feat(standards): Add DelayedExecution (Timelocked Accounts) to AuthMultisigSmart

[onurinanc]

Closes: #3043.

Previously opened a draft PR implementing all features regarding Smart Multisig here: #2973. That PR still relatively big, and we separate the delayed execution logic into this PR.

[PhilippGackstatter]

I left a few questions/comments/nits. Overall, I'm having a hard time wrapping my head around this PR. In particular:

• it seems we have multiple names for the same concept - would be great to unify.
• I find the use of the pending slots hard to follow, and I'm not sure I understand why we need these. I left a question/suggestion to use auth args instead.
• I don't understand why we need the cancel_and_propose functionality when we already have the individual cancel and propose.

[PhilippGackstatter]

Nit: I'd call this TX_SUMMARY_COMMITMENT instead of TX_HASH for accuracy (everywhere it is used in this PR).

[PhilippGackstatter]

Nit: I think we should rather add a Where: clause explaining the inputs rather than the side effect which can be checked by looking at the code.

[PhilippGackstatter]

Nit: Returning the zeros is unnecessary.

[PhilippGackstatter]

Suggested change

	proc get_propose_expiration_delta
	exec.get_delayed_execution
	# => [min_delay, propose_expiration_delta, 0, 0]
	proc get_propose_expiration_delta
	exec.get_delayed_execution_config
	# => [min_delay, propose_expiration_delta, 0, 0]

Nit: Maybe the current procedure name could be a bit clearer.

[PhilippGackstatter]

I don't understand why we set and then get the delta - this seems redundant. The neq.0 check is already done in tx::update_expiration_block_delta (but it is not documented in a Panics if section - if you don't mind, we could add it in this PR).

So, I think the whole procedure can be removed in favor of calling tx::update_expiration_block_delta directly.

[PhilippGackstatter]

Does this procedure use TX_HASH? If not, can we remove it from the inputs/outputs? I'd also pass in num_verified_signatures but not return it. Caller should dup it.

[PhilippGackstatter]

Is the use of this procedure to communicate to the auth procedure that the current transaction executed a proposed action? It seems like this is intended to be called from a tx script, which is arbitrarily provided by the tx executor.

If so, can we not achieve the same by passing a flag as AUTH_ARGS? And if so, can we get rid of all the pending slots by using this pattern?

[onurinanc]

I think the same pattern needs to stay for propose/cancel, so it might be good keeping execute on the same pattern for symmetry. I'm not sure if removing all the pending slots by using the AUTH_ARGS pattern works.

[PhilippGackstatter]

Is this procedure description accurate? In set_pending_execute we write PENDING_EXECUTE_FLAG and not a HASH, so there is a mismatch.

[PhilippGackstatter]

Is the functionality of this procedure not the same as calling cancel and then propose? Why do we need a single procedure for this?

[onurinanc]

Commented here now: #3043 (comment)

[PhilippGackstatter]

Given that we clear the pending slots as the last step, the tx summary we computed earlier contains the changes to the pending slots. This works in principle, but feels a bit unclean. Mentioning in case this was not intended.

[PhilippGackstatter]

Nit: We usually don't mention the exact error variants.

[PhilippGackstatter]

Afaict, propose_transaction and cancel_transaction_proposal are both essentially setters for their provided arguments; writing into a temporary storage slot. The arguments come from a tx script, which is constructed by a user. The main work is done in the auth procedure, which reads the slots, enforces delay constraints and updates the maps.

If we do not need these procedures to be called from a note, which I assume is not the case, we could reduce complexity by a lot by removing these procedures and setting AUTH_ARGS to the hash of the following data:

[delay_action, CANCEL_TX_SUMMARY_COMMITIMENT, PROPOSE_TX_SUMMARY_COMMITIMENT, SALT]

where delay_action is one of {execute, propose, cancel}. We then dispatch based on delay_action.

That way, we could handle all logic in one flow within the auth procedure rather than splitting it across a pre-auth and a post-auth phase, and avoid having three temporary storage slots.

Whether the user of the multisig constructs a tx script and calls these APIs or whether they construct AUTH_ARGS in the above way should be essentially equivalent.

Any thoughts? Would this work?

[onurinanc]

If we do not need these procedures to be called from a note, which I assume is not the case, we could reduce complexity by a lot by removing these procedures and setting AUTH_ARGS to the hash of the following data:

I was thinking that we might somehow extend delayed execution logic into note-based auth, however, as I explore more about this I've seen that it's not possible to use the same logic as this design requires num_signatures, and this is not the case for owner controlled and rbac.

So, although I believe the current design is easier to read, your proposed way of constructing AUTH_ARGS reduces the complexity, and API calls are easier to use. So, it seems it is better to switch to your proposed design.

[PhilippGackstatter]

Since this is a bigger refactor, I'd wait for @bobbinth or @mmagician's input before executing on this.