Missing EIP-712 chainID validation Cover

Missing EIP-712 chainID validation

Introduction

EIP-712 defines a way to cryptographically hash and sign a typed JSON data structure. Particularly, this EIP features an EIP712Domain data type present in every EIP-712 signed object, which declares the following fields:

  • name: the user-readable name of the signing domain, i.e. the name of the DApp or the protocol.
  • version the current major version of the signing domain. Signatures from different versions are not compatible.
  • chainId: the EIP-155 chain id. The user-agent should refuse signing if it does not match the currently active chain.
  • verifyingContract: the address of the contract that will verify the signature. The user-agent may do contract-specific phishing prevention.
  • salt: a disambiguating salt

Issue

Wallets fail to comply with the following statement when signing EIP-712 structures:

The user-agent should refuse signing if it does not match the currently active chain.

Additionally, most wallets do not alert users when signing an EIP-712 object for a different chainId than the one selected.

Attack Vector

A malicious DApp can trick users into signing EIP-712 objects for an EVM chain different from the one they intend to interact with.

Impact and Attack Scenarios

By obtaining signatures for arbitrary chains, attackers can gain authorization to a given protocol on a network of their choice. The actual impact depends on its application and could lead to financial loss.

EIP-712 is used to sign objects off-chain, which can later be executed and validated on-chain to provide an allowance on a given protocol. Therefore, a malicious DApp or phishing campaign could leverage the previously described implementation weakness to gain allowance to a certain protocol on an arbitrary chain. The attack would consist in tricking victims into signing an EIP-712 typed data object containing the chainId of the attacker’s choice in the EIP712Domain struct. Once the attacker obtains a signed permit/approval for the desired chain, they could use it, for instance, to remove liquidity or perform unauthorized token transfers.

Test the chainId validation issue on extensions

Coinspect adapted the Metamask Test DApp to provide the essential features necessary to test the present issue on browser extension wallets. The repository and setup instructions for the modified test DApp can be found at https://github.com/coinspect/test-dapp-eip-712.

Test the chainId validation issue on mobile apps

Coinspect has forked WalletConnect Example DApp and modified it to provide extra signature verification details. The repository along with the instructions to setup the forked test DApp are located at: https://github.com/coinspect/walletconnect-dapp-eip712-test.