signature-validator icon indicating copy to clipboard operation
signature-validator copied to clipboard

Published 20 hours ago verified publisher icon AmbireTech

Support isValidSignature(bytes, bytes)

Open schmanu opened this issue 2 years ago • 3 comments

Some smart contract wallets including Safe use isValidSignature(bytes, bytes) instead of isValidSignature(bytes32, bytes).

For those this signature validator will not work as the magic value results in 0x20c13b0b instead of 0x1626ba7e

schmanu avatar Jan 13 '23 14:01 schmanu

@schmanu the EIP was updated to use bytes32, bytes and that's it's latest version AFAIK?

Also, using bytes as input presumes that the function would take input that isn't the final digest, but might not be compatible with different schemes (eg with prefix vs without prefix, in other words hash(ethereum signed message+hash(input)) vs hash(input)). Unless it is used for the final digest.

Anyway, we have nothing against implementing this, I'm just curious what the rationale is. Furthermore whether the input is the final digest affects the implementation

Ivshti avatar Jan 13 '23 15:01 Ivshti

Hey @Ivshti, at the time the isValidSignaturecall was implemented in the safe-contracts the standard was still isValidSignature(bytes, bytes). That's why it is implemented in this way.

schmanu avatar Jan 16 '23 08:01 schmanu

@schmanu can you give me an example of how it's used? are the first bytes the input to keccak256? Or is prefixing also done (Ethereum signed message)?

Ivshti avatar Feb 02 '23 12:02 Ivshti

closing due to inactivity

@schmanu feel free to reopen if you feel strongly about this, especially if you're willing to PR it

Ivshti avatar Aug 29 '24 07:08 Ivshti

At Snapshot we verify EIP-712, ERC-1271 (signatures on both old and new versions) and want to support ERC-6492

We found this library awesome library just today, and this library got everything we want to verify, except a check for signatures coming from older safe version, i.e checking for magic value 0x20c13b0b

Is there some way to get this added?

ChaituVR avatar Aug 29 '24 17:08 ChaituVR

I think so, @ChaituVR: can you point to verification logic for the older safe version and we can try to get it implemented

Ivshti avatar Aug 30 '24 05:08 Ivshti

Hey @Ivshti It is here https://github.com/snapshot-labs/snapshot.js/blob/master/src/verify/evm.ts#L72-L81

ChaituVR avatar Aug 30 '24 13:08 ChaituVR

@ChaituVR unfortunately since this is an obsolete version of the standard, it doesn't make sense to complicate this module - implementing this would require a new flow with fallbacks, a new interface (to take bytes) and a lot of other complications which would also somewhat make the security audits we have at the moment obsolete.

I would recommend using signature-validator with a separate flow for this standard.

Ivshti avatar Sep 15 '24 06:09 Ivshti