the one that this CAP fixes with respect to `txTOO_LATE`,
-because the nomination and ballot protocols would still discover that a
-transaction would be invalid with `txTOO_EARLY` before it reached the point of
-being in a closing ledger and therefore failing validation while nevertheless
-consuming a sequence number and being charged a fee.)
+ changes it would induce in the code structure, facilitates the option to
+ perform a follow-on change to the work done in PR 2608 which would further
+ refine our heuristic for choosing which transactions to flood by allowing
+ some transactions to be flooded which would be `txTOO_EARLY` if the next
+ ledger were to close immediately, but which we estimate will no longer be
+ `txTOO_EARLY` by the time the next ledger actually does close. (That would
+ not introduce any race analogous to the one that this CAP fixes with respect
+ to `txTOO_LATE`, because the nomination and ballot protocols would still
+ discover that a transaction would be invalid with `txTOO_EARLY` before it
+ reached the point of being in a closing ledger and therefore failing
+ validation while nevertheless consuming a sequence number and being charged
+ a fee.)
7. This CAP has had a modest "test" in that it is the third proposal that we
-have considered, and appears not to suffer from any of the weaknesses which led
-us to reject the first two; see "Rejected alternatives" below for details.
+ have considered, and appears not to suffer from any of the weaknesses which
+ led us to reject the first two; see "Rejected alternatives" below for
+ details.
### Detailed illustration of failure mode with current protocol
With the current protocol, the following sequence of events can occur:
1. A smart-contract client submits a series of transactions `T1`, `T2` with
-`T2`'s sequence number one greater than `T1`'s. `T2` is intended have its
-operations applied if and only if `T1`'s are applied first; the smart contract
-is depending upon `T2` having the wrong sequence number if `T1`'s operations
-are not applied (in which case the smart contract expects that `T1` will not
-have consumed a sequence number). The smart contract sets an expiration time on
-`T1` (as our
-[documentation](https://www.stellar.org/developers/guides/concepts/transactions.html)
-"highly advises" that clients do).
+ `T2`'s sequence number one greater than `T1`'s. `T2` is intended have its
+ operations applied if and only if `T1`'s are applied first; the smart
+ contract is depending upon `T2` having the wrong sequence number if `T1`'s
+ operations are not applied (in which case the smart contract expects that
+ `T1` will not have consumed a sequence number). The smart contract sets an
+ expiration time on `T1` (as our
+ [documentation](https://www.stellar.org/developers/guides/concepts/transactions.html)
+ "highly advises" that clients do).
2. The ledger happens first to have capacity to accept `T1` into a transaction
-set between `T1`'s expiration time and the time at which it will turn out (of
-course the network can not foresee that this will eventually be the case) that
-the next ledger will close.
+ set between `T1`'s expiration time and the time at which it will turn out
+ (of course the network can not foresee that this will eventually be the
+ case) that the next ledger will close.
3. `T1` happens at that point to be in the transaction queue of the validator
-who (though again this is not predictable yet) will turn out to nominate the
-`StellarValue` that will ultimately be externalized. That node builds a
-transaction set that contains `T1`.
+ who (though again this is not predictable yet) will turn out to nominate the
+ `StellarValue` that will ultimately be externalized. That node builds a
+ transaction set that contains `T1`.
4. The transaction set containing `T1` is externalized, but (at least) one of
-the candidate `closeTime`s is greater than `T1`'s expiration time.
+ the candidate `closeTime`s is greater than `T1`'s expiration time.
5. Transactions are applied using the maximum of all candidate `closeTime`s as
-the new last ledger close time. `T1` therefore returns `txTOO_LATE`, and its
-operations are not applied. However, as it reached ledger close before being
-failed, it consumes a sequence number (and is charged a fee).
+ the new last ledger close time. `T1` therefore returns `txTOO_LATE`, and its
+ operations are not applied. However, as it reached ledger close before being
+ failed, it consumes a sequence number (and is charged a fee).
6. `T2` gets into an externalized transaction set (possibly, but not
-necessarily, the same one that `T1` got into) before it too expires. It
-has the correct sequence number, because `T1` consumed a sequence number.
-`T2`'s operations are therefore applied -- even though its preconditions were
-intended to include guarantees that `T1`'s operations had ensured, so the
-actual postconditions of `T2` could violate any of the smart contract's intended
-invariants which had depended upon `T1`'s operations having succeeded before
-`T2`'s operations could be applied.
+ necessarily, the same one that `T1` got into) before it too expires. It has
+ the correct sequence number, because `T1` consumed a sequence number. `T2`'s
+ operations are therefore applied -- even though its preconditions were
+ intended to include guarantees that `T1`'s operations had ensured, so the
+ actual postconditions of `T2` could violate any of the smart contract's
+ intended invariants which had depended upon `T1`'s operations having
+ succeeded before `T2`'s operations could be applied.
So `T` consumes a sequence number (and is charged a fee) but is never applied.
There is a design pattern in some smart contracts which breaks, allowing
-inconsistent transactions to be committed, if it encounters this race: a smart
+inconsistent transactions to be committed, if it encounters this race: a smart
contract might submit a chain of transactions, with incrementing sequence
-numbers, each intended to be applied only if the previous ones succeeded. If
-there were transactions that were intended to be constrained by the incrementing
-sequence numbers only to be applied if `T` succeeded, they could do so because
-`T` had consumed its sequence number, even though it was never applied. The
-dependent transactions would then perform operations which the smart contract
-had intended to be performed only if `T` had succeeded. This would
-potentially be arbitrarily bad for the smart contract.
-
-With the behavior proposed in this CAP, step #3 -- a node building a transaction
-set containing `T1` -- would only occur if `T1` were not expired with respect to
-the `closeTime` in the same proposed `StellarValue` as that transaction set.
-Otherwise, `T1` would not make it into a transaction set, and would therefore
-never consume a sequence number (or be charged a fee), and `T2` would fail
-validation with a bad sequence number, as the smart contract intended in that
-case. If `T1` did make it into a transaction set, then, under the new behavior
-in this CAP, step #5 would change -- if the transaction set containing `T1` won
-nomination, then the `closeTime` of the new ledger would be the `closeTime` from
-the same `StellarValue` as `T1`, with respect to which `T1` is in this case not
-expired. Hence, `T1` would be applied during ledger close; it would not return
-`txTOO_LATE`. `T2` would therefore have the opportunity to be applied (assuming
-it was valid in the other respects in addition to its sequence number), and in
-this case that would be as expected, as `T1` had previously succeeded.
+numbers, each intended to be applied only if the previous ones succeeded. If
+there were transactions that were intended to be constrained by the
+incrementing sequence numbers only to be applied if `T` succeeded, they could
+do so because `T` had consumed its sequence number, even though it was never
+applied. The dependent transactions would then perform operations which the
+smart contract had intended to be performed only if `T` had succeeded. This
+would potentially be arbitrarily bad for the smart contract.
+
+With the behavior proposed in this CAP, step #3 -- a node building a
+transaction set containing `T1` -- would only occur if `T1` were not expired
+with respect to the `closeTime` in the same proposed `StellarValue` as that
+transaction set. Otherwise, `T1` would not make it into a transaction set, and
+would therefore never consume a sequence number (or be charged a fee), and `T2`
+would fail validation with a bad sequence number, as the smart contract
+intended in that case. If `T1` did make it into a transaction set, then, under
+the new behavior in this CAP, step #5 would change -- if the transaction set
+containing `T1` won nomination, then the `closeTime` of the new ledger would be
+the `closeTime` from the same `StellarValue` as `T1`, with respect to which
+`T1` is in this case not expired. Hence, `T1` would be applied during ledger
+close; it would not return `txTOO_LATE`. `T2` would therefore have the
+opportunity to be applied (assuming it was valid in the other respects in
+addition to its sequence number), and in this case that would be as expected,
+as `T1` had previously succeeded.
Note that the duration that this race window in the current protocol remains
-open can be lengthened (up to one minute) by the increase of any _one_ candidate
-`closeTime`, since the current protocol combines candidate `closeTime`s by
-choosing the maximum. That means in particular that a single bad _validator_
-can open this race window significantly, with the consequences including both
-the failure of more transactions with `txTOO_LATE` and the potential for
-inconsistent smart contract behavior. This reflects that the current
-protocol's choice of the maximum candidate `closeTime` is, in a sense, too
-sensitive: it can externalize a value that could have been manipulated by a
-single bad actor. We refer to such manipulation as "maximum `closeTime`
+open can be lengthened (up to one minute) by the increase of any _one_
+candidate `closeTime`, since the current protocol combines candidate
+`closeTime`s by choosing the maximum. That means in particular that a single
+bad _validator_ can open this race window significantly, with the consequences
+including both the failure of more transactions with `txTOO_LATE` and the
+potential for inconsistent smart contract behavior. This reflects that the
+current protocol's choice of the maximum candidate `closeTime` is, in a sense,
+too sensitive: it can externalize a value that could have been manipulated by a
+single bad actor. We refer to such manipulation as "maximum `closeTime`
injection". The proposal in this CAP is less sensitive: a node can affect the
composite `closeTime` only if it manages to provide a transaction set that the
-network as a whole selects as a composited one for the ballot protocol. We
+network as a whole selects as a composited one for the ballot protocol. We
force a node to do a "good deed" (putting together a transaction set which the
compositing function selects over any other node's candidate) for the network's
clients in order to influence the eventual externalized `closeTime`. In the
@@ -340,131 +345,132 @@ the validity of transactions in transaction sets proposed by other nodes.
### Detailed argument in favor of this proposal
-Here we argue that this CAP would represent a clear improvement in behavior
-by arguing individually for each of the semantic changes in the table above, in
-the order presented (we shall use the "index" column for reference), so that the
-desirability of the first change depends only on the state of the current
+Here we argue that this CAP would represent a clear improvement in behavior by
+arguing individually for each of the semantic changes in the table above, in
+the order presented (we shall use the "index" column for reference), so that
+the desirability of the first change depends only on the state of the current
protocol and code, and the desirability of each further change may depend upon
that of earlier changes as well, in effect assuming that they have been made
because they are desirable (thus constructing an inductive argument for the
desirability of the whole CAP).
-1. The first listed change was one of the optimizations made in PR 2608,
-without requiring a protocol change (or, therefore, CAP), so we do not need to
-argue for it in this CAP, but we explain it for context: by estimating when
-the next ledger will close and avoiding flooding any transactions which will
-have expired by that time, we can save the network and memory resources that we
-might have spent on behalf of transactions which were unlikely ever to be
-applied anyway. This CAP could be seen in part as propagating a similar style
-of change to some later stages in the protocol; those changes _do_ require a
-protocol upgrade.
-
-2. The second listed decision point was changed in PR 2608, and we propose to
-refine it further in this CAP. The PR 2608 change was similar to the one made
-in the first decision point 1, at a different place: when we trim transactions
-before choosing which `StellarValue` to nominate first when triggering a new
-ledger. The change had the same idea as the aforementioned one, to minimize the
-use of resources on behalf of likely-useless transactions. In this CAP, we
-propose changing this decision point further to do the trimming based on the
-exact `closeTime` that we are nominating. Since the CAP behavior would allow us
-to know that that would be the exact externalized `closeTime` if the transaction
-set that we nominate were to be externalized, we know that that `closeTime` is
-optimal to use for trimming against. Knowing the optimal value, we no longer
-need an estimate. (The first decision point does not change because at that
-point we do not yet know the rest of the `StellarValue` that we will end up
-nominating -- in particular we do not yet know the `closeTime` -- so an estimate
-is the best that we can do.) And because that value is optimal -- all the
-transactions that it leads to being trimmed would have been guaranteed to have
-returned `txTOO_EARLY`/`txTOO_LATE` if the transaction set had been
-externalized, and all the transactions that it leads to _not_ being trimmed are
-guaranteed _not_ to return `txTOO_EARLY`/`txTOO_LATE` if the transaction set is
-ultimately externalized -- it is clearly desirable to use it.
-
-3. In the presence of change #2, which trims any premature/expired transactions
-before nominating a `StellarValue`, it is only an ill-behaved node that would
-nominate a `StellarValue` containing a transaction which is premature/expired
-with respect to its own `closeTime`, so it becomes sensible for such a value to
-fail validation. There is no loss in this, since we would not want to accept a
-`StellarValue` from an ill-behaved node in any case; this change (given change
-\#2) simply represents a strict improvement in our ability to detect a particular
-incorrect behavior.
-
-4. In the presence of change #3, any candidate transaction set passed in to
-the compositing function consists only of transactions which are valid
-with respect to the `closeTime` in the same `StellarValue` as the transaction
-set. Therefore, once the compositing function has chosen one of the candidate
-transaction sets, the choice of a composited `closeTime` equal to the
-`closeTime` in the same `StellarValue` as the chosen transaction set becomes
-optimal in the following sense: it is precisely the latest `closeTime` with
-respect to which all of the transactions in the chosen transaction set are
-valid (unexpired). By comparison, the old protocol's choice of the maximal
-`closeTime` of all candidates' is simply a loss:
-
- - It might render some of the transactions in the composited set expired,
- which is the `txTOO_LATE` race that motivated this CAP.
-
- - It might render some transactions still in the memory pools of some nodes
- expired, when they might have had a chance of getting into a future ledger
- if the `closeTime` had not been needlessly increased.
-
- - It makes the ledger close time more sensitive to the choice of a large
- `closeTime` by a single bad actor, which we have called the "maximum
- `closeTime` injection" problem, and discussed above in the "Detailed
- illustration of failure mode".
-
-5. Given the ability to preserve the signature (since it is on a nominated
-`` pair, of which we now choose a specific one rather than
-combining multiple ones in producing the `closeTime`) in the output of the
-compositing function, there is little cost to doing so (we have the signature
-in memory and have already checked it), so we may as well lose as little
-information as possible. And given that we have preserved the signature on
-`StellarValue`s throughout the nomination protocol and into the ballot protocol,
-we must expect `SIGNED` `StellarValue`s in the ballot protocol, and we must
-check the signatures again in the ballot protocol, to make sure that the
-additional information that we are preserving is _correct_ information. The
-additional signature-checking, however, will be on a signature that we just
-checked during the preceding nomination round, so we will likely simply hit in
-cache nearly all the time, and not have to do significantly more signature
-checks.
-
-Therefore, we argue that each successive change represents a clear
-improvement, given the previous one (and the first represents a clear
-improvement over the existing implementation).
+1. The first listed change was one of the optimizations made in PR 2608,
+ without requiring a protocol change (or, therefore, CAP), so we do not need
+ to argue for it in this CAP, but we explain it for context: by estimating
+ when the next ledger will close and avoiding flooding any transactions
+ which will have expired by that time, we can save the network and memory
+ resources that we might have spent on behalf of transactions which were
+ unlikely ever to be applied anyway. This CAP could be seen in part as
+ propagating a similar style of change to some later stages in the protocol;
+ those changes _do_ require a protocol upgrade.
+
+2. The second listed decision point was changed in PR 2608, and we propose to
+ refine it further in this CAP. The PR 2608 change was similar to the one
+ made in the first decision point 1, at a different place: when we trim
+ transactions before choosing which `StellarValue` to nominate first when
+ triggering a new ledger. The change had the same idea as the aforementioned
+ one, to minimize the use of resources on behalf of likely-useless
+ transactions. In this CAP, we propose changing this decision point further
+ to do the trimming based on the exact `closeTime` that we are nominating.
+ Since the CAP behavior would allow us to know that that would be the exact
+ externalized `closeTime` if the transaction set that we nominate were to be
+ externalized, we know that that `closeTime` is optimal to use for trimming
+ against. Knowing the optimal value, we no longer need an estimate. (The
+ first decision point does not change because at that point we do not yet
+ know the rest of the `StellarValue` that we will end up nominating -- in
+ particular we do not yet know the `closeTime` -- so an estimate is the best
+ that we can do.) And because that value is optimal -- all the transactions
+ that it leads to being trimmed would have been guaranteed to have returned
+ `txTOO_EARLY`/`txTOO_LATE` if the transaction set had been externalized,
+ and all the transactions that it leads to _not_ being trimmed are
+ guaranteed _not_ to return `txTOO_EARLY`/`txTOO_LATE` if the transaction
+ set is ultimately externalized -- it is clearly desirable to use it.
+
+3. In the presence of change #2, which trims any premature/expired
+ transactions before nominating a `StellarValue`, it is only an ill-behaved
+ node that would nominate a `StellarValue` containing a transaction which is
+ premature/expired with respect to its own `closeTime`, so it becomes
+ sensible for such a value to fail validation. There is no loss in this,
+ since we would not want to accept a `StellarValue` from an ill-behaved node
+ in any case; this change (given change \#2) simply represents a strict
+ improvement in our ability to detect a particular incorrect behavior.
+
+4. In the presence of change #3, any candidate transaction set passed in to
+ the compositing function consists only of transactions which are valid with
+ respect to the `closeTime` in the same `StellarValue` as the transaction
+ set. Therefore, once the compositing function has chosen one of the
+ candidate transaction sets, the choice of a composited `closeTime` equal to
+ the `closeTime` in the same `StellarValue` as the chosen transaction set
+ becomes optimal in the following sense: it is precisely the latest
+ `closeTime` with respect to which all of the transactions in the chosen
+ transaction set are valid (unexpired). By comparison, the old protocol's
+ choice of the maximal `closeTime` of all candidates' is simply a loss:
+
+ - It might render some of the transactions in the composited set expired,
+ which is the `txTOO_LATE` race that motivated this CAP.
+
+ - It might render some transactions still in the memory pools of some nodes
+ expired, when they might have had a chance of getting into a future ledger
+ if the `closeTime` had not been needlessly increased.
+
+ - It makes the ledger close time more sensitive to the choice of a large
+ `closeTime` by a single bad actor, which we have called the "maximum
+ `closeTime` injection" problem, and discussed above in the "Detailed
+ illustration of failure mode".
+
+5. Given the ability to preserve the signature (since it is on a nominated
+ `` pair, of which we now choose a specific one rather than
+ combining multiple ones in producing the `closeTime`) in the output of the
+ compositing function, there is little cost to doing so (we have the
+ signature in memory and have already checked it), so we may as well lose as
+ little information as possible. And given that we have preserved the
+ signature on `StellarValue`s throughout the nomination protocol and into
+ the ballot protocol, we must expect `SIGNED` `StellarValue`s in the ballot
+ protocol, and we must check the signatures again in the ballot protocol, to
+ make sure that the additional information that we are preserving is
+ _correct_ information. The additional signature-checking, however, will be
+ on a signature that we just checked during the preceding nomination round,
+ so we will likely simply hit in cache nearly all the time, and not have to
+ do significantly more signature checks.
+
+Therefore, we argue that each successive change represents a clear improvement,
+given the previous one (and the first represents a clear improvement over the
+existing implementation).
### Rejected alternatives
The proposal in this CAP is the third that we have considered as a means of
-fixing the problems described in the "Motivation" section. We record them here
+fixing the problems described in the "Motivation" section. We record them here
to motivate the proposal that we later settled on for this CAP.
#### Deferring ledger time update until after applying transactions
The first idea was to change the point at which the current ledger header's
`closeTime` was updated from before transactions are applied to afterwards.
-(Ledger `upgrades` are already performed after transaction applies.) This
-would prevent an increase in the `closeTime` brought about by candidates other
-than the one whose transaction set was selected from causing transactions to
-fail (it would not occur until after they had been applied). However, this
-raised the concern that sometimes transactions would be applied despite having
+(Ledger `upgrades` are already performed after transaction applies.) This would
+prevent an increase in the `closeTime` brought about by candidates other than
+the one whose transaction set was selected from causing transactions to fail
+(it would not occur until after they had been applied). However, this raised
+the concern that sometimes transactions would be applied despite having
expiration times earlier than the close time of the ledger in which they were
-committed -- and there would not even be any bound on how large the gap
-between those times might be. This CAP maintains the invariant that if a
-transaction is applied, the close time of the ledger in which it is applied
-falls within the time bounds of the transaction.
+committed -- and there would not even be any bound on how large the gap between
+those times might be. This CAP maintains the invariant that if a transaction is
+applied, the close time of the ledger in which it is applied falls within the
+time bounds of the transaction.
#### Trimming transactions rendered expired by combining nominated candidates
The second idea was to remove transactions from the composited transaction set
-selected by the combine-candidates code in the nomination protocol, based on the
-(maximal) `closeTime` just selected by that code. However, that would seem to
-have opened up a new denial-of-service attack on the ledger:
-an attacker could create large numbers of transactions with very high fees,
-making it likely that they would be accepted into transaction sets, but with
-extremely short expiration times, that would almost certainly come before the
-next ledger close. They could therefore fill up the transaction sets with
-such transactions, yet avoid the transaction fees (the transactions would be
-trimmed by the new code before fees were charged), leaving the transaction
-sets produced by the nomination protocol with little or no room for legitimate
+selected by the combine-candidates code in the nomination protocol, based on
+the (maximal) `closeTime` just selected by that code. However, that would seem
+to have opened up a new denial-of-service attack on the ledger: an attacker
+could create large numbers of transactions with very high fees, making it
+likely that they would be accepted into transaction sets, but with extremely
+short expiration times, that would almost certainly come before the next ledger
+close. They could therefore fill up the transaction sets with such
+transactions, yet avoid the transaction fees (the transactions would be trimmed
+by the new code before fees were charged), leaving the transaction sets
+produced by the nomination protocol with little or no room for legitimate
transactions.
### Reflections on rejected alternatives
@@ -474,15 +480,15 @@ changes to transaction set composition and validity in the earliest protocol
phases possible", note that from the first rejected alternative, to the second
rejected alternative, to the proposal in this CAP, the phase of the protocol at
which we have considered placing the new trimming and validating code has moved
-earlier at each step. The "detailed argument in favor" of this CAP also
+earlier at each step. The "detailed argument in favor" of this CAP also
proceeded change-by-change in order from earlier to later phases of the
consensus protocol.
### Aside: Changing the combining of `upgrades` is feasible, but unnecessary
Considering the `closeTime`-related changes in this CAP also raised a further
-discussion: because the `SIGNED` `StellarValue`, besides the transaction set and
-close time, also contains a set of ledger `upgrades`, we could choose
+discussion: because the `SIGNED` `StellarValue`, besides the transaction set
+and close time, also contains a set of ledger `upgrades`, we could choose
additionally to change `upgrades` to come from the single selected
`StellarValue` rather than being combined in a way similar to the `closeTime`s,
as they are in the current protocol.
@@ -503,14 +509,14 @@ combinations of parameter changes would be insensible, then it might no longer
make sense just to combine each parameter individually -- the simple union of
individual changes could produce a result which was inconsistent. In that case,
the right way to combine them consistently would become ambiguous; there could
-be multiple options of which none would include all candidate parameter changes.
-Choosing the best single nominated set of upgrades might be the simplest way
-of choosing a consistent composite of all candidate upgrades.
+be multiple options of which none would include all candidate parameter
+changes. Choosing the best single nominated set of upgrades might be the
+simplest way of choosing a consistent composite of all candidate upgrades.
Overall, changing the selection of `upgrades` to match that of `closeTime`
could be said to make the resulting protocol simpler -- but it would make the
change for the CAP more complicated, and we haven't found any clear benefit to
-making that further change. (We did start with and do some testing of an
+making that further change. (We did start with and do some testing of an
implementation that also changed `upgrades` selection, but in the latest
implementation we have undone that part and are changing only `closeTime`.)
@@ -519,9 +525,9 @@ implementation we have undone that part and are changing only `closeTime`.)
Semantic changes resulting from this CAP we hope to be limited to the
correction of undesirable aspects of the current protocol, such as the
potential inconsistency of smart contract behavior described in the
-"Motivation", and not on any aspects of the protocol that well-behaved
-clients could be _relying_ on (a well-behaved client should not _rely_ on a
-potentially harmful race happening!).
+"Motivation", and not on any aspects of the protocol that well-behaved clients
+could be _relying_ on (a well-behaved client should not _rely_ on a potentially
+harmful race happening!).
## Security Concerns
@@ -531,44 +537,43 @@ then rejected, as described above in the "Design Rationale".
## Test Cases
-- A test is added to confirm that when a node selects a `StellarValue`
-to nominate, it trims from the selected transaction set precisely those
-transactions which would be invalid according to the `closeTime` in that
-`StellarValue`, and no others (in previous protocol versions, it should
-continue to trim those which are invalid according to the last ledger close
-time).
-
-- A test is added to confirm that nominated `StellarValue`s are checked
-for internal consistency between their close times and transaction sets --
-that is, that they contain no transactions which are invalid according to
-their own close times (a nominated `StellarValue` that does not meet that
-condition should be rejected by other nodes). (In old protocols, transactions
-in a nominated `StellarValue` are checked for validity against the last ledger
-close time.)
-
-- A test is added to confirm that the new code which builds upon PR 2608
-to allow a client to choose the `closeTime` to compare with a transaction's
-`minTime` correctly alters which transactions are considered `txTOO_EARLY` and
-which are not. (PR 2608 introduced the option for clients to choose a
-`closeTime` other than the last ledger close time to compare with a
-transaction's `maxTime` when determining which transactions are considered
-`txTOO_LATE`.)
+- A test is added to confirm that when a node selects a `StellarValue` to
+ nominate, it trims from the selected transaction set precisely those
+ transactions which would be invalid according to the `closeTime` in that
+ `StellarValue`, and no others (in previous protocol versions, it should
+ continue to trim those which are invalid according to the last ledger close
+ time).
+
+- A test is added to confirm that nominated `StellarValue`s are checked for
+ internal consistency between their close times and transaction sets -- that
+ is, that they contain no transactions which are invalid according to their
+ own close times (a nominated `StellarValue` that does not meet that condition
+ should be rejected by other nodes). (In old protocols, transactions in a
+ nominated `StellarValue` are checked for validity against the last ledger
+ close time.)
+
+- A test is added to confirm that the new code which builds upon PR 2608 to
+ allow a client to choose the `closeTime` to compare with a transaction's
+ `minTime` correctly alters which transactions are considered `txTOO_EARLY`
+ and which are not. (PR 2608 introduced the option for clients to choose a
+ `closeTime` other than the last ledger close time to compare with a
+ transaction's `maxTime` when determining which transactions are considered
+ `txTOO_LATE`.)
- The existing test for the compositing/combining function, which confirms that
-a set of candidate `StellarValue`s produces the expected composited `closeTime`,
-changes in three ways:
-
- - It tests that old protocols continue to behave the same way, but that
- in new protocol versions, the composited `closeTime` is simply that of the
- `StellarValue` containing the best transaction set, not the maximum
- `closeTime` of all candidates.
+ a set of candidate `StellarValue`s produces the expected composited
+ `closeTime`, changes in three ways:
+ - It tests that old protocols continue to behave the same way, but that in
+ new protocol versions, the composited `closeTime` is simply that of the
+ `StellarValue` containing the best transaction set, not the maximum
+ `closeTime` of all candidates.
- It is enhanced to test for expected `upgrades` as well (but these should
- behave the same between old and new protocols; it just checks that the
- new protocol doesn't accidentally change this).
+ behave the same between old and new protocols; it just checks that the new
+ protocol doesn't accidentally change this).
- It tests that old nomination protocols produce `BASIC` `StellarValue`s, but
- new nomination protocols produce `SIGNED` ones.
+ new nomination protocols produce `SIGNED` ones.
- The existing tests which check that the `StellarValue` produced by the
nomination protocol has the correct type changes to expect `BASIC`
@@ -577,11 +582,11 @@ changes in three ways:
## Implementation
-An implementation of this protocol has been written, which as far as the
-author knows is complete and correct in its semantics; it will certainly need
+An implementation of this protocol has been written, which as far as the author
+knows is complete and correct in its semantics; it will certainly need
refactoring, but it might constitute a demonstration of the practicality of
-implementing this proposal, and of a bound on the scope of the changes required,
-as well as a way of experimenting with its consequences:
+implementing this proposal, and of a bound on the scope of the changes
+required, as well as a way of experimenting with its consequences:
[Closetime change branch](https://github.com/rokopt/stellar-core/tree/proto-622-closetime)
@@ -590,28 +595,28 @@ The changes therein are limited to stellar-core, and comprise the following:
- The protocol version is bumped (currently anticipated to be to 14).
- The herder's choice of which transactions to include in the transaction set
-that it is going to nominate to depend, in new protocols only, on the close
-time that it is going to nominate, rather than (as in the current unreleased
-code) an estimate of when the next ledger is likely to close or (as in the
-released code) the last ledger close time.
+ that it is going to nominate to depend, in new protocols only, on the close
+ time that it is going to nominate, rather than (as in the current unreleased
+ code) an estimate of when the next ledger is likely to close or (as in the
+ released code) the last ledger close time.
- The herder's validation of `StellarValue`s nominated by other nodes changes
-to expect, in new protocols only, that values used by the ballot protocol
-are `SIGNED`.
+ to expect, in new protocols only, that values used by the ballot protocol are
+ `SIGNED`.
- The herder's validation of `StellarValue`s nominated by other nodes changes
-which `closeTime` to validate the transactions in the `StellarValue` against
-from the last ledger close time to the `closeTime` in the `StellarValue`.
+ which `closeTime` to validate the transactions in the `StellarValue` against
+ from the last ledger close time to the `closeTime` in the `StellarValue`.
- The herder's compositing of candidate `StellarValue`s into a single value to
-nominate, in new protocols only (it preserves its old behavior in old
-protocols), changes in the following ways:
-
+ nominate, in new protocols only (it preserves its old behavior in old
+ protocols), changes in the following ways:
- It chooses a composited `closeTime` directly from the `StellarValue`
- containing the selected transaction set. In particular, it does not need
- any trimming of the selected transaction set. (That set should already be
- consistent with `closeTime`, since it came from one nominated `StellarValue`,
- which the herder has already validated by the time it composites them.)
+ containing the selected transaction set. In particular, it does not need
+ any trimming of the selected transaction set. (That set should already be
+ consistent with `closeTime`, since it came from one nominated
+ `StellarValue`, which the herder has already validated by the time it
+ composites them.)
- It returns `SIGNED` `StellarValue`s.
diff --git a/core/cap-0035.md b/core/cap-0035.md
index 9654ea599..8e13afca4 100644
--- a/core/cap-0035.md
+++ b/core/cap-0035.md
@@ -17,54 +17,61 @@ Protocol version: 17
## Simple Summary
-This proposal provides the Issuer with a means to clawback (and reissue if desired)
-assets in order to support regulatory requirements. This function can be used to:
+This proposal provides the Issuer with a means to clawback (and reissue if
+desired) assets in order to support regulatory requirements. This function can
+be used to:
-1) recover assets that have been fraudulently obtained
-2) respond to regulatory actions, if required
-3) enable identity proofed persons to recover an enabled asset
-in the event of loss of key custody or theft.
+1. recover assets that have been fraudulently obtained
+2. respond to regulatory actions, if required
+3. enable identity proofed persons to recover an enabled asset in the event of
+ loss of key custody or theft.
-The proposal does not involve shared
-custody of the person’s account and does not affect custody of bearer assets in
-the persons account.
+The proposal does not involve shared custody of the person’s account and does
+not affect custody of bearer assets in the persons account.
## Working Group
-This protocol change was initially authored by Dan Doney and Tomer Weller. The working group include other authors and the consulted persons include key individuals familiar with the implementation of the core protocol and maintainers of Horizon and its SDKs.
+This protocol change was initially authored by Dan Doney and Tomer Weller. The
+working group include other authors and the consulted persons include key
+individuals familiar with the implementation of the core protocol and
+maintainers of Horizon and its SDKs.
## Motivation
-In order to meet securities regulatory requirements in many jurisdictions globally,
-the issuer (or designated transfer agent) must be able to demonstrate the ability
-to revoke assets in the event of a mistaken or fraudulent transaction or other
-regulatory action regarding a specific person or asset wide. To receive approval,
-the Issuer must demonstrate the ability to perform this action with or without the
-permission of the affected person. Unlike approaches that involve multiple
-signatures on the person’s wallet (brokerage clawback), this approach does not
-compromise the custody of other assets in the person’s wallet. Additionally, this
-approach is an improvement over an approach that invalidates the trustline. While
-trustline invalidation freezes assets, tokens (asset shares) remain in circulation
-compromising accounting models. The approach has other benefits to owners of the
-affected asset including the ability to recover assets if wallet custody is lost
-including the important business continuity mitigations in the loss of control of
-custodial or omnibus account.
-Ex: https://www.ccn.com/190m-gone-how-canada-biggest-bitcoin-exchange-lost-it/
+In order to meet securities regulatory requirements in many jurisdictions
+globally, the issuer (or designated transfer agent) must be able to demonstrate
+the ability to revoke assets in the event of a mistaken or fraudulent
+transaction or other regulatory action regarding a specific person or asset
+wide. To receive approval, the Issuer must demonstrate the ability to perform
+this action with or without the permission of the affected person. Unlike
+approaches that involve multiple signatures on the person’s wallet (brokerage
+clawback), this approach does not compromise the custody of other assets in the
+person’s wallet. Additionally, this approach is an improvement over an approach
+that invalidates the trustline. While trustline invalidation freezes assets,
+tokens (asset shares) remain in circulation compromising accounting models. The
+approach has other benefits to owners of the affected asset including the
+ability to recover assets if wallet custody is lost including the important
+business continuity mitigations in the loss of control of custodial or omnibus
+account. Ex:
+https://www.ccn.com/190m-gone-how-canada-biggest-bitcoin-exchange-lost-it/
### Goals Alignment
+
This CAP is aligned with the following Stellar Network Goals:
- The Stellar Network should be secure and reliable.
-- The Stellar Network should enable cross-border payments, i.e. payments via
-exchange of assets, throughout the globe, enabling users to make payments between
-assets in a manner that is fast, cheap, and highly usable.
+- The Stellar Network should enable cross-border payments, i.e. payments via
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.
## Abstract
+
This proposal introduces new operations `ClawbackOp`,
`ClawbackClaimableBalanceOp`, and `SetTrustLineFlagsOp`, a new account flag
-`AUTH_CLAWBACK_ENABLED_FLAG`, a new trustline flag `TRUSTLINE_CLAWBACK_ENABLED_FLAG`,
-and a new claimable balance flag `CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG`.
+`AUTH_CLAWBACK_ENABLED_FLAG`, a new trustline flag
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG`, and a new claimable balance flag
+`CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG`.
The `AUTH_CLAWBACK_ENABLED_FLAG` flag on the issuing account must be set when a
trustline is created to authorize a `ClawbackOp` operation submitted by the
@@ -72,9 +79,9 @@ issuer account.
A claimable balance inherits its clawback enabled status from the account
creating the claimable balance. A `ClawbackClaimableBalanceOp` operation is
-valid for claimable balances created by accounts whose trustline for the
-asset has clawback enabled, and for claimable balances created by an issuer
-account when the issuer account has clawback enabled.
+valid for claimable balances created by accounts whose trustline for the asset
+has clawback enabled, and for claimable balances created by an issuer account
+when the issuer account has clawback enabled.
The `ClawbackOp` and `ClawbackClaimableBalanceOp` operations result in the
removal of the specified assets issued from the network.
@@ -88,14 +95,15 @@ The `ClawbackOp` may result in revocation of some or all of the specified
assets from the designated account based on the amount provided in the
operation.
-The `SetTrustLineFlagsOp` allows the user to set and clear specific trustline
+The `SetTrustLineFlagsOp` allows the user to set and clear specific trustline
flags. This operation can be used to unset `TRUSTLINE_CLAWBACK_ENABLED_FLAG`.
## Specification
### XDR changes
-This patch of XDR changes is based on the XDR files in tag/commit `v15.1.0` (`90b2780584c6390207bf09291212d606896ce9f8`) of [stellar-core].
+This patch of XDR changes is based on the XDR files in tag/commit `v15.1.0`
+(`90b2780584c6390207bf09291212d606896ce9f8`) of [stellar-core].
```diff mddiffcheck.base=v15.1.0
diff --git a/src/xdr/Stellar-ledger-entries.x b/src/xdr/Stellar-ledger-entries.x
@@ -105,7 +113,7 @@ index 8d7463915..26ff33d43 100644
@@ -28,6 +28,17 @@ enum AssetType
ASSET_TYPE_CREDIT_ALPHANUM12 = 2
};
-
+
+union AssetCode switch (AssetType type)
+{
+case ASSET_TYPE_CREDIT_ALPHANUM4:
@@ -131,11 +139,11 @@ index 8d7463915..26ff33d43 100644
+ // with clawback enabled set to "true"
+ AUTH_CLAWBACK_ENABLED_FLAG = 0x8
};
-
+
// mask for all valid flags
const MASK_ACCOUNT_FLAGS = 0x7;
+const MASK_ACCOUNT_FLAGS_V16 = 0xF;
-
+
// maximum number of signers
const MAX_SIGNERS = 20;
@@ -187,12 +203,16 @@ enum TrustLineFlags
@@ -148,18 +156,18 @@ index 8d7463915..26ff33d43 100644
+ // balances created with its credit may also be clawed back
+ TRUSTLINE_CLAWBACK_ENABLED_FLAG = 4
};
-
+
// mask for all trustline flags
const MASK_TRUSTLINE_FLAGS = 1;
const MASK_TRUSTLINE_FLAGS_V13 = 3;
+const MASK_TRUSTLINE_FLAGS_V16 = 7;
-
+
struct TrustLineEntry
{
@@ -337,6 +357,27 @@ case CLAIMABLE_BALANCE_ID_TYPE_V0:
Hash v0;
};
-
+
+enum ClaimableBalanceFlags
+{
+ // If set, the issuer account of the asset held by the claimable balance may
@@ -207,7 +215,7 @@ index 7f08d7579..3c2b1f0be 100644
+ CLAWBACK_CLAIMABLE_BALANCE = 20,
+ SET_TRUST_LINE_FLAGS = 21
};
-
+
/* CreateAccount
@@ -236,20 +239,9 @@ struct ChangeTrustOp
struct AllowTrustOp
@@ -222,7 +230,7 @@ index 7f08d7579..3c2b1f0be 100644
- case ASSET_TYPE_CREDIT_ALPHANUM12:
- AssetCode12 assetCode12;
+ AssetCode asset;
-
+
- // add other asset types here in the future
- }
- asset;
@@ -231,11 +239,11 @@ index 7f08d7579..3c2b1f0be 100644
+ // 0, or any bitwise combination of the AUTHORIZED_* flags of TrustLineFlags
uint32 authorize;
};
-
+
@@ -376,6 +368,48 @@ case REVOKE_SPONSORSHIP_SIGNER:
signer;
};
-
+
+/* Claws back an amount of an asset from an account
+
+ Threshold: med
@@ -302,12 +310,12 @@ index 7f08d7579..3c2b1f0be 100644
+ SET_OPTIONS_INVALID_HOME_DOMAIN = -9, // malformed home domain
+ SET_OPTIONS_AUTH_REVOCABLE_REQUIRED = -10 // auth revocable is required for clawback
};
-
+
union SetOptionsResult switch (SetOptionsResultCode code)
@@ -1120,6 +1161,71 @@ default:
void;
};
-
+
+/******* Clawback Result ********/
+
+enum ClawbackResultCode
@@ -395,9 +403,9 @@ index 7f08d7579..3c2b1f0be 100644
Clawback operates similar to auth revocation in that it takes an amount of the
asset out of active circulation by preventing the account from using it on the
-network. Auth revocation freezes the full balance of an asset in an account, but
-clawback provides fine grain control and allows the issuer to take out of the
-account and destroy a specific amount of the asset.
+network. Auth revocation freezes the full balance of an asset in an account,
+but clawback provides fine grain control and allows the issuer to take out of
+the account and destroy a specific amount of the asset.
In order to execute a clawback of an amount in an account, an issuer account
must have its `AUTH_CLAWBACK_ENABLED_FLAG` flag set when the account holding
@@ -417,15 +425,14 @@ must have been created by an account that has clawback enabled on its
trustline.
In order to execute a clawback of a claimable balance created by an issuer
-account, the claimable balance must have been created when clawback was
-enabled on the issuer account.
+account, the claimable balance must have been created when clawback was enabled
+on the issuer account.
#### Account
-This proposal introduces a new flag to accounts,
-`AUTH_CLAWBACK_ENABLED_FLAG`. When the flag is set, trustlines created to the
-account inherit the flag and the balances within those trustlines may be
-clawed back by the issuer.
+This proposal introduces a new flag to accounts, `AUTH_CLAWBACK_ENABLED_FLAG`.
+When the flag is set, trustlines created to the account inherit the flag and
+the balances within those trustlines may be clawed back by the issuer.
An account may set or unset the flag using the existing `SetOptionsOp`
operation, unless the `AUTH_IMMUTABLE_FLAG` flag is set, in the same way that
@@ -433,13 +440,14 @@ existing `AUTH_*` flags may be set or unset unless the immutable flag is set.
#### Trustline
-This proposal introduces a new flag to trustlines, `TRUSTLINE_CLAWBACK_ENABLED_FLAG`,
-that is set at the time the trustline is created if the issuer account of the
-asset of the trustline has its `AUTH_CLAWBACK_ENABLED_FLAG` flag set.
+This proposal introduces a new flag to trustlines,
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG`, that is set at the time the trustline is
+created if the issuer account of the asset of the trustline has its
+`AUTH_CLAWBACK_ENABLED_FLAG` flag set.
-If the new flag is set it indicates that the balance held by the trustline
-can be clawed back by the issuer using the `ClawbackOp`, and that any
-claimable balance created by the account will also be clawback enabled.
+If the new flag is set it indicates that the balance held by the trustline can
+be clawed back by the issuer using the `ClawbackOp`, and that any claimable
+balance created by the account will also be clawback enabled.
#### Claimable Balance
@@ -447,14 +455,14 @@ This proposal introduces the first flag to claimable balances,
`CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG`.
The `CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` flag is set at the time the
-claimable balance is created if the account creating the claimable balance
-has `TRUSTLINE_CLAWBACK_ENABLED_FLAG` set on the trustline of the asset of
-the claimable balance.
+claimable balance is created if the account creating the claimable balance has
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG` set on the trustline of the asset of the
+claimable balance.
If an issuer account creates a claimable balance for an asset it issues, the
-`CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` flag is set at the time the
-claimable balance is created if the issuer account creating the claimable
-balance has `AUTH_CLAWBACK_ENABLED` set.
+`CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` flag is set at the time the claimable
+balance is created if the issuer account creating the claimable balance has
+`AUTH_CLAWBACK_ENABLED` set.
If the new flag is set it indicates that the balance held by the claimable
balance can be clawed back by the issuer using the
@@ -463,49 +471,51 @@ balance can be clawed back by the issuer using the
#### Allow Trust Operation
This proposal introduces no changes to the `AllowTrustOp` operation XDR, but
-the operation will not accept the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` as a valid flag
-that it will operate. The definition of what flags the operation supports
+the operation will not accept the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` as a valid
+flag that it will operate. The definition of what flags the operation supports
will be limited to `AUTHORIZED_*` flags. When applying new flags to accounts
the operation will not change the `TRUSTLINE_CLAWBACK_ENABLED_FLAG`.
-If an `AllowTrustOp` operation is submitted with the `TRUSTLINE_CLAWBACK_ENABLED_FLAG`
-set, the operation will fail with the existing result code
-`ALLOW_TRUST_MALFORMED`.
+If an `AllowTrustOp` operation is submitted with the
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG` set, the operation will fail with the
+existing result code `ALLOW_TRUST_MALFORMED`.
#### Set Options Operation
This proposal introduces a new result code to the `SetOptionsOp` operation XDR,
-which will be returned if `AUTH_REVOCABLE_FLAG` flag is not set whenever the
+which will be returned if `AUTH_REVOCABLE_FLAG` flag is not set whenever the
`AUTH_CLAWBACK_ENABLED_FLAG` flag is set.
This introduces a failing result in these cases:
1. Setting only `AUTH_CLAWBACK_ENABLED_FLAG` without `AUTH_REVOCABLE_FLAG`
-already set will result in `SET_OPTIONS_AUTH_REVOCABLE_REQUIRED`.
+ already set will result in `SET_OPTIONS_AUTH_REVOCABLE_REQUIRED`.
2. Clearing `AUTH_REVOCABLE_FLAG` while `AUTH_CLAWBACK_ENABLED_FLAG` is set
-will result in `SET_OPTIONS_AUTH_REVOCABLE_REQUIRED`.
+ will result in `SET_OPTIONS_AUTH_REVOCABLE_REQUIRED`.
#### Clawback Operation
-This proposal introduces the `ClawbackOp` operation. The `ClawbackOp`
-operation reduces the balance of the asset in the account by the specified
-amount of the specific `asset` from the `from` account, returning it to the
-issuer account, burning it.
+This proposal introduces the `ClawbackOp` operation. The `ClawbackOp` operation
+reduces the balance of the asset in the account by the specified amount of the
+specific `asset` from the `from` account, returning it to the issuer account,
+burning it.
Similar to other operations the clawback operation will fail if the account
balance is less than the amount specified when accounting for selling
liabilities. If clawback is required of asset amounts locked up with selling
liabilities then the issuer may use the `AllowTrustOp` operation to revoke
authorization of the trustline, which will cancel any existing ledger entries
-creating selling liabilities, such as offers, and issue the `ClawbackOp` in
-the same transaction. If the issuer wishes to allow the `from` account to
-continue utilizing the asset it can include another `AllowTrustOp` after the
+creating selling liabilities, such as offers, and issue the `ClawbackOp` in the
+same transaction. If the issuer wishes to allow the `from` account to continue
+utilizing the asset it can include another `AllowTrustOp` after the
`ClawbackOp` to authorize the account once again.
The clawback operation requires a medium threshold signature to authorize the
operation.
-`CLAWBACK_MALFORMED` will be returned for `ClawbackOp` during validation under the following conditions:
+`CLAWBACK_MALFORMED` will be returned for `ClawbackOp` during validation under
+the following conditions:
+
- `asset` is native.
- `asset` value is invalid.
- `asset.issuer` != source account
@@ -513,18 +523,20 @@ operation.
- `from` == source account
Possible return values for the `ClawbackOp` during application are:
+
- `CLAWBACK_SUCCESS` if the clawback is successful.
-- `CLAWBACK_NOT_CLAWBACK_ENABLED` if the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` is not set.
+- `CLAWBACK_NOT_CLAWBACK_ENABLED` if the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` is
+ not set.
- `CLAWBACK_NO_TRUST` if the `from` account does not have a trustline for
-`asset`.
+ `asset`.
- `CLAWBACK_UNDERFUNDED` if the `from` account does not have sufficient
-available balance of `asset` after accounting for selling liabilities.
+ available balance of `asset` after accounting for selling liabilities.
#### Clawback Claimable Balance Operation
This proposal introduces the `ClawbackClaimableBalanceOp` operation. The
-`ClawbackClaimableBalanceOp` operation destroys a claimable balance,
-returning the asset to the issuer account, burning it.
+`ClawbackClaimableBalanceOp` operation destroys a claimable balance, returning
+the asset to the issuer account, burning it.
The operation will only succeed if the claimable balance has its
`CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` set.
@@ -532,8 +544,7 @@ The operation will only succeed if the claimable balance has its
The operation source account must be the issuer account of the asset held in
the claimable balance.
-The operation requires a medium threshold signature to authorize the
-operation.
+The operation requires a medium threshold signature to authorize the operation.
The operation introduces no new or unique behavior to how sponsored reserves
function. When the operation applies, removing the claimable balance ledger
@@ -542,28 +553,33 @@ same way it is freed when any sponsored ledger entry is removed.
`ClawbackClaimableBalanceOp` is always valid.
-Possible return values for the `ClawbackClaimableBalanceOp` during application are:
+Possible return values for the `ClawbackClaimableBalanceOp` during application
+are:
+
- `CLAWBACK_CLAIMABLE_BALANCE_SUCCESS` if the clawback is successful.
-- `CLAWBACK_CLAIMABLE_BALANCE_DOES_NOT_EXIST` if the claimable balance does
-not exist.
-- `CLAWBACK_CLAIMABLE_BALANCE_NOT_ISSUER` if the source account is the not
-the issuer of the `asset`.
+- `CLAWBACK_CLAIMABLE_BALANCE_DOES_NOT_EXIST` if the claimable balance does not
+ exist.
+- `CLAWBACK_CLAIMABLE_BALANCE_NOT_ISSUER` if the source account is the not the
+ issuer of the `asset`.
- `CLAWBACK_CLAIMABLE_BALANCE_NOT_CLAWBACK_ENABLED` if the
-`CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` is not set.
+ `CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` is not set.
#### Set TrustLine Flags Operation
-This proposal introduces the `SetTrustLineFlagsOp` operation. The operation works
-like the `AllowTrustOp`, except it uses set and clear parameters to set/clear specific
-trustline flags. This will allow an issuer to clear the `TRUSTLINE_CLAWBACK_ENABLED_FLAG`.
-An important detail to note here is that `SetTrustLineFlagsOp` will mimic the changes to `AllowTrustOp`
-specified in [CAP-0029](https://github.com/stellar/stellar-protocol/blob/master/core/cap-0029.md).
+This proposal introduces the `SetTrustLineFlagsOp` operation. The operation
+works like the `AllowTrustOp`, except it uses set and clear parameters to
+set/clear specific trustline flags. This will allow an issuer to clear the
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG`. An important detail to note here is that
+`SetTrustLineFlagsOp` will mimic the changes to `AllowTrustOp` specified in
+[CAP-0029](https://github.com/stellar/stellar-protocol/blob/master/core/cap-0029.md).
-The operation requires a low threshold signature to authorize the
-operation.
+The operation requires a low threshold signature to authorize the operation.
+
+`SET_TRUST_LINE_FLAGS_MALFORMED` will be returned for `SetTrustLineFlagsOp`
+during validation under the following conditions:
-`SET_TRUST_LINE_FLAGS_MALFORMED` will be returned for `SetTrustLineFlagsOp` during validation under the following conditions:
-- Both `AUTHORIZED_FLAG` and `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` are set on `setFlags`.
+- Both `AUTHORIZED_FLAG` and `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` are set
+ on `setFlags`.
- `asset` is invalid.
- `asset` is `ASSET_TYPE_NATIVE`.
- `setFlags` and `clearFlags` are modifying the same flags.
@@ -573,76 +589,78 @@ operation.
- `asset.issuer` != source account
Possible return values for the `SetTrustLineFlagsOp` during application are:
+
- `SET_TRUST_LINE_FLAGS_SUCCESS` if the operation is successful.
- `SET_TRUST_LINE_FLAGS_NO_TRUST_LINE` if the trustline doesn't exist.
-- `SET_TRUST_LINE_FLAGS_CANT_REVOKE` if `AUTH_REVOCABLE_FLAG` is not set on the issuer,
- but the authorization is downgraded (`AUTHORIZED_FLAG` -> `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG`, `AUTHORIZED_FLAG` -> 0,
- or `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` -> 0).
-- `SET_TRUST_LINE_FLAGS_INVALID_STATE` if the final state of the trustline flag has both
- `AUTHORIZED_FLAG` and `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` set.
+- `SET_TRUST_LINE_FLAGS_CANT_REVOKE` if `AUTH_REVOCABLE_FLAG` is not set on the
+ issuer, but the authorization is downgraded (`AUTHORIZED_FLAG` ->
+ `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG`, `AUTHORIZED_FLAG` -> 0, or
+ `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` -> 0).
+- `SET_TRUST_LINE_FLAGS_INVALID_STATE` if the final state of the trustline flag
+ has both `AUTHORIZED_FLAG` and `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` set.
## Design Rationale
In the event of regulatory action, erroneous transaction, or loss of custody,
-the issuer may conduct a clawback transaction if the appropriate flags are
-set. In the event of loss of custody, the affected party would need to
-demonstrate they are the rightful owner of the account (usually through
-reproofing KYC credentials or otherwise authenticating). On obtaining this
-proof, the issuer could execute a clawback from the lost account followed by a
-subsequent payment to a separate account under control of the affected party.
-Needless to say, executing a reallocation is a significant responsibility and
-in many cases should be reserved for licensed entities (like a transfer agent)
-holding the issuer credentials and aware of responsibilities under the law of
-the jurisdiction of the affected party and asset.
-
+the issuer may conduct a clawback transaction if the appropriate flags are set.
+In the event of loss of custody, the affected party would need to demonstrate
+they are the rightful owner of the account (usually through reproofing KYC
+credentials or otherwise authenticating). On obtaining this proof, the issuer
+could execute a clawback from the lost account followed by a subsequent payment
+to a separate account under control of the affected party. Needless to say,
+executing a reallocation is a significant responsibility and in many cases
+should be reserved for licensed entities (like a transfer agent) holding the
+issuer credentials and aware of responsibilities under the law of the
+jurisdiction of the affected party and asset.
+
### Flags
The account `AUTH_CLAWBACK_ENABLED_FLAG` flag allows the issuer to indicate
-that it has control over the use of the asset on the network. By including
-the flag in account flags, account owners may review the revocability of an
-asset issued by the issuer and have the choice to avoid this type of asset if
-they object to the implied trust in the issuer.
-
-The account `AUTH_REVOCABLE_FLAG` flag must also be set because for clawback
-to succeed in all cases that an account holds an asset, the issuer must be
-able to revoke authorization to release any offers creating selling
-liabilities with the asset. If an issuer enables clawback but not
-`AUTH_REVOCABLE_FLAG` it will likely be oversight.
-
-By setting the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` flag on the trustline, account owners
-have confidence that the clawback feature may not be enabled if it was not
-enabled when they created their trustline.
-
-By setting the `CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` flag on the claimable balance
-based on the state of the trustline of the account creating the claimable balance,
-account owners have confidence that the clawback feature may not be enabled
-for claimable balances they create if it was not enabled when they created
-their trustline.
+that it has control over the use of the asset on the network. By including the
+flag in account flags, account owners may review the revocability of an asset
+issued by the issuer and have the choice to avoid this type of asset if they
+object to the implied trust in the issuer.
+
+The account `AUTH_REVOCABLE_FLAG` flag must also be set because for clawback to
+succeed in all cases that an account holds an asset, the issuer must be able to
+revoke authorization to release any offers creating selling liabilities with
+the asset. If an issuer enables clawback but not `AUTH_REVOCABLE_FLAG` it will
+likely be oversight.
+
+By setting the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` flag on the trustline, account
+owners have confidence that the clawback feature may not be enabled if it was
+not enabled when they created their trustline.
+
+By setting the `CLAIMABLE_BALANCE_CLAWBACK_ENABLED_FLAG` flag on the claimable
+balance based on the state of the trustline of the account creating the
+claimable balance, account owners have confidence that the clawback feature may
+not be enabled for claimable balances they create if it was not enabled when
+they created their trustline.
### Threshold
The clawback operations require a medium threshold signature because they are
-changing the balance of accounts and changing the states of claimable
-balances and is more aligned with impact of a payment operation than an allow
-trust operation.
+changing the balance of accounts and changing the states of claimable balances
+and is more aligned with impact of a payment operation than an allow trust
+operation.
-`SetTrustLineFlagsOp` requires a low threshold signature because `AllowTrustOp`,
-the other operation that allows one to modify trustline flags, requires a low
-threshold as well.
+`SetTrustLineFlagsOp` requires a low threshold signature because
+`AllowTrustOp`, the other operation that allows one to modify trustline flags,
+requires a low threshold as well.
### Claimable Balances
Claimable balances are immutable and so any functionality to clawback a
-claimable balance is all or nothing. The clawback feature of claimable
-balances is proposed with a flag so that it is explicit when a claimable
-balance can be clawed back. The flag state is inherited from the trustline of
-the account creating the claimable balance to ensure that the balance
-controlled by the account holder does not change clawback enabled status when
-moving between account and claimable balances.
+claimable balance is all or nothing. The clawback feature of claimable balances
+is proposed with a flag so that it is explicit when a claimable balance can be
+clawed back. The flag state is inherited from the trustline of the account
+creating the claimable balance to ensure that the balance controlled by the
+account holder does not change clawback enabled status when moving between
+account and claimable balances.
A separate operation is specified to ensure that clawback is transparent and
-highly visible in comparison to routine claiming of a claimable balance and
-to allow issuers that use claimable balances routinely to distinguish between
+highly visible in comparison to routine claiming of a claimable balance and to
+allow issuers that use claimable balances routinely to distinguish between
claimable balances they can routinely claim and claimable balances they may
clawback.
@@ -655,76 +673,80 @@ of a trustline is not possible in this case. By setting the
on the state of the issuer account flags when the issuer account creates a
claimable balance, the issuer account retains control to specify if claimable
balances it creates are clawed back. This is intuitive, but not overly
-flexible. Issuer accounts that need to create claimable balances with
-clawback disabled, but need to have clawback enabled for new trustlines, can
-create claimable balances via a second account that it allows to have a
-trustline that is clawback disabled.
-
+flexible. Issuer accounts that need to create claimable balances with clawback
+disabled, but need to have clawback enabled for new trustlines, can create
+claimable balances via a second account that it allows to have a trustline that
+is clawback disabled.
### Allow Trust Operation
-The `AllowTrustOp` is disallowed from operating on the new `TRUSTLINE_CLAWBACK_ENABLED_FLAG`
-trustline flag because this operation doesn't have a parameter to set/clear flags.
-It requires the user to be aware of existing flags, which is an operational burden.
+The `AllowTrustOp` is disallowed from operating on the new
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG` trustline flag because this operation doesn't
+have a parameter to set/clear flags. It requires the user to be aware of
+existing flags, which is an operational burden.
-A new operation, `SetTrustLineFlagsOp`, is proposed in this cap to make
-trustline flag modification simpler. Additionally the `AllowTrustOp` operation is
-semantically intended to change authorization and clawback is outside it's scope.
+A new operation, `SetTrustLineFlagsOp`, is proposed in this cap to make
+trustline flag modification simpler. Additionally the `AllowTrustOp` operation
+is semantically intended to change authorization and clawback is outside it's
+scope.
The `AllowTrustOp` is deprecated for `SetTrustLineFlagsOp`.
-
### Set TrustLine Flags Operation
-The `SetTrustLineFlagsOp` will make it easier for issuers to modify trustline flags.
-
-In the context of clawback, an issuer can clear the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` from a trustline
-without knowledge of the current state of the other flags. This is not possible with
-`AllowTrustOp` because it sets the trustline flags to the value passed in by `AllowTrustOp`.
-It is also not possible to add the existing flag to the `AllowTrustOp` operation without
-breaking existing users of that operation since they will not be expecting to include the
-current state of the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` in the flags field.
-
-Clearing the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` allows the issuer to create a clawback enabled asset,
-with a subset of trustlines that are not subject to clawback. The ability to clear flag will also
-allow an issuer to disable clawback on an asset entirely by removing `AUTH_CLAWBACK_ENABLED_FLAG`
-on its own account and clearing `TRUSTLINE_CLAWBACK_ENABLED_FLAG` from all existing trustlines to
-that asset.
-
+The `SetTrustLineFlagsOp` will make it easier for issuers to modify trustline
+flags.
+
+In the context of clawback, an issuer can clear the
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG` from a trustline without knowledge of the
+current state of the other flags. This is not possible with `AllowTrustOp`
+because it sets the trustline flags to the value passed in by `AllowTrustOp`.
+It is also not possible to add the existing flag to the `AllowTrustOp`
+operation without breaking existing users of that operation since they will not
+be expecting to include the current state of the
+`TRUSTLINE_CLAWBACK_ENABLED_FLAG` in the flags field.
+
+Clearing the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` allows the issuer to create a
+clawback enabled asset, with a subset of trustlines that are not subject to
+clawback. The ability to clear flag will also allow an issuer to disable
+clawback on an asset entirely by removing `AUTH_CLAWBACK_ENABLED_FLAG` on its
+own account and clearing `TRUSTLINE_CLAWBACK_ENABLED_FLAG` from all existing
+trustlines to that asset.
### Asset instead of AssetCode
-Both `SetTrustLineFlagsOp` and `ClawbackOp` use an `Asset` as a parameter instead of an `AssetCode`
-to defer the decision of who all future authorizers of the operation can be. The `Asset` includes
-the issuer account, where-as use of `AssetCode` would assume the source account is always the issuer
-account. In this proposal, only the issuer may authorize the operation. This decision makes it possible
-in a future proposal to expand the accounts that may be allowed to issue the operation.
+Both `SetTrustLineFlagsOp` and `ClawbackOp` use an `Asset` as a parameter
+instead of an `AssetCode` to defer the decision of who all future authorizers
+of the operation can be. The `Asset` includes the issuer account, where-as use
+of `AssetCode` would assume the source account is always the issuer account. In
+this proposal, only the issuer may authorize the operation. This decision makes
+it possible in a future proposal to expand the accounts that may be allowed to
+issue the operation.
## Protocol Upgrade Transition
### Backwards Incompatibilities
-The change does not have an affect on previous assets, accounts, or transaction
-structure. It should not cause a breaking change in existing implementations.
+The change does not have an affect on previous assets, accounts, or transaction
+structure. It should not cause a breaking change in existing implementations.
Pre-authorized, pre-signed, or pre-planned transactions that create accounts,
-and create claimable balances, using assets that become clawback enabled
-could fail if those transactions did not include the issuer account as a
-claimant.
+and create claimable balances, using assets that become clawback enabled could
+fail if those transactions did not include the issuer account as a claimant.
The `ClawbackOp` operation introduced is reversible meaning that their use if
reversed has no impact on existing pre-signed or pre-authorized transactions
involving the asset and the account that the clawback operates on.
-The `ClawbackClaimableBalanceOp` operation is not reversible meaning that
-after their use there is no way to recreate the destroyed claimable balance
-with the same identifier. Pre-signed or pre-authorized transactions that
-claim the claimable balance will have encoded its identifier. Authors of
-contracts or systems utilizing pre-signed or pre-authorized transactions can
-identify that assets may be clawed back by inspecting the flags of the
-account that will create the claimable balance and the the flags of the
-issuer to understand if the issuer could enable clawback on new accounts.
-
+The `ClawbackClaimableBalanceOp` operation is not reversible meaning that after
+their use there is no way to recreate the destroyed claimable balance with the
+same identifier. Pre-signed or pre-authorized transactions that claim the
+claimable balance will have encoded its identifier. Authors of contracts or
+systems utilizing pre-signed or pre-authorized transactions can identify that
+assets may be clawed back by inspecting the flags of the account that will
+create the claimable balance and the the flags of the issuer to understand if
+the issuer could enable clawback on new accounts.
+
### Resource Utilization
No substantial changes to resource utilization.
diff --git a/core/cap-0036.md b/core/cap-0036.md
index 1d68d6e1d..db18d5c77 100644
--- a/core/cap-0036.md
+++ b/core/cap-0036.md
@@ -19,12 +19,12 @@ Protocol version: TBD
This proposal provides the Issuer with a means to claim assets stored in
claimable balances in order to support regulatory requirements. This function
-can be used to:
+can be used to:
-1) recover assets that have been fraudulently obtained
-2) respond to regulatory actions, if required
-3) enable identity proofed persons to recover an enabled asset
-in the event of loss of key custody or theft.
+1. recover assets that have been fraudulently obtained
+2. respond to regulatory actions, if required
+3. enable identity proofed persons to recover an enabled asset in the event of
+ loss of key custody or theft.
The proposal does not involve shared custody of the person’s account and does
not affect custody of bearer assets in the persons account.
@@ -32,8 +32,8 @@ not affect custody of bearer assets in the persons account.
## Working Group
This protocol change is being developed in conjunction with CAP-35 which was
-initially by Dan Doney and Tomer Weller. The working group include other authors
-and the consulted persons include key individuals familiar with the
+initially by Dan Doney and Tomer Weller. The working group include other
+authors and the consulted persons include key individuals familiar with the
implementation of the core protocol and maintainers of Horizon and its SDKs.
## Motivation
@@ -46,28 +46,29 @@ This CAP is aligned with the following Stellar Network Goals:
- The Stellar Network should be secure and reliable.
-- The Stellar Network should enable cross-border payments, i.e. payments via
-exchange of assets, throughout the globe, enabling users to make payments between
-assets in a manner that is fast, cheap, and highly usable.
+- The Stellar Network should enable cross-border payments, i.e. payments via
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.
## Abstract
This proposal introduces a new `ClawbackClaimableBalanceOp` operation. The
`AUTH_RECOVERABLE` flag on the issuing account must be set to authorize a
-`ClawbackClaimableBalanceOp` operation submitted by the Issuing account. The
+`ClawbackClaimableBalanceOp` operation submitted by the Issuing account. The
`ClawbackClaimableBalanceOp` operation results in the claiming of a specific
-`ClaimableBalanceEntry`. The `ClawbackClaimableBalanceOp` operation only applies
-to assets issued by the source account. Assets that are revocable can be easily
-distinguished from traditional blockchain assets (bearer instruments) so that
-asset owners are aware of rights. The transaction results in revocation of all
-of the specified asset from the claimable balance and the claimable balance is
-destroyed as if it had been claimed by a claimaint.
+`ClaimableBalanceEntry`. The `ClawbackClaimableBalanceOp` operation only
+applies to assets issued by the source account. Assets that are revocable can
+be easily distinguished from traditional blockchain assets (bearer instruments)
+so that asset owners are aware of rights. The transaction results in revocation
+of all of the specified asset from the claimable balance and the claimable
+balance is destroyed as if it had been claimed by a claimaint.
## Specification
### XDR changes
-This patch of XDR changes is based on the XDR files as they are after the XDR changes from CAP-35 are applied.
+This patch of XDR changes is based on the XDR files as they are after the XDR
+changes from CAP-35 are applied.
```diff mddiffcheck.ignore=true
--- a/src/xdr/Stellar-transaction.x
@@ -80,12 +81,12 @@ This patch of XDR changes is based on the XDR files as they are after the XDR ch
+ CLAWBACK = 19,
+ CLAWBACK_CLAIMABLE_BALANCE = 20
};
-
+
/* CreateAccount
@@ -346,6 +347,17 @@ struct ClawbackOp
int64 amount;
};
-
+
+/* Claws back a claimable balance
+
+ Threshold: med
@@ -98,7 +99,7 @@ This patch of XDR changes is based on the XDR files as they are after the XDR ch
+};
+
/* BeginSponsoringFutureReserves
-
+
Establishes the is-sponsoring-future-reserves-for relationship between
@@ -475,6 +487,8 @@ struct Operation
RevokeSponsorshipOp revokeSponsorshipOp;
@@ -112,7 +113,7 @@ This patch of XDR changes is based on the XDR files as they are after the XDR ch
@@ -1193,6 +1207,27 @@ default:
void;
};
-
+
+/******* ClawbackClaimableBalance Result ********/
+
+enum ClawbackClaimableBalanceResultCode
@@ -149,6 +150,7 @@ This patch of XDR changes is based on the XDR files as they are after the XDR ch
```
### Semantics
+
An issuer clawing back a `ClaimableBalanceEntry` operates similar to auth
revocation and the `ClawbackOp` operation introduced in CAP-35. Account auth
recovation freezes the full balance of an asset in an account, clawback from an
@@ -160,42 +162,63 @@ in a claimable balance.
In order to execute a clawback on a claimable balance, an issuer account must
have its `AUTH_REVOCABLE` flag set. Once set, the issuer submits a
`ClawbackClaimableBalanceOp` operation in the same way a claimant can submit a
-`ClaimClaimableBalanceOp`. No predicates on the `ClaimableBalanceEntry` impact the success of the clawback.
+`ClaimClaimableBalanceOp`. No predicates on the `ClaimableBalanceEntry` impact
+the success of the clawback.
This operation does not require the signature of any claimaint accounts, or the
signature of the account that created the claimable balance. The amount of the
asset clawed back is burned and is not sent to any other address since the
-return of an asset to the . The issuer may reissue the asset to the same account
-or to another account if the intent of the clawback is to move the asset to
-another account.
+return of an asset to the . The issuer may reissue the asset to the same
+account or to another account if the intent of the clawback is to move the
+asset to another account.
#### Account
+
This proposal uses the existing `AUTH_REVOCABLE` flag in the issuer account
`AccountFlags`. Existing behavior and meaning of the flag is unchanged.
#### ClawbackClaimableBalance Operation
-The `ClawbackClaimableBalanceOp` operation destroys a claimable balance effectively returning the asset to the issuer, and burning the asset stored within.
+
+The `ClawbackClaimableBalanceOp` operation destroys a claimable balance
+effectively returning the asset to the issuer, and burning the asset stored
+within.
The clawback operation requires a medium threshold signature to authorize the
operation.
Possible return values for the `ClawbackClaimableBalanceOp` are:
+
- `CLAWBACK_CLAIMABLE_BALANCE_SUCCESS` if the clawback is successful.
- `CLAWBACK_CLAIMABLE_BALANCE_DOES_NOT_EXIST` if the claimable balance does not
exist.
- `CLAWBACK_CLAIMABLE_BALANCE_NOT_ISSUER` if the `sourceAccount` is not the
issuer account of the asset stored in the `ClaimableBalanceEntry`.
-- `CLAWBACK_CLAIMABLE_BALANCE_NOT_REVOCABLE` if the `AUTH_REVOCABLE` flag is not set
- on the `sourceAccount`.
+- `CLAWBACK_CLAIMABLE_BALANCE_NOT_REVOCABLE` if the `AUTH_REVOCABLE` flag is
+ not set on the `sourceAccount`.
## Design Rationale
-The rationale for this proposal extends the rational as described in CAP-35. Claimable balances store value on the network and the same events of regulatory action, erroneous transaction, or loss of custody of a claimaint account, can result in an issuer needing to reissue an asset stored within a claimable balance. CAP-35 adds this capability to assets stored in accounts, and this proposal provides the same functionality to claimable balances.
-CAP-35 allows an issuer to clawback specific amounts within an account but this proposal limits clawback to the full amount within the claimable balance. Claimable balances are immutable and there would be massive downstream impacts to changing the amount within a claimable balance.
+The rationale for this proposal extends the rational as described in CAP-35.
+Claimable balances store value on the network and the same events of regulatory
+action, erroneous transaction, or loss of custody of a claimaint account, can
+result in an issuer needing to reissue an asset stored within a claimable
+balance. CAP-35 adds this capability to assets stored in accounts, and this
+proposal provides the same functionality to claimable balances.
+
+CAP-35 allows an issuer to clawback specific amounts within an account but this
+proposal limits clawback to the full amount within the claimable balance.
+Claimable balances are immutable and there would be massive downstream impacts
+to changing the amount within a claimable balance.
+
+Claimable balances cannot be recreated after they are destroyed with clawback
+because their claimable balance ID is generated from the transaction that
+creates them, and to recreate the same claimable balance would duplicate events
+in downstream systems. Issuers can reissue the asset in a new claimable balance
+configured with the same claimaints and predicates to recreate the claimable
+balance, but the claimable balance ID will not be identical.
-Claimable balances cannot be recreated after they are destroyed with clawback because their claimable balance ID is generated from the transaction that creates them, and to recreate the same claimable balance would duplicate events in downstream systems. Issuers can reissue the asset in a new claimable balance configured with the same claimaints and predicates to recreate the claimable balance, but the claimable balance ID will not be identical.
-
### Reusing the AUTH_REVOCABLE flag
+
The account `AUTH_REVOCABLE` flag allows the issuer to indicate that it has
control over the use of the asset on the network. By including the
`AUTH_REVOCABLE` flag in account flags, account owners may review the
@@ -205,6 +228,7 @@ another form of an issuer revoking use of an asset with fine control over the
exact amount that the issuer is taking out of active circulation.
### Threshold
+
The clawback operation requires a medium threshold signature because it is
changing the balance of an account and is more aligned with impact of a payment
operation than an allow trust operation.
@@ -213,8 +237,8 @@ operation than an allow trust operation.
### Backwards Incompatibilities
-The change does not have an affect on previous assets, accounts, or transaction
-structure. It should not cause a breaking change in existing implementations.
+The change does not have an affect on previous assets, accounts, or transaction
+structure. It should not cause a breaking change in existing implementations.
The change does make it possible for claimable balances to be destroyed, and
claimable balances could form an important part of series of transactions that
@@ -234,8 +258,9 @@ of an accidental or temporary clawback would be identical to that of a clawback
of an asset from an account, or temporary auth revocation. Mutability of
claimable balances has not been proposed because when they were introduced they
were intended to be immutable.
-
+
### Resource Utilization
+
No substantial changes to resource utilization.
## Test Cases
diff --git a/core/cap-0037.md b/core/cap-0037.md
index a60a2467e..e909441f6 100644
--- a/core/cap-0037.md
+++ b/core/cap-0037.md
@@ -6,7 +6,7 @@ Title: Automated Market Makers
Working Group:
Owner: OrbitLens
Authors: OrbitLens
- Consulted: Jon Jove , Nicolas Barry , Nikhil Saraf, Phil Meng , Leigh McCulloch , Tomer Weller
+ Consulted: Jon Jove , Nicolas Barry , Nikhil Saraf, Phil Meng , Leigh McCulloch , Tomer Weller
Status: Draft
Created: 2021-03-03
Discussion: https://groups.google.com/g/stellar-dev/c/Ofb2KXwzva0/m/LLcUKWFmBwAJ
@@ -19,8 +19,8 @@ This proposal introduces liquidity pools and automated market makers on the
protocol level. AMMs rely on a mathematical formula to quote asset prices. A
liquidity pool is a ledger entry that contains funds deposited by users
(liquidity providers). In return for providing liquidity to the protocol, users
-earn fees from trades. The described approach of the interleaved order execution
-combines the liquidity of existing orderbooks with liquidity pools.
+earn fees from trades. The described approach of the interleaved order
+execution combines the liquidity of existing orderbooks with liquidity pools.
## Motivation
@@ -36,14 +36,14 @@ increase, as well as the number of operations required to maintain positions on
all orderbooks.
On the other hand, automated market makers provide natural incentives for
-liquidity crowdsourcing, making it much easier for ordinary users to participate
-in the process while gaining interest on their long-term holdings.
+liquidity crowdsourcing, making it much easier for ordinary users to
+participate in the process while gaining interest on their long-term holdings.
Asset issuers don't need to wait until the token attracts a critical mass of
users. They can start making several trading pairs with a newly issued asset by
merely depositing tokens to the pool or engaging community users to provision
-liquidity. This will certainly simplify the process of starting a new project on
-Stellar, as well as provide a powerful marketing flywheel for early-stage
+liquidity. This will certainly simplify the process of starting a new project
+on Stellar, as well as provide a powerful marketing flywheel for early-stage
tokens.
The AMM concept implies that no third-party company holds user funds at any
@@ -58,22 +58,23 @@ scalability compared to the existing DEX.
Proposed interleaved order execution on both the orderbook and liquidity pool
provides a familiar exchange experience in combination with the ability to have
on-chain limit orders. On the other hand, it fully incorporates all benefits of
-shared liquidity pools, at the same time hiding the underlying technical details
-from end-users. Users always get the best possible exchange price based on the
-combined liquidity.
+shared liquidity pools, at the same time hiding the underlying technical
+details from end-users. Users always get the best possible exchange price based
+on the combined liquidity.
## Abstract
-This proposal brings the concept of shared liquidity pools with automated market
-making to the protocol. Users deposit funds to a pool providing liquidity to the
-automated market maker execution engine which can quote asset prices based on an
-algorithm that derives the price directly from the amounts of tokens deposited
-to the pool.
+This proposal brings the concept of shared liquidity pools with automated
+market making to the protocol. Users deposit funds to a pool providing
+liquidity to the automated market maker execution engine which can quote asset
+prices based on an algorithm that derives the price directly from the amounts
+of tokens deposited to the pool.
Pool fees charged on every executed trade are accumulated in the pool,
increasing its liquidity. A user can withdraw the pool stake plus proportional
-accrued interest from the pool. Collected interest incentivizes users to deposit
-their funds to the pool, participating in the collective liquidity allocation.
+accrued interest from the pool. Collected interest incentivizes users to
+deposit their funds to the pool, participating in the collective liquidity
+allocation.
## Specification
@@ -91,7 +92,7 @@ their funds to the pool, participating in the collective liquidity allocation.
@@ -403,6 +403,43 @@ struct ClaimableBalanceEntry
ext;
};
-
+
+/* Contains information about current balances of the liquidity pool*/
+struct LiquidityPoolEntry
+{
@@ -142,7 +143,7 @@ their funds to the pool, participating in the collective liquidity allocation.
+ LiquidityStakeEntry LiquidityStake;
}
data;
-
+
@@ -479,6 +520,21 @@ case CLAIMABLE_BALANCE:
{
ClaimableBalanceID balanceID;
@@ -177,12 +178,12 @@ their funds to the pool, participating in the collective liquidity allocation.
+ DEPOSIT_POOL_LIQUIDITY = 21,
+ WITHDRAW_POOL_LIQUIDITY = 22
};
-
+
/* CreateAccount
@@ -390,6 +392,37 @@ struct ClawbackClaimableBalanceOp
ClaimableBalanceID balanceID;
};
-
+
+/* Deposits funds to the liquidity pool
+
+ Threshold: med
@@ -220,7 +221,7 @@ their funds to the pool, participating in the collective liquidity allocation.
@@ -1186,6 +1219,67 @@ default:
void;
};
-
+
+/******* DepositPoolLiquidity Result ********/
+
+enum DepositPoolLiquidityResultCode
@@ -286,15 +287,16 @@ their funds to the pool, participating in the collective liquidity allocation.
## Semantics
-Modified semantics of trading-related operations presented in this CAP allows to
-drastically reduce the number of new interaction flows. Liquidity from the pools
-will be immediately available for existing Stellar applications through the
-convenient offers and path payment interface operations.
+Modified semantics of trading-related operations presented in this CAP allows
+to drastically reduce the number of new interaction flows. Liquidity from the
+pools will be immediately available for existing Stellar applications through
+the convenient offers and path payment interface operations.
In this proposal, a constant product invariant is used for all calculations
-Other invariants can be implemented as separate pools with different price
-quotation formulas and execution conditions.
+Other
+invariants can be implemented as separate pools with different price quotation
+formulas and execution conditions.
#### DepositPoolLiquidityOp
@@ -303,13 +305,13 @@ liquidity pool defined as `LiquidityPoolEntry`.
- Before processing a deposit, basic validation is required to ensure that a
given combination of assets is allowed. For example, the situation when
- `assetA`=`assetB` should result in `DEPOSIT_POOL_LIQUIDITY_NOT_ALLOWED` error.
- This version of the proposal doesn't imply any other restrictions, but this
- may change in the future.
-- The node performs a lookup of a `LiquidityStakeEntry` by hash derived from the
- operation source account address, `poolType`, `assetA`, and `assetB`.
-- If the proposed pool fee (`fee` parameter) is less than 0.0001 or greater than
- 0.01, `DEPOSIT_POOL_LIQUIDITY_NOT_ALLOWED` error returned.
+ `assetA`=`assetB` should result in `DEPOSIT_POOL_LIQUIDITY_NOT_ALLOWED`
+ error. This version of the proposal doesn't imply any other restrictions, but
+ this may change in the future.
+- The node performs a lookup of a `LiquidityStakeEntry` by hash derived from
+ the operation source account address, `poolType`, `assetA`, and `assetB`.
+- If the proposed pool fee (`fee` parameter) is less than 0.0001 or greater
+ than 0.01, `DEPOSIT_POOL_LIQUIDITY_NOT_ALLOWED` error returned.
- The node loads source account balances for `assetA`, `assetB`. If any of the
balances do not exist, `DEPOSIT_POOL_LIQUIDITY_INSUFFICIENT_AMOUNT` error
returned.
@@ -318,60 +320,59 @@ liquidity pool defined as `LiquidityPoolEntry`.
Current pool price:
where:
- - ***A*** and ***B*** - amounts of asset A and asset B currently in the pool
- - ***a*** and ***b*** - `maxAmountA` and `maxAmountB` defined in the
- operation
-- Maximum allowed price deviation is controlled by the `priceAccuracy` (***d***)
- parameter.
+ - **_A_** and **_B_** - amounts of asset A and asset B currently in the pool
+ - **_a_** and **_b_** - `maxAmountA` and `maxAmountB` defined in the
+ operation
+- Maximum allowed price deviation is controlled by the `priceAccuracy`
+ (**_d_**) parameter.
In case of a significant deviation, `DEPOSIT_POOL_LIQUIDITY_PRICE_MISMATCH`
- error returned. This check is ignored if the pool doesn't exist
- or `priceAccuracy` equals to zero.
+ error returned. This check is ignored if the pool doesn't exist or
+ `priceAccuracy` equals to zero.
- Effective token amounts that can be deposited are adjusted to follow the
current price.
- If
- 
+ If 
, token A deposit amount is adjusted as
- )
+ ![`a=ceil(bd*P)`]()
otherwise
- )
+ ![`b=ceil(ad/P)`]()
where:
- - )
- - )
- - ***a*** and ***b*** – maximum effective amounts of tokens A and B that can
- be deposited to the pool. If the actual deposited amount of any token
- equals zero, `DEPOSIT_POOL_LIQUIDITY_INSUFFICIENT_AMOUNT` error returned.
+ - ![`ad=min(maxAmountA,accountBalanceA)`]()
+ - ![`bd=min(maxAmountB,accountBalanceB)`]()
+ - **_a_** and **_b_** – maximum effective amounts of tokens A and B that can
+ be deposited to the pool. If the actual deposited amount of any token
+ equals zero, `DEPOSIT_POOL_LIQUIDITY_INSUFFICIENT_AMOUNT` error returned.
- Stake weight calculated as
- )
+ ![`s=floor(S*√((a*b)/(A*B)))`]()
where
- - ***s*** - account stake (share of the pool obtained after the deposit)
- - ***a*** and ***b*** - effective amount of tokens to deposit
- - ***S*** - total stakes currently in the pool (from `LiquidityPoolEntry`)
- - ***A*** and ***B*** - correspondingly amount of token A and B currently
- deposited to the pool
+ - **_s_** - account stake (share of the pool obtained after the deposit)
+ - **_a_** and **_b_** - effective amount of tokens to deposit
+ - **_S_** - total stakes currently in the pool (from `LiquidityPoolEntry`)
+ - **_A_** and **_B_** - correspondingly amount of token A and B currently
+ deposited to the pool
- If `LiquidityPoolEntry` does not exist on-chain (this is the first deposit),
it is created automatically. The stake weight for the deposit, in this case,
the stake computed as
- )
-- If ***s***=0 (this can be the case with a very small stake or as a result of
- rounding approximation), the node
- returns `DEPOSIT_POOL_LIQUIDITY_INSUFFICIENT_AMOUNT` error.
-- If one of the assets is XLM and its balance does not satisfy the basic reserve
- requirement, `DEPOSIT_POOL_LIQUIDITY_LOW_RESERVE` error returned.
+ ![`s=floor(√(a*b))`]()
+- If **_s_**=0 (this can be the case with a very small stake or as a result of
+ rounding approximation), the node returns
+ `DEPOSIT_POOL_LIQUIDITY_INSUFFICIENT_AMOUNT` error.
+- If one of the assets is XLM and its balance does not satisfy the basic
+ reserve requirement, `DEPOSIT_POOL_LIQUIDITY_LOW_RESERVE` error returned.
- If the account `LiquidityStakeEntry` exists, the stake is increased
- `stake`+=***s*** and the proposed pool fee updated with the value from the
+ `stake`+=**_s_** and the proposed pool fee updated with the value from the
deposit operation. Otherwise, new `LiquidityStakeEntry` created,
`numSubEntries` for the source account incremented, and base reserve locked.
- Effective pool fee recalculated using a weighted average formula:
where
- - ***Fₙ*** - new pool fee
- - ***S*** - total stakes currently in the pool (from `LiquidityPoolEntry`)
- - ***F*** - current pool fee
- - ***s*** - account stake
- - ***f*** - pool fee proposed by the account
-- The node modifies `LiquidityPoolEntry` setting `amountA`+=***a***,
- `amountB`+=***b***, `stakes`+=***s***, fee=***Fₙ***.
+ - **_Fₙ_** - new pool fee
+ - **_S_** - total stakes currently in the pool (from `LiquidityPoolEntry`)
+ - **_F_** - current pool fee
+ - **_s_** - account stake
+ - **_f_** - pool fee proposed by the account
+- The node modifies `LiquidityPoolEntry` setting `amountA`+=**_a_**,
+ `amountB`+=**_b_**, `stakes`+=**_s_**, fee=**_Fₙ_**.
- Deposited funds transferred into the pool.
- `DEPOSIT_POOL_LIQUIDITY_SUCCESS` code returned.
@@ -380,41 +381,42 @@ liquidity pool defined as `LiquidityPoolEntry`.
`WithdrawPoolLiquidityOp` operation withdraws funds from a liquidity pool
proportionally to the account stake size.
-- The node performs a lookup of a `LiquidityStakeEntry` by hash derived from the
- operation source account address, `poolType`, `assetA`, and `assetB`.
+- The node performs a lookup of a `LiquidityStakeEntry` by hash derived from
+ the operation source account address, `poolType`, `assetA`, and `assetB`.
- If corresponding `LiquidityStakeEntry` was not found,
`WITHDRAW_POOL_LIQUIDITY_NOT_FOUND` error is returned.
- Requested stake withdrawal size larger then `LiquidityStakeEntry` `stake`
- value yields `WITHDRAW_POOL_LIQUIDITY_INVALID_STAKE` error. If the
- requested `stake` equals zero, the entire account liquidity is withdrawn.
+ value yields `WITHDRAW_POOL_LIQUIDITY_INVALID_STAKE` error. If the requested
+ `stake` equals zero, the entire account liquidity is withdrawn.
- The node loads current state of the matching liquidity pool.
- An account has a right to withdraw liquidity stake equal to
The amount of tokens to withdraw for each asset is computed as
- )
- )
+ ![`a=floor(A*l)`]()
+ ![`b=floor(B*l)`]()
where
- - ***s*** - share to withdraw
- - ***S*** - total number of pool shares from `LiquidityPoolEntry`
- - ***A*** and ***B*** - current token amount of the asset A and asset B in
- the pool respectively
+ - **_s_** - share to withdraw
+ - **_S_** - total number of pool shares from `LiquidityPoolEntry`
+ - **_A_** and **_B_** - current token amount of the asset A and asset B in
+ the pool respectively
- Trustlines info loaded for `assetA` and `assetB`. If the source account does
- not have a trustline for one of the assets or the trustline is not authorized,
- `WITHDRAW_POOL_LIQUIDITY_NO_TRUSTLINE` error returned. If a trustline limit
- prevents the transfer, `WITHDRAW_POOL_LIQUIDITY_LINE_FULL` error returned.
-- `LiquidityStakeEntry` updated: `stake`-=***s***. If the remaining stake equals
- zero, `LiquidityStakeEntry` is removed, `numSubEntries` for the source account
- is decremented, and base reserve unlocked.
+ not have a trustline for one of the assets or the trustline is not
+ authorized, `WITHDRAW_POOL_LIQUIDITY_NO_TRUSTLINE` error returned. If a
+ trustline limit prevents the transfer, `WITHDRAW_POOL_LIQUIDITY_LINE_FULL`
+ error returned.
+- `LiquidityStakeEntry` updated: `stake`-=**_s_**. If the remaining stake
+ equals zero, `LiquidityStakeEntry` is removed, `numSubEntries` for the source
+ account is decremented, and base reserve unlocked.
- Effective pool fee recalculated using a weighted average formula:
where
- - ***Fₙ*** - new pool fee
- - ***S*** - total stakes currently in the pool (from `LiquidityPoolEntry`)
- - ***F*** - current pool fee
- - ***s*** - stake to withdraw
- - ***f*** - pool fee proposed by the account (from `LiquidityStakeEntry`)
-- `LiquidityPoolEntry` updated: `amountA`-=***a***, `amountB`-=***b***,
- `stakes`-=***s***, fee=***Fₙ***. If the remaining pool stake equals zero,
+ - **_Fₙ_** - new pool fee
+ - **_S_** - total stakes currently in the pool (from `LiquidityPoolEntry`)
+ - **_F_** - current pool fee
+ - **_s_** - stake to withdraw
+ - **_f_** - pool fee proposed by the account (from `LiquidityStakeEntry`)
+- `LiquidityPoolEntry` updated: `amountA`-=**_a_**, `amountB`-=**_b_**,
+ `stakes`-=**_s_**, fee=**_Fₙ_**. If the remaining pool stake equals zero,
`LiquidityPoolEntry` is removed.
- Funds transferred to the source account balances.
- `WITHDRAW_POOL_LIQUIDITY_SUCCESS` code returned.
@@ -431,52 +433,52 @@ liquidity pools for the traded asset pair, fetches available cross orders
orders.
On every step, it checks whether the next maker order crosses the price of the
-taker order. Before the maker order execution the engine estimates the number of
-tokens that can be traded on each liquidity pool for the same trading pair up to
-the price of the current maker order.
+taker order. Before the maker order execution the engine estimates the number
+of tokens that can be traded on each liquidity pool for the same trading pair
+up to the price of the current maker order.
Amounts to be traded against the pool can be calculated using the following set
of formulas:
- Price-bound swap (estimate based on the target price)
- If *new price* > *current price*:
- %5Ccdot(1%2Bf)))
- )
- If *new price* < *current price*:
- %5Ccdot(1%2Bf)))
- %5Ccdot%20P-A))
+ If _new price_ > _current price_:
+ ![`a=ceil((√(A*B*P)-A)*(1+f))`]()
+ ![`b=ceil((A+a)/P-B)`]()
+ If _new price_ < _current price_:
+ ![`b=ceil((√(A*B/P)-B)*(1+f))`]()
+ ![`a=ceil((B+b)*P-A)`]()
- Amount-bound buy swap (estimate based on the target token amount)
For a given token A target amount:
- %7D%7BA-a%7D))
+ ![`b=ceil(a*B*(1+f)/(A-a))`]()
For a given token B target amount:
- %7D%7BB-b%7D))
+ ![`a=ceil(b*A*(1+f)/(B-b))`]()
- Amount-bound sell swap (estimate based on the source token amount)
For a given token A source amount:
- %7D%7BA%2Ba%7D))
+ ![`b=floor(-a*B*(1-f)/(A+a))`]()
For a given token B source amount:
- %7D%7BB%2Bb%7D))
+ ![`a=floor(-b*A*(1-f)/(B+b))`]()
where
- - ***A*** and ***B*** - current amounts of asset A and asset B in the pool
- - ***a*** and ***b*** – effective amounts of asset A and asset B to swap
- - ***f*** - trading pool fee
- - ***P*** - maximum price (equals currently processed maker order price)
+ - **_A_** and **_B_** - current amounts of asset A and asset B in the pool
+ - **_a_** and **_b_** – effective amounts of asset A and asset B to swap
+ - **_f_** - trading pool fee
+ - **_P_** - maximum price (equals currently processed maker order price)
-If ***a***>0 and ***b***>0, the corresponding amount of purchased tokens is
+If **_a_**>0 and **_b_**>0, the corresponding amount of purchased tokens is
deducted from the pool and added to the variable accumulating the total amount
traded on the pool. Another variable accumulates matching sold asset amount.
After that, the current maker order itself is matched to the remaining taker
-order amount, and so on, up to the point when a taker order is executed in full.
-If a manage offer operation is being processed and the outstanding amount can't
-be executed on the orderbook nor the pool, a new maker order with the remaining
-amount is created on the orderbook.
+order amount, and so on, up to the point when a taker order is executed in
+full. If a manage offer operation is being processed and the outstanding amount
+can't be executed on the orderbook nor the pool, a new maker order with the
+remaining amount is created on the orderbook.
Pool settlement occurs – traded tokens are deducted from the pool and added to
-the account balance, and matching amount of asset B transferred from the account
-balance to the pool.
+the account balance, and matching amount of asset B transferred from the
+account balance to the pool.
-The same behavior applies to path payment operations. This CAP doesn't imply any
-changes of current order matching or execution process for DEX offers.
+The same behavior applies to path payment operations. This CAP doesn't imply
+any changes of current order matching or execution process for DEX offers.
A trade against a pool generates a `ClaimOfferAtom` result with `offerID` equal
to `-poolType` and empty `sellerID`.
@@ -501,12 +503,12 @@ several shortcomings:
reality, it results in significantly larger codebase changes (more operations
and more use-cases to handle), a lot of work on the Horizon side, and much
more effort from the ecosystem developers.
-- The trading process becomes confusing for regular users. What's the difference
- between an order and a swap? How to get the best rate?
+- The trading process becomes confusing for regular users. What's the
+ difference between an order and a swap? How to get the best rate?
Of course, sooner or later wallets and exchange interfaces should come to the
rescue, providing hints in the interface and maybe even aggregating
- information across the liquidity pool and orderbook for a given assets pair to
- ensure the best possible exchange price. That's feasible, but not very
+ information across the liquidity pool and orderbook for a given assets pair
+ to ensure the best possible exchange price. That's feasible, but not very
user-friendly and may lead to confusion.
- Fragmented liquidity means that for any trade or path payment larger than
several dollars a wallet needs to perform several trades (against the
@@ -533,12 +535,12 @@ Advantages of the proposed approach:
- Users always receive the best possible price as the trade is executed against
the entire liquidity available for the certain trading pair.
- The orderbook and liquidity pool always remain in the balanced state which
- means there are no arbitrage opportunities between the pool and orderbook. The
- trading engine automatically conducts arbitrage rebalancing on each trade
+ means there are no arbitrage opportunities between the pool and orderbook.
+ The trading engine automatically conducts arbitrage rebalancing on each trade
under the hood, eliminating the need for external arbitrage actors.
- There are no reasonable use-cases that require trading exclusively on the
- pool. Price manipulations is probably the only applicable example of pool-only
- swaps.
+ pool. Price manipulations is probably the only applicable example of
+ pool-only swaps.
- Smaller attack surface since there is no way to trade on pool directly. This
also automatically prevents attacks based on the imbalanced oracle state and
significantly increases the cost of intentional price manipulations as the
@@ -558,8 +560,8 @@ Advantages of the proposed approach:
`ClaimOfferAtom` reused for the pool trades has an empty seller account
reference since the trade is executed against the pool. In order to distinguish
between specific pools which participated in the trade, the `offerID` field
-contains a negated `poolType` value (to avoid potential conflict with real offer
-IDs).
+contains a negated `poolType` value (to avoid potential conflict with real
+offer IDs).
This allows us to use the same data contract for all trades regardless of the
pool/orderbook type. However, introducing a separate contract specifically for
@@ -576,9 +578,9 @@ orderbook while illiquid or very volatile trading pairs require higher fees to
counter possible impermanent loss or low yield scenarios.
To provide the required pool fee flexibility without inventing complex voting
-mechanics, the voting prerogative delegated to the liquidity providers which can
-set the `fee` parameter in `DepositPoolLiquidityOp` operation, so the users can
-vote for the pool fee with their liquidity stakes. The effective pool yield
+mechanics, the voting prerogative delegated to the liquidity providers which
+can set the `fee` parameter in `DepositPoolLiquidityOp` operation, so the users
+can vote for the pool fee with their liquidity stakes. The effective pool yield
represents a weighted average of proposed liquidity stake fees. This way
accounts with larger stakes have more voting power which is fair given that
every liquidity provider risks proportional to the deposited stake.
@@ -603,17 +605,18 @@ the alphabetical order upon insertion. The comparator function takes into
account the asset type, asset code, and asset issuer address respectively.
Ledger key for the `LiquidityStakeEntry` is a hash derived from the account
-address+`poolType`+`assetA`+`assetB` fields combination to optimize the storage.
+address+`poolType`+`assetA`+`assetB` fields combination to optimize the
+storage.
#### No Assumptions Regarding Future Pool Types
This CAP makes no assumptions about possible pool functionality extensions or
-the introduction of other pool types in the future. With high probability, those
-potential new AMM architectures will require different implementation
-approaches, separate deposit/withdrawal operations, and additional parameters in
-ledger entries. It's impossible to predict requirements for yet-to-be-invented
-concepts, so designing infrastructure with regard to unknown forthcoming changes
-looks impractical.
+the introduction of other pool types in the future. With high probability,
+those potential new AMM architectures will require different implementation
+approaches, separate deposit/withdrawal operations, and additional parameters
+in ledger entries. It's impossible to predict requirements for
+yet-to-be-invented concepts, so designing infrastructure with regard to unknown
+forthcoming changes looks impractical.
As most of the existing approaches that can be ported to Stellar do not provide
significant benefits compared to the simple constant product invariant (or
@@ -642,8 +645,8 @@ may be significantly slower than 64-bit arithmetics.
Every `LiquidityPoolEntry` requires storage space on the ledger but unlike
`LiquidityStakeEntry` it is not backed by the account base reserve. This
-behavior can't be directly used to perform a resource execution attack as
-every `LiquidityPoolEntry` requires at least one `LiquidityStakeEntry`.
+behavior can't be directly used to perform a resource execution attack as every
+`LiquidityPoolEntry` requires at least one `LiquidityStakeEntry`.
## Security Concerns
diff --git a/core/cap-0038.md b/core/cap-0038.md
index ea68042bc..e979bc98f 100644
--- a/core/cap-0038.md
+++ b/core/cap-0038.md
@@ -14,16 +14,19 @@ Protocol version: 18
```
## Simple Summary
+
Automated market makers provide a simple way to provide liquidity and exchange
assets.
## Working Group
+
This proposal was initially authored by Jonathan Jove based on the results of
numerous discussions. The working group includes the author of a similar
proposal (OrbitLens), people with knowledge of market making (Nikhil Saraf and
Phil Meng), and a maintainer of Horizon and its SDKs (Tamir Sen).
## Motivation
+
Projects such as Uniswap have shown that automated market makers are effective
at providing easy-to-access liquidity at scale. The simplicity and
non-interactivity of liquidity pools can attract large amounts of capital and
@@ -31,17 +34,19 @@ enable high volumes of trading. We believe adding automated market makers to
Stellar will improve overall liquidity on the network.
### Goals Alignment
+
This proposal is aligned with several Stellar Network Goals, among them:
- The Stellar Network should run at scale and at low cost to all participants
-of the network
+ of the network
- The Stellar Network should enable cross-border payments, i.e. payments via
-exchange of assets, throughout the globe, enabling users to make payments
-between assets in a manner that is fast, cheap, and highly usable.
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.
- The Stellar Network should make it easy for developers of Stellar projects to
-create highly usable products.
+ create highly usable products.
## Abstract
+
This proposal introduces automated market makers to the Stellar network.
`LiquidityPoolEntry` is introduced as a new type of `LedgerEntry` which stores
the state of a liquidity pool. New operations, `LiquidityPoolDepositOp` and
@@ -56,7 +61,10 @@ exchanging assets with the order book and liquidity pools.
## Specification
### XDR changes
-This patch of XDR changes is based on the XDR files in commit (`a5e7028c04305c7b6f7d08c981e87bb9891b7364`) of stellar-core.
+
+This patch of XDR changes is based on the XDR files in commit
+(`a5e7028c04305c7b6f7d08c981e87bb9891b7364`) of stellar-core.
+
```diff mddiffcheck.base=a5e7028c04305c7b6f7d08c981e87bb9891b7364
diff --git a/src/xdr/Stellar-ledger-entries.x b/src/xdr/Stellar-ledger-entries.x
index 0e7bc842..885cf2d4 100644
@@ -67,7 +75,7 @@ index 0e7bc842..885cf2d4 100644
typedef uint64 TimePoint;
typedef opaque DataValue<64>;
+typedef Hash PoolID; // SHA256(LiquidityPoolParameters)
-
+
// 1-4 alphanumeric characters right-padded with 0 bytes
typedef opaque AssetCode4[4];
@@ -25,7 +26,8 @@ enum AssetType
@@ -78,12 +86,12 @@ index 0e7bc842..885cf2d4 100644
+ ASSET_TYPE_CREDIT_ALPHANUM12 = 2,
+ ASSET_TYPE_POOL_SHARE = 3
};
-
+
union AssetCode switch (AssetType type)
@@ -39,24 +41,28 @@ case ASSET_TYPE_CREDIT_ALPHANUM12:
// add other asset types here in the future
};
-
+
+struct AlphaNum4
+{
+ AssetCode4 assetCode;
@@ -100,7 +108,7 @@ index 0e7bc842..885cf2d4 100644
{
case ASSET_TYPE_NATIVE: // Not credit
void;
-
+
case ASSET_TYPE_CREDIT_ALPHANUM4:
- struct
- {
@@ -108,7 +116,7 @@ index 0e7bc842..885cf2d4 100644
- AccountID issuer;
- } alphaNum4;
+ AlphaNum4 alphaNum4;
-
+
case ASSET_TYPE_CREDIT_ALPHANUM12:
- struct
- {
@@ -116,7 +124,7 @@ index 0e7bc842..885cf2d4 100644
- AccountID issuer;
- } alphaNum12;
+ AlphaNum12 alphaNum12;
-
+
// add other asset types here in the future
};
@@ -90,7 +96,8 @@ enum LedgerEntryType
@@ -127,12 +135,12 @@ index 0e7bc842..885cf2d4 100644
+ CLAIMABLE_BALANCE = 4,
+ LIQUIDITY_POOL = 5
};
-
+
struct Signer
@@ -214,12 +221,46 @@ const MASK_TRUSTLINE_FLAGS = 1;
const MASK_TRUSTLINE_FLAGS_V13 = 3;
const MASK_TRUSTLINE_FLAGS_V17 = 7;
-
+
+enum LiquidityPoolType
+{
+ LIQUIDITY_POOL_CONSTANT_PRODUCT = 0
@@ -177,7 +185,7 @@ index 0e7bc842..885cf2d4 100644
+ TrustLineAsset asset; // type of asset (with issuer)
+ int64 balance; // how much of this asset the user has.
+ // Asset defines the unit for this;
-
+
int64 limit; // balance cannot be above this
uint32 flags; // see TrustLineFlags
@@ -238,6 +279,8 @@ struct TrustLineEntry
@@ -192,7 +200,7 @@ index 0e7bc842..885cf2d4 100644
@@ -403,6 +446,33 @@ struct ClaimableBalanceEntry
ext;
};
-
+
+struct LiquidityPoolConstantProductParameters
+{
+ Asset assetA; // assetA < assetB
@@ -231,7 +239,7 @@ index 0e7bc842..885cf2d4 100644
+ LiquidityPoolEntry liquidityPool;
}
data;
-
+
@@ -457,7 +529,7 @@ case TRUSTLINE:
struct
{
@@ -239,7 +247,7 @@ index 0e7bc842..885cf2d4 100644
- Asset asset;
+ TrustLineAsset asset;
} trustLine;
-
+
case OFFER:
@@ -479,6 +551,12 @@ case CLAIMABLE_BALANCE:
{
@@ -252,7 +260,7 @@ index 0e7bc842..885cf2d4 100644
+ PoolID liquidityPoolID;
+ } liquidityPool;
};
-
+
// list of all envelope types used in the application
@@ -492,6 +570,7 @@ enum EnvelopeType
ENVELOPE_TYPE_AUTH = 3,
@@ -270,7 +278,7 @@ index a21c577a..84b84cbf 100644
@@ -47,6 +47,27 @@ struct StellarValue
ext;
};
-
+
+const MASK_LEDGER_HEADER_FLAGS = 0x7;
+
+enum LedgerHeaderFlags
@@ -312,7 +320,7 @@ index a21c577a..84b84cbf 100644
+ LEDGER_UPGRADE_BASE_RESERVE = 4,
+ LEDGER_UPGRADE_FLAGS = 5
};
-
+
union LedgerUpgrade switch (LedgerUpgradeType type)
@@ -111,6 +135,8 @@ case LEDGER_UPGRADE_MAX_TX_SET_SIZE:
uint32 newMaxTxSetSize; // update maxTxSetSize
@@ -321,7 +329,7 @@ index a21c577a..84b84cbf 100644
+case LEDGER_UPGRADE_FLAGS:
+ uint32 newFlags; // update flags
};
-
+
/* Entries used to define the bucket list */
diff --git a/src/xdr/Stellar-transaction.x b/src/xdr/Stellar-transaction.x
index 75f39eb4..f9d62a69 100644
@@ -330,7 +338,7 @@ index 75f39eb4..f9d62a69 100644
@@ -7,6 +7,12 @@
namespace stellar
{
-
+
+union LiquidityPoolParameters switch (LiquidityPoolType type)
+{
+case LIQUIDITY_POOL_CONSTANT_PRODUCT:
@@ -349,12 +357,12 @@ index 75f39eb4..f9d62a69 100644
+ LIQUIDITY_POOL_DEPOSIT = 22,
+ LIQUIDITY_POOL_WITHDRAW = 23
};
-
+
/* CreateAccount
@@ -212,6 +220,23 @@ struct SetOptionsOp
Signer* signer;
};
-
+
+union ChangeTrustAsset switch (AssetType type)
+{
+case ASSET_TYPE_NATIVE: // Not credit
@@ -373,7 +381,7 @@ index 75f39eb4..f9d62a69 100644
+};
+
/* Creates, updates or deletes a trust line
-
+
Threshold: med
@@ -221,7 +246,7 @@ struct SetOptionsOp
*/
@@ -381,13 +389,13 @@ index 75f39eb4..f9d62a69 100644
{
- Asset line;
+ ChangeTrustAsset line;
-
+
// if limit is set to 0, deletes the trust line
int64 limit;
@@ -409,6 +434,37 @@ struct SetTrustLineFlagsOp
uint32 setFlags; // which flags to set
};
-
+
+const LIQUIDITY_POOL_FEE_V18 = 30;
+
+/* Deposit assets into a liquidity pool
@@ -433,7 +441,7 @@ index 75f39eb4..f9d62a69 100644
}
body;
};
-
+
-union OperationID switch (EnvelopeType type)
+union HashIDPreimage switch (EnvelopeType type)
{
@@ -455,12 +463,12 @@ index 75f39eb4..f9d62a69 100644
+ Asset asset;
+ } revokeID;
};
-
+
enum MemoType
@@ -635,7 +704,33 @@ struct TransactionSignaturePayload
-
+
/* Operation Results section */
-
+
-/* This result is used when offers are taken during an operation */
+enum ClaimAtomType
+{
@@ -495,7 +503,7 @@ index 75f39eb4..f9d62a69 100644
@@ -651,6 +746,32 @@ struct ClaimOfferAtom
int64 amountBought;
};
-
+
+struct ClaimLiquidityAtom
+{
+ PoolID liquidityPoolID;
@@ -523,7 +531,7 @@ index 75f39eb4..f9d62a69 100644
+};
+
/******* CreateAccount Result ********/
-
+
enum CreateAccountResultCode
@@ -745,7 +866,7 @@ union PathPaymentStrictReceiveResult switch (
case PATH_PAYMENT_STRICT_RECEIVE_SUCCESS:
@@ -549,7 +557,7 @@ index 75f39eb4..f9d62a69 100644
// offers that got claimed while creating this offer
- ClaimOfferAtom offersClaimed<>;
+ ClaimAtom offersClaimed<>;
-
+
union switch (ManageOfferEffect effect)
{
@@ -933,7 +1054,10 @@ enum ChangeTrustResultCode
@@ -562,7 +570,7 @@ index 75f39eb4..f9d62a69 100644
+ CHANGE_TRUST_CANNOT_DELETE = -7, // Asset trustline is still referenced in a pool
+ CHANGE_TRUST_NOT_AUTH_MAINTAIN_LIABILITIES = -8 // Asset trustline is deauthorized
};
-
+
union ChangeTrustResult switch (ChangeTrustResultCode code)
@@ -956,7 +1080,9 @@ enum AllowTrustResultCode
// source account does not require trust
@@ -573,7 +581,7 @@ index 75f39eb4..f9d62a69 100644
+ ALLOW_TRUST_LOW_RESERVE = -6 // claimable balances can't be created
+ // on revoke due to low reserves
};
-
+
union AllowTrustResult switch (AllowTrustResultCode code)
@@ -1152,7 +1278,8 @@ enum RevokeSponsorshipResultCode
REVOKE_SPONSORSHIP_DOES_NOT_EXIST = -1,
@@ -583,7 +591,7 @@ index 75f39eb4..f9d62a69 100644
+ REVOKE_SPONSORSHIP_ONLY_TRANSFERABLE = -4,
+ REVOKE_SPONSORSHIP_MALFORMED = -5
};
-
+
union RevokeSponsorshipResult switch (RevokeSponsorshipResultCode code)
@@ -1218,7 +1345,9 @@ enum SetTrustLineFlagsResultCode
SET_TRUST_LINE_FLAGS_MALFORMED = -1,
@@ -594,12 +602,12 @@ index 75f39eb4..f9d62a69 100644
+ SET_TRUST_LINE_FLAGS_LOW_RESERVE = -5 // claimable balances can't be created
+ // on revoke due to low reserves
};
-
+
union SetTrustLineFlagsResult switch (SetTrustLineFlagsResultCode code)
@@ -1229,6 +1358,63 @@ default:
void;
};
-
+
+/******* LiquidityPoolDeposit Result ********/
+
+enum LiquidityPoolDepositResultCode
@@ -676,6 +684,7 @@ index 75f39eb4..f9d62a69 100644
### Semantics
#### LiquidityPoolDepositOp
+
`LiquidityPoolDepositOp` is the only way for an account to deposit funds into a
liquidity pool. The operation specifies a maximum amount to deposit for each
asset in the pool (ordered field-wise lexicographically among assets). The
@@ -697,11 +706,12 @@ specified by minPrice and maxPrice.
- `lpdo.maxPrice.n <= 0`
- `lpdo.maxPrice.d <= 0`
- `lpdo.minPrice.n * lpdo.maxPrice.d > lpdo.minPrice.d * lpdo.maxPrice.n` (this
-is equivalent to
-`lpdo.minPrice.n / lpdo.minPrice.d > lpdo.maxPrice.n / lpdo.maxPrice.d`)
+ is equivalent to
+ `lpdo.minPrice.n / lpdo.minPrice.d > lpdo.maxPrice.n / lpdo.maxPrice.d`)
+
+The process of applying `LiquidityPoolDepositOp lpdo` with source
+`sourceAccount` is
-The process of applying `LiquidityPoolDepositOp lpdo` with source `sourceAccount`
-is
```
tlPool = loadTrustLine(sourceAccount, lpdo.liquidityPoolID)
if !exists(tlPool)
@@ -772,12 +782,13 @@ Succeed with LIQUIDITY_POOL_DEPOSIT_SUCCESS
```
#### LiquidityPoolWithdrawOp
+
`LiquidityPoolWithdrawOp` is the only way for an account to withdraw funds from
a liquidity pool. The operation specifies an amount of pool shares to withdraw.
-Using that number of pool shares, it calculates amounts of each asset to withdraw
-with a maximum error (rounded against the depositor) of 1 stroop in each asset.
-Finally, it checks that the withdrawn amounts are at least those specified by
-minAmountA and minAmountB.
+Using that number of pool shares, it calculates amounts of each asset to
+withdraw with a maximum error (rounded against the depositor) of 1 stroop in
+each asset. Finally, it checks that the withdrawn amounts are at least those
+specified by minAmountA and minAmountB.
`LiquidityPoolWithdrawOp` will return `opNOT_SUPPORTED` during validation if
`(ledgerHeader.v1.flags & DISABLE_LIQUIDITY_POOL_WITHDRAWAL_FLAG) == DISABLE_LIQUIDITY_POOL_WITHDRAWAL_FLAG`
@@ -788,8 +799,9 @@ minAmountA and minAmountB.
- `lpwo.minAmountA < 0`
- `lpwo.minAmountB < 0`
-The process of applying `LiquidityPoolWithdrawOp lpwo` with source `sourceAccount`
-is
+The process of applying `LiquidityPoolWithdrawOp lpwo` with source
+`sourceAccount` is
+
```
tlPool = loadTrustLine(sourceAccount, lpwo.liquidityPoolID)
if !exists(tlPool)
@@ -832,11 +844,12 @@ Succeed with LIQUIDITY_POOL_WITHDRAW_SUCCESS
```
#### ChangeTrustOp
-`ChangeTrustOp` is extended to allow the creation, modification, and deletion of
-pool share trust lines. If a pool share trust line is the first one created for
+
+`ChangeTrustOp` is extended to allow the creation, modification, and deletion
+of pool share trust lines. If a pool share trust line is the first one created
+for the specified parameters, then the corresponding `LiquidityPoolEntry` will
+be created. Likewise, if a pool share trust line is the last one deleted for
the specified parameters, then the corresponding `LiquidityPoolEntry` will be
-created. Likewise, if a pool share trust line is the last one deleted for the
-specified parameters, then the corresponding `LiquidityPoolEntry` will be
deleted. To create a pool share trust line, you must have trust lines for each
of the constituent assets and those trust lines must at least be authorized to
maintain liabilities.
@@ -851,31 +864,34 @@ if `line.type() == ASSET_TYPE_POOL_SHARE` and
The behavior of `ChangeTrustOp` is changed for all trust line types
If `line.type() != ASSET_TYPE_POOL_SHARE` then
+
- If the asset trust line is being deleted but `liquidityPoolUseCount != 0`,
-return `CHANGE_TRUST_CANNOT_DELETE`.
+ return `CHANGE_TRUST_CANNOT_DELETE`.
If `line.type() == ASSET_TYPE_POOL_SHARE` and
+
- If pool share trust line does not exist (and therefore needs to be created)
- For each asset in the pool where the source account is not the issuer
- If the trust line for the asset is missing, return
- `CHANGE_TRUST_TRUST_LINE_MISSING`.
- - If the trust line for the asset is not authorized to maintain liabilities,
- return `CHANGE_TRUST_NOT_AUTH_MAINTAIN_LIABILITIES`.
+ `CHANGE_TRUST_TRUST_LINE_MISSING`.
+ - If the trust line for the asset is not authorized to maintain
+ liabilities, return `CHANGE_TRUST_NOT_AUTH_MAINTAIN_LIABILITIES`.
- The pool share trust line `tl` has
- `tl.asset.liquidityPoolID() == SHA256(line.liquidityPool())`
+ `tl.asset.liquidityPoolID() == SHA256(line.liquidityPool())`
- No flags are set on the pool share trust line.
- If no liquidity pool with `liquidityPoolID == SHA256(line.liquidityPool())`
- exists, then that liquidity pool is created.
+ exists, then that liquidity pool is created.
- The pool share trust line should count as two subentries (and therefore
require two base reserves)
- `poolSharesTrustLineCount` is incremented on the corresponding liquidity
pool and `liquidityPoolUseCount` is incremented on each asset trust line.
Note that `poolSharesTrustLineCount` is counting the number of **pool share
- trust lines** tied to a pool, so this will get incremented even if the source
- account is the issuer of both assets in the pool. `liquidityPoolUseCount` on
- the other hand counts the number of pools a given **asset trust line** is used in,
- so this is irrelevant if the source account is the issuer. The issuer doesn't have
- a trust line to assets it has issued, so this step is skipped in that case.
+ trust lines** tied to a pool, so this will get incremented even if the
+ source account is the issuer of both assets in the pool.
+ `liquidityPoolUseCount` on the other hand counts the number of pools a
+ given **asset trust line** is used in, so this is irrelevant if the source
+ account is the issuer. The issuer doesn't have a trust line to assets it
+ has issued, so this step is skipped in that case.
- If pool share trust line is being deleted
- `poolSharesTrustLineCount` is decremented on the corresponding liquidity
@@ -884,19 +900,22 @@ If `line.type() == ASSET_TYPE_POOL_SHARE` and
0, then that liquidity pool is erased.
#### SetTrustLineFlagsOp and AllowTrustOp
+
The authorization revocation behavior of `SetTrustLineFlagsOp` and
`AllowTrustOp` is extended to force a redeem of pool shares if any of the
referenced asset trust lines get their authorization revoked. For each redeemed
-pool share trust line, a claimable balance will be created for every constituent
-asset if there is a balance being withdrawn and the claimant is not the issuer.
-This means that for a redeemed pool share trust line, there can be zero, one, or
-two claimable balances created. These claimable balances will be sponsored by the
-sponsor of the pool share trust line, and will be unconditionally claimable by the
-owner of the pool share trust line.
+pool share trust line, a claimable balance will be created for every
+constituent asset if there is a balance being withdrawn and the claimant is not
+the issuer. This means that for a redeemed pool share trust line, there can be
+zero, one, or two claimable balances created. These claimable balances will be
+sponsored by the sponsor of the pool share trust line, and will be
+unconditionally claimable by the owner of the pool share trust line.
-The validity conditions for `SetTrustLineFlagsOp` and `AllowTrustOp` are unchanged.
+The validity conditions for `SetTrustLineFlagsOp` and `AllowTrustOp` are
+unchanged.
The process of applying `SetTrustLineFlagsOp` and `AllowTrustOp`
+
```
tl = loadTrustLine(trustor, asset)
@@ -966,31 +985,32 @@ if isAuthorizedToMaintainLiabilities(tl) && !isAuthorizedToMaintainLiabilities(e
```
#### PathPaymentStrictSendOp and PathPaymentStrictReceiveOp
+
`PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp` are the only ways to
exchange with a liquidity pool. The operation does not allow users to determine
their own routing, rather the operation routes the exchange to the single venue
-("venue" in this context means either the order book or the liquidity pool) that
-yields the best price. In all respects, the behavior with liquidity pools is
-analogous to the behavior without liquidity pools.
+("venue" in this context means either the order book or the liquidity pool)
+that yields the best price. In all respects, the behavior with liquidity pools
+is analogous to the behavior without liquidity pools.
As noted, for each step in the path the exchange will be routed to the order
book or liquidity pool that yields the best price for the entire exchange. The
behavior is changed such that:
1. The price of the exchange is computed for the liquidity pool, or it is
-recorded that the exchange is not possible. There are multiple reasons that the
-exchange might not be possible, including insufficient liquidity or INT64_MAX
-overflow of either pool reserve. Note that exceeding limits set by the operation
-does not qualify as "not possible" in this context.
+ recorded that the exchange is not possible. There are multiple reasons that
+ the exchange might not be possible, including insufficient liquidity or
+ INT64_MAX overflow of either pool reserve. Note that exceeding limits set by
+ the operation does not qualify as "not possible" in this context.
2. The price of the exchange is computed for the order book, or it is recorded
-that the exchange is not possible. There are multiple reasons that the exchange
-might not be possible, including insufficient liquidity or a self trade. Note
-that exceeding limits set by the operation does not qualify as "not possible" in
-this context.
+ that the exchange is not possible. There are multiple reasons that the
+ exchange might not be possible, including insufficient liquidity or a self
+ trade. Note that exceeding limits set by the operation does not qualify as
+ "not possible" in this context.
3. If both exchanges are possible, then choose the one which produces the best
-price. In the event that both prices are equal, choose the liquidity pool.
+ price. In the event that both prices are equal, choose the liquidity pool.
4. If the exchange is not possible on the liquidity pool, then return whatever
-result was produced when exchanging with the order book.
+ result was produced when exchanging with the order book.
As an example of the above, consider a path payment strict send with path
`A -> B -> C:`
@@ -1005,9 +1025,9 @@ It is important to recognize that this happens on each step in the path, so
"return whatever result was produced when exchanging with the order book" is a
local statement _not_ a global statement. It is definitely possible that a path
payment will produce a different result then it would have in the absence of
-liquidity pools. One simple example of this occurs on a one step path when there
-is no liquidity on the order book, but there is sufficient liquidity on the
-liquidity pool to perform the exchange at a bad price. In the absence of
+liquidity pools. One simple example of this occurs on a one step path when
+there is no liquidity on the order book, but there is sufficient liquidity on
+the liquidity pool to perform the exchange at a bad price. In the absence of
liquidity pools the result would have been too few offers, but with liquidity
pools the result would have been under destination minimum or over source
maximum.
@@ -1024,28 +1044,37 @@ such a liquidity pool is `(X + x - Fx) (Y - y) >= XY` where
There are two important cases to handle: if we know the amount received, and if
we know the amount disbursed. If we know the amount received `x`, then the
invariant can be rearranged to yield
+
```
y <= Y - XY / (X + x - Fx)
= (1 - F) Yx / (X + x - Fx)
```
+
so the integrality requirement produces
+
```
y = floor[(1 - F) Yx / (X + x - Fx)] .
```
+
If we know the amount disbursed `y`, then the invariant can be rearranged to
yield
+
```
x >= (XY / (Y - y) - X) / (1 - F)
= Xy / (Y - y) / (1 - F)
```
+
so the integrality requirement produces
+
```
x = ceil[Xy / (Y - y) / (1 - F)] .
```
+
In this proposal, `F = 0.003` which corresponds to 0.3% (this is encoded by
`LIQUIDITY_POOL_FEE_V18`).
#### RevokeSponsorshipOp
+
This proposal adds a new result code `REVOKE_SPONSORSHIP_MALFORMED` for
`RevokeSponsorshipOp`. This result code will be returned on validation if
`RevokeSponsorshipOp.ledgerKey().type() == LIQUIDITY_POOL`. Additionally, all
@@ -1053,24 +1082,29 @@ existing validation failures will now return `REVOKE_SPONSORSHIP_MALFORMED` for
consistency.
#### Ledger Header Flags
+
This proposal also adds a `LedgerHeaderExtensionV1` that contains flags for
validators to vote on using a new `LedgerUpgradeType` `LEDGER_UPGRADE_FLAGS`.
-Three different flags can be set (enforced by
-`MASK_LEDGERHEADER_FLAGS`), which are -
-
-- `DISABLE_LIQUIDITY_POOL_TRADING_FLAG`: disable trading against liquidity pools
-- `DISABLE_LIQUIDITY_POOL_DEPOSIT_FLAG`: disable depositing into liquidity pools
-- `DISABLE_LIQUIDITY_POOL_WITHDRAWAL_FLAG`: disable withdrawing from liquidity pools
-
-This will allow validators to disable parts of this CAP in the
-event that unexpected behavior is encountered. These flags can only be set if
-validators vote for them, and they should only be used in case of emergency. The
-ability to disable these pool related features is only temporary, and will be
-removed in the future.
+Three different flags can be set (enforced by `MASK_LEDGERHEADER_FLAGS`), which
+are -
+
+- `DISABLE_LIQUIDITY_POOL_TRADING_FLAG`: disable trading against liquidity
+ pools
+- `DISABLE_LIQUIDITY_POOL_DEPOSIT_FLAG`: disable depositing into liquidity
+ pools
+- `DISABLE_LIQUIDITY_POOL_WITHDRAWAL_FLAG`: disable withdrawing from liquidity
+ pools
+
+This will allow validators to disable parts of this CAP in the event that
+unexpected behavior is encountered. These flags can only be set if validators
+vote for them, and they should only be used in case of emergency. The ability
+to disable these pool related features is only temporary, and will be removed
+in the future.
## Design Rationale
### Erasing the Liquidity Pool
+
Unused liquidity pools are erased automatically. An unused liquidity pool is
characterized by the property that no account has a trust line for the
corresponding pool shares. The implementation of `LiquidityPoolWithdrawOp` must
@@ -1078,6 +1112,7 @@ guarantee that the liquidity pool has no reserves if no account owns shares in
the liquidity pool, in order to avoid destroying assets.
### No LiquidityPoolEntry Reserve
+
This proposal does not require a reserve for a `LiquidityPoolEntry`. This is
justified by the fact that a `LiquidityPoolEntry` cannot exist without the
existence of a `TrustLineEntry` which can hold the pool share. The
@@ -1092,13 +1127,14 @@ account that creates a pool to be merged if it can find another account to
assume the sponsorship.
### TrustLineEntry with asset of type ASSET_TYPE_POOL_SHARE takes two base reserves
-This proposal uses Claimable Balances to send back an asset when a redemption is
-forced due to auth revocation. Instead of making the issuer put up the reserve,
-we would like to have the owner of the asset put up the reserve. This is ideal
-for a few reasons. First, the claimant of the claimable balance now has an
-additional incentive to claim the balance, and second, the issuer will not have
-to worry about potentially putting up many reserves in the case where many pool
-trust lines need to be redeemed on a revocation.
+
+This proposal uses Claimable Balances to send back an asset when a redemption
+is forced due to auth revocation. Instead of making the issuer put up the
+reserve, we would like to have the owner of the asset put up the reserve. This
+is ideal for a few reasons. First, the claimant of the claimable balance now
+has an additional incentive to claim the balance, and second, the issuer will
+not have to worry about potentially putting up many reserves in the case where
+many pool trust lines need to be redeemed on a revocation.
So how do we make the owner of the asset put up the reserve for the Claimable
Balance? We require pool trust lines to require the same number of reserves as
@@ -1108,48 +1144,58 @@ the trust line is deleted (freeing up two reserves), and then two sponsored
Claimable Balances are created.
But what if the owner account is already sponsoring at least `UINT32_MAX - 1`
-entries? They won't be able to sponsor those claimable balances and the revocation
-would fail. For this reason, we should limit `numSponsoring + numSubentries` to
-`UINT32_MAX`, guaranteeing that an account can always sponsor a claimable
-balance for every subentry that gets removed.
+entries? They won't be able to sponsor those claimable balances and the
+revocation would fail. For this reason, we should limit
+`numSponsoring + numSubentries` to `UINT32_MAX`, guaranteeing that an account
+can always sponsor a claimable balance for every subentry that gets removed.
### Claimable Balance is not created on authorization revocation if the claimant is the issuer
-Let's say Account A has a pool share trust line using Asset b1 and Asset b2. Account A
-is the issuer of Asset b1, but not b2. If A has it's authorization for b2 pulled then a redeem is
-forced in the liquidity pool and a Claimable Balance can be created for b2. But should one be created
-for b1? Account A would end up claiming the b1 balance, which would just result in the balance getting
-burned because A is the issuer of b1. We could accomplish the same step without failure by not creating
-the Claimable Balance in the first place and make this scenario simpler for the issuer.
+
+Let's say Account A has a pool share trust line using Asset b1 and Asset b2.
+Account A is the issuer of Asset b1, but not b2. If A has it's authorization
+for b2 pulled then a redeem is forced in the liquidity pool and a Claimable
+Balance can be created for b2. But should one be created for b1? Account A
+would end up claiming the b1 balance, which would just result in the balance
+getting burned because A is the issuer of b1. We could accomplish the same step
+without failure by not creating the Claimable Balance in the first place and
+make this scenario simpler for the issuer.
### Authorization revocation of an asset trust line in a pool can fail
-Here are the possible scenarios when a trust line in a pool has it's authorization revoked.
-Remember that the pool share trust line is deleted to free up reserves for two claimable balances -
+
+Here are the possible scenarios when a trust line in a pool has it's
+authorization revoked. Remember that the pool share trust line is deleted to
+free up reserves for two claimable balances -
1. Account A has a pool share trust line.
- On revoke, claimable balances are sponsored by A. Guaranteed to succeed.
2. Account A has a pool share trust line, but the trust line is sponsored by B.
- On revoke, claimable balances are sponsored by B. Guaranteed to succeed.
-3. Account A has a pool share trust line, the trust line is sponsored by B, but B is in the middle
-of a sponsorship sandwich where its entries will be sponsored by C.
- - On revoke, claimable balances (if any need to be created) are sponsored by C. This can fail
- if C does not have enough available balance to sponsor the claimable balances or if
- `numSponsoring + numSubentries + numClaimableBalancesToSponsor > UINT32_MAX`. The issuer can just
- submit the revoke again outside the sandwich for this to succeed.
- - This still works if C=A because claimable balances aren't subentries.
-4. Account A has a pool share trust line, and is in the middle of a sponsorship sandwich
-where its entries will be sponsored by C.
- - On revoke, claimable balances (if any need to be created) are sponsored by C. This can fail
- if C does not have enough available balance to sponsor the claimable balances or if
- `numSponsoring + numSubentries + numClaimableBalancesToSponsor > UINT32_MAX`. The issuer can just
- submit the revoke again outside the sandwich for this to succeed.
+3. Account A has a pool share trust line, the trust line is sponsored by B, but
+ B is in the middle of a sponsorship sandwich where its entries will be
+ sponsored by C. - On revoke, claimable balances (if any need to be created)
+ are sponsored by C. This can fail if C does not have enough available
+ balance to sponsor the claimable balances or if
+ `numSponsoring + numSubentries + numClaimableBalancesToSponsor > UINT32_MAX`.
+ The issuer can just submit the revoke again outside the sandwich for this to
+ succeed. - This still works if C=A because claimable balances aren't
+ subentries.
+4. Account A has a pool share trust line, and is in the middle of a sponsorship
+ sandwich where its entries will be sponsored by C.
+ - On revoke, claimable balances (if any need to be created) are sponsored by
+ C. This can fail if C does not have enough available balance to sponsor
+ the claimable balances or if
+ `numSponsoring + numSubentries + numClaimableBalancesToSponsor > UINT32_MAX`.
+ The issuer can just submit the revoke again outside the sandwich for this
+ to succeed.
For the failure cases, you can see that the account that owns/sponsors the pool
-share trust line is in the middle of a sponsorship sandwich. It is actually
-up to the issuer if the revoke is done in the middle of a sponsorship sandwich,
-so the issuer could always just submit the revoke with the sponsorship sandwich to make
-sure the revoke succeeds.
+share trust line is in the middle of a sponsorship sandwich. It is actually up
+to the issuer if the revoke is done in the middle of a sponsorship sandwich, so
+the issuer could always just submit the revoke with the sponsorship sandwich to
+make sure the revoke succeeds.
### Liquidity Pools Support Arbitrary Asset Pairs
+
Some implementations of liquidity pools, such as Uniswap V1, enforced the
requirement that one of the constituent assets was fixed. More recent
implementations, such as Uniswap V2, have generally removed this constraint.
@@ -1157,21 +1203,24 @@ implementations, such as Uniswap V2, have generally removed this constraint.
This proposal allows complete flexibility in the constituent assets of a
liquidity pool. We believe that this enables liquidity to be provided in the
manner that is most efficient. For example, providing liquidity between two
-stablecoins with the same underlying asset can be relatively low risk (assuming both
-are creditable). But if instead liquidity had to be provided against some fixed
-third asset, then the liquidity provider would be subject to impermanent loss in
-both liquidity pools.
+stablecoins with the same underlying asset can be relatively low risk (assuming
+both are creditable). But if instead liquidity had to be provided against some
+fixed third asset, then the liquidity provider would be subject to impermanent
+loss in both liquidity pools.
### Price Bounds for LiquidityPoolDepositOp
+
Fix assets X and Y. Suppose that `p > 0` is the value of Y in terms of X. A
portfolio consisting of `x` of X and `y` of Y has value `x + py` in terms of X.
Fix a real-valued differentiable function `f` of two real-valued variables such
that for all `p > 0` the system of equations
+
```
0 = f(x,y)
df/dy = p df/dx
```
+
has a unique solution with `x,y > 0` and `x' + py' >= x + py` for all `(x',y')`
satisfying `x',y' > 0` and `f(x',y') = 0` that are sufficiently near to
`(x,y)`. Consider a liquidity pool where the reserves `x` of X and `y` of `Y`
@@ -1179,11 +1228,13 @@ are constrained to satisfy `f(x,y) = 0`. Then the value of the reserves can be
minimized by the method of Lagrange multipliers. Let `z` be a Lagrange
multiplier and define the Lagrangian `L(x,y,z) = x + py - z f(x,y)`. This
yields the system of equations
+
```
0 = dL/dx = 1 - z df/dx
0 = dL/dy = p - z df/dy
0 = dL/dz = -f(x,y) .
```
+
`z` can be eliminated by combining the first two equations, which produces
`df/dy = p df/dx`. Following from the definition of `f`, there exist unique
`x,y > 0` that satisfy these equations. Furthermore, `(x,y)` is a local minima
@@ -1201,34 +1252,40 @@ prevent a vulnerability.
It is easy to see that the constant product invariant satisfies the above
conditions. Let `f(x,y) = xy - k` for some `k > 0`. For all `p > 0` the system
of equations
+
```
0 = xy - k
x = py
```
+
has the unique solution `y = sqrt(k/p), x = sqrt(kp)` where `x,y > 0`. Now note
that for any `(x',y')` satisfying `x',y' > 0` and `f(x',y') = 0`, the AM-GM
inequality implies
+
```
x' + py' = x' + kp/x' >= 2 sqrt(kp) = x + py .
```
### Price Bounds for LiquidityPoolWithdrawOp
-The corrolary to the above results "Price Bounds for LiquidityPoolDepositOp"
-is that an attacker cannot profit at the expense of a withdrawer, because moving
+
+The corrolary to the above results "Price Bounds for LiquidityPoolDepositOp" is
+that an attacker cannot profit at the expense of a withdrawer, because moving
the pool from its fair price actually makes the pool shares more valuable.
-But the above analysis only applies if you ignore rounding. With rounding, it is
-always possible that you receive less than you expect. It is even possible that
-you receive 0 of one asset. Therefore, we must include minimum withdrawal
+But the above analysis only applies if you ignore rounding. With rounding, it
+is always possible that you receive less than you expect. It is even possible
+that you receive 0 of one asset. Therefore, we must include minimum withdrawal
amounts.
### LiquidityPoolWithdrawOp Specifies a Withdrawal Amount
+
In some jurisdictions, every operation on a blockchain is considered a taxable
event. This means that the process of withdrawing all funds in order to deposit
a new amount could have extremely adverse tax consequences. Allowing arbitrary
withdrawal amounts avoids this issue with little extra complexity.
### Store Pool Shares in Trust Lines
+
This proposal stores pool shares in trust lines, without allowing pool shares
to be used in any operation except `LiquidityPoolWithdrawOp` and `ChangeTrust`.
This means that pool shares already have any associated data that could be
@@ -1236,21 +1293,24 @@ necessary to make them transferable or control authorization, but we do not
enable these features in this proposal.
### Pool Shares are not Transferable
+
There are good reasons that pool shares should be transferable, most notably
-that this would facilitate using them as collateral in lending. Stellar has very
-limited support for lending, so this reason is not sufficient to justify the
-effort of supporting transferability at this point. This proposal is designed
-such that transferability could easily be added in a future protocol version.
+that this would facilitate using them as collateral in lending. Stellar has
+very limited support for lending, so this reason is not sufficient to justify
+the effort of supporting transferability at this point. This proposal is
+designed such that transferability could easily be added in a future protocol
+version.
One of the decisions that will need to be made is what should happen to the
authorization state of a pool trustline if one of its corresponding asset
-trustlines has authorization downgraded. We could either always check the
-asset trustline's authorization when checking the pool trustline's authorization,
-or automatically update pool trustlines when the asset trustline changes. We need
-to make sure a pool trustline cannot be transferred to and redeemed by an account
-that has a deauthorized trustline to one of the assets in the pool.
+trustlines has authorization downgraded. We could either always check the asset
+trustline's authorization when checking the pool trustline's authorization, or
+automatically update pool trustlines when the asset trustline changes. We need
+to make sure a pool trustline cannot be transferred to and redeemed by an
+account that has a deauthorized trustline to one of the assets in the pool.
### Trust Lines for Pool Shares do not have any flags set
+
`ChangeTrustOp` creates trust lines for pool shares with no flags set. Right
now, pool shares aren't transferable so the set of possible interactions is
limited. `LiquidityPoolDepositOp` should be able to mint pool shares if the
@@ -1268,38 +1328,42 @@ the actual authorization state of the pool trust line from the asset trust
lines.
### Pool withdrawals are allowed when asset trust lines have AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG set
+
It would be unfair to lock an account's funds in a Liquidity Pool when they no
longer want to be a part of one. It's currently possible for an account to pull
-offers in the `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state, so it makes sense
-to treat pool shares the same. An account in this state can withdraw from a pool,
-but will not be able to do anything else with those funds since operations like
-payments check authorization.
+offers in the `AUTHORIZED_TO_MAINTAIN_LIABILITIES_FLAG` state, so it makes
+sense to treat pool shares the same. An account in this state can withdraw from
+a pool, but will not be able to do anything else with those funds since
+operations like payments check authorization.
### Clawback assets from a pool
+
There are no operations that clawback directly from a pool, but the same
results can be achieved by using `SetTrustlineFlagsOp` or `AllowTrustOp`. The
issuer can deauthorize an asset trust line, which will redeem the all pool
-trust lines using that asset and account back to the owner account if
-possible, and if not, into a claimable balance. The issuer can then use
-`ClawbackOp` or `ClawbackClaimableBalanceOp` to clawback the assets.
+trust lines using that asset and account back to the owner account if possible,
+and if not, into a claimable balance. The issuer can then use `ClawbackOp` or
+`ClawbackClaimableBalanceOp` to clawback the assets.
### Alternative authorization revocation solution
-The current proposal forces a redemption of all referenced pool trust lines when an
-asset trust line has its authorization revoked. There is an alternative to this
-solution. We could instead require the issuer to revoke authorization on
-individual pool trust lines to force a redemption. This approach will require the
-issuer to look up all pool trust lines for an asset trust line to perform the
-revoke. It would also add an additional step when regulating assets for the
-issuer, so we would need to add an opt in flag for liquidity pools so issuers
-are aware of this.
+
+The current proposal forces a redemption of all referenced pool trust lines
+when an asset trust line has its authorization revoked. There is an alternative
+to this solution. We could instead require the issuer to revoke authorization
+on individual pool trust lines to force a redemption. This approach will
+require the issuer to look up all pool trust lines for an asset trust line to
+perform the revoke. It would also add an additional step when regulating assets
+for the issuer, so we would need to add an opt in flag for liquidity pools so
+issuers are aware of this.
This approach would be simpler to implement, and we wouldn't need to tie the
lifetime of an asset trust line to a pool trust line like in this proposal, but
it is not as user-friendly as the current proposal.
### Why the asset trust line is required to exist for the lifetime of corresponding pool trust lines
-This proposal introduces `TrustLineEntryExtensionV2.liquidityPoolUseCount`, which
-keeps track of the number of pool trust lines an asset trust line is used
+
+This proposal introduces `TrustLineEntryExtensionV2.liquidityPoolUseCount`,
+which keeps track of the number of pool trust lines an asset trust line is used
in. The extension is used to make sure the trust line is not deleted while
corresponding pool trust lines exist. This is required because without the
asset trust line, there is no way to deauthorize the trust line and force a
@@ -1309,16 +1373,17 @@ This mechanism is not required for the native asset since a trust line is not
required to hold the native asset, and the native asset is trustless.
### No Interleaved Execution
-This proposal uses `PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp` as
-opaque interfaces to exchange on the Stellar network. These operations are
-referred to as opaque interfaces because there is no way to specify how you want
-the exchange to execute. This approach is favorable because it requires no
+
+This proposal uses `PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp`
+as opaque interfaces to exchange on the Stellar network. These operations are
+referred to as opaque interfaces because there is no way to specify how you
+want the exchange to execute. This approach is favorable because it requires no
changes to clients that depend on exchange.
-Because this is an opaque interface, the only thing we should absolutely require
-is that adding liquidity pools as an execution option should never make the
-exchange price worse. This is a weak requirement. Specifically it is much weaker
-than requiring that exchange produces the best price.
+Because this is an opaque interface, the only thing we should absolutely
+require is that adding liquidity pools as an execution option should never make
+the exchange price worse. This is a weak requirement. Specifically it is much
+weaker than requiring that exchange produces the best price.
The primary reason not to require that exchange produces the best price is ease
of implementation. Requiring that exchange always produces the best price
@@ -1330,19 +1395,20 @@ where an exchange will execute against either
- the order book alone (this is exactly what happens in protocol 16)
- one specific liquidity pool alone
-depending on which produces the better price. This price is not guaranteed to be
-the best possible price, but by construction it cannot be worse than executing
-against the order book alone.
+depending on which produces the better price. This price is not guaranteed to
+be the best possible price, but by construction it cannot be worse than
+executing against the order book alone.
-It is important to recognize that this happens on each step in the path, so
-no interleaving is a local statement _not_ a global statement. It is definitely
-possible that a path payment will exchange with a liquidity pool on one step and
-the order book on another step. A particularly surprising case occurs when there
-is a path with an internal loop such as `A -> B -> C -> A -> B`, in which case
-the first `A -> B` may use one venue and the second `A -> B` may use the other
-venue.
+It is important to recognize that this happens on each step in the path, so no
+interleaving is a local statement _not_ a global statement. It is definitely
+possible that a path payment will exchange with a liquidity pool on one step
+and the order book on another step. A particularly surprising case occurs when
+there is a path with an internal loop such as `A -> B -> C -> A -> B`, in which
+case the first `A -> B` may use one venue and the second `A -> B` may use the
+other venue.
#### Residual Arbitrage Opportunities
+
There are a variety of objections to this approach, but none of them justifies
the additional complexity of interleaved execution. It is claimed that
interleaved execution guarantees that there will be no arbitrage opportunities
@@ -1351,21 +1417,22 @@ pools involving the same assets, but false otherwise. If there are linear
combinations of assets which are effectively risk-free, then exchange will
still generate arbitrage opportunities even if interleaved execution is used.
-A concrete example where this could occur is if there were two highly creditable
-issuers of USD. Let's call the assets USD1 and USD2. Suppose a large exchange
-occurs from USD1 to EUR. With interleaved execution, there are no arbitrage
-opportunities between the order book and liquidity pools for USD1/EUR. But it
-could still be possible to sell USD1 for EUR, then buy USD2 for EUR at a profit.
-If there is a USD1/USD2 market then the arbitrageur may be able to settle their
-position instantly. Otherwise, the arbitrageur may wait until the opposite
-arbitrage opportunity arises to unwind their position.
+A concrete example where this could occur is if there were two highly
+creditable issuers of USD. Let's call the assets USD1 and USD2. Suppose a large
+exchange occurs from USD1 to EUR. With interleaved execution, there are no
+arbitrage opportunities between the order book and liquidity pools for
+USD1/EUR. But it could still be possible to sell USD1 for EUR, then buy USD2
+for EUR at a profit. If there is a USD1/USD2 market then the arbitrageur may be
+able to settle their position instantly. Otherwise, the arbitrageur may wait
+until the opposite arbitrage opportunity arises to unwind their position.
-There is also the reality that if the price of a liquidity pool has moved enough
-to generate an arbitrage opportunity with the order book or another liquidity
-pool, then it has probably moved enough to generate an arbitrage opportunity
-with some centralized exchange.
+There is also the reality that if the price of a liquidity pool has moved
+enough to generate an arbitrage opportunity with the order book or another
+liquidity pool, then it has probably moved enough to generate an arbitrage
+opportunity with some centralized exchange.
### CreatePassiveOfferOp, ManageBuyOfferOp, and ManageSellOfferOp Unchanged
+
This proposal does not change the behavior of `CreatePassiveOfferOp`,
`ManageBuyOfferOp`, and `ManageSellOfferOp`. This is a consequence of not
enforcing best pricing and interleaved execution. The Stellar protocol does not
@@ -1378,18 +1445,21 @@ pools, in the sense that they are the only way to change liquidity provided to
those venues.
### ClaimAtom
-In order to enable `PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp` to
-emit accurate information about exchanges with liquidity pools, we converted
+
+In order to enable `PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp`
+to emit accurate information about exchanges with liquidity pools, we converted
`ClaimOfferAtom` into a union named `ClaimAtom`. Even though `ClaimAtom` is not
-required for `CreatePassiveOfferOp`, `ManageBuyOfferOp`, and `ManageSellOfferOp`,
-we still make the analogous change to the corresponding operation results. This
-should allow downstream systems to handle both results in the same way.
+required for `CreatePassiveOfferOp`, `ManageBuyOfferOp`, and
+`ManageSellOfferOp`, we still make the analogous change to the corresponding
+operation results. This should allow downstream systems to handle both results
+in the same way.
### No Minimum Deposit Time
+
Other proposals include a minimum time that funds must be deposited in a
-liquidity pool before they can be withdrawn. The argument is that this will help
-ensure stability of liquidity, avoiding fluctuations as volume moves between
-different pairs.
+liquidity pool before they can be withdrawn. The argument is that this will
+help ensure stability of liquidity, avoiding fluctuations as volume moves
+between different pairs.
This proposal does not include a minimum deposit time. The primary argument is
that liquidity fluctuations are the direct manifestation of liquidity providers
@@ -1405,17 +1475,19 @@ that they want to. Modern payment networks, like Stellar, should be trying to
remove friction rather than create it.
### Future Work: Support Fees Other than 0.3%
-This proposal fixes the constant product market maker fee at 0.3%. But we expect
-future protocol versions to take advantage of the extensibility which has been
-built into this proposal to support other fees. Such changes should be
+
+This proposal fixes the constant product market maker fee at 0.3%. But we
+expect future protocol versions to take advantage of the extensibility which
+has been built into this proposal to support other fees. Such changes should be
relatively easy to implement.
## Protocol Upgrade Transition
### Backwards Incompatibilities
+
This proposal introduces one backwards incompatibility. Clients that depend on
-`PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp` executing against the
-order book will be broken. There are two ways a client could depend on this
+`PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp` executing against
+the order book will be broken. There are two ways a client could depend on this
- Expecting to receive a certain price
- Expecting to execute certain orders
@@ -1427,16 +1499,20 @@ to this proposal. Therefore, the risk of this backwards incompatibility is
minimal.
### Resource Utilization
+
This proposal should have a minor effect on resource utilization. Converting
`PathPaymentStrictSendOp` and `PathPaymentStrictReceiveOp` into opaque
interfaces for exchange will slightly increase the constant factors associated
with these operations but will not effect the asymptotic complexity.
## Security Concerns
+
This proposal does not introduce any new security concerns.
## Test Cases
+
None yet.
## Implementation
+
None yet.
diff --git a/core/cap-0039.md b/core/cap-0039.md
index 53fa23619..13bbbadb8 100644
--- a/core/cap-0039.md
+++ b/core/cap-0039.md
@@ -16,12 +16,13 @@ Protocol version: TBD
## Simple Summary
This CAP addresses the following authorization semantics requirements:
+
- It should be clear and predictable to an asset holder if their assets are
-revocable.
+ revocable.
- It should be possible for issuer accounts to communicate their intent to
-revoke without giving up the mutability of their asset.
+ revoke without giving up the mutability of their asset.
- It should be possible for issuer accounts to make their assets usable with
-contracts, such as payment channels, without making their accounts immutable.
+ contracts, such as payment channels, without making their accounts immutable.
## Working Group
@@ -32,8 +33,8 @@ consulted individuals mentioned at the top of this document.
Trustline authorization is an important feature of the Stellar protocol. It
allows issuers to handle various regulatory requirements. However, its current
-behavior forces asset issuers to make a choice between immutable and predictable
-for asset holders, or mutable and unpredictable for asset holders.
+behavior forces asset issuers to make a choice between immutable and
+predictable for asset holders, or mutable and unpredictable for asset holders.
The current behavior makes all non-immutable assets revocable even if the asset
issuer does not have auth revocable flag cleared, and even if issuer has no
@@ -42,17 +43,18 @@ other reasons.
Most assets on the Stellar network are not immutable.
-This prevents most assets from being used in contracts since the revocation of a
-trustline can break a contract. This may prevent most assets from being used in payment channels, such as those described in [CAP-21].
+This prevents most assets from being used in contracts since the revocation of
+a trustline can break a contract. This may prevent most assets from being used
+in payment channels, such as those described in [CAP-21].
### Goals Alignment
This CAP is aligned with the following Stellar Network Goals:
- The Stellar Network should make it clear for asset holders to understand the
-trust relationship they have with asset issuers.
+ trust relationship they have with asset issuers.
- The Stellar Network should enable predictable lock-up of funds in escrow
-accounts for contracts, such as payment channels.
+ accounts for contracts, such as payment channels.
## Specification
@@ -75,12 +77,12 @@ index 0e7bc842..68c52758 100644
+ // Trustlines are created with revocation disabled set to "true"
+ AUTH_NOT_REVOCABLE_FLAG = 0x10
};
-
+
// mask for all valid flags
const MASK_ACCOUNT_FLAGS = 0x7;
const MASK_ACCOUNT_FLAGS_V17 = 0xF;
+const MASK_ACCOUNT_FLAGS_V18 = 0x1F;
-
+
// maximum number of signers
const MAX_SIGNERS = 20;
@@ -206,13 +209,16 @@ enum TrustLineFlags
@@ -92,13 +94,13 @@ index 0e7bc842..68c52758 100644
+ // issuer has specified that it may not revoke authorization.
+ TRUSTLINE_NOT_REVOCABLE_FLAG = 8,
};
-
+
// mask for all trustline flags
const MASK_TRUSTLINE_FLAGS = 1;
const MASK_TRUSTLINE_FLAGS_V13 = 3;
const MASK_TRUSTLINE_FLAGS_V17 = 7;
+const MASK_TRUSTLINE_FLAGS_V18 = 15;
-
+
struct TrustLineEntry
{
@@ -106,78 +108,89 @@ index 0e7bc842..68c52758 100644
### Semantics
-This proposal introduces one new account flag that controls whether new trustlines are created with revocation disabled or not.
+This proposal introduces one new account flag that controls whether new
+trustlines are created with revocation disabled or not.
-This proposal introduces one new trustline flag that captures onto the trustline
-at the moment it is created whether it will be revocable by the issuer account.
+This proposal introduces one new trustline flag that captures onto the
+trustline at the moment it is created whether it will be revocable by the
+issuer account.
-This proposal changes the `AllowTrustOp` to disallow its use to revoke or reduce
-the limit of a trustline that has the new trustline flag set. This prevents
-authorization revocation on trustlines when the issuer has indicated it does not
-intend to revoke trustlines while allowing the issuer account to remain mutable.
+This proposal changes the `AllowTrustOp` to disallow its use to revoke or
+reduce the limit of a trustline that has the new trustline flag set. This
+prevents authorization revocation on trustlines when the issuer has indicated
+it does not intend to revoke trustlines while allowing the issuer account to
+remain mutable.
-Existing and new trustlines for issuers that do not use the new account flag are
-unaffected and will use the existing behavior they have today. An issuer may
-revoke existing trustline at anytime by enabling the `AUTH_REVOCABLE_FLAG`
+Existing and new trustlines for issuers that do not use the new account flag
+are unaffected and will use the existing behavior they have today. An issuer
+may revoke existing trustline at anytime by enabling the `AUTH_REVOCABLE_FLAG`
account flag on the issuer account, and using the `AllowTrustOp` operation to
revoke authorization of the trustor.
-New trustlines created when the issuer account has its `AUTH_NOT_REVOCABLE_FLAG`
-will not be revocable, even if the issuer account sets the `AUTH_REVOCABLE_FLAG`
-account flag at a later time.
+New trustlines created when the issuer account has its
+`AUTH_NOT_REVOCABLE_FLAG` will not be revocable, even if the issuer account
+sets the `AUTH_REVOCABLE_FLAG` account flag at a later time.
#### Account Flags
This proposal introduces a new account flag:
-- `AUTH_NOT_REVOCABLE_FLAG` that indicates if trustlines should be created
-not revocable.
+
+- `AUTH_NOT_REVOCABLE_FLAG` that indicates if trustlines should be created not
+ revocable.
#### TrustLine Flags
-This proposal introduces a new trustline flag that is set on the trustline
-when it is created:
+This proposal introduces a new trustline flag that is set on the trustline when
+it is created:
+
- `TRUSTLINE_NOT_REVOCABLE_FLAG` that is set if the issuer account has its
-`AUTH_NOT_REVOCABLE_FLAG` flag set.
+ `AUTH_NOT_REVOCABLE_FLAG` flag set.
#### Change Trust Operation
This proposal introduces changes to the semantics of the `ChangeTrustOp`
operation.
-When `ChangeTrustOp` creates a new trustline it sets
+When `ChangeTrustOp` creates a new trustline it sets
`TRUSTLINE_NOT_REVOCABLE_FLAG` if the `AUTH_NOT_REVOCABLE_FLAG` account flag is
set on the issuer account.
-When `ChangeTrustOp` modifies an existing trustline the new flag is not changed,
-regardless of the state of the `AUTH_NOT_REVOCABLE_FLAG` or
+When `ChangeTrustOp` modifies an existing trustline the new flag is not
+changed, regardless of the state of the `AUTH_NOT_REVOCABLE_FLAG` or
`AUTH_REVOCABLE_FLAG` account flags on the issuer account.
#### Allow Trust Operation
-This proposal introduces changes to the semantics of the `ALLOW_TRUST` operation.
+This proposal introduces changes to the semantics of the `ALLOW_TRUST`
+operation.
- Disallow `ALLOW_TRUST` operations that downgrade authorization when the
-trustline is authorized and the `TRUSTLINE_NOT_REVOCABLE_FLAG` trustline flag is
-set.
+ trustline is authorized and the `TRUSTLINE_NOT_REVOCABLE_FLAG` trustline flag
+ is set.
#### Set TrustLine Flags Operation
-This proposal extends the cases that the `SetTrustLineFlagsOp` operation will return `SET_TRUST_LINE_FLAGS_MALFORMED` during validation to include the following conditions:
+This proposal extends the cases that the `SetTrustLineFlagsOp` operation will
+return `SET_TRUST_LINE_FLAGS_MALFORMED` during validation to include the
+following conditions:
+
- `TRUSTLINE_NOT_REVOCABLE_FLAG` is set on `clearFlags`.
Issuer accounts could use `SetTrustLineFlagsOp` to set the
-`TRUSTLINE_NOT_REVOCABLE_FLAG` on accounts, making it such
-that existing trustlines cannot be revoked.
+`TRUSTLINE_NOT_REVOCABLE_FLAG` on accounts, making it such that existing
+trustlines cannot be revoked.
## Design Rationale
-The `ChangeTrustOp` semantics introduced are consistent with the semantics of the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` flag that was introduced in [CAP-35].
+The `ChangeTrustOp` semantics introduced are consistent with the semantics of
+the `TRUSTLINE_CLAWBACK_ENABLED_FLAG` flag that was introduced in [CAP-35].
A disabled flag is introduced because disabling revocation is the new behavior.
Existing trustlines of non-immutable issuers are already revocable enabled even
though no flag on the trustline indicates that.
-A new not revocable flag is introduced onto accounts so that existing issuer accounts see no change in behavior.
+A new not revocable flag is introduced onto accounts so that existing issuer
+accounts see no change in behavior.
## Protocol Upgrade Transition
@@ -185,8 +198,8 @@ A new not revocable flag is introduced onto accounts so that existing issuer acc
This proposal is backwards compatible with existing and new trustlines.
-This proposal is backwards compatible for existing and new issuers who expect to
-enable auth revocation in the future but do not wish to enable it today.
+This proposal is backwards compatible for existing and new issuers who expect
+to enable auth revocation in the future but do not wish to enable it today.
### Resource Utilization
diff --git a/core/cap-0040.md b/core/cap-0040.md
index 3203038e9..ef8c71854 100644
--- a/core/cap-0040.md
+++ b/core/cap-0040.md
@@ -36,8 +36,8 @@ agreed by all parties to the contract.
Signing a set of transactions in contracts that have a time delay as specified
in [CAP-21] requires participants to exchange signatures for each transaction
-across multiple-steps, exchanging the signatures for the transactions in reverse
-order that they can be executed.
+across multiple-steps, exchanging the signatures for the transactions in
+reverse order that they can be executed.
A party must not share their signature for an earlier transaction before
receiving all signatures for latter transactions otherwise another party may be
@@ -46,8 +46,8 @@ authorize a latter transaction.
In the payment channel designs identified in the design rationale of [CAP-21]
this requires participants to exchange signatures across at least three
-messages. This coordination increases implementation complexity. This complexity
-increases significantly for payment channel implementations that are
+messages. This coordination increases implementation complexity. This
+complexity increases significantly for payment channel implementations that are
asynchronous or payment channels where receiving participants are allowed to
fall behind confirming payments from a sending participant.
@@ -60,7 +60,7 @@ transactions could be authorized simplifies payment channel implementations.
This CAP is aligned with the following Stellar Network Goals:
- The Stellar Network should make it easy for developers of Stellar projects to
-create highly usable products
+ create highly usable products
## Specification
@@ -90,7 +90,7 @@ index 8f7d5c20..03149f3d 100644
+ SIGNER_KEY_TYPE_HASH_X = KEY_TYPE_HASH_X,
+ SIGNER_KEY_TYPE_ED25519_SIGNED_PAYLOAD = KEY_TYPE_ED25519_SIGNED_PAYLOAD
};
-
+
union PublicKey switch (PublicKeyType type)
@@ -52,6 +54,13 @@ case SIGNER_KEY_TYPE_PRE_AUTH_TX:
case SIGNER_KEY_TYPE_HASH_X:
@@ -104,7 +104,7 @@ index 8f7d5c20..03149f3d 100644
+ opaque payload<64>;
+ } ed25519SignedPayload;
};
-
+
// variable size as the size depends on the signature scheme used
```
@@ -127,12 +127,14 @@ of the signer's payload using the private key that derives the signer's ed25519
public key.
For example, given:
+
- A private key `Ks` and its derived public key `Kp`.
- A ed25519 signed payload signer `S` that contains:
- Payload `P`.
- Public key `Kp`.
A signature that satisfies signer `S` is produced by:
+
- Ed25519 signing `P` with `Ks`.
Unlike transaction signatures in the Stellar protocol, the payload of this
@@ -149,8 +151,8 @@ payload such that it has a length of 4 bytes, for calculating the hint.
#### Transaction Envelopes
This proposal makes no structural changes to transaction envelopes other than
-the signature of an ed25519 signed payload signer may be included in the list of
-decorated signatures.
+the signature of an ed25519 signed payload signer may be included in the list
+of decorated signatures.
#### Signature Checking
@@ -158,8 +160,8 @@ Signature checking is changed to include verifying that any ed25519 signed
payload signer's have matching signatures.
Ed25519 signed payload signer signatures are verified by performing ed25519
-signature verification using the signature, the payload from the signer, and the
-ed25519 public key from the signer.
+signature verification using the signature, the payload from the signer, and
+the ed25519 public key from the signer.
#### Signer Verification Order
@@ -175,8 +177,8 @@ fails with `txBAD_AUTH_EXTRA`.
#### Transaction Validity
If a payload signer is used in the `extraSigners` precondition specified in
-[CAP-21], and the payload is empty, the transaction will fail with `txMALFORMED`
-(also specified in [CAP-21]).
+[CAP-21], and the payload is empty, the transaction will fail with
+`txMALFORMED` (also specified in [CAP-21]).
#### SetOptionsOp
@@ -186,16 +188,16 @@ is empty.
## Design Rationale
-This proposal provides a primitive that makes it possible to construct a set
-of transactions where all transactions can be authorized and submitted if the
+This proposal provides a primitive that makes it possible to construct a set of
+transactions where all transactions can be authorized and submitted if the
first transaction is authorized and submitted.
This proposal makes this possible since a Stellar transaction hash can be
specified as the payload of an ed25519 signed payload signer. A Stellar
transaction hash is the SHA-256 hash of the `TransactionSignaturePayload`
containing the Stellar transaction. A valid signature for the signer will also
-be a valid signature of the other Stellar transaction if the ed25519 key used to
-sign the payload is also required to sign the other transaction.
+be a valid signature of the other Stellar transaction if the ed25519 key used
+to sign the payload is also required to sign the other transaction.
An ed25519 signed payload signer can be constructed for each subsequent
transaction that needs authorizing, and included in the `extraSigners`
@@ -207,9 +209,9 @@ existing protocol by using the preauth transaction signer, use of that signer
requires creating a new ledger entry which is impractical in contracts with
multiple iterations.
-The maximum size of the set of transactions is three, limited to being one
-more than the maximum number of `extraSigners` specified in [CAP-21], currently
-two, and can be increased past three if the maximum size of `extraSigners` is
+The maximum size of the set of transactions is three, limited to being one more
+than the maximum number of `extraSigners` specified in [CAP-21], currently two,
+and can be increased past three if the maximum size of `extraSigners` is
changed.
The hint is specified as an XOR of the last 4 bytes of all elements of the
@@ -229,22 +231,22 @@ the requirements on when participants may exchange signatures for transactions.
The following paragraph in CAP-21:
->To update the payment channel state, the parties 1) increment i, 2)
->sign and exchange a closing transaction C_i, and finally 3) sign and
->exchange a declaration transaction D_i.
+> To update the payment channel state, the parties 1) increment i, 2) sign and
+> exchange a closing transaction C_i, and finally 3) sign and exchange a
+> declaration transaction D_i.
May be changed to:
->To update the payment channel state, the parties 1) increment i, 2)
->sign and exchange a closing transaction C_i and declaration
->transaction D_i.
+> To update the payment channel state, the parties 1) increment i, 2) sign and
+> exchange a closing transaction C_i and declaration transaction D_i.
-This changes the number of messages the parties must send to each other to
-update the payment channel, reducing the number from three to two. It reduces
-the number of messages down to one for any the payment channel implementation
+This changes the number of messages the parties must send to each other to
+update the payment channel, reducing the number from three to two. It reduces
+the number of messages down to one for any the payment channel implementation
where the receiving party of a payment update is the beneficiary.
Three messages using CAP-21:
+
```
+---+ +---+
| A | | B |
@@ -262,6 +264,7 @@ Three messages using CAP-21:
```
Simplified two message process using CAP-21 and CAP-40:
+
```
+---+ +---+
| A | | B |
@@ -275,8 +278,9 @@ Simplified two message process using CAP-21 and CAP-40:
| |
```
-Simplified one message process using CAP-21 and CAP-40 where B is the only
+Simplified one message process using CAP-21 and CAP-40 where B is the only
beneficiary of the update, supporting queue-like processing of payments:
+
```
+---+ +---+
| A | | B |
@@ -288,40 +292,40 @@ beneficiary of the update, supporting queue-like processing of payments:
```
This simplified exchange would be implemented by requiring the sender of a
-payment to include in D_i the `extraSigners` precondition with an ed25519 signed
-payload signer where the payload is the transaction hash of C_i and the ed25519
-public key is the public key of the receiving participant that must sign D_i and
-C_i.
-
-The effect of this change is the receiving participant must sign the transaction
-hash of C_i to authorize D_i, embedding their signature for C_i into D_i. If the
-receiving participant nefariously authorizes and submits D_i without sharing a
-signature for C_i, the sender who is watching the network may see D_i be
-submitted, extract the signature for C_i from the signatures on D_i, attach the
-signature to C_i, and submit C_i.
+payment to include in D_i the `extraSigners` precondition with an ed25519
+signed payload signer where the payload is the transaction hash of C_i and the
+ed25519 public key is the public key of the receiving participant that must
+sign D_i and C_i.
+
+The effect of this change is the receiving participant must sign the
+transaction hash of C_i to authorize D_i, embedding their signature for C_i
+into D_i. If the receiving participant nefariously authorizes and submits D_i
+without sharing a signature for C_i, the sender who is watching the network may
+see D_i be submitted, extract the signature for C_i from the signatures on D_i,
+attach the signature to C_i, and submit C_i.
The use of the payload signer in CAP-21's payment channel requires a payload of
-32 bytes to store the hash of another Stellar transaction. 32 bytes are required
-because Stellar transaction hashes utilize the SHA-256 algorithm.
+32 bytes to store the hash of another Stellar transaction. 32 bytes are
+required because Stellar transaction hashes utilize the SHA-256 algorithm.
### Other Uses
This new signer is likely to have other applications in scenarios similar to
-where HASH_X signers are currently used, except that the data revealed would not
-only be a hash shared by multiple transactions across multiple chains, but could
-be a signature for a hash validated by a smart contract on another chain, or a
-signature for any other use. However, this has limited use to only signatures of
-ed25519 keys as specified.
+where HASH_X signers are currently used, except that the data revealed would
+not only be a hash shared by multiple transactions across multiple chains, but
+could be a signature for a hash validated by a smart contract on another chain,
+or a signature for any other use. However, this has limited use to only
+signatures of ed25519 keys as specified.
The use of the payload signer in these other applications could require a
variety of different payload sizes. It would be impractical to permit large
payloads without changes to Stellar's fee participation because the sizes of
transactions and account sub-entries in the ledger could explode.
-A payload with a maximum length of 64 bytes, rather than 32 bytes, would support
-payloads that are hashes for most hashing algorithms defined today – e.g.
-SHA-384, SHA-512 – which may support future cross-chain applications that choose
-to use ed25519 signatures of hashes.
+A payload with a maximum length of 64 bytes, rather than 32 bytes, would
+support payloads that are hashes for most hashing algorithms defined today –
+e.g. SHA-384, SHA-512 – which may support future cross-chain applications that
+choose to use ed25519 signatures of hashes.
## Protocol Upgrade Transition
@@ -338,8 +342,8 @@ The size of signatures, and therefore transactions, remain the same.
The effort to verify the signature is equivalent to the effort to verify an
ed25519 signature.
-The size of signers stored in the ledger will be 3x the size, at 96 bytes,
-for ed25519 signed payload signers compared to 32 bytes for all other signers.
+The size of signers stored in the ledger will be 3x the size, at 96 bytes, for
+ed25519 signed payload signers compared to 32 bytes for all other signers.
## Test Cases
@@ -350,15 +354,15 @@ None yet.
If a transaction requires the signature of a Signed Payload Signer and a signer
signs it without understanding the preimage of the payload, the signer could be
authorizing another Stellar transaction if the payload is a Stellar transaciton
-hash, or the signer could be authorizing some other operation on another network
-or application. People and applications should never sign a hash that they do
-not completely understand the consequences of signing, in all the contexts that
-their key provides authentication or authorization. People and applications
-should never sign a transaction they do not completely understand. There are
-many cases where signing a transaction not completely understood can pose a
-security concern for the signer because the signer could be authorizing
-something they would not approve of if they did understand the transaction. This
-proposal introduces a new case with the Signed Payload Signer.
+hash, or the signer could be authorizing some other operation on another
+network or application. People and applications should never sign a hash that
+they do not completely understand the consequences of signing, in all the
+contexts that their key provides authentication or authorization. People and
+applications should never sign a transaction they do not completely understand.
+There are many cases where signing a transaction not completely understood can
+pose a security concern for the signer because the signer could be authorizing
+something they would not approve of if they did understand the transaction.
+This proposal introduces a new case with the Signed Payload Signer.
## Implementation
diff --git a/core/cap-0041.md b/core/cap-0041.md
index 1f831d1df..467491d53 100644
--- a/core/cap-0041.md
+++ b/core/cap-0041.md
@@ -18,10 +18,11 @@ Protocol version: TBD
## Simple Summary
This proposal provides users with the capability to submit transactions to the
-Stellar network concurrently, without coordinating the sequence numbers of those
-transactions. This capability is limited to transactions that are valid for two
-ledgers only, intended for use in the most common payments and transacting use
-case where users are building, signing, and submitting transactions immediately.
+Stellar network concurrently, without coordinating the sequence numbers of
+those transactions. This capability is limited to transactions that are valid
+for two ledgers only, intended for use in the most common payments and
+transacting use case where users are building, signing, and submitting
+transactions immediately.
## Working Group
@@ -32,26 +33,28 @@ TBD
Users of the Stellar network must coordinate and navigate the sequence number
for their account when submitting more than one transaction at a time.
-Typically this involves throttling payments to be processed serially and risking
-one transaction in the chain being invalid preventing a subsequent transaction
-from executing.
+Typically this involves throttling payments to be processed serially and
+risking one transaction in the chain being invalid preventing a subsequent
+transaction from executing.
Users who need to transact concurrently, or who do not wish to risk failed
subsequent transactions, can create a pool of Stellar accounts that exist only
-to be the source accounts of transactions to provide sequence numbers. Users
+to be the source accounts of transactions to provide sequence numbers. Users
must create the pool of accounts, maintain their balances to cover transaction
fees, and operate a database or infrastructure supporting synchronized locking
of the accounts. An account is locked when selected for use with a transaction.
-An account is unlocked after the transaction is seen as confirmed in a ledger as
-successful or failed, or its time bounds have been exceeded by a closed ledger.
+An account is unlocked after the transaction is seen as confirmed in a ledger
+as successful or failed, or its time bounds have been exceeded by a closed
+ledger.
-These problems are very similar to the problems faced by users of credit network
-acquiring payment systems that do not allow concurrent payments on a single
-virtual terminal. This problem is one of the problems often abstracted from
-merchants of credit networks by payment gateways and payment service providers.
+These problems are very similar to the problems faced by users of credit
+network acquiring payment systems that do not allow concurrent payments on a
+single virtual terminal. This problem is one of the problems often abstracted
+from merchants of credit networks by payment gateways and payment service
+providers.
Modern software products perform tasks concurrently and integrate with APIs and
-external systems without coordinating or synchronizing on a resource. These
+external systems without coordinating or synchronizing on a resource. These
problems increase the complexity of integrating with the Stellar network, and
create an experience more alike to acquiring payment systems and not modern
concurrent systems.
@@ -61,19 +64,19 @@ concurrent systems.
This CAP is aligned with the following Stellar Network Goals:
- The Stellar Network should make it easy for developers of Stellar projects to
-create highly usable products.
+ create highly usable products.
-- The Stellar Network should run at scale and at low cost to all participants of
-the network.
+- The Stellar Network should run at scale and at low cost to all participants
+ of the network.
-- The Stellar Network should enable cross-border payments, i.e. payments via
-exchange of assets, throughout the globe, enabling users to make payments
-between assets in a manner that is fast, cheap, and highly usable.
+- The Stellar Network should enable cross-border payments, i.e. payments via
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.
## Abstract
-This proposal allows a transaction to be valid if its `seqNum` is zero (`0`), if
-the transaction is valid for only two ledgers.
+This proposal allows a transaction to be valid if its `seqNum` is zero (`0`),
+if the transaction is valid for only two ledgers.
This proposal is dependent on the `ledgerBounds` transaction precondition
proposed in [CAP-21].
@@ -88,7 +91,7 @@ index 1a4e491a..4574a038 100644
--- a/src/xdr/Stellar-transaction.x
+++ b/src/xdr/Stellar-transaction.x
@@ -1508,7 +1508,10 @@ enum TransactionResultCode
-
+
txNOT_SUPPORTED = -12, // transaction type not supported
txFEE_BUMP_INNER_FAILED = -13, // fee bump inner transaction failed
- txBAD_SPONSORSHIP = -14 // sponsorship not confirmed
@@ -97,7 +100,7 @@ index 1a4e491a..4574a038 100644
+ txMISSING_MEMO = -15, // transaction is missing a memo and required without sequence number
+ txDUPLICATE = -16 // transaction has been included in a prior ledger
};
-
+
// InnerTransactionResult must be binary compatible with TransactionResult
```
@@ -106,14 +109,15 @@ index 1a4e491a..4574a038 100644
This proposal changes the values that are valid for the `seqNum` of a
`TransactionV1Envelope` to not only the next sequence number of its
-`sourceAccount`, but also zero (`0`), if its `ledgerBounds` is set to a non-zero
-value and limits the transaction to being valid only for two or less ledgers,
-and if it has a memo set.
+`sourceAccount`, but also zero (`0`), if its `ledgerBounds` is set to a
+non-zero value and limits the transaction to being valid only for two or less
+ledgers, and if it has a memo set.
A transaction submitted will be valid only if had a memo set and, for a next
ledger `n`:
+
- `ledgerBounds` `minLedger` set to `n-1`, `maxLedger` is set to `n`, and its
-hash was not included in `n-1`'s transaction set.
+ hash was not included in `n-1`'s transaction set.
- `ledgerBounds` `minLedger` set to `n`, and `maxLedger` set to `n` or `n+1`.
A transaction submitted with a `seqNum` of zero but whose memo is not set, is
@@ -125,22 +129,23 @@ A transaction submitted with a `seqNum` of zero that does not satisfy the
if its `minLedger` is greater than the next ledger.
A transaction submitted with a `seqNum` of zero satisfies the `ledgerBounds`
-requirements, but whose hash is included in the last ledgers transaction set, is
-rejected with `TransactionResultCode` `txDUPLICATE`.
+requirements, but whose hash is included in the last ledgers transaction set,
+is rejected with `TransactionResultCode` `txDUPLICATE`.
This proposal introduces a new `TransactionResultCode` `txDUPLICATE` that is
used whenever a transaction is submitted a subsequent time after it has been
-included in a past ledger, and no other condition makes the transaction invalid.
+included in a past ledger, and no other condition makes the transaction
+invalid.
This proposal introduces a new `TransactionResultCode` `txMISSING_MEMO` that is
-used whenever a transaction is submitted a `seqNum` zero without a memo.
+used whenever a transaction is submitted a `seqNum` zero without a memo.
## Design Rationale
-Sequence numbers allow the protocol to guarantee that no replay of a transaction
-is ever possible for an account, forever, without a validator needing to
-remember all transactions that have been included in past ledgers. This reduces
-the storage and lookup costs for a validator.
+Sequence numbers allow the protocol to guarantee that no replay of a
+transaction is ever possible for an account, forever, without a validator
+needing to remember all transactions that have been included in past ledgers.
+This reduces the storage and lookup costs for a validator.
However, for the majority of transactions on the Stellar network sequence
numbers do not need to provide this guarantee forever. The majority of users of
@@ -153,12 +158,12 @@ behavior by application developers that they do not signal a need for most
transactions to be valid for more than a single ledger.
These qualities of the majority of use cases submitting transactions to the
-network indicate that the network does not need to prevent replay using sequence
-numbers forever.
+network indicate that the network does not need to prevent replay using
+sequence numbers forever.
-Validators can efficiently check that a transaction has not occurred in the last
-ledger with limited storage or memory requirements since the data set is limited
-to the transactions in a single ledger.
+Validators can efficiently check that a transaction has not occurred in the
+last ledger with limited storage or memory requirements since the data set is
+limited to the transactions in a single ledger.
### Sequence Number Zero
@@ -192,11 +197,11 @@ that happen to contain the same logical operations.
### Transaction Result Code Duplicate
The `TransactionResultCode` `txDUPLICATE` is introduced because other result
-codes semantics do not fit the case where the `ledgerBounds` are valid, there is
-no sequence number, but a transaction is invalid due to replay. When a duplicate
-transaction is submitted with the protocol today it will likely receive a
-`txBAD_SEQ` result code, however in this case the sequence number is zero or not
-set.
+codes semantics do not fit the case where the `ledgerBounds` are valid, there
+is no sequence number, but a transaction is invalid due to replay. When a
+duplicate transaction is submitted with the protocol today it will likely
+receive a `txBAD_SEQ` result code, however in this case the sequence number is
+zero or not set.
This result code will not be seen by most users because Horizon's transaction
submission system provides idempotency, identifying duplicate submissions and
@@ -206,8 +211,9 @@ returning the previous result.
### Backwards Incompatibilities
-This proposal is completely backwards compatible as it defines new functionality
-that is only accessible with transactions that are currently invalid.
+This proposal is completely backwards compatible as it defines new
+functionality that is only accessible with transactions that are currently
+invalid.
### Resource Utilization
@@ -222,9 +228,9 @@ operations. Therefore, the data set will be at most 1000 transactions, and will
consume at least 32KB if stored in memory, assuming transaction hashes are 32
bytes.
-This proposal requires validators to hold a list of all transactions hashes from
-the last ledger. Validators typically already store a list of the transactions
-from a number of recent ledgers and so no new storage is expected.
+This proposal requires validators to hold a list of all transactions hashes
+from the last ledger. Validators typically already store a list of the
+transactions from a number of recent ledgers and so no new storage is expected.
## Test Cases
diff --git a/core/cap-0042.md b/core/cap-0042.md
index 824f23f17..0232bbf2a 100644
--- a/core/cap-0042.md
+++ b/core/cap-0042.md
@@ -14,7 +14,8 @@ Protocol version: 20
## Simple Summary
-This CAP gives validators control of which fee policy to use for individual transactions included in a ledger.
+This CAP gives validators control of which fee policy to use for individual
+transactions included in a ledger.
## Working Group
@@ -22,36 +23,51 @@ TBD
## Motivation
-Right now, there is no mechanism that makes it possible to implement different fee structures based on transaction set composition; as a consequence, transaction sets can sometimes be heavily biased towards undesirable behaviors such as spikes of arbitrage trades that eventually fail.
+Right now, there is no mechanism that makes it possible to implement different
+fee structures based on transaction set composition; as a consequence,
+transaction sets can sometimes be heavily biased towards undesirable behaviors
+such as spikes of arbitrage trades that eventually fail.
-This CAP aims to correct this by isolating subsets of transactions that can compete on fees without causing overall fees to increase. At the same time, it makes it possible to expand policies to other dimensions in the future.
+This CAP aims to correct this by isolating subsets of transactions that can
+compete on fees without causing overall fees to increase. At the same time, it
+makes it possible to expand policies to other dimensions in the future.
### Goals Alignment
-The Stellar network aims to give equitable access to the global financial infrastructure, in particular the network should not benefit a minority of participants at the expense of others.
+The Stellar network aims to give equitable access to the global financial
+infrastructure, in particular the network should not benefit a minority of
+participants at the expense of others.
This CAP aims at restoring balance between use cases on the network.
## Abstract
-Right now transaction fees are computed for a given ledger based on [CAP-0005 Throttling and transaction pricing improvements](CAP-0005.md).
+Right now transaction fees are computed for a given ledger based on
+[CAP-0005 Throttling and transaction pricing improvements](CAP-0005.md).
CAP-005 defines:
-* How a transaction set (to be applied for the next ledger) gets constructed from an arbitrary number of candidate transactions as to enforce the policy that puts a bound on the number of operations present in any given ledger.
-* The base fee to use when applying a transaction set
+
+- How a transaction set (to be applied for the next ledger) gets constructed
+ from an arbitrary number of candidate transactions as to enforce the policy
+ that puts a bound on the number of operations present in any given ledger.
+- The base fee to use when applying a transaction set
This CAP generalizes the above in the following way:
-* It allows to subdivide transaction sets into components.
-* Components are sets of transactions with their own fee policy.
-* Validators get to select how to decompose and assign policies.
-Note that this CAP does not modify how transactions gets applied (ie: the apply order) other than fee computation.
+- It allows to subdivide transaction sets into components.
+- Components are sets of transactions with their own fee policy.
+- Validators get to select how to decompose and assign policies.
+
+Note that this CAP does not modify how transactions gets applied (ie: the apply
+order) other than fee computation.
## Specification
### XDR Changes
-This patch of XDR changes is based on the XDR files in commit (`b9501ae3288a5879d457841168cb4b249691cb43`) of stellar-core.
+This patch of XDR changes is based on the XDR files in commit
+(`b9501ae3288a5879d457841168cb4b249691cb43`) of stellar-core.
+
```diff mddiffcheck.base=b9501ae3288a5879d457841168cb4b249691cb43
---
src/protocol-curr/xdr/Stellar-ledger.x | 60 +++++++++++++++++++++++++-
@@ -64,7 +80,7 @@ index 84b84cbf..9c2cbcee 100644
@@ -176,6 +176,29 @@ case METAENTRY:
BucketMetadata metaEntry;
};
-
+
+enum TxSetComponentType
+{
+ // txs with effective fee <= bid derived from a base fee (if any).
@@ -94,7 +110,7 @@ index 84b84cbf..9c2cbcee 100644
@@ -184,6 +207,19 @@ struct TransactionSet
TransactionEnvelope txs<>;
};
-
+
+struct TransactionSetV1
+{
+ Hash previousLedgerHash;
@@ -114,7 +130,7 @@ index 84b84cbf..9c2cbcee 100644
@@ -203,11 +239,13 @@ struct TransactionHistoryEntry
uint32 ledgerSeq;
TransactionSet txSet;
-
+
- // reserved for future use
+ // when v != 0, txSet must be empty
union switch (int v)
@@ -129,7 +145,7 @@ index 84b84cbf..9c2cbcee 100644
@@ -358,9 +396,29 @@ struct LedgerCloseMetaV0
SCPHistoryEntry scpInfo<>;
};
-
+
+struct LedgerCloseMetaV1
+{
+ LedgerHeaderHistoryEntry ledgerHeader;
@@ -162,140 +178,229 @@ index 84b84cbf..9c2cbcee 100644
#### Consensus value
-SCP messages and ledger header reference transaction sets by hash. Consequently, the preimage supplied can transparently be migrated to `GeneralizedTransactionSet` when voting for a transaction set that can be applied using the version of the protocol with this CAP.
-
-The only place where it is not possible to transparently migrate to `GeneralizedTransactionSet` is in the `TransactionHistoryEntry` that are used in history archives where the `txSet` field is being deprecated instead.
-This allows to publish the actual hash preimage used during consensus rounds.
-
-In summary: if `lcl.ledgerHeader.version` is less than `P` (version this CAP takes effect), the preimage must be a `TransactionSet`, otherwise it must be a `GeneralizedTransactionSet`.
+SCP messages and ledger header reference transaction sets by hash.
+Consequently, the preimage supplied can transparently be migrated to
+`GeneralizedTransactionSet` when voting for a transaction set that can be
+applied using the version of the protocol with this CAP.
+The only place where it is not possible to transparently migrate to
+`GeneralizedTransactionSet` is in the `TransactionHistoryEntry` that are used
+in history archives where the `txSet` field is being deprecated instead. This
+allows to publish the actual hash preimage used during consensus rounds.
+In summary: if `lcl.ledgerHeader.version` is less than `P` (version this CAP
+takes effect), the preimage must be a `TransactionSet`, otherwise it must be a
+`GeneralizedTransactionSet`.
#### Value Validation
A `v1TxSet` is validated using the following rules:
-* `previousLedgerHash` is equal to the hash of the previous ledger.
-* `phases` contains exactly one element (this is an extension point).
-* `v0Components`
- * contains at least one transaction (hence empty `v1TxSet` can *only* be represented by a single phase with no components)
- * transactions from different components do not overlap
- * the union of all transactions together forms a valid transaction set that can be applied to a legder (transactions are valid, accounts can pay for fees, transactions sequence numbers form valid source account chains).
- * fee bids for any transaction satisfy the "minimum fee requirement", i.e. its fee bid is greater or equal to the minimum fee derived from `ledgerHeader.baseFee`
- * all the `baseFee` values in different `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` components are unique
- * `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` with non-empty `baseFee`:
- * `baseFee >= ledgerHeader.baseFee` (a corollary from the global minimum fee bid requirement).
- * each transaction in this component has a fee bid greater than or equal to the minimum fee bid derived from `baseFee` (for a regular transaction that would translate to `baseFee * numberOfTransactionOperations <= bidFee`)
+
+- `previousLedgerHash` is equal to the hash of the previous ledger.
+- `phases` contains exactly one element (this is an extension point).
+- `v0Components`
+ - contains at least one transaction (hence empty `v1TxSet` can _only_ be
+ represented by a single phase with no components)
+ - transactions from different components do not overlap
+ - the union of all transactions together forms a valid transaction set that
+ can be applied to a legder (transactions are valid, accounts can pay for
+ fees, transactions sequence numbers form valid source account chains).
+ - fee bids for any transaction satisfy the "minimum fee requirement", i.e.
+ its fee bid is greater or equal to the minimum fee derived from
+ `ledgerHeader.baseFee`
+ - all the `baseFee` values in different `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE`
+ components are unique
+ - `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` with non-empty `baseFee`:
+ - `baseFee >= ledgerHeader.baseFee` (a corollary from the global minimum
+ fee bid requirement).
+ - each transaction in this component has a fee bid greater than or equal to
+ the minimum fee bid derived from `baseFee` (for a regular transaction
+ that would translate to
+ `baseFee * numberOfTransactionOperations <= bidFee`)
#### Effective fee computation
The effective fee for a given transaction is computed in the following way:
- * If the transaction is in a `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` component and `baseFee` is empty, its effective fee is its fee bid.
- * If the transaction is in a `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` component and `baseFee` is set, its effective fee is derived from a base fee equal to that component's `baseFee`.
+- If the transaction is in a `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` component
+ and `baseFee` is empty, its effective fee is its fee bid.
+- If the transaction is in a `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` component
+ and `baseFee` is set, its effective fee is derived from a base fee equal to
+ that component's `baseFee`.
#### Candidate value generation
-Just like today, this CAP does not specify the exact algorithm used to produce a valid value as to make it easier for implementations to compete on the quality of transaction sets.
+Just like today, this CAP does not specify the exact algorithm used to produce
+a valid value as to make it easier for implementations to compete on the
+quality of transaction sets.
Here are a few example strategies that could be employed:
-* Do not give any fee discount to transactions containing "high traffic operations" (validators may keep a tally of recent operations to decide when this makes sense).
-* Limit the number of operations in a ledger that interact with the DEX (ie: any operation that could cross an offer).
-* Reserve some ledger capacity for transactions that are simple payment.
-* Define a few "high priority lanes" that can be easily identified, and one "catch all" lane limited in capacity for unknown transactions.
+
+- Do not give any fee discount to transactions containing "high traffic
+ operations" (validators may keep a tally of recent operations to decide when
+ this makes sense).
+- Limit the number of operations in a ledger that interact with the DEX (ie:
+ any operation that could cross an offer).
+- Reserve some ledger capacity for transactions that are simple payment.
+- Define a few "high priority lanes" that can be easily identified, and one
+ "catch all" lane limited in capacity for unknown transactions.
#### Nomination value comparison
-The order used by the nomination protocol's combine candidate function needs to be modified to support `GeneralizedTransactionSet`.
+The order used by the nomination protocol's combine candidate function needs to
+be modified to support `GeneralizedTransactionSet`.
Values are sorted in lexicographic order by:
-* number of operations (as to favor network throughput) _unchanged_,
-* sum of all fee bids (as to maximize quality of transaction sets) _new_,
-* total fee to collect (as to make sure that bids are actually meaningful; without this sets with constant minimal base fees ignoring any surge pricng could be preferred) _unchanged_,
-* size in bytes of the XDR encoded `GeneralizedTransactionSet` _in decreasing order_ (as to reduce IO resource utilization) _new_,
-* hash as a tie-breaker _unchanged_
+
+- number of operations (as to favor network throughput) _unchanged_,
+- sum of all fee bids (as to maximize quality of transaction sets) _new_,
+- total fee to collect (as to make sure that bids are actually meaningful;
+ without this sets with constant minimal base fees ignoring any surge pricng
+ could be preferred) _unchanged_,
+- size in bytes of the XDR encoded `GeneralizedTransactionSet` _in decreasing
+ order_ (as to reduce IO resource utilization) _new_,
+- hash as a tie-breaker _unchanged_
#### Implications on transaction flooding strategy
Not technically part of the protocol but described here for completeness.
-Changes done at the transaction queue and flooding level should align as much as possible with what happens during [Candidate Value Generation](#candidate-value-generation) as to limit the number of transactions that could get delayed or dropped by nomination later on:
-* limit the number of transactions in memory as to also take advantage of any potential additional limit on certain types of operations.
-* flood higher fee transactions first from the accumulated set.
+Changes done at the transaction queue and flooding level should align as much
+as possible with what happens during
+[Candidate Value Generation](#candidate-value-generation) as to limit the
+number of transactions that could get delayed or dropped by nomination later
+on:
+
+- limit the number of transactions in memory as to also take advantage of any
+ potential additional limit on certain types of operations.
+- flood higher fee transactions first from the accumulated set.
#### `LedgerCloseMeta` update
-The update in `LedgerCloseMeta` will happen together with the switch to the new protocol. This way we don't need to maintain backwards compatibility with legacy `TransactionSet` in `LedgerCloseMetaV1`.
+The update in `LedgerCloseMeta` will happen together with the switch to the new
+protocol. This way we don't need to maintain backwards compatibility with
+legacy `TransactionSet` in `LedgerCloseMetaV1`.
## Design Rationale
-The proposal tries to limit to a minimum the number of things actually enforced at the protocol layer, leaving the door open to more flexibility at the node level.
-
-In turn, this flexibility should allow for faster iteration without having to take a dependency on network wide protocol changes.
+The proposal tries to limit to a minimum the number of things actually enforced
+at the protocol layer, leaving the door open to more flexibility at the node
+level.
-There is no enforcement at the protocol layer on which of fee regimes (discounted vs direct fee) is picked for a given transaction.
+In turn, this flexibility should allow for faster iteration without having to
+take a dependency on network wide protocol changes.
-This changes the contract from a client point of view only slightly:
-the contract between the user and the network is still that the network should try to reduce fees when it can.
+There is no enforcement at the protocol layer on which of fee regimes
+(discounted vs direct fee) is picked for a given transaction.
-The difference is that with this CAP, the user cannot rely on the previous requirement that for "surge pricing" to be active, the ledger had to be at capacity (as per CAP-0005, the fee bid for the entire transaction set was derived from the cheapest transaction included in a full ledger), which limited the risk of paying extremely large fee bids greatly.
-As a consequence, with this CAP, a single transaction can be isolated by a validator and be forced to pay for its fee bid.
+This changes the contract from a client point of view only slightly: the
+contract between the user and the network is still that the network should try
+to reduce fees when it can.
-With the introduction of "fee bump", the need to specify fee bids much higher than recent ledgers was removed even for pre-signed transactions.
+The difference is that with this CAP, the user cannot rely on the previous
+requirement that for "surge pricing" to be active, the ledger had to be at
+capacity (as per CAP-0005, the fee bid for the entire transaction set was
+derived from the cheapest transaction included in a full ledger), which limited
+the risk of paying extremely large fee bids greatly. As a consequence, with
+this CAP, a single transaction can be isolated by a validator and be forced to
+pay for its fee bid.
+With the introduction of "fee bump", the need to specify fee bids much higher
+than recent ledgers was removed even for pre-signed transactions.
## Protocol Upgrade Transition
-As soon as this CAP becomes active, validators will produce `TransactionSetV1` in SCP.
+As soon as this CAP becomes active, validators will produce `TransactionSetV1`
+in SCP.
### Backwards Incompatibilities
-As this CAP does not change transaction semantics, impact on the ecosystem should be minimal.
+As this CAP does not change transaction semantics, impact on the ecosystem
+should be minimal.
-Systems that try to compute transaction fees that are close to market rate will have to be adjusted (by possibly interacting more with a local stellar-core instance) as "ledger capacity" would only be losely related to "local surge pricing".
+Systems that try to compute transaction fees that are close to market rate will
+have to be adjusted (by possibly interacting more with a local stellar-core
+instance) as "ledger capacity" would only be losely related to "local surge
+pricing".
-As users are potentially exposed to higher fees, their bidding strategy can be updated to bid what they're comfortable paying at the time _not counting on any discount_, and gradually increase their bid if their transaction is rejected based on urgency.
+As users are potentially exposed to higher fees, their bidding strategy can be
+updated to bid what they're comfortable paying at the time _not counting on any
+discount_, and gradually increase their bid if their transaction is rejected
+based on urgency.
-The exact strategy for picking the starting bid and increasing transaction bid is outside the scope of this document.
-A possible approach for picking a good starting bid can be to use the fee stats endpoint, adjust it if rejected by core's tx endpoint (that rejects transactions based on fee bid and its local transaction queue state), and after that multiply its fee bid by 10 or 100 after each timeout.
+The exact strategy for picking the starting bid and increasing transaction bid
+is outside the scope of this document. A possible approach for picking a good
+starting bid can be to use the fee stats endpoint, adjust it if rejected by
+core's tx endpoint (that rejects transactions based on fee bid and its local
+transaction queue state), and after that multiply its fee bid by 10 or 100
+after each timeout.
-As transaction sets are transmitted over the network, the overlay network will have to be updated to support the new format.
+As transaction sets are transmitted over the network, the overlay network will
+have to be updated to support the new format.
#### Surge pricing behavior change
-While this CAP doesn't define the candidate transaction set generation strategy, the initial approach would be to just continue using surge pricing approach described in [CAP-0005](cap-0005.md). However, using it requires slightly changing the algorithm: instead of rounding up during the [base fee computation](cap-0005.md#computation-of-the-associated-effective-base-fee) we need to round it down. The reason for doing that is to satisfy the `baseFee` validation requirement of `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` component. With rounding up it's possible to have a valid transaction that doesn't satisfy that requirement. The impact of this change should be minimal.
+While this CAP doesn't define the candidate transaction set generation
+strategy, the initial approach would be to just continue using surge pricing
+approach described in [CAP-0005](cap-0005.md). However, using it requires
+slightly changing the algorithm: instead of rounding up during the
+[base fee computation](cap-0005.md#computation-of-the-associated-effective-base-fee)
+we need to round it down. The reason for doing that is to satisfy the `baseFee`
+validation requirement of `TXSET_COMP_TXS_MAYBE_DISCOUNTED_FEE` component. With
+rounding up it's possible to have a valid transaction that doesn't satisfy that
+requirement. The impact of this change should be minimal.
### Resource Utilization
-This change will require a small increase in CPU and memory utilization which should easily be recovered by the expected decrease in failed transactions propagating on the network during spikes.
+This change will require a small increase in CPU and memory utilization which
+should easily be recovered by the expected decrease in failed transactions
+propagating on the network during spikes.
## Security Concerns
-The changes on the security front are minimal as transaction semantics are not changed.
+The changes on the security front are minimal as transaction semantics are not
+changed.
The biggest change comes from validators having more control over fee policy.
This should not be a problem in practice:
-* transactions will never be charged more than their maximum bid, and people tend to put small multipliers on top of market rate (fees remain low).
-* as validators do not receive fees from transactions processing, there is little incentive for a validator to do this.
-* if certain validators adopt unfair fee policies
- * they will accrue negative reputation on the network. All activity from validators is recorded and archived, also thanks to CAP-0034, the validator that introduced the GeneralizedTransactionSet to the network is recorded.
- * thanks to SCP may cause other network participants to adjust their quorum configurations which could result from those validators to lose trust from the network.
- * standards around fee policies can be established outside of the protocol on expectations around well behaved validators to help with auditing.
-
+
+- transactions will never be charged more than their maximum bid, and people
+ tend to put small multipliers on top of market rate (fees remain low).
+- as validators do not receive fees from transactions processing, there is
+ little incentive for a validator to do this.
+- if certain validators adopt unfair fee policies
+ - they will accrue negative reputation on the network. All activity from
+ validators is recorded and archived, also thanks to CAP-0034, the validator
+ that introduced the GeneralizedTransactionSet to the network is recorded.
+ - thanks to SCP may cause other network participants to adjust their quorum
+ configurations which could result from those validators to lose trust from
+ the network.
+ - standards around fee policies can be established outside of the protocol on
+ expectations around well behaved validators to help with auditing.
## Future work
-The `TransactionPhase` union is an extension point to make it easy to add more "phases" to apply transactions.
+The `TransactionPhase` union is an extension point to make it easy to add more
+"phases" to apply transactions.
-As of this CAP, there is only one such phase: the existing transaction subsystem, and we expect new ones to be introduced over time, such as "Speedex transactions" or "smart contract transactions".
+As of this CAP, there is only one such phase: the existing transaction
+subsystem, and we expect new ones to be introduced over time, such as "Speedex
+transactions" or "smart contract transactions".
This CAP also leaves the door open to different types of components and phases.
Here are a few examples:
-* fee groups can be used to prioritize based on dimensions other than the order book as to rebalance use cases, for example based on the expected number of changes to the ledger.
-* phases could be used to alter the "apply order" policy: phases could be applied in the order they appear, or allow for parallel execution.
-* components could be added to add random numbers/seeds/parameters to update certain ledger entries (like oracles)
-* components could be added to provide information related to network partition/shard (nominators could flood differently based on that)
+
+- fee groups can be used to prioritize based on dimensions other than the order
+ book as to rebalance use cases, for example based on the expected number of
+ changes to the ledger.
+- phases could be used to alter the "apply order" policy: phases could be
+ applied in the order they appear, or allow for parallel execution.
+- components could be added to add random numbers/seeds/parameters to update
+ certain ledger entries (like oracles)
+- components could be added to provide information related to network
+ partition/shard (nominators could flood differently based on that)
## Test Cases
diff --git a/core/cap-0043.md b/core/cap-0043.md
index 1709e6722..07d4b17f3 100644
--- a/core/cap-0043.md
+++ b/core/cap-0043.md
@@ -25,31 +25,32 @@ TBD
## Motivation
This proposal has two motivatons:
-1. The common requirement in financial institutions to use security modules that
-are FIPS approved.
+
+1. The common requirement in financial institutions to use security modules
+ that are FIPS approved.
2. The inability that Stellar account holders have today to use cloud hosted
-HSMs (Hardware Security Modules) to store account keys.
+ HSMs (Hardware Security Modules) to store account keys.
Financial institutions typically require the cryptographic algorithms and
modules they use to appear in approved lists of the latest relevant FIPS
standard, at this time FIPS 140-3 and FIPS 140-2 and their relevant annexes and
-related standards. The US and Canadian governments require FIPS for systems they
-run, operate, or buy. This makes FIPS relevant to corporations that work with
-governments.
+related standards. The US and Canadian governments require FIPS for systems
+they run, operate, or buy. This makes FIPS relevant to corporations that work
+with governments.
Cloud hosted HSMs have made HSMs accessible and they have become popular for
generating and storing keys securely. Cloud HSMs typically support a small
subset of FIPS approved algorithm implementations along with ECDSA secp256k1
which isn’t FIPS approved, but popular due to Bitcoin’s and Ethereum's use and
-broad use in other blockchains. See [Appendix: Cloud Hosted
-HSMs](#appendix-cloud-hosted-hsms).
+broad use in other blockchains. See
+[Appendix: Cloud Hosted HSMs](#appendix-cloud-hosted-hsms).
Stellar supports a single assymetric key type and signing algorithm for
controlling accounts, ed255519. Ed25519 is not included in approved lists of
FIPS 140-2, and there are no known HSMs supporting ed25519 certified as FIPS
compliant. While ed25519 is mentioned in drafts of FIPS 186-5 there is no
-evidence that FIPS approved security modules will arise in the immediate future.
-Ed25519 is not supported by any cloud hosted HSMs today.
+evidence that FIPS approved security modules will arise in the immediate
+future. Ed25519 is not supported by any cloud hosted HSMs today.
There may be other benefits to supporting secp256k1 signing keys for
compatibility with some other blockchains in certain cross-chain protocols, but
@@ -63,7 +64,8 @@ support the use of off-the-shelf security products.
## Abstract
The proposal adds ECDSA keys as an option to use as signers of accounts. The
-proposal adds includes support for the NIST P-256 curve and the secp256k1 curve.
+proposal adds includes support for the NIST P-256 curve and the secp256k1
+curve.
This proposal makes it possible for a Stellar account holder to store their
account key in FIPS certified modules, and/or in cloud hosted HSMs.
@@ -77,7 +79,9 @@ utilize a HSM.
### XDR Changes
-This patch of XDR changes is based on the XDR files in commit (`394b9413180969e2035e19742194d9c04c5bf5d9`) of stellar-core.
+This patch of XDR changes is based on the XDR files in commit
+(`394b9413180969e2035e19742194d9c04c5bf5d9`) of stellar-core.
+
```diff mddiffcheck.base=394b9413180969e2035e19742194d9c04c5bf5d9
diff --git a/src/xdr/Stellar-types.x b/src/xdr/Stellar-types.x
index 8f7d5c20..9394ada7 100644
@@ -102,7 +106,7 @@ index 8f7d5c20..9394ada7 100644
+ SIGNER_KEY_TYPE_ECDSA_P256 = KEY_TYPE_ECDSA_P256,
+ SIGNER_KEY_TYPE_ECDSA_SECP256K1 = KEY_TYPE_ECDSA_SECP256K1
};
-
+
union PublicKey switch (PublicKeyType type)
@@ -52,6 +57,16 @@ case SIGNER_KEY_TYPE_PRE_AUTH_TX:
case SIGNER_KEY_TYPE_HASH_X:
@@ -119,7 +123,7 @@ index 8f7d5c20..9394ada7 100644
+ uint256 y;
+ } ecdsaSecp256k1;
};
-
+
// variable size as the size depends on the signature scheme used
@@ -80,4 +95,16 @@ struct HmacSha256Mac
{
@@ -171,9 +175,10 @@ the parts of the protocol that are required to enable signing keys.
The proposal does not add support for the new key types as account identifiers,
because that would be unnecessary. Any Stellar account holder who wishes to
-control a Stellar account with a new key type can do so by changing the signers.
-Also, a change to account identifiers would have a substantially larger
-downstream impact on Horizon, SDKs, wallets, and other ecosystem applications.
+control a Stellar account with a new key type can do so by changing the
+signers. Also, a change to account identifiers would have a substantially
+larger downstream impact on Horizon, SDKs, wallets, and other ecosystem
+applications.
The proposal does not add support for the new key types as node identifiers,
because that would be unnecessary for the motivation of the proposal. If a need
@@ -186,13 +191,13 @@ per key, because decompressing the key requires solving y^2 = x^3 - 3x + b and
finding the square-root of a value. This is a trade-off between ledger storage
space and the CPU time a validator must expend to verify a signature. It would
not be ideal for validators, as part of verifying signatures, to need to
-decompress the key each time. Compressed form would not reduce the size of ECDSA
-signatures, and so would have no impact on the largest dimension of scale that
-the network has, transactions. The choice to use uncompressed form in the XDR
-does not limit whether the strkey definition uses compressed form, and so the
-use of uncompressed form in the protocol does not impact the UX. See [Appendix:
-Compressed vs Uncompressed
-Benchmark](#appendix-compressed-vs-uncompressed-benchmark) for an example.
+decompress the key each time. Compressed form would not reduce the size of
+ECDSA signatures, and so would have no impact on the largest dimension of scale
+that the network has, transactions. The choice to use uncompressed form in the
+XDR does not limit whether the strkey definition uses compressed form, and so
+the use of uncompressed form in the protocol does not impact the UX. See
+[Appendix: Compressed vs Uncompressed Benchmark](#appendix-compressed-vs-uncompressed-benchmark)
+for an example.
The raw r and s points that form the ECDSA signature are stored as is, as this
is the most raw and convenient format. Some standard libraries may prefer to
@@ -207,20 +212,20 @@ curves are added in the future their points lengths may be different.
The names for the new signer types, `SIGNER_KEY_TYPE_ECDSA_P256` and
`SIGNER_KEY_TYPE_ECDSA_SECP256K1`, were selected to lean on the most common
-terms used to refer to the algorithm and curve types. The most consistent naming
-scheme would be to name the former `_ECDSA_SECP256R1`, but that name would
-probably not be easily recognized by many who encounter it.
+terms used to refer to the algorithm and curve types. The most consistent
+naming scheme would be to name the former `_ECDSA_SECP256R1`, but that name
+would probably not be easily recognized by many who encounter it.
## Protocol Upgrade Transition
As soon as this CAP becomes active, Stellar accounts may have the new signer
types. Any application, such as Horizon, that performs analysis on the signers
of accounts may encounter the new types. Any application that performs analysis
-on transactions signed by the new types, or transactions that use a SetOptionsOp
-with the new types, may encounter the new types.
+on transactions signed by the new types, or transactions that use a
+SetOptionsOp with the new types, may encounter the new types.
-An accompanying change will be required to [SEP-23 Strkeys] to add new algorithm
-discrimants.
+An accompanying change will be required to [SEP-23 Strkeys] to add new
+algorithm discrimants.
### Backwards Incompatibilities
@@ -232,19 +237,20 @@ This proposal will require Stellar validators to verify ECDSA signatures.
This proposal may introduce some change in performance characteristics due to
the CPU utilization differences between the ECDSA and EdDSA (ed25519)
-algorithms. Ed25519 has assembly optimized implementations in multiple langauges
-and is typically considered to be faster than ECDSA. These differences are
-difficult to comment on generally as it depends on CPU architecture and the
-implementation in use.
+algorithms. Ed25519 has assembly optimized implementations in multiple
+langauges and is typically considered to be faster than ECDSA. These
+differences are difficult to comment on generally as it depends on CPU
+architecture and the implementation in use.
The reference implementation of the Stellar protocol, stellar-core, uses
libsodium. Libsodium uses optimized vector instructions and 128-bit arithmetic
and is considered to be an optimal implementation for ed25519 on amd64/x86.
-Simiarily optimized versions of ECDSA in OpenSSL may be able to verify only 0.5x
-the signatures as libsodium.
+Simiarily optimized versions of ECDSA in OpenSSL may be able to verify only
+0.5x the signatures as libsodium.
Related material:
+
- https://monocypher.org/speed
- https://essay.utwente.nl/75354/1/DNSSEC%20curves.pdf
@@ -264,6 +270,7 @@ TBD
The following cloud hosted HSMs were reviewed when assessing the motivation of
the proposal.
+
- [Microsoft Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys)
- [Google Cloud Key Management Service](https://cloud.google.com/kms/docs/algorithms)
- [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/cryptographic-details/crypto-primitives.html)
diff --git a/core/cap-0044.md b/core/cap-0044.md
index e8f42bfc9..91aa6cf32 100644
--- a/core/cap-0044.md
+++ b/core/cap-0044.md
@@ -14,31 +14,36 @@ Protocol version: TBD
```
## Simple Summary
+
Provide validators the ability to configure SPEEDEX.
## Working Group
+
This proposal is based on an earlier draft written by Geoff Ramseyer, which
Nicolas Barry has also contributed to.
## Motivation
+
SPEEDEX requires two kinds of configuration: the set of assets comprising the
market, and the parameters used by the built-in solver. The set of assets must
-be configurable because the time to compute a solution increases with the number
-of assets, so we cannot compute a solution for all assets. The parameters must
-be configurable because different parameters may work better during different
-market regimes.
+be configurable because the time to compute a solution increases with the
+number of assets, so we cannot compute a solution for all assets. The
+parameters must be configurable because different parameters may work better
+during different market regimes.
### Goals Alignment
+
This proposal supports the development of SPEEDEX on Stellar, which in turn
supports the Stellar Network Goals
-- The Stellar Network should run at scale and at low cost to all participants of
-the network.
+- The Stellar Network should run at scale and at low cost to all participants
+ of the network.
- The Stellar Network should enable cross-border payments, i.e. payments via
-exchange of assets, throughout the globe, enabling users to make payments
-between assets in a manner that is fast, cheap, and highly usable.
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.
## Abstract
+
This proposal introduces `SpeedexConfigurationEntry`, a new type of
`LedgerEntry`, that tracks the assets that can be traded in SPEEDEX and the
solver configuration for computing the prices.
@@ -46,6 +51,7 @@ solver configuration for computing the prices.
## Specification
### XDR changes
+
This patch of XDR changes is based on the XDR files in commit
(`a211531148f13ab38725bc176630793d657b7f88`) of stellar-core.
@@ -57,7 +63,7 @@ index c870fe09..cb91c48d 100644
@@ -473,6 +473,31 @@ struct LiquidityPoolEntry
body;
};
-
+
+enum SpeedexSolutionComparisonHeuristic
+{
+ PRICE_WEIGHTED_SQUARED_L2_NORM = 0
@@ -94,7 +100,7 @@ index c870fe09..cb91c48d 100644
+ SpeedexConfigurationEntry speedexConfiguration;
}
data;
-
+
@@ -557,6 +584,9 @@ case LIQUIDITY_POOL:
{
PoolID liquidityPoolID;
@@ -103,7 +109,7 @@ index c870fe09..cb91c48d 100644
+case SPEEDEX_CONFIGURATION:
+ void;
};
-
+
// list of all envelope types used in the application
diff --git a/src/xdr/Stellar-ledger.x b/src/xdr/Stellar-ledger.x
index 84b84cbf..141c0a70 100644
@@ -119,7 +125,7 @@ index 84b84cbf..141c0a70 100644
+ LEDGER_UPGRADE_REMOVE_SPEEDEX_ASSET = 7,
+ LEDGER_UPGRADE_SPEEDEX_TATONNEMENT_CONFIGURATION = 8
};
-
+
union LedgerUpgrade switch (LedgerUpgradeType type)
@@ -137,6 +140,12 @@ case LEDGER_UPGRADE_BASE_RESERVE:
uint32 newBaseReserve; // update baseReserve
@@ -132,12 +138,13 @@ index 84b84cbf..141c0a70 100644
+case LEDGER_UPGRADE_SPEEDEX_SOLVER_CONFIGURATION:
+ SpeedexSolverConfiguration speedexNewConfig; // update solver configuration
};
-
+
/* Entries used to define the bucket list */
```
### Semantics
+
During the protocol upgrade, a `SpeedexConfigurationEntry` will be initialized
with an empty list of assets and a reasonable default solver configuration. The
default solver configuration will be detailed when the actual parameters are
@@ -146,25 +153,29 @@ specified.
There is only ever one `SpeedexConfigurationEntry`.
### The set of assets
+
`SpeedexConfigurationEntry.asset` is an ordered list of assets, using the same
ordering as CAP-0038. When an asset is added to the set, it must be inserted in
the appropriate location. The set can be modified by the upgrades
`LEDGER_UPGRADE_SPEEDEX_ADD_ASSET` and `LEDGER_UPGRADE_SPEEDEX_REMOVE_ASSET`.
### The add/remove asset upgrades
+
The upgrade `LEDGER_UPGRADE_SPEEDEX_ADD_ASSET` is valid if the asset is valid,
-the asset is not a pool share, and the asset is not currently a SPEEDEX asset.
+the asset is not a pool share, and the asset is not currently a SPEEDEX asset.
The upgrade `LEDGER_UPGRADE_SPEEDEX_REMOVE_ASSET` is valid if the asset is
currently a SPEEDEX asset (which implies that the asset is valid, and that the
asset is not a pool share).
### The solver configuration upgrade
+
The upgrade `LEDGER_UPGRADE_SPEEDEX_SOLVER_CONFIGURATION` is valid if the
-configuration is valid. The validity conditions will be detailed when the actual
-parameters are specified.
+configuration is valid. The validity conditions will be detailed when the
+actual parameters are specified.
## Design Rationale
+
SPEEDEX has a number of control parameters determining how to run the solver
(current default solver is Tatonnement). Most of these parameters can take any
value in a reasonable range and produce a reasonably good result. However,
@@ -189,23 +200,24 @@ to handle smaller smoothness multipliers. As such, Stellar may want to adjust
the smoothness multiplier in response to network traffic.
### Alternative configuration mechanisms
+
A number of different approaches to SPEEDEX configuration were considered, in
addition to this proposal:
- validators propose the entire configuration, including the set of assets,
-during nomination
-- validators propose the solver configuration, but not the set of assets, during
-nomination
+ during nomination
+- validators propose the solver configuration, but not the set of assets,
+ during nomination
The first proposal would be the SPEEDEX equivalent of anarchy. The market would
-be different in every ledger, and people may not be able to trade when they want
-to depending on which node nominates.
+be different in every ledger, and people may not be able to trade when they
+want to depending on which node nominates.
-The second proposal is more palatable, but is still worse than this proposal. In
-order for SPEEDEX to be robust to the nomination of a pathological solver
+The second proposal is more palatable, but is still worse than this proposal.
+In order for SPEEDEX to be robust to the nomination of a pathological solver
configuration, it must run a backup computation with a more trustworthy
-configuration. But how should that configuration be chosen? It could be fixed or
-chosen via upgrades. If it is fixed, then it won't be robust to changes in
+configuration. But how should that configuration be chosen? It could be fixed
+or chosen via upgrades. If it is fixed, then it won't be robust to changes in
market regime. If it is chosen via upgrades, then it reduces to this proposal.
With this proposal, the solver configuration _is_ for the backup computation.
@@ -213,6 +225,7 @@ But instead of nominating a solver configuration, nodes nominate a complete set
of candidate prices (not detailed in this proposal).
### All SPEEDEX assets in a single ledger entry
+
This proposal stores all SPEEDEX assets in a single ledger entry. Initially, I
had favored a design where every SPEEDEX asset has its own ledger entry because
it keeps the ledger entry size bounded. But every node needs to know the full
@@ -222,16 +235,21 @@ necessitate loading all of the SPEEDEX asset ledger entries anyway.
## Protocol Upgrade Transition
### Backwards Incompatibilities
+
This proposal does not introduce any backwards incompatibilities.
### Resource Utilization
+
This proposal does not change resource utilization.
## Security Concerns
+
This proposal does not introduce any security concerns.
## Test Cases
+
None yet.
## Implementation
+
None yet.
diff --git a/core/cap-0045.md b/core/cap-0045.md
index e94d1d2ab..99ce72673 100644
--- a/core/cap-0045.md
+++ b/core/cap-0045.md
@@ -14,27 +14,37 @@ Protocol version: TBD
```
## Simple Summary
+
Describe how [SPEEDEX](https://arxiv.org/abs/2111.02719) prices will be
computed.
## Working Group
+
This proposal is based on an earlier draft written by Geoff Ramseyer, to which
Nicolas Barry has also contributed.
## Motivation
-In order for SPEEDEX to facilitate efficient and commutative trades over a set of assets across multiple market participants (orders, liquidity pools), a set of prices (one for each asset) need to be computed. The prices are chosen to minimize a heuristic objective function which ensures equilibrium between demands and endowments over the entire asset set. This CAP outlines the methodology by which the objective is computed and prices are computed.
+
+In order for SPEEDEX to facilitate efficient and commutative trades over a set
+of assets across multiple market participants (orders, liquidity pools), a set
+of prices (one for each asset) need to be computed. The prices are chosen to
+minimize a heuristic objective function which ensures equilibrium between
+demands and endowments over the entire asset set. This CAP outlines the
+methodology by which the objective is computed and prices are computed.
### Goals Alignment
+
This proposal supports the development of SPEEDEX on Stellar, which in turn
supports the Stellar Network Goals
-- The Stellar Network should run at scale and at low cost to all participants of
-the network.
+- The Stellar Network should run at scale and at low cost to all participants
+ of the network.
- The Stellar Network should enable cross-border payments, i.e. payments via
-exchange of assets, throughout the globe, enabling users to make payments
-between assets in a manner that is fast, cheap, and highly usable.
+ exchange of assets, throughout the globe, enabling users to make payments
+ between assets in a manner that is fast, cheap, and highly usable.
## Abstract
+
This proposal describes two methods by which SPEEDEX prices are computed, and a
method for choosing between these two methods. The first method takes advantage
of `GeneralizedTransactionSet` introduced in CAP-0042 to endow validators with
@@ -45,6 +55,7 @@ to run an iterative solver.
## Specification
### XDR changes
+
This patch of XDR changes is based on the XDR files in commit
(`90dbf13c483a4c126741a0e5ad0a222fb51ff299`) of stellar-core.
@@ -56,7 +67,7 @@ index 84b84cbf..ec66ffb0 100644
@@ -176,14 +176,35 @@ case METAENTRY:
BucketMetadata metaEntry;
};
-
+
-// Transaction sets are the unit used by SCP to decide on transitions
-// between ledgers
struct TransactionSet
@@ -64,7 +75,7 @@ index 84b84cbf..ec66ffb0 100644
Hash previousLedgerHash;
TransactionEnvelope txs<>;
};
-
+
+struct TransactionSetV1
+{
+ Hash previousLedgerHash;
@@ -94,7 +105,7 @@ index 84b84cbf..ec66ffb0 100644
@@ -203,11 +224,13 @@ struct TransactionHistoryEntry
uint32 ledgerSeq;
TransactionSet txSet;
-
+
- // reserved for future use
+ // when v != 0, txSet must be empty
union switch (int v)
@@ -109,7 +120,7 @@ index 84b84cbf..ec66ffb0 100644
@@ -358,9 +381,30 @@ struct LedgerCloseMetaV0
SCPHistoryEntry scpInfo<>;
};
-
+
+struct LedgerCloseMetaV1
+{
+ LedgerHeaderHistoryEntry ledgerHeader;
@@ -141,37 +152,41 @@ index 84b84cbf..ec66ffb0 100644
```
### Semantics
+
SPEEDEX pricing has two phases:
- The first phase takes place before consensus. Different validators may use
-different implementations, and these implementations are free to make use of
-any techniques including nondeterminism and parallelism.
+ different implementations, and these implementations are free to make use of
+ any techniques including nondeterminism and parallelism.
- The second phase takes place during transaction application. Every validator
-must implement the same semantics, and these semantics must be deterministic.
+ must implement the same semantics, and these semantics must be deterministic.
The prices ultimately used to settle trades will be either the prices from the
first phase, or the prices from the second phase. All nodes must use the same
heuristic to determine which prices are closer to market.
#### GeneralizedTransactionSet
+
This proposal takes advantage of `GeneralizedTransactionSet` introduced in
CAP-0042. Refer to that proposal to understand how `GeneralizedTransactionSet`
interacts with `LedgerHeader`.
#### The first phase
+
Because the first phase occurs before consensus, this proposal can only specify
what constitutes valid output. The `GeneralizedTransactionSet` is valid if
- `GeneralizedTransactionSet.v() == 1`
- `GeneralizedTransactionSet.v1TxSet().previousLedgerHash` is the hash of the
-previous ledger
+ previous ledger
- every transaction in `GeneralizedTransactionSet.v1TxSet().txs` is valid
- `GeneralizedTransactionSet.v1TxSet().prices.size() == 0` or
-`GeneralizedTransactionSet.v1TxSet().prices.size() == SpeedexConfigurationEntry.assets.size()`
+ `GeneralizedTransactionSet.v1TxSet().prices.size() == SpeedexConfigurationEntry.assets.size()`
- every price in `GeneralizedTransactionSet.v1TxSet().prices` is strictly
-positive
+ positive
#### The second phase
+
Because the second phase occurs during transaction application, this proposal
fully specifies the output.
@@ -184,9 +199,10 @@ which we will describe independently.
The first component of tatonnement is the demand aggregator, which determines
the total amount of an asset demanded by all market participants at given
prices. The demand aggregator sums the demand for every asset over liquidity
-pools and orders.
+pools and orders.
A liquidity pool holding assets `X` and `Y` has demand
+
```
X' = { (pX + Y) (1 - F) / (p * (2 - F)) : p < (1 - F) Y/X
{ (pX + Y) / (p * (2 - F)) : 1/p < (1 - F) X/Y
@@ -196,9 +212,12 @@ Y' = { (pX + Y) / (2 - F) : p < (1 - F) Y/X
{ (pX + Y) (1 - F) / (2 - F) : 1/p < (1 - F) X/Y
{ Y : otherwise
```
-where `p = p(X) / p(Y)` is the market price ratio. `F` is the fee ratio required by the liquidity pool.
+
+where `p = p(X) / p(Y)` is the market price ratio. `F` is the fee ratio
+required by the liquidity pool.
An offer selling `X` for `Y` at a minimum price ratio of `P` has demand
+
```
X' = { 0 : P / (1 - S) <= p
{ X - (p - P) X / (S * p) : P < p < P / (1 - S)
@@ -208,18 +227,22 @@ Y' = { pX : P / (1 - S) <= p
{ (p - P) X / S : P < p < P / (1 - S)
{ 0 : p <= P
```
+
where `p = p(X) / p(Y)` is the market price ratio, and
`S = 2^(-SpeedexConfigurationEntry.solverConfig.smoothness)`.
The second component of tatonnement is the heuristic objective function. A step
should only be taken if the step size is minimal or the objective function
-decreases. The heuristic function is the squared l2 norm of price-weighted excess demand of all assets, and is configurable via
-`SpeedexSolverConfiguration.SpeedexSolutionComparisonHeuristic`. The excess demand for an asset is defined as the sum of
-all demands from liquidity pools and orders for that asset minus the sum of all
-endowments from liquidity pools and orders for that asset.
+decreases. The heuristic function is the squared l2 norm of price-weighted
+excess demand of all assets, and is configurable via
+`SpeedexSolverConfiguration.SpeedexSolutionComparisonHeuristic`. The excess
+demand for an asset is defined as the sum of all demands from liquidity pools
+and orders for that asset minus the sum of all endowments from liquidity pools
+and orders for that asset.
The third component of tatonnement is the actual solver. The following is a
pseudocode implementation of the solver:
+
```
// Input:
// numAssets is the number of assets (uint32_t)
@@ -284,22 +307,28 @@ for i in 0..numIterations
// Reduce the step size so future steps will try to reduce the objective
invStepSize *= stepSizeFactor
```
-There are several places that this pseudocode can overflow, which is discussed in the [Possible places of overflow](#possible-places-of-overflow) section and future versions
-of this proposal will explicitly handle that.
+
+There are several places that this pseudocode can overflow, which is discussed
+in the [Possible places of overflow](#possible-places-of-overflow) section and
+future versions of this proposal will explicitly handle that.
#### Choosing between the prices
-If the first phase does not propose a price, i.e. `GeneralizedTransactionSet.v1TxSet().prices.size() == 0`,
-then the prices from the second phase will be used.
-Otherwise, the prices from the first phase and from the second phase will be evaluated
-using the heuristic objective function also used in tatonnement (see the second
-component of tatonnement above). If the heuristic values are different, then
-whichever prices produce a lower value will be used. If the heuristic values
-are the same, then the prices from the second phase will be used.
+If the first phase does not propose a price, i.e.
+`GeneralizedTransactionSet.v1TxSet().prices.size() == 0`, then the prices from
+the second phase will be used.
+
+Otherwise, the prices from the first phase and from the second phase will be
+evaluated using the heuristic objective function also used in tatonnement (see
+the second component of tatonnement above). If the heuristic values are
+different, then whichever prices produce a lower value will be used. If the
+heuristic values are the same, then the prices from the second phase will be
+used.
## Design Rationale
### Two-phase pricing
+
Computing prices during before and after consensus maximizes the flexibility of
the protocol. Before consensus, validators have a great deal of flexibility to
use parallelism, randomness, outside data sources like the price stream from an
@@ -313,30 +342,52 @@ could, for example, be generated by searching for a good configuration during
nomination or using outside data sources. But this is a very indirect approach;
why nominate the configuration when you can simply nominate the result. This
approach also doesn't avoid the need to perform tatonnement after validation,
-because a byzantine validator could nominate a bad configuration. Therefore this
-approach is also less performant than what is proposed in this CAP because every
-node must do tatonnement twice instead of once.
+because a byzantine validator could nominate a bad configuration. Therefore
+this approach is also less performant than what is proposed in this CAP because
+every node must do tatonnement twice instead of once.
### Empty set of prices is valid in the first phase
+
The first phase is optional because a validator that does not want to perform
-any calculations could always choose random prices. If we tolerate random prices,
-then we should acknowledge that no prices at all is probably just as useful.
+any calculations could always choose random prices. If we tolerate random
+prices, then we should acknowledge that no prices at all is probably just as
+useful.
### Demand from a liquidity pool
+
Consider a liquidity pool holding assets `X` and `Y` (we will also use `X` and
-`Y` to denote the reserves of those assets). The market price ratio between the two assets is defined as:
+`Y` to denote the reserves of those assets). The market price ratio between the
+two assets is defined as:
+
+$$ -->
and 
are prices of `X` and `Y` respectively, in arbitrary price unit. 
and 
are the infinitesimal quantities of `X` and `Y` that can be exchanged for each other.
+where
+
+and
+
+are prices of `X` and `Y` respectively, in arbitrary price unit.
-For a constant-product liquidity pool (the only type this proposal is concerned about), the constant-product invariant requires that any transaction within the pool must not reduce the the product of the two reserves (i.e. liquidity).
+
+
+and
+
+are the infinitesimal quantities of `X` and `Y` that can be exchanged for each
+other.
-The liquidity pool starts at equilibrium point `E`, with reserve amounts `X` and `Y` respectively.
+For a constant-product liquidity pool (the only type this proposal is concerned
+about), the constant-product invariant requires that any transaction within the
+pool must not reduce the the product of the two reserves (i.e. liquidity).
-Consider the scenario where the market decides on a lower price for `X` relative to `Y` than what is manifested in the current equilibrium `E`, the liquidity pool will buy `X` and sell `Y` (at the market rate) until a new equilibrium is established (call it `E’`) (see figure below).
+The liquidity pool starts at equilibrium point `E`, with reserve amounts `X`
+and `Y` respectively.
+
+Consider the scenario where the market decides on a lower price for `X`
+relative to `Y` than what is manifested in the current equilibrium `E`, the
+liquidity pool will buy `X` and sell `Y` (at the market rate) until a new
+equilibrium is established (call it `E’`) (see figure below).
@@ -344,18 +395,32 @@ From the constant-product invariant, the pool will buy X sell Y as long as :
%5Cdelta%7Bx%7D)(Y-%5Cdelta%7By%7D)%5Cge%20XY)
and 
are infinitesimal amount of `X` and `Y` to trade, whose relative price ratio is set by the market. `F` the liquidity pool's fee ratio. Expanding the above equation, rearranging, and dividing both sides by :
+where
+
+and
+
+are infinitesimal amount of `X` and `Y` to trade, whose relative price ratio is
+set by the market. `F` the liquidity pool's fee ratio. Expanding the above
+equation, rearranging, and dividing both sides by
+
+:
%5Ccdot%5Cfrac%7B%5Cdelta%7Bx%7D%7D%7B%5Cdelta%7By%7D%7D%5Ccdot%20Y%5Cge%20(1-F)%5Cdelta%7Bx%7D)
and using the price definition, we get:
+Taking
+
+and using the price definition, we get:
%5Ccdot%5Cfrac%7B1%7D%7Bp%7D%5Ccdot%20Y%20%5Cge%200)
Y%7D%7BX%7D)
Y'%7D%7BX'%7D)
Y%7D%7BX%7D)
+Solving the budget constraint and marginal price constraint together, we get
+the demand for `X` and `Y` when
+
:
+
(1-F)%7D%7Bp%5Ccdot(2-F)%7D)
(1-F)%7D%7Bp%5Ccdot(2-F)%7D%20%3E%20%5Cfrac%7BpX(1-F)%2BpX%7D%7Bp%5Ccdot(2-F)%7D%20%3D%20X)
-
+Observe that in this case,
+
-and Y%2BY%7D%7B2-F%7D%3DY)
+and
+
Thus, the liquidity pool, as expected, sells `Y` and purchases `X`.
-In the reverse scenario, when the market decides on a higher price of `X` relative to `Y`, the pool needs to sell `X` and purchase `Y` to reach new equilibrium `E'` (figure below).
+In the reverse scenario, when the market decides on a higher price of `X`
+relative to `Y`, the pool needs to sell `X` and purchase `Y` to reach new
+equilibrium `E'` (figure below).
-By the exact same notion, when X%7D%7BY%7D)
, the demand for `X` and `Y` are:
+By the exact same notion, when
+,
+the demand for `X` and `Y` are:
+
%5Ccdot%20p%7D)
(1-F)%7D%7B2-F%7D)
%5Ccdot%20p%7D%3C%5Cfrac%7BpX%2BpX(1-F)%7D%7B(2-F)%5Ccdot%20p%7D%3DX)
and (1-F)%7D%7B2-F%7D%3E%5Cfrac%7B(Y%2B(1-F)Y)%7D%7B2-F%7D%20%3DY)
+Observe in this case,
+
+and
+
Thus, the liquidity pool, as expected, sells `X` and purchases `Y`.
-When the price is in between, i.e. Y%7D%7BX%7D%20%5Cle%20p%20%5Cle%20%5Cfrac%7BY%7D%7B(1-F)X%7D)
, no trade will happen and both reserves stay the same.
+When the price is in between, i.e.
+,
+no trade will happen and both reserves stay the same.
### Demand from an order
-Tatonnement does not handle discontinuities well. The demand from an order is
-intrinsically discontinuous, so a natural solution is to smooth the demand. This
-can be achieved by linearly interpolating the price-weighted demand between the case where the order does not execute and the case where the order does execute.
-
-It doesn't matter whether you linearly interpolate the asset sold or the asset bought. The two quantities are linearly related according to the budget
-constraint 
, so linear interpolation of one asset implies linear interpolation of the other.
-To fully illustrate the demand interpolation heuristics, consider an offer selling asset `X` (we also use `X` to denote the amount of asset `X` being offered) for asset `Y` at limit price 
. At any point, the budget must be conserved:
+Tatonnement does not handle discontinuities well. The demand from an order is
+intrinsically discontinuous, so a natural solution is to smooth the demand.
+This can be achieved by linearly interpolating the price-weighted demand
+between the case where the order does not execute and the case where the order
+does execute.
+
+It doesn't matter whether you linearly interpolate the asset sold or the asset
+bought. The two quantities are linearly related according to the budget
+constraint
+,
+so linear interpolation of one asset implies linear interpolation of the other.
+
+To fully illustrate the demand interpolation heuristics, consider an offer
+selling asset `X` (we also use `X` to denote the amount of asset `X` being
+offered) for asset `Y` at limit price
+.
+At any point, the budget must be conserved:
%20%3D%20p_%7Bx%7D%5Ccdot%20x)
, the price ratio between `X` and `Y` (`p` is also equivalent to the price of `X` when `Y` is the denominated asset), and ignore the fee component `F` (we do not collect fees from the orders), we get:
+Define
+,
+the price ratio between `X` and `Y` (`p` is also equivalent to the price of `X`
+when `Y` is the denominated asset), and ignore the fee component `F` (we do not
+collect fees from the orders), we get:
+
+$$ -->
and the limit price 
is a function of the smoothness parameter 
.
-Specifically, %7D)
.
-
-When 
, no trade will happen, demand for `Y` is `0`, and demand for `X` is the full amount of `X` valued at 
.
+its limit price at which the order executes fully. The ratio between this price
+
+and the limit price
+
+is a function of the smoothness parameter
+.
+Specifically,
+.
+
+When
+,
+no trade will happen, demand for `Y` is `0`, and demand for `X` is the full
+amount of `X` valued at
+.
+
+When
+
,
+the entire amount `X` is traded for `Y`, thus demand for `Y` is
+
+
+
+
,
+and demand for `X` is `0`.
+
+For
+
,
+the demands are linearly interpolated from the end points (see figure below):
-When , the entire amount `X` is traded for `Y`, thus demand for `Y` is , and demand for `X` is `0`.
-
-For , the demands are linearly interpolated from the end points (see figure below):
+$$ -->
and 
and 
, rearrange, we get when 
the demand for `Y` is:
+Substituting
+
+and
+
+and
+,
+rearrange, we get when
+
+the demand for `Y` is:
+
+$$ -->
X%7D%7BS%7D)
%7D%7Bp%7D%3D%5Cfrac%7B(p%20-%20P)X%7D%7BS%5Ccdot%20p%7D)
X%7D%7BS%5Ccdot%20p%7D)