You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After a small discussion I wanted to collect some thoughts on SignatureChecker.isValidERC1271SignatureNow. It largely assumes that the signer contract is trusted when verifying ERC-1271 signatures.
Signatures are often used by relayers to perform actions on behalf of users with their permission. Therefore it should be assumed that signers can be malicious and additional security considerations might come into play. Two observations are:
signer.staticcall does not include a gas limit
(bool success, bytes memory result) = signer.staticcall copies the entirety of the returned data, making it susceptible to returndata bomb attacks
is partially addressed in the EIP:
Since there are no gas-limit expected for calling the isValidSignature() function, it is possible that some implementation will consume a large amount of gas. It is therefore important to not hardcode an amount of gas sent when calling this method on an external contract as it could prevent the validation of certain signatures.
However, general security concerns for relayers still apply (call to the unknown): Relayers might not be aware that a fixed gas limit should be set or that relayed transactions should be discarded if they cost more than X. This could be a bad scenario if relayers are sponsored, use a fixed fee, or if the maximum gas is not debited upfront.
is not much of a concern when there is no fixed gas limit in the call to the signer. The worst scenario might be confusion if the call reverts in the caller's context instead of the signer contract.
Potential solutions:
Add general security consideration advice to SignatureChecker.isValidERC1271SignatureNow.
Only load 32 bytes from returndata via assembly.
Add gasLimit parameter to SignatureChecker.isValidERC1271SignatureNow and implement 2.
Do nothing.
Considering that the most simple solution might be the best, 4. or 1. might be the most sensible, though I'm interested if anyone has some more thoughts on this.
The text was updated successfully, but these errors were encountered:
Adding a fixed gas limit technically would be breaking though.
Thanks for pointing out the similarities to ERC-165.
A perhaps relevant discussion is #1750.
馃摑 Details
After a small discussion I wanted to collect some thoughts on
SignatureChecker.isValidERC1271SignatureNow
. It largely assumes that thesigner
contract is trusted when verifying ERC-1271 signatures.openzeppelin-contracts/contracts/utils/cryptography/SignatureChecker.sol
Lines 29 to 47 in 4e7e6e5
Signatures are often used by relayers to perform actions on behalf of users with their permission. Therefore it should be assumed that
signer
s can be malicious and additional security considerations might come into play. Two observations are:signer.staticcall
does not include a gas limit(bool success, bytes memory result) = signer.staticcall
copies the entirety of the returned data, making it susceptible toreturndata
bomb attacksis partially addressed in the EIP:
However, general security concerns for relayers still apply (call to the unknown): Relayers might not be aware that a fixed gas limit should be set or that relayed transactions should be discarded if they cost more than X. This could be a bad scenario if relayers are sponsored, use a fixed fee, or if the maximum gas is not debited upfront.
signer
. The worst scenario might be confusion if the call reverts in the caller's context instead of thesigner
contract.Potential solutions:
SignatureChecker.isValidERC1271SignatureNow
.returndata
via assembly.gasLimit
parameter toSignatureChecker.isValidERC1271SignatureNow
and implement 2.Considering that the most simple solution might be the best, 4. or 1. might be the most sensible, though I'm interested if anyone has some more thoughts on this.
The text was updated successfully, but these errors were encountered: