Only on Radix: Real Blockchain Account Deletion | The Radix Blog | Radix DLT

The latest update to the Radix Wallet enables what seems like a simple (maybe even boring) feature: deleting an account that you don’t want to use anymore.

That red button hides a surprising truth though: this feature is only possible to do right on Radix, because of the asset-oriented way accounts work on Radix.

So you’re saying deleting an account is somehow hard?

If all you want is to have an account not appear in your wallet anymore, that’s easy. But to properly delete it? That’s hard on a public blockchain.

If a user (who knows nothing about blockchain tech) says they want to delete an account, they will naturally assume that the account practically doesn’t exist anymore, and therefore some things must be true:

  • If anybody tries to interact with it, it won’t work
  • Everybody who knew about it can see that it’s gone and I’m no longer in control of it
  • It’s impossible for me or anybody else to regain control of it
  • Anything that was in it before is lost forever

That kind of proper deletion is quite useful if you truly want to cut ties with an account forever. The problem is that you can’t do any of those things on most blockchains.

Why? Because of how they define accounts and tokens. On these other blockchains, accounts are just simple addresses derived from and controlled forever by a single key, and token ownership is a list of account addresses in different token smart contracts. And that means…

On other networks, you can’t prevent others from depositing to your account. The concept of “depositing tokens” is implemented in other people’s token smart contracts, not in the account, so you literally can’t stop a token smart contract from assigning ownership of its tokens to your account address.

On other networks, you can’t reconfigure an account so everybody knows it can’t be used by anyone. Account addresses are forever tied to the single key, and that key could always be held by somebody, somewhere. That means that you can’t prove that you aren’t in control, the account can still be stolen and used by somebody if they get their hands on the key, and they would still be able to withdraw assets (or do anything else).

Radix fixes this.

Radix accounts, however, aren’t just an address created from a single forever key – they’re native components that have built-in logic. And tokens on Radix aren’t just balances managed in smart contracts – they’re native resources that must follow certain universal rules.

Put those things together and lots of cool things become possible, like decentralized multi-factor account control and recovery, configuration of rules for allowed deposits by third parties, and more.

It also means that an account’s owner can properly “delete” it. Of course things on a public network live forever. But we can reconfigure a Radix account component so that all of the normal user expectations for what “deleting” means are actually fulfilled. Essentially the account exists but is “tombstoned” so that it might as well not exist, and anybody looking at it knows that to be the case.

How does that work?

Deleting an account on Radix is basically just a matter of a single clever transaction manifest. But to understand how that transaction works, we have to quickly divert into the Radix account’s cool “owner badge” feature.

The account owner badge

Because Radix accounts are functional components, not just addresses, they can actually have built-in native features. Those features include the things you commonly need to do with an account, like withdraw from it, deposit to it, and lock network fees using XRD it holds. It also includes handy things like being able to configure rules on the account for which deposits from third parties it’s willing to accept (no random airdrops if you don’t want them!)

Another really important account feature is what we call “securification”. It’s a funny name, but what it does is powerful. It tells the account, in one step, to mint and return a special “owner badge” NFT, and configure itself to exclusively use that badge to authorize use of the account. That means that whoever (or whatever) holds that NFT can present it to the account to prove it has the right to use the account.

Crucially, securification also means that the account will no longer accept the original key that created the account. That original signature key is now forever forgotten and has no meaning. This is completely unlike every other blockchain where that key is forever tied to the control of the account. The owner badge means that Radix accounts can truly break that link, and remain completely decentralized.

The primary use of the owner badge is to enable multi-factor control and recovery. The Radix Wallet can “securify” an account, stick the owner badge into a special native “access controller” component, and that component can implement all of our fancy multi-factor control and recovery features. Ultimately, those multi-factor rules determine when the access controller is willing to produce a proof of the owner badge to do something with the account.

But, back on topic, you’ll see now how the owner badge also makes it possible for us to properly “delete” a Radix account.

The account deletion transaction

When a user wants to delete an account, their wallet just needs to build a single transaction manifest that does this sequence of things:

1) Withdraw any assets held in the account and deposit them elsewhere as the user prefers.

2) Configure the account’s third-party deposit rules to accept no deposits of any asset from others.

3) “Securify” the account, to forever cut the link to the original signing key and get the owner badge.

4) Deposit the owner badge into the account that minted it.

That last step is fun. Inside the team, it’s referred to as the account “swallowing its own key”. It’s taking the owner badge NFT – which is now in sole control of the account – and shoving it into the account itself. That means that the only way to get access to that key is to already have it, which of course is now impossible. The account is sealed off forever, guaranteed by the Radix network.

The result of this transaction is the account behaving exactly how the user expects if it’s “deleted”:

  • If anybody tries to interact with it, it won’t work
  • Everybody who knew about it can see that it’s gone and I’m no longer in control of it
  • It’s impossible for me or anybody else to regain control of it
  • Anything that was in it before is lost forever

So while the account still “exists” on the network in some technical sense, anybody looking at the network can see that it has swallowed its owner key and know with certainty that it’s a “deleted account” that nobody can use ever again. The gateway will probably be updated at some point to check that itself and say so directly. And maybe at some point in the future, a protocol update could expose that multi-step manifest functionality behind a single “delete” method on the account component. But the approach above works right now on the current Radix Network and is perfectly functional.

Creating that manifest is exactly what the Radix Wallet will now do if the user taps that big red “Delete Account” button – and it can also include moving any lingering assets out of the account before deleting it. The user just needs to sign a nice, easily-understandable Radix-style transaction to make it happen.