EIP-3074: The Caller Field in Signatures is Crucial
The Caller field in the EIP-3074 signature is extremely important, as an incorrect Caller can potentially steal your funds. This article is sourced from @lightclients, compiled, translated, and written by MetaCat.
Summary:
Ethereum’s next step: EIP-3074 included in Prague upgrade, introducing three major reforms to smart contracts with wallet integration.
Background:
Latest Ethereum ACDE conference: Dencun upgrade went smoothly! What improvements will the next Pectra upgrade bring?
After EIP-3074, an incorrect signature will be able to deplete the balance in your Ethereum account. Yes, it’s true. The co-authors of EIP-3074 are here to address this concern before things get out of control.
Firstly, currently, there are no wallets that support signing data without a prefix. This means that there are currently no wallets supporting EIP-3074. No matter how many dashboards you browse or advanced features you enable, it is currently not possible to sign messages using EIP-3074.
The message you sign for logging into a dapp uses a standard based on EIP-191, which is completely different from EIP-3074. It adds the following data to your signed message:
This is why it is not possible to deceive a dapp user into actually signing a valid Ethereum transaction. Transactions are signed with a unit byte value as a prefix:
For more information, see:
https://github.com/ethereum/execution-specs/tree/master/lists/signature-types
EIP-3074 plans to use the prefix 0x04. This will eliminate ambiguity with any other type of signable data in Ethereum. Wallets must actively choose to allow users to sign these messages.
The specific way wallets integrate EIP-3074 could potentially create situations where users are more easily exploited. To understand this, we need to ensure we understand how EIP-3074 signatures work.
Constructing a signature verification message has the following fields. Importantly, it includes a Caller address. This is the only address that AUTH considers the signature valid for.
To deplete the balance of an account, two conditions must be met:
1. The wallet needs to allow the user to sign to any Caller address.
2. The user must not verify the Caller’s trustworthiness.
This means that executing either of these will not be a problem for the user.
We hope wallet software understands that the EIP-3074 Caller is more like an extension of wallet software code rather than a contract. Wallets should not allow users to freely execute arbitrary code and access their private keys. Similarly, they should not allow users to arbitrarily delegate their Ethereum accounts.
Therefore, if wallet software integrates EIP-3074 insecurely and users do not verify the Caller they are interacting with, they may end up delegating to a malicious Caller. However, it can still be undone by sending a single tx from an EOA. This will revoke all “in-flight” AUTH signatures.
At the very least, wallet software should make signing EIP-3074 messages a big deal, just like exporting your private key. Even if the wallet securely integrates 3074, the account can still be stolen. This is a fundamental property of batch transactions. It allows for easily sending multiple operations, just as it allows attackers to trick you into sending a batch of assets to an address they control.
Wallet software must clearly display each operation you are signing. This way, it is easy to notice “I only intended to make one transaction, but this signing request is making me do a dozen transactions.” This cannot be detected if blind signing is used for batch processing.
Yes, EIP-3074 trusts wallets a lot. But we have already placed our trust in them securely using our private keys! There is no higher level of trust.
EIP-3074 can be integrated and used safely. If any wallet has questions about how to implement this, please feel free to contact us. As the authors of EIP-3074, we are currently considering how best to help further develop this standard.
Over the past few years, we have spent a lot of time developing hypothetical scenarios about how it can be used and abused. We are excited to see these ideas start to come to production. But we also recognize that this is the hardest part.
Summary:
Concerns about a single incorrect signature depleting your Ethereum account balance after EIP-3074:
– Currently, wallets do not support signatures of the EIP-3074 type, which follows a new format.
– The Caller field in the EIP-3074 signature is crucial. An adverse Caller can steal your funds.
– Wallets need to ensure that the Caller address is trustworthy, similar to how wallets currently prevent the execution of arbitrary code.
– Batch transactions in EIP-3074 still open up a world where malicious actors can deceive you into signing asset transfer transactions. Wallets need to clearly display what will happen when signing EIP-3074 messages.
– Yes, we have a high level of trust in wallets, but users have already entrusted them with their private keys, which is the highest level of trust.
EIP-3074 and EIP-4337:
For Account Abstraction providers, EIP-3074 is a great thing as it benefits our customers.
ERC-4337 is the best way to introduce new users to the crypto space.
EIP-3074 is the best way to introduce existing users to smart accounts.
Related Reports:
Ethereum’s Cancun upgrade core: How does EIP-4844’s Blob reduce fees by 100 times?
Dencun Cancun upgrade is coming: How will the new EIP proposal change Ethereum?
Perspectives on new technologies harming token prices: Examples from Ethereum’s EIP-4844 and Restaking trends.