EIP-712: Another leap toward widespread adoption of blockchain and decentralized applications (part 1)
With this article, learn the key concepts of Ethereum message signing and why you should not be using the traditional eth_sign signing method.
The Ethereum blockchain network is always improving. In keeping with its decentralized and open-source nature, anyone can recommend new functionalities or new features that they think will make Ethereum better. Formal suggestions are made in the form of Ethereum Improvement Proposals (EIPs). If enough support is there, these proposals are put into action via a network upgrade, and blockchain developers can reflect these changes in their dApps and applications that interact with dApps.
One major improvement is that of EIP-712, which seeks to improve the transaction process. Before going in-depth, we first have to cover Ethereum messages, signatures, and cryptography. Then, to give you a better idea of what I’m talking about, I’ve developed a demo of a simple dApp. With this demo, we’ll go over the old way of completing transactions and compare that with how much better transactions are with the EIP-712 standard.
Messages and signatures
Signatures play a key role in the Ethereum blockchain. In fact, every transaction on the Ethereum blockchain involves cryptographic signatures. Similar to real-life ink signatures, blockchain signatures are used to signify approval of a transaction as well as to prove the person signing is who they say they are.
But what a user signs is not a check or a physical contract. It’s a message. A message is simply metadata that conveys what is being authorized for the transaction. Signing a message doesn’t necessarily create a transaction on the blockchain, however.
While the metadata within the message could instruct Ether (the main cryptocurrency of the Ethereum blockchain) to be sent from one account to another in exchange for a digital asset, there are other uses. The message could be for interacting with a dApp. It could even be for off-chain transactions to avoid paying gas fees.
A user is able to sign a message with just a couple of clicks, and the technology behind blockchain is able to look at that signature and determine whether it comes from the owner of the funds being exchanged.
The authentication process is enabled by a two-key system. This system allows users to send and receive crypto and other digital assets without the need for third-party verification.
The first kind of key is a private key. A private key is, well, private. It’s a long string of characters that enables you to prove you’re the owner of your funds.
So how do you prove ownership of your funds without showing the other party your private key?
You sign using your private key, which is paired with your public key. A public key is a form of address that anyone can send funds to, like a bank account number. To access those funds, however, you need the accompanying private key.
When you sign a message, your private key is not exposed. Through blockchain cryptography, the signature can be verified as being created using the signer’s private key, but the private key is kept hidden.
Ethereum message signing through a demo
Now that we’ve gone over some key concepts of message signing and cryptography, I want to show you the ins and outs of signing an Ethereum message by using a demo. The purpose of the demo dApp is to prepare a token transfer transaction that can be executed by a relayer so that I incur no gas fees.
Signing an Ethereum transaction the traditional way
First, let’s look at an example of signing an Ethereum transaction using the traditional eth_sign approach.
As shown in the screenshot below, I want to send 100 tokens to someone
Three values will be passed on to a relayer once I sign the message:
From Address: My wallet address
To Address: The wallet address of the receiver of my tokens
Value: The number of tokens I want to send
Gas: A standard transfer transaction takes 21,000 units gas (Note: this is not the fee)
Nonce: This is the number of transactions sent from the wallet.
I must sign the message to send the tokens, so I click on Sign Message (eth_sign).
To sign the message, we’re using MetaMask, which is both a digital wallet for cryptocurrency and a vehicle for connecting to blockchain-based applications.
Once I click Sign Message, it brings forth the MetaMask app with my wallet information. The five values we saw before are taken and converted into a 256-character hash function, as shown below.
The disadvantage of this method is that I have no way of knowing if this is the correct message. I have no way of knowing what data I’m signing. Yes, I can see the metadata before clicking Sign Message (eth_sign), but there’s no clear confirmation that the values I’m signing with my MetaMask wallet are the same as what was shown to me before clicking on Sign Message (eth_sign).
It’s even possible that I’ve inadvertently landed on a malicious phishing dApp and that 0x390c1ccbaaa98aaae4500e6972f541789344f86693c816d14146c84531d336f means “Please empty my entire digital wallet and give my hard-earned crypto to this address. Please.” Because of the possible dangers associated with the traditional way of signing, MetaMask even displays a warning: “Signing this message can be dangerous. This signature could potentially perform any operation on your account’s behalf.”
On top of all this, the eth_sign method can provide a “blank check” to the receiver. Once they have my signature, they can sign any message they want and therefore conduct transactions on my behalf.
Think of it this way. Say, for example, you sign multiple documents a day, so you invest in a signature stamp to speed up the process. You then mail out these signed documents. Would you feel comfortable including that signature stamp in with the check you signed? The contract you signed?
Of course not!
In part two of the series, we will explain how the new EIP standard solves these problems and how you can incorporate it into your blockchain-based applications.
Read EIP-712: Another leap toward widespread adoption of blockchain and decentralized applications (part 2 ).
What Relevantz Can Do for You
With our vast knowledge and experience in blockchain and creating blockchain applications, such as DeFi applications for financial services organizations, Relevantz can help you explore decentralized app use cases and help build apps that will delight your traditional customers and crypto customers alike.
Want to serve your customers through blockchain-based applications?