Pure Proxy Accounts
Anonymous Proxy (Pure Proxy)
THE ACCOUNT TAB IN THE POLKADOT-JS UI CANNOT HANDLE COMPLEX PROXY SETUPS
The Accounts Tab in the Polkadot-JS UI cannot handle complex proxy setups (e.g. a proxy -> multisig -> a pure proxy which is part of another multisig). These complex setups must be done using the Extrinsics Tab directly.
We recommend to use the Westend Testnet if you are testing features for the first time. By performing the complex proxy setups on the testnet, you can comfortably replicate the procedure on the main networks.
RISK OF LOSS OF FUNDS
Read carefully the text below and before performing any action using anonymous proxies on Polkadot, experiment on the Westend testnet.
Anonymous proxies (pure proxies) are very different from other proxy types. The proxies we described so far are existing accounts assigned as proxies by a primary account. These proxies act on behalf of the primary account, reducing the exposure of the primary account's private key. Remember, the more often we use an account's private key to sign transactions, the more we expose that key to the internet, increasing the visibility of that account. The purpose of a proxy is thus to draw the attention of potential attackers away from the primary account, as proxies' private keys will be used most of the time to perform actions on behalf of the primary account.
Anonymous proxies (pure proxies) are new accounts that are created (not assigned) by a primary account. That primary account then acts as any proxy on behalf of the anonymous proxy. Anonymous proxies are keyless non-deterministic accounts as they do not have a private key but they have an address that is randomly generated. Also, in some sense, nobody owns an anonymous proxy as nobody has a private key to control them.
RENAMING ANONYMOUS PROXIES AS PURE PROXIES
Anonymous proxies are not anonymous because they have an address that is spawned by a primary account acting as any proxy. Even if the any proxy changes, it is still possible to find who generated the anonymous proxy by going backward using a block explorer. There was thus the need to change the name of anonymous proxy. People suggested keyless accounts since they do not have a private key and are proxied accounts. However, multisig accounts are also keyless (but deterministic). Moreover, even if anonymous proxies are proxied accounts, they can still act as proxies and control other accounts via proxy calls (see multisig example below). Thus, the name that has been chosen is pure proxy. If you want to know more about the reasoning behind renaming of pure proxies, see the discussion in this PR or the discussion on Polkadot forum.
From now on we will thus use the term pure proxy instead of anonymous proxy.
Create and Remove Pure Proxy
INFO
To create a pure proxy see this support article, or watch this technical explainer video.
REMOVING PURE PROXIES
The procedure for removing a pure proxy is different from the one used to remove other proxies. Visit the section "Removing an Anonymous Proxy" on this support article, or watch this technical explainer video.
EXPLAINER VIDEO ON PURE PROXIES
Learn more about pure proxies from our technical explainer video.
Use of Pure Proxy
The use of the pure proxy is strictly bound to the relationship between the pure proxy and the any proxy. Note that the any proxy does not necessarily be the one who created the pure proxy in the first place. Hence, pure proxies are not really owned by somebody, but they can be controlled. Once that relationship between the pure proxy and its any proxy is broken, the pure proxy will be inaccessible (even if visible on the Polkadot-JS UI). Also, pure proxies are non-deterministic, meaning that if we lose one pure proxy, the next one we create from the same primary account will have a different address.
Pure proxies cannot sign anything because they do not have private keys. However, although they do not have private keys and cannot sign any transaction directly, they can act as proxies (or better, proxy channels) within proxy.proxy calls (proxy calls). For example, it is possible to have pure proxies within a multisig. Using proxy calls, it is possible to use the any proxy to call the pure proxy, which in turn will do a multisig call. More about this later on.
DANGER
Once you remove the relationship with any proxy, the pure proxy will be inaccessible. Also, pure proxies cannot sign for anything.
Why Pure Proxy?
Despite their complexity and associated dangers, pure proxies have important benefits that we discuss below.
Enhanced Security
Pure proxies cannot be stolen because they do not have private keys. The only accounts that have full access to the pure proxies are any proxies. Security can be further increased if the any proxy is a multi-signature account.
Simplified and Secure Account Management
WALK-THROUGH TUTORIAL VIDEO OF ACCOUNT MANAGEMENT
You can see this video tutorial that goes through this scenario. The tutorial requires some familiarity with the Extrinsic Tab of the Polkadot-JS UI.
Probably the greatest benefit of using pure proxies is the management of complex account relationships at a corporate level. Let's take for example 3 accounts belonging to Charlie, Dan and Eleanor working for Company X. Charlie holds funds belonging to Company X, but he wants to leave the company and transfer the economic responsibility to Eleanor. Dan is a staking proxy of Charlie.
Without Pure Proxy, Charlie must (see left side of the Figure below):
Remove Dan as a staking proxy, this step requires 1 signature
Stop nominating and unbound all funds , this step requires 2 signatures
Transfer the funds to Eleanor, this step requires 1 signature
Then Eleanor adds Dan as a staking proxy (1 signature). The whole process requires 5 signatures. Here we are presenting a simple example, in fact, with multi-signature accounts and multiple proxies the procedure would be more time-consuming and labor-intensive.
With Pure Proxy (see right side of the Figure above), Charlie must add Eleanor as any proxy of the pure proxy, and remove himself (or Eleanor can remove him). The process requires just 2 signatures (1 signature to add the new any proxy and 1 signature the remove the old one). The funds remain in the pure proxy, and it is not necessary to stop nominating or unbond funds. Also, any proxy relationships with the pure proxy stay in place. Thus, if we use the pure proxy, with an increasing number of proxies we will always have to sign twice (not necessarily true in multi-signature accounts). While if we are not using the pure proxy, the more the proxies the more signatures we need to detach them from the old stash and attach them to the new stash (see Figure below).
Multi-signature Account Management
Pure proxies are useful to efficiently manage multi-signature (multisig) accounts. In fact, multi-signature accounts are deterministic, which means that once a multisig is created the signatories cannot be changed. If one of the signatories wants to leave the multisig, a new multisig must be created. This is inconvenient, especially at corporate-level management where the chance of replacing someone within a multisig can be high. Pure proxies allow keeping the same multisig when the signatories change.
Scenario One: One Anonymous Proxy within a Multisig
WALK-THROUGH TUTORIAL VIDEO
You can see this video tutorial that goes through this scenario. The tutorial requires some familiarity with the Extrinsic Tab of the Polkadot-JS UI.
It is possible to put a pure proxy within a multisig, and then transactions will be signed by the any proxy on behalf of the pure proxy (proxied account). Let's take for example the diagram below. Alice, Bob and Anon are part of the multisig ABC, a multisig account with threshold 2. P-C is a pure proxy spawned by Charlie, who now acts as any proxy and thus signs anything on behalf of P-C. The pure proxy cannot sign directly because it does not have a private key. So, for example, to send funds from the multisig to Dan, Charly needs to submit a proxy.proxy extrinsic to P-C, which in turn will submit a multisig.asMulti extrinsic to ABC containing the call data for the balances.transferKeepAlive extrinsic about the transfer of some funds from ABC to Dan. Alice can then approve the transfer by submitting a multisig.asMulti extrinsic also containing the call data for the balances.transferKeepAlive extrinsic about the transfer of some funds from ABC to Dan.
If Charly wants to leave the multisig, a new any proxy can be added to P-C and Charly can be removed (by himself or by the new any proxy). Note that the multisig also contains Bob that in this specific example does not do anything.
PROXY CALLS
To use a pure proxy within a multisig you need to use the Extrinsic Tab and generate a proxy.proxy extrinsic. If you try to sign a multisig transaction using the pure proxy you will be prompted with a warning. Remember, you cannot sign something directly if you do not have a private key.
Scenario Two: Multisig made of Anonymous Proxies
WALK-THROUGH TUTORIAL VIDEO
You can see this video tutorial that goes through this scenario. The tutorial requires some familiarity with the Extrinsic Tab of the Polkadot-JS UI.
The diagram below shows a multisig that is made only with pure proxies (P-A, P-B and P-C). In this situation Alice, Bob or Charly can leave the multisig at any time without the requirement of creating a new multisig. If for example, Bob leaves the multisig the procedure will require somebody else to be added as any proxy to P-B, and then Bob can remove himself (or the new any proxy can remove Bob).
In the diagram above, Alice submits the proxy.proxy extrinsic to P-A, which in turn submits the multisig.asMulti extrinsic containing the balances.transferKeepAlive extrinsic about the transfer of some tokens from ABC to Dan. Then, Charly does the same to confirm the transaction. Note that Charly will need to pay for some weight, for the computation that is necessary to execute the transaction.
Proxy calls
Proxy calls are used by proxies to call proxied accounts. These calls are important for example in the case of pure proxies, as any attempt to sign transactions with a pure proxy will fail. For more details see the dedicated section about anonymous proxies.
Nested Proxy Calls
As the term suggests, nested proxy calls are proxy calls within proxy calls. Such calls are needed if there are proxied accounts that are proxies themselves. In the example diagram below, Alice has a stash account that has a staking proxy account, P-C. P-C is a pure proxy, a proxied account originally spawned by Charly that is now an any proxy of P-C and signs everything on its behalf.
For example, to bond more funds, Charly needs to submit a prox.proxy extrinsic to P-C, which in turn submits a proxy.proxy extrinsic to Alice including for example a staking.bondExtra extrinsic, specifying the number of extra tokens that need to be bounded. If Charly wants to leave, a new account can take his place as any proxy (before Charly leaves!). There is no need to change the staking proxy account. Also, Alice is the only one who can remove P-C as a staking proxy, and P-C can only perform staking-related tasks. For example, P-C cannot send funds out from Alice's account.
Proxy calls can be done using the Extrinsic Tab in the Polkadot-JS UI. Nested proxy calls can be done by calling each proxy.proxy extrinsic separately, or in some cases by just calling the last proxy.proxy extrinsic. In the diagram above, submitting the proxy call from P-C to Alice will automatically ask for Charly's signature. Thus one proxy call will trigger the second one because Charly's is the only any proxy of P-C, and P-C cannot sign anything. While if we want to use Bob's account we will need to submit all three proxy calls.
Last updated
