A First Solution to the Refund Problem #9303

Open
2 of 4 tasks
jakmeier opened this issue Jul 14, 2023 · 0 comments
Labels
C-tracking-issue Category: a tracking issue

jakmeier commented Jul 14, 2023

Refund Problem: When a business creates the NEAR Protocol user accounts for their customers, they open themselves up to a faucet-draining attack where an attacker can steal some of the tokens in the faucet. That's because a user can delete the created account and send the tokens reserved for the storage of the account to any account they want. The amount is maybe only worth a few cents, but it can be repeated for free.

Goal: Make it possible to create users without giving the public the chance to steal the tokens in the faucet that pays for the new users.

Note that a faucet can always be drained by the public, if it is completely free to create accounts through the faucet. We just want to make sure the attacker can't have any financial benefits on their side from draining the faucet, i.e. they can steal what's in the faucet.

Step 1: Zero balance accounts (DONE)

Accounts with less than 770 bytes of storage no longer require storage staking.
This has already shipped and is in use today.

Step 2: Allow smart contracts in free accounts (STARTED)

Smart contract functionality should be available to accounts created through a non-exploitable faucet.
