SIMD-0431: Loader V3: Minimum Extend Program Size#431
Conversation
|
Hello deanmlittle! Welcome to the SIMD process. By opening this PR you are affirming that your SIMD has been thoroughly discussed and vetted in the SIMD discussion section. The SIMD PR section should only be used to submit a final technical specification for review. If your design / idea still needs discussion, please close this PR and create a new discussion here. This PR requires the following approvals before it can be merged:
Once all requirements are met, you can merge this PR by commenting |
deanmlittle
changed the title
|
Lgtm |
|
@0xRigel requesting your review as this pertains to multisig wallets like Squads. I know we discussed at breakpoint but worth double checking you don't foresee any issues. I think it is actually as simple as throwing a lighthouse instruction at the end to ensure the authority doesn't change. |
|
Whats the current reason for Aside from that, this looks good. We'll just have to make a few adjusments to the UI's under the hood logic for extend program. |
ACK, thanks for reviewing! There are a many dumb restrictions on LoaderV3 due to security issues that can arise as a result of problematic account midstates created during the upgrade process. Hopefully we can ship a few more fixes that would allow us to relax these constraints in the future! |
deanmlittle
changed the title
buffalojoec
left a comment
buffalojoec
left a comment
There was a problem hiding this comment.
I think this proposal could actually use a bit of fleshing out for context.
I've written a draft implementation here: anza-xyz/agave#9859
The first major issue I found is that we'd actually need to break the
ExtendProgram instruction's accounts list beyond just requiring a signature.
The authority is actually not a member of the required accounts for
ExtendProgram. We would need to add it.
For this reason, I'm actually considering SIMD-0164 as a preferred solution. We
would introduce a new instruction with a new accounts list and deprecate the
old one.
Since callers will have to modify their code anyway in order to support the
ExtendProgram instruction after this feature, are we certain changing the
existing instruction is cleaner? It seems like maybe not.
Additionally, this proposal can probably add more details about some of the
deliberation that occurred in SIMD-0164. After all, it's going to be the exact
same design, just a different rollout strategy.
There was a bit of discussion about how this change affects multisigs. However,
in SIMD-0164 and also here in this proposal (via ack by @0xRigel) these
concerns were curtailed. We can probably at least mention how this affects
multisigs in one of the lower sections of the SIMD.
@Lichtso also added context to SIMD-0164 about already-deployed, possibly
frozen programs. This proposal will have the same issues.
We probably have to add that ExtendProgram will be accessible via CPI as a
result of this proposal's feature activation. If we don't, self-upgrading
programs won't be able to invoke ExtendProgram via CPI with their PDA
signers.
I am of the opinion that simply modifying the existing instruction makes more sense for several reasons:
Thus 164 is actually doing more work to achieve the same outcome. For that reason, I do not think 164 is a better solution. |
I re-read SIMD-0164 any yes you are right, it does not mention the old one being disabled, but that would be my intention. Can update that SIMD.
It is not about displaying error messages but preventing unauthorized access from others. Currently |
|
I believe I have addressed all outstanding feedback. It is really just a matter of making the decision of whether we go with #164 or #431. As we would be throwing a missing signer error either way, I find no justification to pollute our Enum with an additional instruction when we can simply modify the existing one to achieve the same result. |
|
The only reason why If we make it permissioned self upgrading programs would have to use the transient (but atomic) authority shuffle pattern to sign In that sense neither SIMD-0431 nor SIMD-0164 are needed, we can just disable |
The authority shuffle is very clunky, and I agree with you that if we do have to shuffle, why not just combine this into upgrade directly? Upon reevaluating our options, I think I actually have an even better solution to this. I think we should instead:
By doing so, Extend can remain "permissionless" as it is today, so none of our workflows change, but it can piggyback on the safety of the |
Only top-level instructions are known ahead of time. For self upgrading programs the By then it becomes very similar to the retract-modify-redeploy-workflow in the early designs of loader-v4. With the difference being that loader-v4 explicitly persisted the retracted state in the program account, while this dirty flag here would be implicit and only exist during the transaction. |
Ahh yeah, you're right. Though I suppose we could go the other way and have the upgrade instruction introspect for the |
- Near max account size (10 MiB): allow sub-10 KiB extends when less than 10 KiB of headroom remains - Frozen programs: already rejected by the loader with Immutable
SIMD-0431: revise to use minimum extension size approach
deanmlittle
changed the title
|
@Lichtso we've reworked this proposal to use a minimum extension length, as proposed by jstarry here on SIMD-0164. Please give this another review, and if it's acceptable by all parties, we'll update dependent SIMDs like SIMD-0430 and SIMD-0433. |
Lichtso
left a comment
Lichtso
left a comment
There was a problem hiding this comment.
I am still in favor of "Disable ExtendProgram entirely", as I think that being able to manipulate other peoples programs at all is fishy. However, in the interest of getting this fixed, I will approve this simpler yet potentially incomplete solution.
Yeah, disabling permissionless resizing of program accounts would be the most complete fix, but at the cost of breaking many long-existing workflows for self-upgrading programs and multisig upgrades. I documented this out in the Alternatives Considered section. |
|
Thanks, bw-solana!
|
|
✅ All approvals received! @deanmlittle, you can now merge this by commenting ✅ Status: Ready to merge |
|
@deanmlittle before merging this proposal, please wait to get review from Squads (@0xRigel). I spoke to @0xRigel the other day about this proposal and the underlying issues it seeks to fix. The most complete fix would be to make the |
0xRigel-squads
left a comment
0xRigel-squads
left a comment
There was a problem hiding this comment.
Really appreciate the multisig consideration @buffalojoec @deanmlittle ❤️
Lgtm ✅
|
/merge |
|
✅ Merge successful! deanmlittle's PR has been merged. |
9 participants
No description provided.