forked from ethereum/EIPs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
initial commit for eip-6384 (ethereum#6384)
* initial commit for eip-readable-signatures * Update EIPS/eip-readable-signatures.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * removed build files * updated links * updated links * eip.md updated according to linter suggestions * updated EIP according to linter * updated the eip according to the linter * fixed linter errors at the md file * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * updated signature paramater name to typedDataBuffer * updated signature paramater name to typedDataBuffer * added explanation to the rationale section * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * Update EIPS/eip-6384.md Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com> * removed unnecessary media * removed unnecessary media * Update EIPS/eip-6384.md --------- Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com>
- Loading branch information
Showing
14 changed files
with
635 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
--- | ||
eip: 6384 | ||
title: Human-readable offline signatures | ||
description: A method for retrieving a human-readable description of EIP-712 typed and structured data. | ||
author: Tal Be'ery (@talbeerysec), RoiV (@DeVaz1) | ||
discussions-to: https://ethereum-magicians.org/t/eip-6384-readable-eip-712-signatures/12752 | ||
status: Draft | ||
type: Standards Track | ||
category: ERC | ||
created: 2023-01-08 | ||
requires: 712 | ||
--- | ||
|
||
## Abstract | ||
|
||
This EIP introduces the `evalEIP712Buffer` function, which takes an [EIP-712](./eip-712.md) buffer and returns a human-readable text description. | ||
|
||
## Motivation | ||
|
||
The use case of Web3 off-chain signatures intended to be used within on-chain transaction is gaining traction and being used in multiple leading protocols (e.g. OpenSea) and standards [EIP-2612](./eip-2612.md), mainly as it offers a fee-less experience. | ||
Attackers are known to actively and successfully abuse such off-chain signatures, leveraging the fact that users are blindly signing off-chain messages, since they are not humanly readable. | ||
While [EIP-712](./eip-712.md) originally declared in its title that being ”humanly readable” is one of its goals, it did not live up to its promise eventually and EIP-712 messages are not understandable by an average user. | ||
|
||
In one example, victims browse a malicious phishing website. It requests the victim to sign a message that will put their NFT token for sale on OpenSea platform, virtually for free. | ||
|
||
The user interface for some popular wallet implementations is not conveying the actual meaning of signing such transactions. | ||
|
||
In this proposal we offer a secure and scalable method to bring true human readability to EIP-712 messages by leveraging their bound smart contracts. | ||
As a result, once implemented this EIP wallets can upgrade their user experience from current state: | ||
|
||
![](../assets/eip-6384/media/MiceyMask-non-compliant.png) | ||
|
||
to a much clearer user experience: | ||
|
||
![](../assets/eip-6384/media/ZenGo-EIP-compliant.png) | ||
|
||
The proposed solution solves the readability issues by allowing the wallet to query the `verifyingContract`. The incentives for keeping the EIP-712 message description as accurate as possible are aligned, as the responsibility for the description is now owned by the contract, that: | ||
|
||
- Knows the message meaning exactly (and probably can reuse the code that handles this message when received on chain) | ||
- Natively incentivized to provide the best explanation to prevent a possible fraud | ||
- Not involving a third party that needs to be trusted | ||
- Maintains the fee-less customer experience as the added function is in “view” mode and does not require an on-chain execution and fees. | ||
- Maintains Web3’s composability property | ||
|
||
## Specification | ||
|
||
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119. | ||
|
||
EIP-712 already formally binds an off-chain signature to a contract, with the `verifyingContract` parameter. We suggest adding a “view” function (`"stateMutability":"view"`) to such contracts, that returns a human readable description of the meaning of this specific off-chain buffer. | ||
|
||
```solidity | ||
/** | ||
* @dev Returns the expected result of the offchain message. | ||
*/ | ||
function evalEIP712Buffer(bytes32 domainHash, string memory primaryType, bytes memory typedDataBuffer) | ||
external | ||
view | ||
returns (string[] memory) { | ||
... | ||
} | ||
``` | ||
|
||
**Every compliant contract MUST implement this function.** | ||
|
||
Using this function, wallets can submit the proposed off-chain signature to the contract and present the results to the user, allowing them to enjoy an “on-chain simulation equivalent” experience to their off-chain message. | ||
|
||
This function will have a well known name and signature, such that there is no need for updates in the EIP-712 structure. | ||
|
||
### Function's inputs | ||
|
||
The inputs of the function: | ||
|
||
- `domainHash` is the EIP-712's domainSeparator, a hashed `eip712Domain` struct. | ||
- `primaryType`is the EIP-712's `primaryType`. | ||
- `typedDataBuffer` is an ABI encoded message part of the EIP-712 full message. | ||
|
||
### Function's output(s) | ||
|
||
The output of the the function is an array of strings. The wallet SHOULD display them to its end-users. The wallet MAY choose to augment the returned strings with additional data. (e.g. resolve contract addresses to their name) | ||
|
||
The strings SHOULD NOT be formatted (e.g. should not contain HTML code) and wallets SHOULD treat this string as an untrusted input and handle its rendering as such. | ||
|
||
### Support for EIP-712 messages that are not meant to be used on-chain | ||
|
||
If `verifyingContract` is not included in the EIP-712 domain separator, wallets MUST NOT retrieve a human-readable description using this EIP. In this case, wallets SHOULD fallback to their original EIP-712 display. | ||
|
||
## Rationale | ||
|
||
- We chose to implement the `typeDataBuffer` parameter as abi encoded as it is a generic way to pass the data to the contract. The alternative was to pass the `typedData` struct, which is not generic as it requires the contract to specify the message data. | ||
- We chose to return an array of strings and not a single string as there are potential cases where the message is composed of multiple parts. For example, in the case of a multiple assets transfers in the same `typedDataBuffer`, the contract is advised to describe each transfer in a separate string to allow the wallet to display each transfer separately. | ||
|
||
### Alternative solutions | ||
|
||
#### Third party services: | ||
|
||
Currently, the best choice for users is to rely on some 3rd party solutions that get the proposed message as input and explain its intended meaning to the user. This approach is: | ||
|
||
- Not scalable: 3rd party provider needs to learn all such proprietary messages | ||
- Not necessarily correct: the explanation is based on 3rd party interpretation of the original message author | ||
- Introduces an unnecessary dependency of a third party which may have some operational, security, and privacy implications. | ||
|
||
#### Domain name binding | ||
|
||
Alternatively, wallets can bind domain name to a signature. i.e. only accept EIP-712 message if it comes from a web2 domain that its `name` as defined by EIP-712 is included in `eip712Domain`. However this approach has the following disadvantages: | ||
|
||
- It breaks Web3’s composability, as now other dapps cannot interact with such messages | ||
- Does not protect against bad messages coming from the specified web2 domain, e.g. when web2 domain is hacked | ||
- Some current connector, such as WalletConnect do not allow wallets to verify the web2 domain authenticity | ||
|
||
## Backwards Compatibility | ||
|
||
For non-supporting contracts the wallets will default to showing whatever they are showing today. | ||
Non-supporting wallets will not call this function and will default to showing whatever they are showing today. | ||
|
||
## Reference Implementation | ||
|
||
A reference implementation can be found [here](../assets/eip-6384/implementation/src/MyToken/MyToken.sol). | ||
This toy example shows how an [EIP-20](./eip-20.md) contract supporting this EIP implements an EIP-712 support for "transferWithSig" functionality (a non-standard variation on Permit, as the point of this EIP is to allow readability to non-standard EIP-712 buffers). | ||
To illustrate the usability of this EIP to some real world use case, a helper function for the actual OpenSea's SeaPort EIP-712 is implemented too in [here](../assets/eip-6384/implementation/src/SeaPort/SeaPort712ParserHelper.sol). | ||
|
||
## Security Considerations | ||
|
||
### The threat model: | ||
|
||
The attack is facilitated by a rogue web2 interface (“dapp”) that provides bad parameters for an EIP-712 formatted message that is intended to be consumed by a legitimate contract. Therefore, the message is controlled by attackers and cannot be trusted, however the contract is controlled by a legitimate party and can be trusted. | ||
|
||
The attacker intends to use that signed EIP-712 message on-chain later on, with a transaction crafted by the attackers. If the subsequent on-chain transaction was to be sent by the victim, then a regular transaction simulation would have sufficed. | ||
|
||
The case of a rogue contract is irrelevant, as such a rogue contract can already facilitate the attack regardless of the existence of the EIP-712 formatted message. | ||
|
||
Having said that, a rogue contract may try to abuse this functionality in order to send some maliciously crafted string in order to exploit vulnerabilities in wallet rendering of the string. Therefore wallets should treat this string as an untrusted input and handle its renderring it as such. | ||
|
||
### Analysis of the proposed solution | ||
|
||
The explanation is controlled by the relevant contract which is controlled by a legitimate party. The attacker must specify the relevant contract address, as otherwise it will not be accepted by it. Therefore, the attacker cannot create false explanations using this method. | ||
Please note that if the explanation was part of the message to sign it would have been under the control of the attacker and hence irrelevant for security purposes. | ||
|
||
Since the added functionality to the contract has the “view” modifier, it cannot change the on-chain state and harm the existing functionalities of the contract. | ||
|
||
## Copyright | ||
|
||
Copyright and related rights waived via [CC0](../LICENSE.md). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.17; | ||
|
||
interface IEvalEIP712Buffer { | ||
function evalEIP712Buffer(bytes32 domainHash, string memory primaryType, bytes memory typedDataBuffer) | ||
external | ||
view | ||
returns (string[] memory); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.17; | ||
|
||
import "@openzeppelin/contracts/token/ERC20/ERC20.sol"; | ||
import "@openzeppelin/contracts/utils/cryptography/EIP712.sol"; | ||
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol"; | ||
import {IEvalEIP712Buffer} from "../IEvalEIP712Buffer.sol"; | ||
import {MyToken712ParserHelper} from "./MyToken712ParserHelper.sol"; | ||
import {TransferParameters} from "./MyTokenStructs.sol"; | ||
|
||
contract MyToken is ERC20, EIP712, IEvalEIP712Buffer { | ||
mapping(address => uint256) private _nonces; | ||
address public eip712TransalatorContract; | ||
|
||
bytes32 private constant TYPE_HASH = | ||
keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"); | ||
|
||
bytes32 private constant TRANSFER_TYPEHASH = | ||
keccak256("Transfer(address from,address to,uint256 amount,uint256 nonce,uint256 deadline)"); | ||
|
||
constructor(address _eip712Transaltor) ERC20("MyToken", "MT") EIP712("MyToken", "1") { | ||
eip712TransalatorContract = _eip712Transaltor; | ||
_mint(msg.sender, 1e18); | ||
} | ||
|
||
function mintToCaller() public { | ||
_mint(msg.sender, 1e18); | ||
} | ||
|
||
function nonces(address owner) public view returns (uint256) { | ||
return _nonces[owner]; | ||
} | ||
|
||
function transferWithSig(address from, address to, uint256 amount, uint256 deadline, uint8 r, bytes32 v, bytes32 s) | ||
public | ||
{ | ||
require(block.timestamp <= deadline, "TransferSig: expired deadline"); | ||
bytes32 structHash = keccak256(abi.encode(TRANSFER_TYPEHASH, from, to, amount, _nonces[from]++, deadline)); | ||
// _hashTypedDataV4 is a helper function from EIP712.sol that gets the strcutHash and uses the domain separator in order to hash the message | ||
bytes32 hash = _hashTypedDataV4(structHash); | ||
address signer = ECDSA.recover(hash, r, v, s); | ||
require(signer == from, "TransferSig: unauthorized"); | ||
_transfer(from, to, amount); | ||
} | ||
|
||
function DOMAIN_SEPARATOR() public view returns (bytes32) { | ||
return _domainSeparatorV4(); | ||
} | ||
|
||
function evalEIP712Buffer( | ||
bytes32 domainSeparator, | ||
string memory primaryType, | ||
bytes memory typedDataBuffer | ||
) public view override returns (string[] memory) { | ||
require( | ||
keccak256(abi.encodePacked(primaryType)) == keccak256(abi.encodePacked("Transfer")), | ||
"MyToken: invalid primary type" | ||
); | ||
require(domainSeparator == _domainSeparatorV4(), "MyToken: Invalid domain"); | ||
return MyToken712ParserHelper(eip712TransalatorContract).parseSig(encodedData); | ||
} | ||
} |
35 changes: 35 additions & 0 deletions
35
assets/eip-6384/implementation/src/MyToken/MyToken712ParserHelper.sol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.17; | ||
|
||
import "src/MyToken/MyToken.sol"; | ||
import "@openzeppelin/contracts/utils/Strings.sol"; | ||
|
||
contract MyToken712ParserHelper { | ||
string sigMessage = | ||
"This is MyToken transferWithSig message, by signing this message you are authorizing the transfer of MyToken from your account to the recipient account."; | ||
|
||
struct Transfer { | ||
address from; | ||
address to; | ||
uint256 amount; | ||
uint256 nonce; | ||
uint256 deadline; | ||
} | ||
|
||
function parseSig(bytes memory signature) public view returns (string[] memory sigTranslatedMessage) { | ||
Transfer memory transfer = abi.decode(signature, (Transfer)); | ||
sigTranslatedMessage = new string[](3); | ||
sigTranslatedMessage[0] = sigMessage; | ||
sigTranslatedMessage[1] = Strings.toString(transfer.deadline); | ||
sigTranslatedMessage[2] = string( | ||
abi.encodePacked( | ||
"By signing this message you allow ", | ||
Strings.toHexString(transfer.to), | ||
" to transfer ", | ||
Strings.toString(transfer.amount), | ||
" of MyToken from your account." | ||
) | ||
); | ||
return sigTranslatedMessage; | ||
} | ||
} |
10 changes: 10 additions & 0 deletions
10
assets/eip-6384/implementation/src/MyToken/MyTokenStructs.sol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.17; | ||
|
||
struct TransferParameters { | ||
address from; | ||
address to; | ||
uint256 amount; | ||
uint256 nonce; | ||
uint256 deadline; | ||
} |
113 changes: 113 additions & 0 deletions
113
assets/eip-6384/implementation/src/SeaPort/SeaPort712ParserHelper.sol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,113 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.17; | ||
|
||
import {ItemType, OrderType, OfferItem, ConsiderationItem, OrderComponents} from "src/SeaPort/SeaPortStructs.sol"; | ||
import "@openzeppelin/contracts/utils/Strings.sol"; | ||
|
||
contract SeaPort712ParserHelper { | ||
bytes32 private domainSeperator = keccak256( | ||
abi.encodePacked("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)") | ||
); | ||
|
||
string sigMessage = | ||
"This is a Seaport listing message, mostly used by OpenSea Dapp, be aware of the potential balance changes"; | ||
|
||
struct BalanceOut { | ||
uint256 amount; | ||
address token; | ||
} | ||
|
||
struct BalanceIn { | ||
uint256 amount; | ||
address token; | ||
} | ||
|
||
function getTokenNameByAddress(address _token) private view returns (string memory) { | ||
if (_token == address(0)) { | ||
return "ETH"; | ||
} else { | ||
(bool success, bytes memory returnData) = _token.staticcall(abi.encodeWithSignature("name()")); | ||
if (success && returnData.length > 0) { | ||
return string(returnData); | ||
} else { | ||
return "Unknown"; | ||
} | ||
} | ||
} | ||
|
||
// need to manage array length because of the fact that default array values are 0x0 which represents 'native token' | ||
function getElementIndexInArray(address addressToSearch, uint256 arrayLength, address[] memory visitedAddresses) | ||
private | ||
pure | ||
returns (uint256) | ||
{ | ||
for (uint256 i; i < arrayLength; i++) { | ||
if (addressToSearch == visitedAddresses[i]) { | ||
return i; | ||
} | ||
} | ||
return visitedAddresses.length + 1; | ||
} | ||
|
||
function parseSig(bytes memory signature) public view returns (string[] memory sigTranslatedMessage) { | ||
OrderComponents memory order = abi.decode(signature, (OrderComponents)); | ||
BalanceOut[] memory tempBalanceOut = new BalanceOut[](order.offer.length); | ||
BalanceIn[] memory tempBalanceIn = new BalanceIn[](order.consideration.length); | ||
address[] memory outTokenAddresses = new address[](order.offer.length); | ||
address[] memory inTokenAddresses = new address[](order.consideration.length); | ||
|
||
uint256 outLength; | ||
for (uint256 i; i < order.offer.length; i++) { | ||
uint256 index = getElementIndexInArray(order.offer[i].token, outLength, outTokenAddresses); | ||
if (index != outTokenAddresses.length + 1) { | ||
tempBalanceOut[index].amount += order.offer[i].startAmount; | ||
} else { | ||
outTokenAddresses[outLength] = order.offer[i].token; | ||
tempBalanceOut[outLength] = BalanceOut(order.offer[i].startAmount, order.offer[i].token); | ||
outLength++; | ||
} | ||
} | ||
|
||
uint256 inLength; | ||
for (uint256 i; i < order.consideration.length; i++) { | ||
if (order.offerer == order.consideration[i].recipient) { | ||
uint256 index = getElementIndexInArray(order.consideration[i].token, inLength, inTokenAddresses); | ||
if (index != inTokenAddresses.length + 1) { | ||
tempBalanceIn[index].amount += order.consideration[i].startAmount; | ||
} else { | ||
inTokenAddresses[inLength] = order.consideration[i].token; | ||
tempBalanceIn[inLength] = | ||
BalanceIn(order.consideration[i].startAmount, order.consideration[i].token); | ||
inLength++; | ||
} | ||
} | ||
} | ||
|
||
sigTranslatedMessage = new string[](outLength + inLength + 2); | ||
sigTranslatedMessage[0] = sigMessage; | ||
sigTranslatedMessage[1] = | ||
string(abi.encodePacked("The signature is valid until ", Strings.toString(order.endTime))); | ||
for (uint256 i; i < inLength; i++) { | ||
sigTranslatedMessage[i + 2] = string( | ||
abi.encodePacked( | ||
"You will receive ", | ||
Strings.toString(tempBalanceIn[i].amount), | ||
" of ", | ||
getTokenNameByAddress(tempBalanceIn[i].token) | ||
) | ||
); | ||
} | ||
|
||
for (uint256 i; i < outLength; i++) { | ||
sigTranslatedMessage[i + inLength + 2] = string( | ||
abi.encodePacked( | ||
"You will send ", | ||
Strings.toString(tempBalanceOut[i].amount), | ||
" of ", | ||
getTokenNameByAddress(tempBalanceOut[i].token) | ||
) | ||
); | ||
} | ||
return (sigTranslatedMessage); | ||
} | ||
} |
Oops, something went wrong.