Substrate (Polkadot) Vault Design
Polkadot features some nice primitive operations that can be composed to build our vaults:
- Pure Proxy Accounts: these are accounts that have no matching private key and therefore no direct controller. Instead, they are controlled by a 'delegate'. The delegate has full control over the account including transfer of funds and, importantly, even adding removing new proxies.
- Derivative Accounts: these are accounts that are derived from a single root account and uniquely identified by a simple number. This is roughly analagous to how HD Wallets derive multiple addresses.
- Batch Calls: multiple operations can be batched together in a single atomic operation that either succeeds or fails in its entirety.
Additionally, Polkadot's cryptography support native schnorr signatures. This allows the network to generate a key and threshold-sign Polkadot transactions.
With these building blocks in mind, our Vaults are designed as follows:
- The Vault is a pure proxy account, meaning it can't be controlled directly.
- The controller of the Vault is an ephemeral key, known as the AggKey, generated jointly by all validators during each Keygen Ceremony.
- Deposit addresses are Derivative Accounts of the Vault address.
- At any moment the network can use the AggKey to authorise DOT transfers from any deposit address. We use this to sweep deposited funds from deposit addresses into the Vault.
- Similarly, the network can authorise transfers out of the Vault, to destination addresses.
- During a Vault rotation, the network generates a new AggKey and the old AggKey is used to create a Batch Call containing three instructions:
- Add the new AggKey as a controller of the Vault.
- Transfer any funds from the old AggKey to the new AggKey.
- Remove the old AggKey from the list of controllers.