How to Make Your Dapp Compatible With Smart Contract Wallets Using ERC-1271


Learn how to verify signatures of smart contract wallets

The increasing popularity of ERC-4337 (Account Abstraction) and the adoption of smart contract wallets are transforming the wallet ecosystem. EIP-1271 provides a standard for effective and secure signature verification for these smart contract wallets.

How can Contracts Sign Messages?

When connecting a wallet to an app, a user might need to sign a message to prove ownership of the connected wallet. In the case of an externally owned account (EOA), the user signs this message with their private key. The party responsible for verification can then apply a recovery algorithm, such as ecrecover, to verify the message.

While smart contract wallets are capable of creating signatures, they differ from EOAs in that they do not use a private key. Rather, the verification of signatures is handled by the smart contract’s inherent mechanism. EIP-1271 is a standard interface to verify signatures generated by smart contract wallets.

How to Make Wallet Verification Work for Smart Contracts?

This is the typical process for web3 authentication:

First, the server creates a message that needs the user’s signature. This message includes a random nonce to prevent replay attacks. Next, the user signs a hashed version of this message using their private key. Finally, the server checks the signature. If the message was signed properly, recovering the signer from the signature should return the address of the user.

To support smart contract wallets, we need to modify this verification process slightly. We should call the isValidSignature function of the smart contract wallet to check whether it approves the signature, as defined in EIP-1271. Because each smart account is associated with a specific network, the dApp must specify the network on which the signature is to be verified.

Here is an example of a basic script to verify signatures that works for both EOAs and smart contract wallets.

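import { ethers } from 'ethers'
import {
  isValidEip1271Signature,
  mainnet,
  polygon,
  polygonMumbai
} from '@cometh/eip1271-signature-validation'

async function isValidSignature(
    signingAddress: string,
    message: string,
    signature: string
  ) {
    try {
      // verify the message for an externally owned account (EOA) using the recovery algorithm
      const recovered = ethers.utils.verifyMessage(message, signature);
      // compare case-insensitively: verifyMessage returns a checksummed address
      if (recovered.toLowerCase() === signingAddress.toLowerCase()) return true;
    } catch {
      // not a recoverable ECDSA signature; fall through to the EIP-1271 check
    }
    // verify the message for a smart account signature following EIP-1271.
    // This also runs when recovery succeeds but yields another address, for
    // example when a wallet owner's key produced the signature.
    return isValidEip1271Signature(
      signingAddress,
      message,
      signature,
      [polygon, polygonMumbai]
    );
  }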

As shown in the script above, we use a simple library to validate EIP-1271 signatures, @cometh/eip1271-signature-validation, which you can add to your project via npm.

Because smart wallets can be counterfactual contracts, they don’t exist until the first user transaction. To allow dapps to authenticate users with an undeployed wallet, support for ERC-6492 (Signature Validation for Predeploy Contracts) is planned and will soon be directly available in this library.
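
The EIP-1271 check described above, reduced to the raw eth_call, as an added example in plain JavaScript (not code from this article's authors or from the Cometh library). It assumes the 32-byte message hash is already computed; `ethCall` and `stubEthCall` are hypothetical stand-ins for an RPC client. It also shows why an undeployed wallet fails the check: a call to an address with no code returns empty data.

```javascript
// Added example: raw EIP-1271 check over an injected eth_call transport.
// 0x1626ba7e is both the selector of isValidSignature(bytes32,bytes) and its success value.
const EIP1271_MAGIC = '1626ba7e';

const strip = (hex) => String(hex || '').replace(/^0x/, '').toLowerCase();
const word = (n) => n.toString(16).padStart(64, '0'); // one 32-byte ABI word

// ABI-encode a call to isValidSignature(bytes32 hash, bytes signature).
function encodeIsValidSignature(hash, signature) {
  const h = strip(hash);
  const sig = strip(signature);
  if (!/^[0-9a-f]{64}$/.test(h)) throw new Error('hash must be 32 bytes of hex');
  if (!/^([0-9a-f]{2})*$/.test(sig)) throw new Error('signature must be whole hex bytes');
  const tail = sig.padEnd(Math.ceil(sig.length / 64) * 64, '0');
  // head: hash, then offset (0x40) of the dynamic bytes; tail: length, right-padded data
  return '0x' + EIP1271_MAGIC + h + word(0x40) + word(sig.length / 2) + tail;
}

// Accept only a single 32-byte word holding the left-aligned magic value.
// Empty data (EOA or not-yet-deployed wallet) and a bare `true` are both rejected.
function isMagicReturn(returnData) {
  return strip(returnData) === EIP1271_MAGIC.padEnd(64, '0');
}

// Returns the first chain id on which the wallet approves the signature, else null.
// ethCall(chainId, { to, data }) is a hypothetical async wrapper around eth_call.
async function verifyOnChains(ethCall, chainIds, wallet, hash, signature) {
  const data = encodeIsValidSignature(hash, signature);
  for (const chainId of chainIds) {
    try {
      if (isMagicReturn(await ethCall(chainId, { to: wallet, data }))) return chainId;
    } catch (err) {
      // A revert or RPC error means "not approved on this chain"; keep checking the rest.
    }
  }
  return null;
}

// Constructed stub transport: the wallet only has code on Polygon (chain id 137).
const stubEthCall = async (chainId, call) =>
  chainId === 137 && call.data.startsWith('0x1626ba7e')
    ? '0x1626ba7e' + '0'.repeat(56)
    : '0x';
```

Treating reverts and RPC errors as "not approved" keeps the check fail-closed: a signature is accepted only when a contract at the wallet address returns the magic value on one of the networks the dapp chose to trust.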

Why Is Making Your Dapp Compatible With Smart Contract Wallets Important?

Account abstraction is becoming a standard in the Ethereum ecosystem, with more than 1.8M accounts deployed in a few months.

source: https://www.bundlebear.com/overview/all

For Dapps, embracing EIP-1271 unlocks the potential of Account Abstraction and its user base. Big players like OpenSea, Aave, and Uniswap already support smart wallets in their Dapps, leading the way for the Ethereum ecosystem.


Co-written by Vincent Le Gallic and Yoan Salvayre
