Enforce pre-prepared transactions

israellevin

Hey guys, I'm working on a project which is now moving in from Ethereum, and I'm trying to construct some sort of smart contract, but I'm not sure it's doable in Stellar. Basically, my situation is as follows: Alice asks for a service to be provided by Bob, but the only person who can confirm the service was provided is Carl. So Alice sends her payment to an escrow account (after Bob signs a time-locked refund transaction, much like this escrow example: https://www.stellar.org/developers/guides/walkthroughs/stellar-smart-contracts.html#2-party-multisignature-escrow-account-with-time-lock-recovery ), and if Bob manages to provide the service in time he can ask Carl to co-sign a transaction that releases the funds to Bob's private account, thus completing the payment.

However, sometimes Bob wants to promise Betty, another service provider, a cut from this escrowed payment in return for completing the service. And Betty may promise some of her cut to a third service provider, who may offer some of his cut to a fourth, eventually forming a whole chain of providers between which the escrowed payment is eventually divided (when Carl confirms).

One way of doing this in Stellar is for Bob to provide Betty with a half-signed transaction moving some of the payment from the escrow to Bob himself and some of it to a new escrow account controlled by Betty. If she wishes to bring in another provider she gives him a copy of that transaction along with a new half-signed transaction dividing the payment further, and so on.

This has one clear weakness: since the tokens do not (and can not) leave the first escrow account until Carl's confirmation, it is always possible for the signers of that account to spend the payment, thus invalidating all the other "division-of-payment" transactions.

We started thinking about possible solutions to this problem. Perhaps some way to dynamically add service providers as signers to the account (but is it possible to sign a transaction that adds a signer before the pubkey of that signer is known? Probably not), or even issuing a new asset type for every division, and use trust to make certain it can only be spent as originally intended.

The thing we are really after is a way to ensure that the tokens in an account can only be spent by one of two possible transactions. Is there a clean, canonical way to achieve this?

dzham

israellevin The thing we are really after is a way to ensure that the tokens in an account can only be spent by one of two possible transactions. Is there a clean, canonical way to achieve this?

There is.

You use something called pre-authorized transactions.

How is basically works is that you generate a transaction that you want to submit sometime in the future, and you tell the network that once/if-ever a transaction hash matching that transaction is submitted, consider it signed by you already,

If you want to limit it to two specific transactions, one-or-the-other, generate the transactions using the same sequence number, and then lock down the account so nothing else can be executed (usually by changing signature weights, or signing thresholds)

Your pre-authorized transactions would restore the account, and then go on with their respective business.

israellevin

Wow, that's exactly what I was after! Thank you so much. I'll go implement it ?

For future ref, here is the relevant documentation: https://www.stellar.org/developers/guides/concepts/multi-sig.html#pre-authorized-transaction