Have a formal definition of sandwich transactions #773
Comments
|
Alternatively, if we can make the |
JakeUrban
added
SEP
|
I didn't realize sandwich transactions were used in other protocols. My thinking was that SEP-8 doesn't make any attempt to define what kind of transactions the client should submit to the approval server, so its left to the organization implementing SEP-8 to communicate this to their clients. This is bad. Instead, organizations implementing SEP-8 should be able to reference the SEP to their clients, and the SEP should have a format definition of "sandwich transactions". Something like this:
The SEP also doesn't seem to mention that trust-lines to regulated assets are |
|
I always read We are as well not mentioning sandwich requirements. If the clients submits them, fine, if not we add them and add a revised flag. Sample (here's the result): import requests
from stellar_sdk import Server, TransactionBuilder, Network
APPROVAL_SERVER = 'https://dsq.technology/sep-8/tx-approve/'
PUBLIC_KEY = 'GCD2XJSMQT4RHLGMILDJDTCHGP2PWH2RREFNNSW3XLPB7PAVT5UWQBZT'
server = Server(horizon_url='https://horizon.stellar.org')
builder = TransactionBuilder(server.load_account(PUBLIC_KEY), Network.PUBLIC_NETWORK_PASSPHRASE)
tx_xdr = builder.append_manage_buy_offer_op(
selling_code='USD',
selling_issuer='GDUKMGUGDZQK6YHYA5Z6AY2G4XDSZPSZ3SW5UN3ARVMO6QSRDWP5YLEX',
buying_code='TSLA',
buying_issuer='GBRDHSZL4ZKOI2PTUMM53N3NICZXC5OX3KPCD4WD4NG4XGCBC2ZA3KAG',
amount='1.00',
price='402.9721521'
).build().to_xdr()
requests.post(APPROVAL_SERVER, data={'tx': tx_xdr}).json()['tx']The definition from @JakeUrban looks fine to me, though. |
|
@howardtw this is what I was confused about originally, why can't our partner do this:
Does our partner understand they can do this? Why do they feel the need to describe sandwich transactions in their TOML? |
|
Are we implicitly saying that clients should always:
This process requires two round-trips, which is not so ideal in my opinion. It would be the best if clients know that they need to construct a sandwich transaction before submitting the transaction to the approval server so that it can be done with just 1 round-trip. One might argue that the approval server can sign the My understanding is that @shredding has both flows implemented. That is, the approval server will approve sandwich transactions as well as return a revised transaction. However, it is unclear to me that whether the revised transaction is signed before returning to the client or not.
They haven't made use of the three intermediate statuses
I don't think they have thought about using the revised status to make the sandwich. And this is why they feel the need to communicate the approval criteria more clearly. If we reach a consensus that using the "revised" status to make the sandwich is the way to go, we can tell them about it. |
|
I agree the double round trip is not ideal, and organizations running SEP-8 servers are incentivized to educate clients about sandwich transactions so they don't have to do this. I think a combination of educating our partner about the |
What is the benefit of this? We give back the signed transaction in step 2 and go for it (we add a time bound, but that's not even necessary). If we'd be happy with the transaction in step 4, why not already in step 2? |
Thanks @shredding! That's good to know. And I agree it's an easy optimization to make. My thought on the approval server in general is that it should be the entity that "approves" a transaction so that the transaction will become submittable. Dismissing a client-supplied transaction and giving the client a self-made transaction that's pre-approved seems a bit aggressive and assertive to me. That's why I feel like it would be better if it could use the "revised" status as a suggestion (transaction not signed). From software's perspective, I would also favor that the approval server only signs transactions that have been signed by the client for consistency, consistency as in when the approval server would sign a transaction. |
|
It's still a suggestion; it's up to the client to co-sign and broadcast the transaction. Generally speaking, our SEP-8 implementation is quite complex; e.g. it supports stellar channels and does a lot of checks on the account level. So in general, the job of the approval servers (at least ours) tends to not be to validate transaction composition. That's merely a byproduct. It's approving the intent (in our case trading) of the user and transaction composition is just the way of approving the intent. At least that's how I understood it. |
I agree with you that returning a signed sandwich transaction that wraps the original intent/operations is a way for approval servers (at least yours) to say that it approves the intent, and it's up to the client to co-sign it. I don't feel strongly about whether the approval server should sign the sandwich transaction or not in step 2. My goal is to make SEP-8 more useful, up-to-date, and more importantly, make sense to most people who implemented or plan on implementing SEP-8 in the ecosystem. And it seems like signing it prior to returning is more useful in your case. Really appreciate your feedback @shredding I'd love your thoughts on this too @tomerweller @leighmcculloch |
|
@howardtw In regards to if the server should sign the revised transaction, SEP-8 is explicit about this and states the transaction should be signed so that the client can submit it without making a second request to the server: stellar-protocol/ecosystem/sep-0008.md Line 38 in c6c006e Speaking to the issue title and description, I think it might be helpful if there is developer documentation demonstrating how to group operations in a transaction to temporarily authorize an account for only that transaction rather than writing a formal definition for the term 'sandwich transaction'. I agree with @shredding here #773 (comment), I wouldn't expect to see deep technical details about how a transaction should be constructed in the approval criteria. The description for approval criteria is a human readable string. stellar-protocol/ecosystem/sep-0001.md Line 138 in c6c006e I think it is simpler and less error prone for clients and servers to implement SEP-8 making use of the revised status rather than require clients to preemptively build the correct transaction upfront, as doing so would bind the client's implementation to the server's and any attempt to generically specify the type of sandwich may be insufficient for all cases. There is still only one request. What am I missing? |
|
Based on the conversations in this PR, looks like we all agree on starting with a definition for a sandwich transaction in our developer documentations. And it should improve the words around both CAP-18 and CAP-33. @JakeUrban is it something that you can take on? |
and others
Why
We've started to reference to sandwich transactions since the introduction of CAP-33 and CAP-18. We talked about the "sandwich approach" in CAP-33, and we also talked about the authorization sandwich in the control asset access section in our new doc.
Recently one of our partners has expressed the difficulty about communicating the use of sandwich transactions through
approval_criteriain the currencies section of SEP-1.Having a formal definition of sandwich transactions would facilitate such communications.
The text was updated successfully, but these errors were encountered: