I am in the process of setting up a pool that has multiple owners. The operator will not have control over the signing key of the other owners.
Now I am running into the issue that in order to sign the Pool registration-certificate, it MUST be signed by all owners.
Failing to include the owner’s skey gives an error with “MissingVKeyWitnessesUTXOW”. At least, this is my assumption based on the specs: https://hydra.iohk.io/build/902246/download/1/delegation_design_spec.pdf#subsubsection.3.4.4
- Am I correct that I need the signingKey of all the owners ?
- What is the best way to get this transaction signed with signingKeys I have no control over?
- Or should I just ask the other owners for the signingKey? (I have no idea yet what the abuse potential is of having a signingKey of someone else)
- Or is there a way to sign a transaction in multiple steps? (send the transaction to the other owners to be signed).
Thanks in advance!
Yes, you will need to sign the transaction with all stake skeys
I believe each owner can sign the transaction individually, but I have not attempted this. Worst case, I personally see no real danger in requesting the owner to provide their stake keys. From an adversarial perspective, the worst you could do as a malicious actor is either un-delegate their stake or re-delegate to another pool, either of which would tank your pool pledge. You as the operator with the pool cold keys could disrupt the pool regardless, so therefore I don’t see an issue.
As long as the other owner does not share payment address keys, those funds will be safe.
Just tried it and basically signed the transaction with two stake.skeys where Bob and Alice contribute to pledge:
cardano-cli shelley transaction sign
Hey Frog, how do you create multiple keys for multiple pool owners? Creating multiple keys seems simple enough but how do you associate these multiple keys to my one pool?
I am using coincashew and it provides no guidance on this topic. Thanks in advance.
How did you go about partially signing the registration? I am in a similar situation but won't be able to get access to the pledge’s payment signing key (so I cannot abuse the funds).
you don’t need the pledge payment signing key - any arbitrary payment address can be used to pay the transaction fees / deposits associated with submitting the transaction
first - simply create multiple address keys with different names
1 rewards.skey, rewards.vkey, rewards.addr
2 pledge1.skey, pledge1.vkey, pledge1.addr
3 pledge2.skey, pledge2.vkey, pledge2.addr
Make sure to register each stake address as well as create delegation certs for each stake address
Pool registration params will look something like this:
--pool-reward-account-verification-key-file ~/path/to/rewards.vkey \
--pool-owner-stake-verification-key-file ~/path/to/pledge1.vkey \
--pool-owner-stake-verification-key-file ~/path/to/pledge2.vkey \
And of course, do not forget to sign the tx with as many secret keys as addresses involved.
Thanks for your reply frog
I hadn’t thought about another payment address, but what can be done about the stake.skey? Is it critical that this key is cold?
While it’s not best practice to throw stake keys around, the worst a malicious actor could really do is re-delegate your stake (or unregister your stake address) without your permission - meaning you would simply need to move the funds to a new address (hence a new stake key). This could harm the pool, but I don’t see many cases where you would trash your own operation by re-delegating your partners’ stake keys. If you were to run off and create a separate pool using them, all the other party would need to do is send the funds to a new address, which would effectively make the stake keys useless.
With that being said, you can sign in counterparts using witnesses assuming the other party is sophisticated enough to use the cli. I don’t have an example offhand but I’m sure I could dig something up if that’s the route you want to go.
Let me know - I will have some time tomorrow to help
Your friend, FROG
And withdraw your rewards if any
Thanks for the explanation, that helps a lot.
If you don’t mind, an example of using a witness would be great, thanks. I can't seem to find many resources online explaining this process, so learning how to do so would be super helpful regardless.
Yep - but only if the relevant stake address correlates the rewards address registered for the pool. This would not be the case with a pledge (owner address) that is different than the registered rewards address.
But absolutely true otherwise for a regular delegated stake address (non-pool owner address)
This is interesting. By multiple keys (rewards, pledge1, pledge2), you really mean multiple pairs (stake+payment) of keys, right?
In other words, what you are suggesting is that we create the following 3 pairs of keys:
- SPO - rewards-stake.skey, rewards-stake.vkey, rewards-payment.skey, rewards-payment.vkey
- owner 1 - pledge1-stake.skey, pledge1-stake.vkey, pledge1-payment.skey, pledge1-payment.vkey
- owner 2 - pledge2-stake.skey, pledge2-stake.vkey, pledge2-payment.skey, pledge2-payment.vkey
Can you or anyone verify my following understanding is also correct:
Each owner would need to create a delegation cert and register it on chain
- owner1 : node.vkey + pledge1-stake.vkey → deleg1.cert
- owner2 : node.vkey + pledge2-stake.vkey → deleg2.cert
When SPO creates the pool.cert, we need following parameters
--pool-owner-stake-verification-key-file ~/path/to/pledge2-stake.vkey \
When the SPO builds the transaction to register the pool, it would need all the delegation certs as well as the pool.cert
--certificate-file deleg2.cert \
When the SPO signs the transaction to register the pool, it would use the following parameters (assuming the transaction fee and deposit come from the rewards account)
--signing-key-file pledge2-stake.skey \
Individual owners would fund to their own pledge payment account.
All rewards would go to the rewards-payment account. The SPO would have to divide it up and distribute it to the owners.
In the above scenario, SPO can be one of the owners or be different from any one of them.
Also note that in the above scenario the SPO needs to share node.vkey with the owners, and the owners need to share pledge-stake.vkey and pledge-stake.skey with the SPO.
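The key/cert layout frog outlined and the recap above, carried through to a signed registration without any owner ever handing over a stake.skey. This is an added example, not code from the thread or from IOHK: each party witnesses the same unsigned tx body with the key they hold (`cardano-cli transaction witness`), and the operator collects the witness files and assembles them (`cardano-cli transaction assemble`) instead of running `transaction sign` with every skey in one place. Assumed, and not from the thread: cardano-cli 1.2x without the old `shelley` prefix (`--ttl` instead of `--invalid-hereafter` on pre-Allegra builds), the public testnet magic, the placeholder pledge/cost/margin values, and the file names `node.vkey`/`node.skey`, `vrf.vkey`, `rewards-stake.vkey`, `payment.skey` and `pledge1`/`pledge2`. The pre-flight `missing_witnesses` check is a convenience added here; the ledger error you get without it is the `MissingVKeyWitnessesUTXOW` mentioned at the top of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): multi-owner pool registration signed in
# counterparts. Every party witnesses the same tx.raw separately; the operator
# assembles the witnesses and submits. Assumptions: cardano-cli 1.2x without the
# "shelley" prefix, the public testnet magic below, and the thread's file names.
set -eu

NET="${NET:---testnet-magic 1097911063}"   # NET="--mainnet" for mainnet
OWNERS="${OWNERS:-pledge1 pledge2}"        # one stake key pair per owner

# Step 1 (run by EACH owner on their own machine; only the .vkey is shared with
# the operator): stake key pair, stake registration cert, delegation cert.
owner_prepare() {                          # owner_prepare <name>
  cardano-cli stake-address key-gen \
    --verification-key-file "$1-stake.vkey" --signing-key-file "$1-stake.skey"
  cardano-cli stake-address registration-certificate \
    --stake-verification-key-file "$1-stake.vkey" --out-file "$1-reg.cert"
  cardano-cli stake-address delegation-certificate \
    --stake-verification-key-file "$1-stake.vkey" \
    --cold-verification-key-file node.vkey --out-file "$1-deleg.cert"
}

# One --pool-owner-stake-verification-key-file per owner (reward account is separate).
owner_flags() {                            # owner_flags <name>...
  for o in "$@"; do printf '%s %s\n' --pool-owner-stake-verification-key-file "$o-stake.vkey"; done
}

cert_flags() {                             # cert_flags <name>...  (every owner's deleg cert)
  for o in "$@"; do printf '%s %s\n' --certificate-file "$o-deleg.cert"; done
}

# Step 2 (operator): pool cert naming every owner, then the UNSIGNED tx body.
# Pledge/cost/margin are placeholders; --tx-in/--tx-out come from the fee payer's wallet.
build_body() {                             # build_body <txin> <change-addr> <change-lovelace> <ttl> <fee>
  cardano-cli stake-pool registration-certificate \
    --cold-verification-key-file node.vkey --vrf-verification-key-file vrf.vkey \
    --pool-pledge 100000000000 --pool-cost 340000000 --pool-margin 0.05 \
    --pool-reward-account-verification-key-file rewards-stake.vkey \
    $(owner_flags $OWNERS) $NET --out-file pool.cert
  cardano-cli transaction build-raw \
    --tx-in "$1" --tx-out "$2+$3" --invalid-hereafter "$4" --fee "$5" \
    --certificate-file pool.cert $(cert_flags $OWNERS) --out-file tx.raw
}

# Step 3 (each key holder, on their own machine): witness tx.raw with the key they hold.
#   operator : payment.skey (pays fee/deposit) -> payer.witness, node.skey (pool cert) -> node.witness
#   owner N  : pledgeN-stake.skey (pool cert owner + deleg cert)  -> pledgeN.witness
# rewards-stake.skey is not needed to register the pool.
make_witness() {                           # make_witness <skey> <out.witness>
  cardano-cli transaction witness --tx-body-file tx.raw \
    --signing-key-file "$1" $NET --out-file "$2"
}

# Witness files the operator must collect before assembling.
required_witnesses() {
  echo payer.witness; echo node.witness
  for o in $OWNERS; do echo "$o.witness"; done
}

# Pre-flight check: print every required witness missing from directory $1,
# exit status 1 if any. Submitting without one fails with MissingVKeyWitnessesUTXOW.
missing_witnesses() {                      # missing_witnesses <witness-dir>
  miss=0
  for w in $(required_witnesses); do
    [ -f "$1/$w" ] || { echo "$w"; miss=1; }
  done
  return "$miss"
}

# Step 4 (operator): assemble all witnesses into the signed tx and submit.
assemble_and_submit() {                    # assemble_and_submit <witness-dir>
  dir=$1
  missing_witnesses "$dir"
  set --
  for w in $(required_witnesses); do set -- "$@" --witness-file "$dir/$w"; done
  cardano-cli transaction assemble --tx-body-file tx.raw "$@" --out-file tx.signed
  cardano-cli transaction submit --tx-file tx.signed $NET
}

# Usage (operator), once every party has returned their witness file into ./witnesses:
#   . ./multi_owner.sh; build_body <txin> <change-addr> <lovelace> <ttl> <fee>
#   assemble_and_submit ./witnesses
```

Note the trust boundary this gives you: an owner only ever releases their stake.vkey and a witness over one specific tx body, so the operator cannot later re-delegate or deregister that owner's stake with it, which is exactly the abuse potential the earlier posts discuss when the stake.skey itself is handed over.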
Step 4 > You need to sign with the --signing-key-file rewards-payment.skey only if it is the wallet that pays for the tx fees. Otherwise, any other funded wallet paying for the tx fees will be fine as well.
Thanks. For step 4, do we need rewards-stake.skey to sign as well?
No. It is not required for pool registration.
Interesting. I guess the rationale is that no stakeholder authorization is needed for receiving rewards!
Thanks. I’m going to try out the process outlined with testnet and maybe update everyone here later.
I have verified the above scheme works. I managed to update my existing single-owner pool with 2 owners and a separate SPO account. You can find my test pool at Cardano PoolTool - The most comprehensive staking statistics for Cardano on the web.
In this process I also created a diagram to illustrate the relationship among all keys, certs and processes. Hope it helps. I will probably write a blog to flesh it out.
Also another thing that is probably worth sharing
- I used Daedalus wallet to create 2 accounts. One is delegated to some random pool, while the 2nd one is not.
- I used extraction tool to extract stake key and payment key from those 2 accounts and used them as the 2 owners
- it turns out I only need to register stake addr for the 2nd account. No need for the first account since it was already registered by Daedalus when I delegated it out for the first time.
I have a couple more questions regarding this 2-owner setup. Hopefully someone can help out
- is rewards account balance counted towards pledge? (probably no since we did not make it as one of the owner account)
- is rewards account balance counted towards pool live stake?
- I managed to re-delegate one of the owner accounts to another pool, which seems crazy to me. Is an owner account allowed to be re-delegated to some other pool? If so, what is the status of the original pool?