Audit and remove unwanted builtin-actor code for FVM #424
Comments
I would expect we don't need a FIP for the change here unless they change some behaviour to be other than what might be expected had we had user-programmed actors from the start.
@ZenGround0 is going to take the first pass on auditing what needs to be cleaned up.
Another item: the payment channel requires that addresses are of account actors specifically. If we implement either account abstraction or a standard signature verification method, we should instead delegate signature checking to the actor in question. cc @arajasek (all calls to resolve an actor code CID are suspect)
The miner actor only supports built-in accounts and multisigs as control addresses
Almost anything that uses the built-in actor
In #807 @ZenGround0 flags that we want to:
Adding to the reengineering API milestone, though I don't think we need to hit everything covered here as part of that effort.
Deprecating the old Miner::ControlAddress method, and using the new
@jennijuju and I are attempting to groom this issue a little. Here's a summary of proposed ideas -- some of these may simply require a quick check before being marked complete:
@lemmih Do you know who from your team will pick up this issue yet?
@sudo-shashank will be looking at this once he's finished with his other builtin-actor tasks.
The built-in actors were developed in an environment assuming there were no user-programmed actors. Some of the basic ones like the Init actor, multisig, payment channel have code in them that will limit their use by user-programmed actors once available.
As an example, the Init actor has an allow-list for which actor code CIDs are permitted to initialise which other actors, which is scoped to allow only the known actors. It may be ok (if unnecessary) to retain some kind of restriction on creation of built-in miner or singleton actors, but as written this will prevent anyone creating any other actor.
Various actors also contain caller checks that prohibit callers outside the built-in account and multisig actor. But anything that permits the built-in multisig should permit any actor to call it.
cc @jennijuju @ZenGround0 @arajasek