Authority timelock #3
Conversation
| // Check that the timelock is no longer than 1 year | ||
| if Clock::get()?.unix_timestamp.saturating_add(ONE_YEAR) < timestamp { | ||
| return Err(ErrorCode::TimestampTooLate.into()); | ||
| } |
| /// CHECK: Unchecked new authority, can be a native wallet or a PDA of another program | ||
| pub new_authority: AccountInfo<'info>, | ||
| #[account(seeds = [new_authority.key().as_ref(), timestamp.to_be_bytes().as_ref()], bump)] | ||
| pub escrow_authority: SystemAccount<'info>, |
There was a problem hiding this comment.
let me make sure i follow this correctly: escrow_authority holds one or more authorities on behalf of new_authority.key(), but all of those authorities can only be claimed after timestamp.
i.e., this logic works even if multiple programs are transferred to the same new_authority at the same timestamp
There was a problem hiding this comment.
Yes exactly, you send any number of authorities to the PDA seeded by new_authority and timestamp.
This PDA will only ever sign to send the authorities to new_authority after timestamp.
| pub struct Commit<'info> { | ||
| pub current_authority: Signer<'info>, | ||
| /// CHECK: Unchecked new authority, can be a native wallet or a PDA of another program | ||
| pub new_authority: AccountInfo<'info>, |
There was a problem hiding this comment.
we have to be super careful about setting this key correctly right?
There was a problem hiding this comment.
(i'm not sure if there's anything better we can do here, since it's not like we can sign as the governance authority anyway)
There was a problem hiding this comment.
Yes, I have a strategy
guibescos
force-pushed
the
authority-timelock
branch
from
30a06fa to
d461e45
Compare
This program implements a timelock for upgrade authorities.
The
current_authoritytransfers the authority to a PDA of thenew_authorityand thetimestampat which the transfer can happen. The PDA will only sign authority transfer tonew_authorityafter thetimestamp.