Signature generalisation

[recmo]

Description

• Make signatures opaque bytes with a one-byte flag
• Implement different signature types:
  • Current eth_sign
  • EIP712
  • msg.sender
  • External contract
• Make message hash compatible with EIP712
• Adjust internal and external interfaces for this change

Motivation and Context

This tries to implement on:

• ZEIP-1: Off-chain order generation by smart contracts
• ZEIP-7: On-chain order generation by smart contracts

It does not try to implement, but is related to:

• ZEIP-3: Cross-relayer orders
• ZEIP-9: Allow generation of multiple orders with a single signature
• ZEIP-10: multihash/multiformat message format.

How Has This Been Tested?

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• Change requires a change to the documentation.
• Added tests to cover my changes.

[coveralls]

Coverage remained the same at 90.238% when pulling 8ef7087 on feature/contracts/module-refactors into 732a46a on v2-prototype.

[abandeali1]

Shouldn't this be 66?

[abandeali1]

Remove _v1 from the filename.

[abandeali1]

• The taker signature should be optional (so if takerSignature.length is 0, assume taker is msg.sender).
• We also need to update a mapping to prevent replay attacks.
• I personally prefer the more generalized approaches described in the ZEIP 18 comments. Maybe since we're pretty undecided on the best approach for this, we just make this a separate function for now?

[abandeali1]

Change named return to isValid.

[abandeali1]

If we have a different message format or add a salt, we can probably remove the separator.

[abandeali1]

why not rename this isValidSignature for consistency?

[fabioberger]

Nit: can we rename stype to sigType? Camel-case and less ambiguous.

[fabioberger]

@recmo our convention is the thumbs up a comment once it's been addressed.

[fabioberger]

Why is this case necessary?

[recmo]

It's not necessary, but it seemed a good idea from a defense programing perspective. Default values are usually zero. Let's not make them accidentally be some sort of signature.

[abandeali1]

+1

[fabioberger]

Typo: Implicitly

[fabioberger]

Super cool that V2 will keep backward compatibility support for EC sigs 🥇

[fabioberger]

Awkward new line. Can we remove?

[fabioberger]

Is this meant to be commented out still?

[recmo]

It's commented for performance reasons. This check is more costly than the actual function. That should not concert us at the moment though, and it would be better to have more checks while we keep breaking stuff.

[abandeali1]

Can you give an example of how this would be used? It seems like msg.sender will always be order.maker in this case, which seems a bit strange to me.

[abandeali1]

+1

[abandeali1]

It seems a bit strange to me that we are always including the orderSchemaHash, even when we aren't using an EIP712 signature. What's the logic for this?

[recmo]

The reasoning is that EIP712 is not a standard for signing a hash, but a standard for generating a hash from structured data. Since none of the other signing methods have requirements on the hashing algorithm, we may as well use EIP712 everywhere.

In fact, we should probably use an EIP712 hash for order.orderHash.

[abandeali1]

Can you provide an example of how this is used? It seems to me that in the current contracts, msg.sender will always be order.maker.

[recmo]

The current PR excludes taker abstraction, so for a successful fillOrder, we always have msg.sender == order.taker. When taker abstract is added, this will no longer hold true, and this signature type can be used by either maker or taker if they call fillOrder.

In the current PR the cancelOrder function also takes a signature. If maker calls cancelOrder herself she can set the signature to SignatureType.Caller.

[abandeali1]

When would someone pass in an intentionally invalid signature? Why not just revert if the signature is malformed?

[recmo]

I want to reserve 0x00 as an invalid value, because it is the default value and might show up accidentally.

You are right, it should revert() instead of throwing, to be consistent with other invalid values.

Would there be value in adding a signature schema that rejects (returns false) always? It's pretty much free to add, does hurt and might be useful somehow?

[abandeali1]

The length of the inputs here are no longer guaranteed to be 484 bytes.

[recmo]

What's the significance of 484? I updated fillOrderNoThrow to take arbitrary lengths.

[abandeali1]

Sorry, it wouldn't let me comment on the correct line for some reason. The delegatecall takes the input length, and we're still passing in 484.

[abandeali1]

Remove this function, we renamed to marketFillOrders.

[abandeali1]

Ignore my previous comment, looks like you accidentally renamed batchFillOrdersNoThrow to fillOrdersUpTo.

[abandeali1]

I don't really have a preference for digest over hash, but this arg is still named hash in ISigner.

[recmo]

This signature does not include a nonce, so cancelOrders with this signature mechanism are prone to replays.

[abandeali1]

In the current implementation we don't even need a signature here since msg.sender is required to be the maker.

[abandeali1]

Let's add an explicit return here.

[abandeali1]

Let's change all of these returns to return isValid for clarity.

[LogvinovLeon]

Do we have any data on how expensive is the signature validation? Two state reads also consume some gas.

[abandeali1]

An ecrecover is at least 3000 gas (and your gas profiler actually showed it being one of the most expensive parts of the function). An sload is only 200 I believe.

[recmo]

Good question! ecrecover is 3000 gas + 36 for the hash + couple hundred overhead. State read is 200 gas. Let's ignore (partially) canceled orders for now and look at two scenarios:

1. Unfilled order: Read both filled and cancelled, then verify signature ~ 4000 gas.
2. Partially filled order: Read filled, short circuit, skip verify ~ 200 gas.

So depending on the ratio partial filled / new orders the expect gas cost is 4000 x + 200 (1-x) =
3800 x + 200.

Status quo is a fixed cost of about 3500. Setting these equal and solving for x gives 87%.

So if less than 87% of the fill orders are new orders, this method saves gas.

@tomhschmidt : Do we have empirical data on this?

But!

We need to optimize for the case where the order is valid. In this case, we would need to read both state variables anyway to process the order, so reading it earlier should not add gas cost. Making the optimization essentially free.

At the moment we don't optimize for this, and we read the same state again in getUnavailableTakerTokenAmount on line 124(244) and again on line 138. This is of course
redundant, as the state can not change in between.

I added a comment to remind us to optimize this.

[LogvinovLeon]

All those ifs add to understanding but increase the gas consumption. Will we comment them out in a production version?

[recmo]

I was not planning on that, and we need some way to distinguish the cases. What do you suggest instead?

A simple trick is to sort the branches by popularity.

[LogvinovLeon]

isValidSignature seems too generic. Can we change to isValid0xOrderSignature or smth longer?

[abandeali1]

I think it's intended to be generic though. I could see people using the same function for other purposes as well?

[recmo]

As it is, it is pretty generic. Right now we only use it for maker signature, we will also use it for taker signature and maybe controller signature, etc. These would then sign different objects, not Orders's but FillOrder's and possibly other structures.

[LogvinovLeon]

If this is not a WIP any more we need more comments. Much more comments.
I'm unable to read that. Let's reference to some solidity documentation or other sources that can help people understand that. (Talking about the whole function. Let's also have it as a rule to have a very good and verbose explanation before every assembly trick. How much does it save, why is it absolutely neccessary? not against assembly in general, but I want other people to be able to understand that even if they're not so experienced.

[LogvinovLeon]

Feel free to ignore it for now. It's still a prototype.

[recmo]

Yeah, I'm not happy with the complexity of this assembly at all. It's not even tested and probably contains bugs. It does show that there is a solution though. We can reimplement it using byte[] input so we can construct the input arguments in Solidity instead of assembly.

[recmo]

Added a // TODO

[recmo]

TODO

• Tezor signatures

[abandeali1]

I kind of like adding more explicit support for 0xProject/ZEIPs#7, since this requires one less external call than SignatureType.Contract. Thoughts on adding SignatureType.Approved?

Also, it occurs to me that we should probably be returning the address of the signer rather than a bool in all cases. With taker abstraction, we don't always know the address of the taker in advance (and therefore can't pass in signer).

[recmo]

I kind of like adding more explicit support for 0xProject/ZEIPs#7, since this requires one less external call than SignatureType.Contract. Thoughts on adding SignatureType.Approved?

How about this:

contract MixinSignatureValidator {

    enum SignatureType {
        // ....
        Presigned
   }

    mapping ((hash, signer) => bool) presigned;

    function preSign(bytes32 hash, address signer, bytes signature) {
         require(signature.type != Presigned); // Not really necessary
         if(isValidSignature(hash, signer, signature)) {
              presigned[hash, signer] = true;
         }
    }

    function isValidSignature(bytes32 hash, address signer, bytes signature) {
         // ...
         if(signature.type == Presign && presigned[hash, signer])
              return true;
    }

  // ...
}

In the EIP-7 scenario the maker would call

preSign(orderHash, this, SignatureType.Caller);

and the taker would call

fillOrder(/* ... */, SignatureType.Presign);

If the goal is to create an on-chain order book, you can add a wrapper function that includes order details:

function preSignOrder(Order order) {
   preSign(orderHash(order), msg.sender, SignatureType.Caller);
   LogOnchainOrder(order);
}

[recmo]

Also, it occurs to me that we should probably be returning the address of the signer rather than a bool in all cases. With taker abstraction, we don't always know the address of the taker in advance (and therefore can't pass in signer).

Hmm... So far my solution was to add address taker, bytes takerSignature to the fillOrder arguments. In the case of SignatureType.Caller this is redundant. In the case of SignatureType.Ecrecover it is a bit more complex, as an invalid signature would always be accepted, but result in a random address (which will likely not have tokens and thus ultimately fail the TX, but I prefer if it fails at signature verification stage already). In the case of SignatureType.Contract and the above proposed SignatureType.Presign we absolutely need a provided address, but this could be provided in the bytes signature.

I'm not sure which is more elegant. Can we revisit this discussion when we PR the taker abstraction?

[abandeali1]

Re presigning an order, why not just use a mapping of orderHash => signer?

I also don't think that presigning should actually require a signature (we can simply calculate the orderHash and use that, since maker is part of the hash).

[recmo]

Re presigning an order, why not just use a mapping of orderHash => signer?

I try to keep isValidSignature agnostic to its use case. Currently it supports multiple signers for the same message. This mapping would break that assumption by allowing only one signer per orderHash. Now that I think of it, that may also cause a race condition if we receive two preSigns for the same message hash with different signers.

I also don't think that presigning should actually require a signature (we can simply calculate the orderHash and use that, since maker is part of the hash).

This would make it specific to the maker signatures, it would not work for taker signatures and potential other kind of signature uses.

---

I'll open a separate PR for this feature, as it is quite a significant extension.

[recmo]

Looks like this is even more complex: http://solidity.readthedocs.io/en/develop/abi-spec.html#use-of-dynamic-types

[fabioberger]

We are really trying to push the community towards ethereum/EIPs#712

[fabioberger]

later -> latter