Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CIP-0087? | Maybe Datum #440

Closed

Conversation

fallen-icarus
Copy link

@fallen-icarus fallen-icarus commented Jan 18, 2023

A CIP that looks to address the concerns of #364, #423, #309, #310, and #321 in one go.

See proposal here.

@fallen-icarus fallen-icarus marked this pull request as ready for review January 18, 2023 18:25
Copy link
Collaborator

@rphair rphair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good at first view @fallen-icarus & thanks for drawing all these discussions together.

CIP-????/README.md Outdated Show resolved Hide resolved
@nielstron
Copy link
Contributor

I approve this CIP. The issue of accidentally locking UTxOs for good is widespread and problematic and the use cases for multipurpose scripts are clear enough to make them easy to achieve by design.

@nielstron
Copy link
Contributor

nielstron commented Jan 24, 2023

Note that the motivation/problem 3 is not accurate. A solution to this problem with the current design / PlutusV2 and the corresponding drawback is outlined here: https://github.com/ImperatorLang/eopsin/blob/master/ARCHITECTURE.md#minting-policy---spending-validator-double-function

@fallen-icarus
Copy link
Author

@nielstron I updated the problem 3 section to acknowledge eopsin's workaround. My apologies for not doing it sooner.

@nielstron
Copy link
Contributor

Thanks!

@ch1bo
Copy link
Contributor

ch1bo commented Jan 26, 2023

PR #309 has a related discussion to this.

#309 (comment)

@fallen-icarus
Copy link
Author

fallen-icarus commented Jan 26, 2023

@ch1bo What are your thoughts about this CIP? It is meant to address the concerns of 309 as well. Do you agree that it does?

Edit: Here is my recent comment in that thread that further explains my perspective. comment

@imikushin
Copy link

@fallen-icarus In this model, can there be a situation when there's one script address, and:

  • one transaction would spend from it running the script as a tx-level script,
  • another transaction would spend from it running the script per-UTxO?

Another question: can a transaction run several tx-level scripts? (Perhaps, when spending outputs from M addresses, created from N scripts, where M > N) How would this work?

CIP-????/README.md Outdated Show resolved Hide resolved
@fallen-icarus
Copy link
Author

@imikushin The same script can be used in either context. You can think of all scripts as having logic like

if maybe_datum == Just datum
then utxo_level_logic
else tx_level_logic

can a transaction run several tx-level scripts? ... How would this work?

You can use as many tx-level scripts as will fit into the tx. The following table shows some valid usages:

Tx 1 Tx 2 Tx 3 Tx 4
Script A as tx-level Script A as tx-level Script A as utxo-level Script A as utxo-level
Script B as tx-level Script B as utxo-level Script B as tx-level Script B as utxo-level

The only restriction is that, within the same tx, script A cannot be used as BOTH a tx-level script and a utxo-level script. As far as how this would work, the ledger is already capable of detecting if all the relevant scripts are present. Currently, every utxo needs an accompanying script to execute at the utxo-level. This detection tooling will need to be slightly altered to also allow using tx-level scripts to witness all utxos from that script's address in the same way that a pubkey can witness all utxos from the user's address.

Perhaps, when spending outputs from M addresses, created from N scripts, where M > N

This is an interesting use case: If Address AA and Address AB are protected by Script A, can script A be used at the tx-level for Address AA's utxos while being used at the utxo-level for Address AB's utxos in the same tx? I would have to say no simply because this would likely dramatically complicate the ledger-script interface and I don't think this use case is ubiquitous enough to warrant adding such complexity. For most use cases, the script is probably meant to be used as only one level or the other, regardless of the address being spent from. If this usage is necessary, you can always break it up over multiple txs. Somebody on the plutus or ledger team will know better how complicated allowing this niche use case would be. The proposal, as it is now, does not allow for this use case.

@imikushin
Copy link

@fallen-icarus, thanks for your reply. With clarifications about multiple tx-level scripts, I can definitely get behind this proposal.

Tx-level validation (as opposed to per-UTxO) basically gives more scalability for free (besides, of course, implementation cost), i.e. we're not paying for it by sacrificing security or decentralization.

@imikushin
Copy link

@fallen-icarus Just a thought: maybe a better name for this CIP could be Transaction Level Validation Scripts.

I think it communicates the solution much better. Sure, script re-usability is an issue. But a much bigger concern is scalability, which this proposal addresses.

I mean, just think of a transaction dealing with multiple outputs that has to perform a ZK proof verification (a pretty intensive computation). How much easier it gets with per-transaction script execution vs per-output.

@fallen-icarus
Copy link
Author

@imikushin I had thought about that before but tx level scripts aren't the main focus of this CIP. While I personally agree with the tx level scripts being the most important consequence of this CIP (since you can't fully utilize the eUTxO model without it), the main focus is on changing things to use the Maybe Datum. @rphair Do you have an opinion on this?

@rphair
Copy link
Collaborator

rphair commented Feb 3, 2023

@fallen-icarus I agree the "Transaction" oriented name would be eye-catching for implementations, but the goal of any standard is to be applied as generally as possible. Therefore if the current name "Maybe Datum" is the most generally applicable I'd be in favour of keeping it in the title unless there's a more explicit title that means the same thing (as a non Plutus programmer it means nothing to me except what people have said about this & related CIPs).

@imikushin's highlighted use case is a great one to keep focusing on, but from my (not technically expert on this subject) point of view you have to read deeply into the text to find how this phrase applies to the subject. So maybe that use case could be included under a heading like "Use cases for Transaction Level Validation Scripts" in the Motivation or Rationale section.

Copy link
Contributor

@michaelpj michaelpj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CIP contains two very different proposals:

  • A fairly straightforward proposal to make datums optional. This is fine, I would like to do something like this, but overall I prefer CIP-0069? | Plutus Script Type Uniformization #321
  • A complicated proposal to reduce how often scripts are executed in some cases.

I think it would be a stronger proposal if these were separated (from the title I assumed it would just be the first part). In particular the second needs much more development, as it currently glosses over a lot of important details.


I think the overall proposal could be carved up and made simpler and more compositional.

  • Proposal 1: when the ledger accumulates script evaluations to perform as (Script, [Data]) tuples, it deduplicates this list before performing evaluations, so as not to do redundant work. This would need a CIP because it would need to specify the budget discount for the non-evaluated scripts, otherwise it's pointless.
  • Proposal 2: optional datums or CIP-0069? | Plutus Script Type Uniformization #321
  • Proposal 3: something with this special flag designed to make more script evaluations look identical

This would allow for proposal 1 to get implemented, while we're still working out what the best way to get more identical script evaluations is (whether it's proposal 3 or something else).

CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
@fallen-icarus
Copy link
Author

@michaelpj thanks for the review. I'll need to think about the rest of your comments here.

@KtorZ KtorZ added the State: Waiting for Author Proposal showing lack of documented progress by authors. label Feb 14, 2023
@ShariffL
Copy link

ShariffL commented Feb 16, 2023

@oversize @KtorZ @katomm adding you in this discussion as well. Is there a way to get this CIP approved and merged? It will improve scalability for multi output tx. Or can you advise us how to move forward on this CIP? CC: @imikushin

@fallen-icarus
Copy link
Author

@ShariffL I agree with @michaelpj that this CIP should be broken up into a few composable CIPs. Currently, I am considering breaking it up into two CIPs:

  1. Using Maybe Datum for when a utxo is missing one. This would also enable universal scripts (one that can mint, spend, or manage rewards). It is mutually exclusive to CIP-0069? | Plutus Script Type Uniformization #321.
  2. Adding a new tx input type for grouped inputs. See here. This would address the redundant executions and enable "ignoring" datums even if utxos have them (they will still be present in the ScriptContext).

@fallen-icarus
Copy link
Author

I have updated the proposal to represent the reviewers' responses. This proposal no longer deals with the redundant executions. As suggested, that will be its own CIP.

@KtorZ KtorZ changed the title CIP-???? | Maybe Datum CIP-0087? | Maybe Datum Feb 21, 2023
CIP-????/README.md Outdated Show resolved Hide resolved
CIP-????/README.md Outdated Show resolved Hide resolved
@KtorZ KtorZ removed the State: Waiting for Author Proposal showing lack of documented progress by authors. label Feb 21, 2023
fallen-icarus and others added 2 commits February 21, 2023 09:08
Co-authored-by: Matthias Benkort <[email protected]>
Co-authored-by: Matthias Benkort <[email protected]>
2. This increases the need to trust software that is being used to get the datum information from the extended address. A malicious frontend can alter the datum information so that it can steal funds from the user.
- Using a proxy - users send their funds to a middle contract/entity that then attaches the required datum for the users and passes the funds onto the desired script address. Currently, the only way to use proxies in a trustless manner is to use a plutus script as the proxy. But then we are back to where we started: a missing datum will result in the permanent locking of the funds sent to the proxy contract. So the only real proxy workaround for completely preventing locking due to a missing datum is to use a multisig native script or another pubkey address and have the owner(s) attach the proper datum for the users. Both of these options force reliance on centralized parties.

As a final point, there are use cases where a datum is not needed for the Dapp to function. In these situations, a dummy datum is still required just to prevent locking.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To give another use case: There are situations where the sender should not need to be aware they are sending funds to a script.

An example to this are "Smart contract wallets". These wallets would lock funds in a script instead of a private key and can be used to implement do social recovery wallets or for-purpose debit accounts.

Only plutus scripts that use the new plutus ledger language will have their datums handled in this way. All other plutus ledger languages will retain their usage.

### `ScriptArgs` Alternative
The `ScriptArgs` proposal ([here](https://github.com/cardano-foundation/CIPs/pull/321)) could also address the issues motivating this CIP. The `ScriptArgs` approach could allow for easily implementing future changes such as allowing scripts to take other kinds of arguments. However, all of the details have yet to be ironed out.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is the major competitor to your proposal, I think you need to say a lot more about why you think yours should be implemented instead!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@michaelpj Do you think there is value in implementing the Maybe Datum for now while we sort out the ScriptArgs? The main difference between the two is that the ScriptArgs is easily extendable, but there are still questions around it. The Maybe Datum proposal does not take us very far from the existing design. IMO the issues discussed in this CIP are pressing enough to prioritize fixing soon. If we implement the Maybe Datum proposal first, we can then take our time sorting out the ScriptArgs. If ScriptArgs is deemed to be better, how much different is the process of going from our current design to ScriptArgs than going from the Maybe Datum design to ScriptArgs?

Being able to sort out the ScriptArgs without the pressure caused by the discussed issues is my main argument for why we should do the Maybe Datum. Basically, the idea is to use this CIP as a potential stopgap.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, absolutely not. Changes that require new Plutus ledger languages are very expensive because they require us to support old versions forever. I am extremely not keen to add something that we plan to remove later.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@michaelpj Understood. Then I don't have an argument for choosing this proposal over the ScriptArgs one since I personally believe that, if the ScriptArgs can be added safely, it should be used. However, I think there is value in documenting what has been considered at each step of evolution for the design - this has been my main motivation for continuing to steel man this CIP despite thinking that ScriptArgs would likely be better. I am totally fine with this proposal getting merged, but then marking its status as inactive once ScriptArgs is ready. I'm not sure if the CIP process is meant to be used this way.

Considering that you did something similar with #336, what are your thoughts about this? I'm willing to wait until the ScriptArgs proposal is ready and then try arguing against it.

@KtorZ KtorZ added the Category: Plutus Proposals belonging to the 'Plutus' category. label Mar 18, 2023
@Ryun1
Copy link
Collaborator

Ryun1 commented Jul 15, 2024

I believe this has been included within Conway

Can you confirm @zliu41 @lehins ?🙏

@fallen-icarus
Copy link
Author

The others can correct me if I am wrong, but as the author of this CIP, I do not think this is being implemented in Conway. CIP-69 (#784) uses a Maybe Datum in a different way than this CIP was proposing. IMO, CIP-69 obsoletes the need for this one.

@lehins
Copy link
Contributor

lehins commented Jul 17, 2024

@fallen-icarus Yes, you are right in that CIP-0069 takes a different approach to solve the same problem. In that sense, it does make this CIP obsolete.

@rphair
Copy link
Collaborator

rphair commented Jul 17, 2024

Thanks everybody especially @fallen-icarus for all the prior work on this. Based on the last comments by @lehins @fallen-icarus @Ryun1 I'm closing this as superseded, but please feel free to reopen if that turns out not to be true.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Category: Plutus Proposals belonging to the 'Plutus' category.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants