Super User Account

Summary

With the advancement of the Cadence language and the Flow blockchain, I think there is a need to separate AuthAccount into two (maybe more) security levels. The inspiration comes from operating-system security (sudo in the Linux world and the Administrator account on Windows).

Before writing a FLIP, I would like to get some community feedback.

Basic Idea

The basic idea is to move some dangerous operations (such as adding/removing public keys, deploying a contract, deleting a contract, getting an AuthAccount capability, etc.) from AuthAccount to a new SuperAuthAccount type.

For example, the transaction below would fail, because adding a key is no longer available on a plain AuthAccount:

transaction(publicKey: [UInt8]) {
    prepare(signer: AuthAccount) {
        let key = PublicKey(
            publicKey: publicKey,
            signatureAlgorithm: SignatureAlgorithm.ECDSA_P256
        )
        signer.keys.add(
            publicKey: key,
            hashAlgorithm: HashAlgorithm.SHA3_256,
            weight: 10.0
        )
    }
}

Instead, it would have to be written with the super-user signer:

transaction(publicKey: [UInt8]) {
    prepare(signer: SuperAuthAccount) {
        let key = PublicKey(
            publicKey: publicKey,
            signatureAlgorithm: SignatureAlgorithm.ECDSA_P256
        )
        signer.keys.add(
            publicKey: key,
            hashAlgorithm: HashAlgorithm.SHA3_256,
            weight: 10.0
        )
    }
}

For multi-signer scenarios, a transaction can mix SuperAuthAccount and AuthAccount signers, depending on the access each signer needs. It is up to wallets to get approval from users. This way, even if a wallet doesn't support this new feature, it can continue to work as is (by signing as SuperAuthAccount without a warning, which is equivalent to today's behaviour).
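As an added illustration of the mixed-signer case (this is example code written for this discussion, not part of the original post): SuperAuthAccount is the type the proposal suggests and does not exist in Cadence today, and the import addresses are placeholders to be replaced with the network's FungibleToken and FlowToken contract addresses. One signer deploys a contract, which is a privileged operation, while the other only pays a fee from its own vault, which ordinary AuthAccount access covers.

```cadence
// Added example, not from the original post. SuperAuthAccount is the proposed
// type and does not exist in Cadence today. Contract addresses are placeholders
// (0xFUNGIBLETOKENADDRESS / 0xFLOWTOKENADDRESS) for the network's real addresses.
import FungibleToken from 0xFUNGIBLETOKENADDRESS
import FlowToken from 0xFLOWTOKENADDRESS

// Two signers: `owner` deploys a contract (privileged, needs the super-user
// account), `payer` only withdraws a fee (ordinary account access is enough).
// A wallet would show its SuperAuthAccount warning to `owner` only.
transaction(code: [UInt8], fee: UFix64, feeRecipient: Address) {
    prepare(owner: SuperAuthAccount, payer: AuthAccount) {
        // Privileged: under the proposal only SuperAuthAccount exposes contracts.add.
        owner.contracts.add(name: "ExampleContract", code: code)

        // Ordinary: withdrawing from the signer's own vault stays on AuthAccount.
        let vault = payer.borrow<&FlowToken.Vault>(from: /storage/flowTokenVault)
            ?? panic("payer has no FlowToken vault")
        let payment <- vault.withdraw(amount: fee)

        // Deposit to the recipient's public receiver capability.
        let receiver = getAccount(feeRecipient)
            .getCapability(/public/flowTokenReceiver)
            .borrow<&{FungibleToken.Receiver}>()
            ?? panic("recipient has no FlowToken receiver")
        receiver.deposit(from: <-payment)

        // This would be a type error under the proposal: `payer` is only an
        // AuthAccount, so it has no contracts.remove or keys.add member.
        // payer.contracts.remove(name: "ExampleContract")
    }
}
```

The point of the split is visible in the signature line: the transaction itself declares which signer needs elevated access, so a wallet can decide per signer whether to warn or re-authenticate, rather than treating every signature the same way.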

With support from wallet developers, by enabling features like:
- A big warning when a transaction wants to use SuperAuthAccount
- Requiring the user to authenticate again (for example, with a password) before signing

we can prevent some dangerous attacks on users.

Another benefit of this approach is that even if I give someone AuthAccount access through a capability, I can prevent them from updating/deleting contracts on my account or adding/revoking public keys.

Backwards compatibility

Most transactions on the network don't involve these actions, so the impact would be minimal. Some contracts may need to be updated.