Folks, I wanted to separate rewards that come from the active stake of the owner from the pool rewards (i.e. 340 + 1%). There is a separate pool-reward-account-verification-key that doesn’t need to get witnessed. Currently the owner rewards are redirected to the pool reward stake address. I do this in preparation for Alonzo when I want to have the pool rewards paid to a Plutus contract.
I moved some funds from Ledger to a new wallet. Then, back to a new Ledger account. The network should not know that both owner stake addresses as well as the pool reward address are all secured by the same HW wallet.
Remember, I don’t have payment/stake keys generated by cardano-cli that could get compromised when moving around to sign stuff. Every account that holds more funds than I’m happy to lose is secured by a HW device.
A signed Tx is the aggregate of the output from everyone who witnessed the Tx. Most folks don’t have multiple independent parties that need to witness, so they can use cardano-cli transaction sign. Much worse, they hold the signing key from multiple parties and still use cardano-cli transaction sign with multiple secret keys that they control as a single entity.
With the process above (i.e. independent witness+aggregate) I could email the raw Tx around the globe and ask everyone to “witness” the config change independently - I don’t need to have their signing keys.
It is by design that owner(s) and operator should have sufficient trust between them to run a pool. Otherwise, if owner rewards were paid directly into their account, there would be a marketplace for pledge providers.
And even like this, it seems it has happened to some extent.
Interesting, thanks for sharing. I’m not yet sure that I can follow the logic, though. The spec says:
collaborating to form a stake pool should require significant trust between the owners. Otherwise, everyone could choose to become a co-owner of a stake pool instead of delegating, which would render the mechanism of pledging stake ineffective.
How does the conclusion follow from the premise? How would pledging become ineffective if everybody could do it instead of delegating?
The rationale for the existence of pledge is protection from Sybil attacks.
The rewards that a stake pool gets depend on a pledge of funds that the stake pool owner(s) provide. This adds a cost to creating a competitive stake pool, and protects against Sybil attacks on the stake pool level
Thus the concern seems to be that Sybil protection would somehow stop working if people could cooperate on raising pledge without also trusting each other. So the protection against this type of attack is trust?
I’m sorry, I don’t get it. Surely missing something very obvious. What is it?