[bug] Invalid signature when using smart accounts with SIWE #3260

Closed
kenjicncr opened this issue Nov 19, 2024 · 10 comments
Labels
bug Something isn't working needs review

Comments

@kenjicncr

Link to minimal reproducible example

https://github.com/reown-com/web-examples/tree/main/dapps/appkit-siwe

Summary

Description

When attempting to sign in with a smart account using Sign-In with Ethereum (SIWE), the signature verification is failing despite the signature being correctly formatted and coming from a valid smart account.

Since email sign-ups default to smart accounts, this makes them unusable for verification.

Current Behavior

  • Smart account signature verification fails with "Invalid signature" error
  • The signature is properly formatted and starts with 0x
  • Using @reown/appkit-siwe for verification

Expected Behavior

  • Smart account signatures should be properly verified
  • Authentication should succeed with valid smart account signatures

Reproduction Steps

  1. Set up Next.js app with @reown/appkit-siwe
  2. Configure NextAuth with SIWE
  3. Attempt to sign in with a smart account
  4. Observe signature verification failure

Example Signature


Environment

  • Next.js App Router
  • @reown/appkit-siwe: latest
  • next-auth: latest

Additional Context

The signature format indicates this is coming from a smart account rather than an EOA wallet. The verification process needs to handle smart account signatures differently from regular EOA signatures.

List of related npm package versions

@reown/appkit-siwe: latest
next-auth: latest

@kenjicncr kenjicncr added bug Something isn't working needs review labels Nov 19, 2024
@elix1er

elix1er commented Nov 19, 2024

got the same. drove me nuts. wait for appkit // siwe v1.5.0 release bump soon, fixes been FINALLY merged. 🚀

@elix1er

elix1er commented Nov 19, 2024

@magiziz ETA public release ?

@kenjicncr
Author

@elix1er thanks glad i'm not the only one.

for some reason, one click sign w/ solana stopped working as well. the modal just stopped showing anymore

@elix1er

elix1er commented Nov 27, 2024

pull the latest now. or @canary.

@rtomas
Contributor

rtomas commented Nov 29, 2024

can you please confirm whether this problem persists or not on the latest v1.5.3?

@elix1er

elix1er commented Dec 2, 2024

checking now -

@isefatuna

Can anyone find a solution? I cannot verify the signature format returned from Appkit with the same libraries that I used to verify personal_sign. I am trying to verify the signature on the server side.

@rtomas
Contributor

rtomas commented Dec 6, 2024

please check our new siwe examples and also the docs so you can fix it
https://github.com/reown-com/web-examples/
https://docs.reown.com/appkit/react/core/siwe

@rtomas rtomas closed this as completed Dec 6, 2024
@itxtoledo

same problem here, the signed message is too long:


@tomiir
Collaborator

tomiir commented Jan 8, 2025

Hi @itxtoledo @kenjicncr Smart Accounts may emit two different types of signatures depending on whether they are deployed or not. It seems our siwe package verification logic is missing the non-deployed case, which we will address.

Some references:
A smart contract signature if deployed: https://eips.ethereum.org/EIPS/eip-1271
A wrapped SA signature if not: https://eips.ethereum.org/EIPS/eip-6492

for now:
viem provides validation for these signatures via https://viem.sh/docs/actions/public/verifyMessage.html
and is a handy way to validate all sig types at once on evm. Let me know if this is something that would work for you!
Will try to add 6492 validation to our siwe package so it's readily available. @rtomas maybe we should put a warning in docs for now with this workaround

@elix1er SIW Solana should not have issues in the latest version, could you verify? 🙏
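As an added example that is not part of this thread or the appkit code base: the classifier and ERC-6492 wrapper parser below show the shapes tomiir describes and why a plain ecrecover-style check rejects the long signatures posted above. The function names, the placeholder factory address, calldata and the fake inner signature are all constructed for illustration; the actual on-chain check for both cases is what viem's verifyMessage performs.

```typescript
// Constructed example: classify an EVM signature before choosing a verifier.
// ERC-6492 appends this 32-byte magic suffix to signatures of undeployed accounts.
const EIP6492_MAGIC = "6492".repeat(16);

type SigKind = "eoa" | "eip6492" | "contract";

const strip = (hex: string): string => hex.replace(/^0x/, "").toLowerCase();
// right-pad hex data to a multiple of 32 bytes, as ABI encoding requires
const pad32 = (hex: string): string => hex.padEnd(Math.ceil(hex.length / 64) * 64, "0");
const word = (n: number): string => n.toString(16).padStart(64, "0");

// 65-byte r||s||v is the only shape ecrecover can handle; the magic suffix marks a
// counterfactual smart-account wrapper; anything else is a raw ERC-1271 signature.
function classifySignature(sig: string): SigKind {
  const h = strip(sig);
  if (h.length === 130) return "eoa";
  if (h.endsWith(EIP6492_MAGIC)) return "eip6492";
  return "contract";
}

interface Eip6492Parts { factory: string; factoryCalldata: string; innerSignature: string }
// Wrapper layout: abi.encode(address factory, bytes factoryCalldata, bytes innerSig) + magic.
// Parsing it recovers what a verifier must deploy (or simulate) before an ERC-1271 check.
function parseEip6492(sig: string): Eip6492Parts {
  const h = strip(sig);
  if (!h.endsWith(EIP6492_MAGIC)) throw new Error("not an ERC-6492 wrapped signature");
  const body = h.slice(0, -EIP6492_MAGIC.length);
  const readWord = (byteOff: number): number => parseInt(body.slice(byteOff * 2, byteOff * 2 + 64), 16);
  const readBytes = (byteOff: number): string =>
    "0x" + body.slice(byteOff * 2 + 64, byteOff * 2 + 64 + readWord(byteOff) * 2);
  return {
    factory: "0x" + body.slice(24, 64),        // address is right-aligned in word 0
    factoryCalldata: readBytes(readWord(32)),   // word 1: offset of factoryCalldata
    innerSignature: readBytes(readWord(64)),    // word 2: offset of innerSignature
  };
}

// Builds a wrapped signature the way an undeployed account's wallet would,
// so the parser can be exercised offline (hypothetical factory and calldata).
function wrapEip6492(factory: string, factoryCalldata: string, innerSignature: string): string {
  const cd = strip(factoryCalldata), inner = strip(innerSignature);
  const cdEnc = word(cd.length / 2) + pad32(cd);
  const innerOffset = 96 + cdEnc.length / 2;   // 3 head words, then the calldata block
  return "0x" + strip(factory).padStart(64, "0") + word(96) + word(innerOffset) +
    cdEnc + word(inner.length / 2) + pad32(inner) + EIP6492_MAGIC;
}

// Constructed sample: placeholder factory, calldata and a fake 65-byte inner signature.
const SAMPLE = wrapEip6492("0x" + "11".repeat(20), "0xdeadbeef", "0x" + "ab".repeat(64) + "1b");
```

Length 65 only says ecrecover is worth trying: a deployed ERC-1271 account can also return a 65-byte signature, so a server-side verifier should fall through to the contract (or 6492 deploy-and-check) path when recovery does not match the claimed address.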
