“One bad signature will be able to drain your account on Ethereum after EIP-3074.”
Yes; this is true. 3074 coauthor here! Let me put this concern to rest a bit before it gets more out of hand.
To start: I’m not aware of any wallets that support signing unprefixed data today. This means that currently, no wallets support 3074. Doesn’t matter how many control panels you navigate through or advanced features you turn on. It isn’t possible to sign a 3074 message today.
The messages you sign to “login” to dapps use a completely different standard based on EIP-191. This prepends the following data to the message you sign:
“””
0x19 <0x45 (E)> <thereum Signed Message:\n” + len(message)> <data to sign>
“””
That’s what makes it impossible to trick someone logging into a dapp to actually sign a valid Ethereum transaction.
Transactions are prefixed with single byte values:
0x01 - 2930 tx
0x02 - 1559 tx
0x03 - 4844 tx
more info here: https://github.com/ethereum/execution-specs/tree/master/lists/signature-types
3074 plans to use the prefix 0x04. This will disambiguate it from all other types of signable data in Ethereum.
Wallets will have to actively opt-in to allowing users to sign these messages.
Depending on how wallets integrate 3074, they could create a situation where their users can more easily be exploited. To understand this, we need to make sure we understand how 3074 signatures work.
The auth msg which the signature is constructed over have the below fields. Importantly, it includes an invoker address. This is the only address under which the signature will be considered valid by AUTH.
For an account to be drained 1) the wallet will need to allow users to sign to any invoker address and 2) the users must not verify the invoker is trustworthy. Do either of those and there is not an issue.
For 1) we hope wallets understand that 3074 invokers are more akin to extensions of their code than they are contracts. Wallets don’t give users the freedom to run arbitrary code with access to their pk; similarly, they shouldn’t allow users to delegate their account arbitrarily.
So if wallets insecurely integrate 3074 and users do not verify the invoker they’re interacting with, it is possible to delegate to a malicious invoker.
However, it is possible to undo by sending a single tx from the EOA. This revokes all “in-flight” AUTH signatures.
At minimum, wallets should make signing a 3074 message a big deal. This is like exporting-your-private-key level of big deal.
Assuming a wallet securely integrates 3074, it is still possible for an account to be swept. This is a fundamental property of batch txs. It as easily allows you to send multiple ops as it allows an attacker to trick you to send a batch of assets to an address they control.
Wallets must clearly display each op you’re signing over. This way, it is easy to notice “I was only planning to make a single trade, but this signing request is having me do a dozen transfers also”.
It will be impossible to detect this if batching available via blind signing.
Yes, 3074 is putting a lot of trust into wallets. But look, we are already trusting them with securely our private key! There isn’t a higher level of trust.
It is possible to integrate and use 3074 safely. If any wallets have questions on how they can do this, please don’t hesitate to reach out. As authors of 3074, we’re currently figuring how we can best help this standard in its next phase of life.
Over the last several years, we’ve spent a lot of time developing hypothetical scenarios on how it might be used and abuse. We’re excited for these ideas to begin being productionized. But we’re also cognizant that this is the hard part.
This article originally titled “One bad signature will be able to drain your account on Ethereum after EIP-3074” is reproduced from [lightclients]]. All copyrights belong to the original author [lightclients]. If you have any objection to the reprint, please contact the Gate Learn team, the team will handle it as soon as possible.
Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.
Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
“One bad signature will be able to drain your account on Ethereum after EIP-3074.”
Yes; this is true. 3074 coauthor here! Let me put this concern to rest a bit before it gets more out of hand.
To start: I’m not aware of any wallets that support signing unprefixed data today. This means that currently, no wallets support 3074. Doesn’t matter how many control panels you navigate through or advanced features you turn on. It isn’t possible to sign a 3074 message today.
The messages you sign to “login” to dapps use a completely different standard based on EIP-191. This prepends the following data to the message you sign:
“””
0x19 <0x45 (E)> <thereum Signed Message:\n” + len(message)> <data to sign>
“””
That’s what makes it impossible to trick someone logging into a dapp to actually sign a valid Ethereum transaction.
Transactions are prefixed with single byte values:
0x01 - 2930 tx
0x02 - 1559 tx
0x03 - 4844 tx
more info here: https://github.com/ethereum/execution-specs/tree/master/lists/signature-types
3074 plans to use the prefix 0x04. This will disambiguate it from all other types of signable data in Ethereum.
Wallets will have to actively opt-in to allowing users to sign these messages.
Depending on how wallets integrate 3074, they could create a situation where their users can more easily be exploited. To understand this, we need to make sure we understand how 3074 signatures work.
The auth msg which the signature is constructed over have the below fields. Importantly, it includes an invoker address. This is the only address under which the signature will be considered valid by AUTH.
For an account to be drained 1) the wallet will need to allow users to sign to any invoker address and 2) the users must not verify the invoker is trustworthy. Do either of those and there is not an issue.
For 1) we hope wallets understand that 3074 invokers are more akin to extensions of their code than they are contracts. Wallets don’t give users the freedom to run arbitrary code with access to their pk; similarly, they shouldn’t allow users to delegate their account arbitrarily.
So if wallets insecurely integrate 3074 and users do not verify the invoker they’re interacting with, it is possible to delegate to a malicious invoker.
However, it is possible to undo by sending a single tx from the EOA. This revokes all “in-flight” AUTH signatures.
At minimum, wallets should make signing a 3074 message a big deal. This is like exporting-your-private-key level of big deal.
Assuming a wallet securely integrates 3074, it is still possible for an account to be swept. This is a fundamental property of batch txs. It as easily allows you to send multiple ops as it allows an attacker to trick you to send a batch of assets to an address they control.
Wallets must clearly display each op you’re signing over. This way, it is easy to notice “I was only planning to make a single trade, but this signing request is having me do a dozen transfers also”.
It will be impossible to detect this if batching available via blind signing.
Yes, 3074 is putting a lot of trust into wallets. But look, we are already trusting them with securely our private key! There isn’t a higher level of trust.
It is possible to integrate and use 3074 safely. If any wallets have questions on how they can do this, please don’t hesitate to reach out. As authors of 3074, we’re currently figuring how we can best help this standard in its next phase of life.
Over the last several years, we’ve spent a lot of time developing hypothetical scenarios on how it might be used and abuse. We’re excited for these ideas to begin being productionized. But we’re also cognizant that this is the hard part.
This article originally titled “One bad signature will be able to drain your account on Ethereum after EIP-3074” is reproduced from [lightclients]]. All copyrights belong to the original author [lightclients]. If you have any objection to the reprint, please contact the Gate Learn team, the team will handle it as soon as possible.
Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.
Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.