Problem Statement
Currently, EntrypointInterface.wrapExecutionPayload doesn't supply chainInfo, which makes it very hard to incorporate any authwit implementation that needs to commit to chainInfo (for cross-chain replay protection). Contrast that with EntrypointInterface.createTxExecutionRequest which does supply chainInfo, and the discrepancy feels unjustified.
In our custom account contract implementation, we had to fork the DeployAccountMethod to avoid AccountEntrypointMetaPaymentMethod which relies on EntrypointInterface.wrapExecutionPayload, just to work around this issue. This also seems to be the only code path depending on it currently, so changing the interface right now should be feasible with very limited blast radius.
Proposed Solution
Modify EntrypointInterface.wrapExecutionPayload as following:
export interface EntrypointInterface {
wrapExecutionPayload(exec: ExecutionPayload, chainInfo: ChainInfo, options?: any): Promise<ExecutionPayload>;
}and update DeployAccountMethod and AccountEntrypointMetaPaymentMethod to propagate chainInfo from Wallet.
Example Use Case
No response
Alternative Solutions
No response
Additional Context
Beyond the immediate ask of this issue, a deeper question is whether the current DefaultAccountEntrypoint.#buildEntrypointCallData should be adjusted to also commit the authwit to chainInfo. As it's the basis of many builtin account contract types, the blast radius is much larger.
IMO, the risk of cross-chain replay attack is low when the wallet plays dual role:
- Guardian of the secret material needed for tx authorization
- Tx executor, i.e. PXE host
That's because the wallet is already highly trusted in that case, and the authwits are ephemeral and never leave that security boundary. However, when the two roles are separated, e.g. with a hardware wallet, the trust on the tx executor is naturally lowered, thus the risk for replay attack is elevated.
Problem Statement
Currently,
EntrypointInterface.wrapExecutionPayloaddoesn't supplychainInfo, which makes it very hard to incorporate any authwit implementation that needs to commit tochainInfo(for cross-chain replay protection). Contrast that withEntrypointInterface.createTxExecutionRequestwhich does supplychainInfo, and the discrepancy feels unjustified.In our custom account contract implementation, we had to fork the
DeployAccountMethodto avoidAccountEntrypointMetaPaymentMethodwhich relies onEntrypointInterface.wrapExecutionPayload, just to work around this issue. This also seems to be the only code path depending on it currently, so changing the interface right now should be feasible with very limited blast radius.Proposed Solution
Modify
EntrypointInterface.wrapExecutionPayloadas following:and update
DeployAccountMethodandAccountEntrypointMetaPaymentMethodto propagatechainInfofromWallet.Example Use Case
No response
Alternative Solutions
No response
Additional Context
Beyond the immediate ask of this issue, a deeper question is whether the current
DefaultAccountEntrypoint.#buildEntrypointCallDatashould be adjusted to also commit the authwit tochainInfo. As it's the basis of many builtin account contract types, the blast radius is much larger.IMO, the risk of cross-chain replay attack is low when the wallet plays dual role:
That's because the wallet is already highly trusted in that case, and the authwits are ephemeral and never leave that security boundary. However, when the two roles are separated, e.g. with a hardware wallet, the trust on the tx executor is naturally lowered, thus the risk for replay attack is elevated.