Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ERC-1271 Signature Replay Vulnerability - 1381

Howy Ho, Posted 1 Year Ago
  • Cryptographic signatures are very useful in Ethereum Solidity smart contracts for proving that a user approves an action. It would be nice for smart contracts to be able to do this too, but a contract has no key. So, what to do?
  • ERC-1271 is a specification for calling smart contracts that require signatures. Instead of an actual signature, it calls a function that verifies the action being performed.
  • Most SCAs (smart contract accounts) implement ERC-1271 using methods similar to those used for EOAs. When an SCA processed information from a smart contract that was checking a signature for that SCA, the information did NOT include the origin contract. This meant that signatures were not specific enough!
  • Why is this bad? If the same address owns multiple SCAs, then there is no discriminator between the two SCAs! So, a replay attack could be used from one SCA to another.
  • Several implementations, including Alchemy's LightAccount, were vulnerable to this issue. When signing data, it's important to be as specific as possible and verify everything possible to prevent these types of issues. Good find!
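
The missing discriminator described above, next to one way of adding it, as an added example (not code from the original write-up or from any project named on this page). The contract names, the digest layout in `boundDigest` and the `0xffffffff` failure value are assumptions made for illustration; `0x1626ba7e` is the ERC-1271 magic value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. All contract and function names here are hypothetical.
abstract contract OwnedAccount {
    bytes4 internal constant MAGIC = 0x1626ba7e;   // ERC-1271 "valid" return value
    bytes4 internal constant INVALID = 0xffffffff; // assumed failure value
    address public immutable owner;                // EOA that controls this account

    constructor(address owner_) {
        require(owner_ != address(0), "owner required");
        owner = owner_;
    }

    // Recover the signer of `digest` from a 65-byte (r, s, v) signature.
    function _signer(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        return ecrecover(digest, v, r, s); // address(0) on failure, never equal to owner
    }
}

contract ReplayableAccount is OwnedAccount {
    constructor(address o) OwnedAccount(o) {}

    // Vulnerable pattern: the owner signs `hash` itself. Nothing in the signed
    // data names this account, so every account with the same owner accepts
    // the same (hash, sig) pair.
    function isValidSignature(bytes32 hash, bytes calldata sig) external view returns (bytes4) {
        return _signer(hash, sig) == owner ? MAGIC : INVALID;
    }
}

contract BoundAccount is OwnedAccount {
    constructor(address o) OwnedAccount(o) {}

    // Hardened pattern: the owner signs a digest that commits to the chain and
    // to this account's address, so it fails on any sibling account.
    function boundDigest(bytes32 hash) public view returns (bytes32) {
        return keccak256(abi.encode(block.chainid, address(this), hash));
    }

    function isValidSignature(bytes32 hash, bytes calldata sig) external view returns (bytes4) {
        return _signer(boundDigest(hash), sig) == owner ? MAGIC : INVALID;
    }
}
```

With `BoundAccount`, the owner's wallet has to sign `boundDigest(hash)` for the specific account, which is the "be as specific as possible" advice applied to the signed data.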