Why does _domainSeparatorV4() in EIP712 (_hashTypedDataV4 in ERC20permit) check for address and chainID?

zesl · February 26, 2022, 4:36am

ERC20Permit uses _hashTypedDataV4()

OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/extensions/draft-ERC20Permit.sol#L54

      
        
                uint256 value,
                uint256 deadline,
                uint8 v,
                bytes32 r,
                bytes32 s
            ) public virtual override {
                require(block.timestamp <= deadline, "ERC20Permit: expired deadline");
            
            
    bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH, owner, spender, value, _useNonce(owner), deadline));
            
            
    bytes32 hash = _hashTypedDataV4(structHash);
            
            
    address signer = ECDSA.recover(hash, v, r, s);
                require(signer == owner, "ERC20Permit: invalid signature");
            
            
    _approve(owner, spender, value);
            }
            
            
/**
             * @dev See {IERC20Permit-nonces}.
             */

which then uses _domainSeparatorV4() in EIP712

github.com

OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/draft-EIP712.sol#L70

      
        
                _HASHED_VERSION = hashedVersion;
                _CACHED_CHAIN_ID = block.chainid;
                _CACHED_DOMAIN_SEPARATOR = _buildDomainSeparator(typeHash, hashedName, hashedVersion);
                _CACHED_THIS = address(this);
                _TYPE_HASH = typeHash;
            }
            
            
/**
             * @dev Returns the domain separator for the current chain.
             */
            function _domainSeparatorV4() internal view returns (bytes32) {
                if (address(this) == _CACHED_THIS && block.chainid == _CACHED_CHAIN_ID) {
                    return _CACHED_DOMAIN_SEPARATOR;
                } else {
                    return _buildDomainSeparator(_TYPE_HASH, _HASHED_NAME, _HASHED_VERSION);
                }
            }
            
            
function _buildDomainSeparator(
                bytes32 typeHash,
                bytes32 nameHash,

But why does _domainSeparatorV4() check for address and chainID here?

frangio · March 2, 2022, 10:04pm

We check these things to see if the cache is valid. The chainid can change if the chain forks (like Ethereum Classic), you don't want the signatures for one chain to be valid for the other.

address(this) can be different during delegatecalls. You can see the issue where we introduced that to read more about the reasoning:

zesl · March 4, 2022, 6:00am

Thank you! For tokens that are not a delegated contract, checking address(this) would not be necessary?

frangio · March 8, 2022, 11:13pm

That's right, it is not necessary in that case.

zesl · March 13, 2022, 10:23am

However, since EIP-155, isn't chainID info included in most transaction signatures? Is this check for chainID mainly for the very few transactions signed by some old libraries?

frangio · March 14, 2022, 10:45pm

The chain id check makes sure that a different domain separator is used if the chain forks, to prevent replay attacks: an EIP712 signature should only valid for one chain and not for both.

zesl · March 15, 2022, 3:12am

Yes, but after EIP155, when the updated libraries sign "A Message", even if "A Message" does not contain the current chainID, the signer would include in the signature the chainID info? (the v value) Thus the chainID info would be there to prevent replays with or without EIP712 if the signature is the new version?

frangio · March 21, 2022, 6:10pm

EIP155 only affects the format of transactions. Simple signatures don't include the chain id.

zesl · March 22, 2022, 4:52am

From here: https://github.com/ethereum/EIPs/blob/master/EIPS/eip-155.md

It seems chain ID is covered for things signed in this standard?

If block.number >= FORK_BLKNUM and CHAIN_ID is available, then when computing the hash of a transaction for the purposes of signing, instead of hashing only six rlp encoded elements (nonce, gasprice, startgas, to, value, data) , you SHOULD hash nine rlp encoded elements (nonce, gasprice, startgas, to, value, data, chainid, 0, 0) .`

frangio · March 25, 2022, 12:58pm

That only covers signing of transactions, as far as I can tell.

zesl · March 30, 2022, 3:42am

You mean the native currency transactions only? But isn't every state modification on chain a transaction? Thus when submitting the 'Permit' signature for example, even if 'Permit' itself doesn't include chainID, the signature of the transaction would include it? Got different answers from different sources, but didn't find the related part in Ethereum github tho. Probably will check it later. BTW, thank you for the answers!

frangio · March 31, 2022, 1:07am

Yes, the signature of the transaction would include the chainId. But anyone could extract the permit alone from a transaction and re-send it to a different network (bundled in a separate transaction). You want to make sure that the permit is not accepted in a different network.

Topic		Replies	Views
Developer Guide: Delegation and Voting with EIP-712 Signatures Guides and Tutorials	7	3384	March 9, 2021
Meta Transactions - Forwarder.verify returns false Support etherscan-verify	3	132	January 27, 2024
[ERC-2771] Forwarder. Verify returns the wrong address Support etherscan-verify	4	477	November 22, 2023
Release Candidate for Contracts 3.4 Announcements	6	1418	February 3, 2021
EIP2612: invalid signature for mainnet chain; testnet is fine Smart Contracts erc20	0	92	February 29, 2024

Why does _domainSeparatorV4() in EIP712 (_hashTypedDataV4 in ERC20permit) check for address and chainID?

Related Topics