Switch to `AuthRpoFalcon512Acl` to allow anyone to burn assets

[mmagician]

Our faucet currently uses the vanilla version of the auth procedure.
We should switch to AuthRpoFalcon512Acl so that we allow anyone to burn assets without authorization from the faucet creator.
In fact, why not just use the create_basic_fungible_faucet helper from miden-base which handles it already?

See 0xMiden/protocol#1806 (comment) for context

[igamigo]

I think this would work, but you'd have to be careful to retry minting transactions correctly because once you open this up, a potential DDoS appears where users insert a lot of burn transactions which change the state of the account and invalidate any ongoing transaction proofs.

[bobbinth]

Yes, I think the main challenge the "hybrid" approach I've been mentioning offline and in some other comments is avoiding state contention. We actually don't want anyone to execute transactions against the faucet as long as the faucet is managed but the faucet app (otherwise as @igamigo said, one user executing a transaction against the faucet would invalidate all other in-flight transaction being built by other users).

If the faucet is managed either by the network or by some set of owners, then we can have a "time-sharing" approach. For example, we could say that out of every 64 blocks, the last 8 are "reserved" for network transactions, and the first 56 are reserved for "owner" transactions. Then, the mint requests could be processed as they are now (i.e., local execution), but "burn" notes sent to the faucet would get processed automatically by the network with some small time delay.

[mmagician]

a potential DDoS appears where users insert a lot of burn transactions which change the state of the account and invalidate any ongoing transaction proofs.

Right, that's a good point and I haven't thought about. So for now, I don't really see a way around this, and we simply don't allow users to burn assets? (I think a hybrid approach would take a while to implement).

This is going to be a problem for all other faucets which are managed by non-network accounts (e.g. where the owner is a multisig as mentioned here). I wonder whether we should change the default settings for the procedures that trigger authentication and require that all procedures trigger it.

In a production setting, we're likely not going to have "free faucets", so random users aren't going to request tokens all the time. Usually an initial amount of tokens is minted, after which there is some minting schedule (assuming inflationary tokens). Depending on the mint frequency, we could encounter the same problem as here, but I don't think this would be a huge issue if token rewards are created e.g. once per day.

Now, I don't expect the exact same code we have to be used for such production scenarios, but since we ship it as out-of-the-box faucet, it should provide reasonable working defaults (and currently it serves neither our needs nor future prod needs).

[bobbinth]

I'm thinking of this faucet as a "testnet" faucet - so, not too worried about the fact that the "burn" procedure is not really useful right now.

But we do need to think through how this will work in the production setting, and more immediately, how AggLayer-based faucets would work.

I agree that the hybrid approach is some time off. The alternative that should work for all other faucets except for the native faucet is note-based authentication (i.e., when certain procedures can be invoked only by notes coming from certain senders).

So, I think we have 3 design alternatives (maybe more):

1. A local faucet updatable only by its owners. This is kind of what we have in this repo. In this context, a burn procedure that doesn't require authentication may still be useful for efficiency purposes - but users can't call it directly.
2. A network faucet with note-based authentication. This is how I imagine AggLayer faucets could work. Basically, it is a network account where users could directly call burn or mint (assuming they provide the required proof), but also, there is a set of owners that can make privileged updates (via notes).
3. A hybrid faucet where some transactions can be executed directly by the owners and other transactions could be executed by the network. This is how I think the native faucet could work in the production setting (though, maybe there are other alternative to this as well).

[mmagician]

a burn procedure that doesn't require authentication may still be useful for efficiency purposes - but users can't call it directly.

AFAIU, you're proposing to invoke a procedure by the owner without authentication. I believe this is not a mechanism we can support today. We can either:

• restrict that caller = owner by checking their signature
• allow anyone to call burn

I don't really see a way to verify ownership while skipping the authentication, but I might be missing something.

---

The alternative that should work for all other faucets except for the native faucet is note-based authentication

Agreed that for our native faucet we can't have note-based authentication because of the fees (without some paymaster, at least).
For AggLayer contracts, it probably makes sense to have a network account with note-based authentication (I still need to dive deeper there, though).

For all other faucets in production, mint would only ever be callable by the owner anyway (can be done by "direct" procedure calls, or by sending notes). So the question is how to enable burn by anyone, without opening a door to a DoS attack as @igamigo wrote.

Local faucet

• burn only callable by the owner (or by anyone with a possible DoS attack), effectively preventing any sort of burn.

Local faucet with note-based authentication

• a burn note can be created by anyone. It won't be consumed until one of the owners decides to consume the burn note(s). It does introduce an extra trust assumption that the owner consumes all pending burn notes.

Network faucet with note-based authentication

• anyone can submit a burn note ( == permissionless)
• only owners can submit a valid mint note
• more load on the network (provers)

Assuming we don't have hybrid accounts in the foreseeable future, I agree that production faucets should be network accounts with note-based authentication. One extra advantage is that the faucet configuration doesn't care whether the owner is a multisig or not - that distinction is made at the note creation level.
Let's discuss in the next sync whether we can squeeze in hybrid accounts within the next few releases - else I'll create an appropriate issue in miden-base for faucets with note-based auth.

[bobbinth]

AFAIU, you're proposing to invoke a procedure by the owner without authentication. I believe this is not a mechanism we can support today. We can either:

• restrict that caller = owner by checking their signature
• allow anyone to call burn

I don't really see a way to verify ownership while skipping the authentication, but I might be missing something.

Ah yes - you are correct! With the public state we can't do it. I think I was thinking more about the situation where account state is private - but that has some nuances as well.

For AggLayer contracts, it probably makes sense to have a network account with note-based authentication (I still need to dive deeper there, though).

For all other faucets in production, mint would only ever be callable by the owner anyway (can be done by "direct" procedure calls, or by sending notes). So the question is how to enable burn by anyone, without opening a door to a DoS attack as @igamigo wrote.

Just to clarify - by note-based authentication i mean something like this:

• One of the storage slot of the faucet stores account ID of the owner.
• When mint is called, we check if note.sender == owner, and if so, proceed with the mint request. This can be applied to other procedures as well.
• burn does not check the note's sender against the owner - and so, burn notes can be issued by any user.

All the notes (both for minting, burning, and otherwise) are applied to the account by the network (i.e., in network transactions). So, there should be no DoS attack vector here.

Local faucet

• burn only callable by the owner (or by anyone with a possible DoS attack), effectively preventing any sort of burn.

I think burn being callable only by the owner in this setting makes sense. But why would this prevent anyone from using burn notes? Basically, people (and apps) would still be able to send burn notes to the faucet, it is just that the owner would need to apply them.

Local faucet with note-based authentication

• a burn note can be created by anyone. It won't be consumed until one of the owners decides to consume the burn note(s). It does introduce an extra trust assumption that the owner consumes all pending burn notes.

I think we are using different terminology here. In my mind, "note-based authentication" is only relevant for network accounts. What you are describing here is what I described in the previous point (I think) - which is relevant for "local faucet".

[mmagician]

I think we are using different terminology here. In my mind, "note-based authentication" is only relevant for network accounts. What you are describing here is what I described in the previous point (I think) - which is relevant for "local faucet".

I think we're indeed using different terminology here :) I was perhaps not clear with making the distinction between "tx-script-based" local faucets (a tx script which calls an account procedure, but no notes), and "note-based" local faucets (similar, but to call an account procedure we need to produce a note first).
Our current faucet is of the former type.

I think with this distinction my previous description should make more sense, lmk if that's not the case.

[mmagician]

When thinking about the genesis config, I found myself revisiting this issue and thinking about what type of a faucet should be used as our native faucet. This becomes especially relevant when we have fees.

I think we have two broad options:

1. BasicFungibleFaucet

• no explicit external "owner", since this faucet has a pubkey
• specified via account at genesis (likely a multisig)
• to mint assets, the account must make a transaction and pay fees
• in theory, new (native) assets are minted, part of which could be used to pay the fees, but...
• with the current faucet::distribute impl., during minting, no assets ever enter the owner's vault
  • so we can't subtract the fee from the native's account vault

A. Pre-funded account

• at genesis, pre-fund the account
• this means the BasicFungibleFaucet holds its own assets (is this even possible? I think it should be, since we could just specify the vault contents programmatically)

B. Modify BasicFungibleFaucet -> SelfPayingBasicFungibleFaucet

• instead of distributing purely to the target, additionally mint a small amount to own vault
• then the account has enough to cover the fee

2. NetworkFungibleFaucet

• the owner (any separate account, likely a multisig) is the only one allowed to mint. It would be specified as an account at genesis
• assets are minted by the network faucet consuming a MINT note
• to create the MINT note, the owner must pay a fee
• so the owner MUST be pre-funded
• to consume the MINT note, the network faucet must also pay a fee
  • either the native faucet is pre-funded with its own tokens (would this work? Same question as 1.A ), or
  • we have a MINT-S (sponsored) note carrying the fee

I'm not a fan of 1.B at it creates another standard, which leaves us with 1.A and 2 - so unless I missed something, the "owner" (whether the faucet itself, or an external owner) must be pre-funded at genesis. At this point, the difference between the two approaches comes down to:

• do we want local proving or ntx builder proving for minting the native asset?
• do we want to dogfood our proposal to process notes by network accounts (MINT-S -like)?

[bobbinth]

I'm not a fan of 1.B at it creates another standard, which leaves us with 1.A and 2 - so unless I missed something, the "owner" (whether the faucet itself, or an external owner) must be pre-funded at genesis.

I agree with this - though, in the longer term, the native faucet would have functionality that is very different from other faucets. For example, once we have some kind of reward mechanisms (e.g., validator rewards), we'd need to come up with a way to issue assets from the native faucet according to some protocol-level rules. We may even end up interpreting the block kernel as a transaction performed against the native faucet.

This is not something we need to worry about now - so, the options you outlined work. Among these options, I'm leaning towards the network faucet with a pre-funded owner. Though, I haven't thought this through too deeply yet.

[mmagician]

I'm leaning towards the network faucet with a pre-funded owner.

Same here, mostly for the reason of dogfooding - it would force us to nail down the mechanism of network faucets paying their transaction fees.
In the light of this, a follow-up to 0xMiden/node#1429 would involve changing the native faucet to be of type network fungible faucet, but I wouldn't do it just yet (maybe after fees are turned on)