Add design proposal for generalized ownership

[aeyakovenko]

Problem

Current implementations of ownership rely on account pubkeys, which cannot be composed across programs.

How these problems manifest in Ethereum. https://medium.com/@kelvinfichter/looking-at-ownership-in-the-evm-6e6914d341d

Summary of Changes

Propose a design for general ownership of countable things, with a mechanism to programatically transfer the ownership based on output from other programs.

CC #3266

[garious]

I can't give much feedback on this yet. Need more context on the problem being solved. If it's solving the problem that I think it's solving, I'm surprised not to see monoids mentioned in the proposed solution. Seems like this should be a debate between monoids and semigroups and how a program should expose that functionality to accounts that it is the owner of.

I'd think this proposal can take the form:

Runtime doesn't allow parallel access to "credits" on userdata, because it doesn't know what it means to be a credit on an otherwise opaque data type. To define a credit, we propose programs optionally implement a semigroup interface for accounts it owns. Going one step further, the runtime can also create and initialize these accounts if an identity operation is defined. When used in conjunction, the identity and semigroup operations form a monoid, opening the door for additional runtime optimizations such as the popular MapReduce.

[garious]

programmatic?

[aeyakovenko]

Assignment based on the output of a program? What should you call it?

[garious]

"use a common program" -> "define an instruction"?

[aeyakovenko]

@garious not really define, how about: "reuse the same code and state machine"

[garious]

"actual owner" is a strange thing to say. Smells of a terminology problem. Is there a "not-actual owner" that's hijacked the term "owner"?

[aeyakovenko]

Account has an owner, which is the program. Signer, which is the thing that owns the some keypair. The owner of the state which stores these bits, which is irrelevant here. How about token_owner, or unit_owner?

[garious]

I can't help specialize vague terminology. I asked because I can't tell what you're referring to. I need you to spend some time either thinking on the terminology and defining it earlier in this document, or spend more time clarifying the problem statement and have others propose solutions.

[garious]

A credit-only account needs a signature?

[aeyakovenko]

Yep, it just needs to show proof of owning the identity. Kind of interesting, since this account doesn’t need an actual balance

[garious]

Personally, I'd accept tokens from anybody giving tokens out - my signature is not required.

[aeyakovenko]

@garious, want to work on this together? It would be nice to split this up into a semi group and a monoid.

[garious]

@aeyakovenko, I'd prefer not to work on this until you create an GitHub issue that describes the problem in detail, such that we can prioritize it. It's likely that I'll want to write a design proposal of my own and maybe implement it too. The MapReduce possibility is something that we've been talking about since the earliest days of the project.

[aeyakovenko]

@garious let’s move this forward. Dealing with external settlement depends on this.

[garious]

@aeyakovenko, can you explain how dealing with external settlement depends on this?

[aeyakovenko]

@garious the example in the doc discusses how two external assets get traded by an exchange program. The alternative is a single non-generalized exchange that only understands the tokens and external assets it was initially programmed with.

[garious]

@aeyakovenko, I wonder if the fundamental problem here is in the Token program. It decides what to do based on data in Instruction.data. Instead, what could be in Instruction.data is TokenInstruction::LoadInstructionFromAccount. If so, an "analyst" program would accept a TicTacToe account and use that state to store a TokenInstruction into an account that it owns. The Token program would then load a Transfer instruction and proceed as it normally would. The message would be written as such:

let transfer_ix = token::transfer(42, &carol_id, &dan_id);
let message = Message::new(vec![
    ttt_instruction::move(&alice_id, &game_id, 2, 2),
    system_instruction::create_account(&gambling_greg_id, size_of(transfer_tx)),
    tttanalyst_instruction::when_winner(&gambling_greg_id, &game_id, IS_X, transfer_ix),
    token_instruction::load_instruction_from_account(&gambling_greg_id),
]);

client.send_message(&[&alice_keypair, &gambling_greg_keypair, &carol_keypair]);

[aeyakovenko]

@garious, it needs to lock the tokens from transfer while their are in play. In the design it’s covered as OwnerState::Escrow

[garious]

In fact, that last instruction can be generalized for all programs if recognized by the runtime:

system_instruction::load_instruction_from_account(TOKEN_PROGRAM_ID, &gambling_greg_id)

[aeyakovenko]

@garious, ah I see. You are looking at the output of the previous instruction. You can do that with atomics. Configure the token program to payout the result based if an instruction is called with the right keys in the same TX. it doesn’t even need to look at the state, just Succeed.

That doesn’t compose. The token program needs to have those hooks. Everyone implementing a token must add them, since it’s sync for that state transition. I can’t add additional tokens and gamble them in tic-tac-toe against other token programs.

[aeyakovenko]

@garious I don’t see where the chain enforces that the transfer occurs if and only if the winner won

[garious]

@aeyakovenko, yes, that's not obvious. It'd be implemented by this line:

tttanalyst_instruction::when_winner(&gambling_greg_id, &game_id, IS_X, transfer_ix)

What it's saying is that the analyst is analyzing the game_id account to see if X won, and if so, storing transfer_ix in gambling_greg_id, and otherwise storing a no-op.

[garious]

The big limitation in my example is the lack of an escrow account. What's awkward there is that the escrow account would be owned by the token program, whereas the contract controlling them would be held by tttanalyast, which cannot sign a token transfer transaction.

Your suggestion of a predicate language in token is one way to move forward, but feels like a long rabbit hole. I'd rather have token delegate ownership to a program, which is already part of this proposal. Let me think on the possibility of making that delegation the only new feature.

[aeyakovenko]

@garious think there are two ways,

1. token escrow on (program, instruction, keys)
2. if the tx executes, the transfer occurs to data held in one of the keys

or

1. token escrow when an Account::data transitions from 0 to pubkey
2. when the account is non-zero, the escrow can change the owner to pubkey

[garious]

I don't understand what you're saying there ^^^

[garious]

I'm not optimistic that I'm going to grok this proposal if only incrementally moved forward in response to my review comments. I think this will either require another brain or a rewrite. If a rewrite, I'd suggest way more content in the problem description and less code in the proposed solution.

[garious]

This sentence is unclear - specifically "ownership" and "arbitrary units".

[garious]

This looks like the first use of "externally countable ownership". What does it mean?

[garious]

What do you mean by "items" and "units" exactly?

[garious]

That looks like an overreaching assertion.

[garious]

This is using ambiguous terminology.

[garious]

actual owner

[garious]

trigger?

[garious]

assign or award?

[garious]

Another definition of OwnerState? Are these progressively more advanced definitions? Perhaps this was all the same OwnerState definition and each field was introduced as a full OwnerState definition?

[garious]

Where is Trade defined?

[rob-solana]

why is a pointer to the OwnerState needed in this struct?

[aeyakovenko]

I am going to split this out into two problems.

1. generalized ownership
2. cross program state transitions

[garious]

@aeyakovenko, can this be closed in favor of #4603?

[aeyakovenko]

@garious want to file another Issue that captures the problem of delegating scarcity to a Token program? And a way to delegate transfer of ownership to other programs from within the Token program?

[garious]

@aeyakovenko, in that model, you don't delegate. It's permissionless. You'd spin up a token to represent some other set of tokens, and then stake and trade with the new token. How about tickets for demos of various usecases you propose? I'm working towards betting on tic-tac-toe outcome with a Token. After that, the other example you give here, of swapping two Tokens. Looking for others?

[garious]

@aeyakovenko, sounds like your solution must be addressing more problems than what you've provided. You mentioned splitting this proposal into two earlier. Sounds like we'll need that sooner than later. If so, can you do that with issues instead of PRs?

[garious]

@aeyakovenko, this PR is very old and hasn't gotten traction. Can we close it for now?

[aeyakovenko]

@garious closed. We are moving too slowly for general purpose tokens. Maybe stakes will be the first consumer.