Util: Allow v to be 0 or 1 for EIP1559 transactions

[ernestognw]

Fixes #1904

[holgerd77]

Ah, just seeing that you already opened a PR on this.

So for context (sorry, this is likely not obvious, we likely want to better document): we are doing work on the current version of the packages towards master, on develop we are long-term-preparing the next round of breaking releases.

Let's anyhow continue here with discussing the things I raised in the issue, this would be the first step here.

[codecov]

Codecov Report

Merging #1905 (5f6bcc4) into master (2f42dcf) will increase coverage by 0.55%.
The diff coverage is 100.00%.

Flag	Coverage Δ
block	85.57% <ø> (ø)
blockchain	83.82% <ø> (ø)
client	76.95% <ø> (ø)
common	94.19% <ø> (ø)
devp2p	82.62% <ø> (+0.26%)	⬆️
ethash	90.76% <ø> (ø)
trie	80.02% <ø> (ø)
tx	88.28% <100.00%> (+0.05%)	⬆️
util	92.63% <100.00%> (?)
vm	81.02% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[ernestognw]

Ah, just seeing that you already opened a PR on this.

So for context (sorry, this is likely not obvious, we likely want to better document): we are doing work on the current version of the packages towards master, on develop we are long-term-preparing the next round of breaking releases.

Let's anyhow continue here with discussing the things I raised in the issue, this would be the first step here.

Thanks for context, I changed the target branch to master and rebased accordingly. I replied about the details on the issue, just right here

[holgerd77]

LGTM, reasoning and justification see separate comment, will merge.

[holgerd77]

Ok, this is the central line of this PR (this is just an additional transparency explanation for everyone to follow including the team). So this allows v to directly pass through if 0 or 1. The chainId parameter is ignored in this case.

The function here is not exported. Effects are indirect, to all methods below this comment where additional NOTE: line comments are added. I've checked all the methods and do not see security or other implications or side effects.

Namely:

• ecrecover: This will then allow with this update to directly pass in an EIP-1559 (or any other typed) tx with v being 0 or 1 and will recover the correct PK in these cases as well. No side effects on other (legacy) txs.
• toRpcSig: Now allows EIP-1559 txs to be converted in eth_sign format, no side effects
• toCompactSig: Now allows EIP-1559 txs to be converted in eth_sign format, no side effects (was first a bit unsure about the 0 case but this is included as well respectively not affected)
• isValidSignature: Now allows EIP-1559 txs to be converted in eth_sign format, no side effects

So I would give this a go and merge this and would include in the very imminent last round of master releases before we merge in develop.

We can then continue on develop with do some further signature code cleanup - with some inspiration from the breaking-release-TODOs - in favor of a complete direct removal.

[jochem-brouwer]

Hmm I think I just realized a cleaner method of fixing the precompiles than doing this guard in the precompiles. What if we throw here if v = 0 or v = 1 and a chainId is provided? If you would now pass in a chainId and v = 1 or v = 0 then ecrecover will not throw, while it would throw before (since this signature recovery method returns a negative value in that case).

EDIT nvm this will not fix the precompiles. (But it might be cleaner to throw here if chainId is provided and v is 0 or 1?)

[holgerd77]

Oh, respectively tests are failing, then we have to figure out before. This is likely related to the merge of #1900, @jochem-brouwer do you have an idea what happens? 🤔

[jochem-brouwer]

Hi @holgerd77, I don't think it is related to #1900 since ecrecover tests are failing. I'll take a look now 😄

[holgerd77]

Hi @holgerd77, I don't think it is related to #1900 since ecrecover tests are failing. I'll take a look now 😄

Ah, interesting, I thought tests would have been passed before here, but also not 100% sure.

[jochem-brouwer]

There are errors in blockchain tests;

Errors thrown in file: GeneralStateTests/stPreCompiledContracts2/CALLCODEEcrecover1.json test: CALLCODEEcrecover1_d0g0v0_London:
	Error: invalid receiptTrie (vm hf=london -> block number=1 hash=0x7d96d00345e783092e7b862aaab79d0b08b041d0d91ce8720546c1214895bc91 hf=london baseFeePerGas=10 txs=1 uncles=0)
	correct last header block
Errors thrown in file: GeneralStateTests/stPreCompiledContracts2/CallEcrecover1.json test: CallEcrecover1_d0g0v0_London:
	Error: invalid receiptTrie (vm hf=london -> block number=1 hash=0xf94a90c5e3158e156ad8218bc49e8a59cb17be564648808466302e01040abe49 hf=london baseFeePerGas=10 txs=1 uncles=0)
	correct last header block
Errors thrown in file: GeneralStateTests/stStaticCall/static_CallEcrecover1.json test: static_CallEcrecover1_d0g0v0_London:
	Error: invalid receiptTrie (vm hf=london -> block number=1 hash=0x92f8983a4d37035279956e921f45a17e8b28146591e1dbf031cfffba11a23c2f hf=london baseFeePerGas=10 txs=1 uncles=0)
	correct last header block

These all have to do with the ecrecover precompile. (This is also the reason why vm-api CI fails)

Take a look at where ecrecover is called:

ethereumjs-monorepo/packages/vm/src/evm/precompiles/01-ecrecover.ts

Line 24 in 2f42dcf

publicKey = ecrecover(msgHash, new BN(v), r, s)

The input to these tests have v = 1. The precompile calls into util ecrecover. This calls into calculateSigRecovery (which is edited in this PR):

ethereumjs-monorepo/packages/util/src/signature.ts

Line 73 in 2f42dcf

const recovery = calculateSigRecovery(v, chainId)

In this PR, calculateSigRecovery immediately returns v = 1. However, without this PR, and with chainId as argument set as undefined (as is the case in the precompile!) it returns v - 27. This yields a negative number if v=1 and is thus invalid, the precompile throws. However, in this PR, because v = 1 it immediately returns 1, which is a valid value, and thus the call succeeds (and does not throw).

I don't see a clean way how to fix this, it would need an extra argument to ecrecover in util to signal that we are using a precompile and we thus force v = v - 27. (I did not check but I think that the call to ethereum-cryptography expects v of either 0 or 1, EDIT: yes, it does; https://github.com/paulmillr/noble-secp256k1/blob/9e1353def2be5ee7a0a87b515a66382acb547716/index.ts#L458).

[jochem-brouwer]

Actually, we could also do these v checks in the precompile? Would that work? I'm a bit hesitant to merge this PR because this has to do with signatures and could have big (security) implications..?

[jochem-brouwer]

Tx tests will fail, we should figure out why this v.eqn(0) check is in the _validateTxV method.

[holgerd77]

I am on it.

[holgerd77]

I wouldn't tie this to "after the _validateTxV() analysis" but rather do before respectively directly in the method, think this will get more robust (less ocassion for the analysis to go wrong).

Will try this and update the tests.

[holgerd77]

@jochem-brouwer ok, I would have a tendency to give this a go, but I would wait for your final confirmation.

[jochem-brouwer]

One question, otherwise LGTM.

[jochem-brouwer]

For these tests we should review if there was any reason why we used this toJSON logic for already-signed txs.

[jochem-brouwer]

Hmm I think I just realized a cleaner method of fixing the precompiles than doing this guard in the precompiles. What if we throw here if v = 0 or v = 1 and a chainId is provided? If you would now pass in a chainId and v = 1 or v = 0 then ecrecover will not throw, while it would throw before (since this signature recovery method returns a negative value in that case).

EDIT nvm this will not fix the precompiles. (But it might be cleaner to throw here if chainId is provided and v is 0 or 1?)

[jochem-brouwer]

If v = 36 then we get a chainId = 0, right? Why is this not ok?

In case of v = 35, then v - 35 (thus 0, which is odd) means we subtract 36, so we end up with a negative chain id which is obviously wrong. But for 36 this logic seems to work..? Unless chain id 0 is special?

[holgerd77]

TBH I don't find any reference about chain ID 0 and I'm unsure if this theoretically a valid chain ID. I would rather assume for now that it is not, mainnet starts with 1 and all other chain IDs I came across were some arbitrary higher value. In doubt I would tend to leave "as is", if someone demands we could still add later on.

[jochem-brouwer]

Yup, I agree

[jochem-brouwer]

LGTM, thanks @ernestognw 😄

[ernestognw]

LGTM, thanks @ernestognw 😄

Thanks to you folks! Many things happened here that I would've not been able to address, I appreciate it.
Please let me know if I can add something from my side.

[ernestognw]

Are these becoming unreachable code?

[holgerd77]

LGTM