| CHIP Number | 0037 |
|---|---|
| Title | EIP-712 Wallet Puzzle |
| Description | Define a standard puzzle for EIP-712-based Chia wallets and an auxiliary puzzle that allows many coins to be spent with only one signature. |
| Author | Yak, Rigidity |
| Editor | Dan Perry |
| Comments-URI | CHIPs repo, PR #131 |
| Status | Final |
| Category | Informational |
| Sub-Category | Chialisp Puzzle |
| Created | 2024-11-13 |
| Requires | CHIP-0036 |
| Replaces | - |
| Superseded-By | - |
This CHIP proposes two new Chialisp puzzles. The first enables EIP-712 wallets by allowing coins to be spent based on signatures for EIP-712 messages, acting in a similar manner to the standard puzzle. The signed message contains the network's genesis challenge, id of the coin to be spent, as well as a delegated puzzle hash. The second puzzle can be used to control many coins using messages from a specific puzzle, thus enabling normal (non-vault) wallets to only request one EIP-712 signature per spend.
As outlined in this introductory post, hardware wallet support has been one of Chia community's predominant asks. However, making a Ledger app is a complex process that is not guaranteed to yield the desired result. By using an EIP-712 message-controlled puzzle, we can enable hardware wallet support in a much easier fashion.
This CHIP also offers a potential solution to the issue of signing UX. Notably, signatures of puzzles modelled after the standard one are coin-specific, meaning wallets need to handle one signing request for every coin that is included in a transaction. This is notable for EIP-712 requests sent to a hardware wallet - where users have to confirm each message via multiple clicks - and passkeys - where users may need to present their authentication method (e.g., fingerprint) multiple times. By adopting the new puzzles, wallets can securely adopt a model where only one signature is needed to spend a 'controller coin', which then controls the coins with actual funds.
This CHIP proposes new puzzles that expand (rather than replace) wallet functionalities. Moreover, the new keccak256 operator is used inside a softfork operator, ensuring backwards compatibility.
Simplicity and interoperability were our main aims. The first puzzle operates on the 'delegated puzzle hash' principle of the standard puzzle, where users delegate the generation of conditions to a delegated puzzle. The coin id and network genesis challenge are also included in signed messages in order to mimick the functionality of an AGG_SIG_ME condition.
EIP-712 specifies that all messages have a domain and structured data. The standard EIP712Domain of the messages intended for this CHIP's puzzle will have the following fields:
name: Set to"Chia Coin Spend".version: Set to"1".salt: The 32-byte genessis challenge of the Chia network the message is being signed for.
According to the specification above, messages signed for mainnet will have the following domain:
{
"name": "Chia Coin Spend",
"version": "1",
"salt": "0xccd5bb71183532bff220ba46c268991a3ff07eb358e8255a65c30a2dce0e5fbb"
}The body of the message will have a singlet type, ChiaCoinSpend. The types field will be described as follows for all messages:
{
"ChiaCoinSpend": [
{"name": "coin_id", "type": "bytes32"},
{"name": "delegated_puzzle_hash", "type": "bytes32"}
]
}The full chialisp code of the first proposed puzzle, p2_eip712_message, can be found here. The chialisp code for the second puzzle, p2_controller_puzzle, can be found here.
These puzzles were integrated into chia-wallet-sdk in EIP-712 Stuff. Tests ensure that:
- the correct type hash and domain separator are generated by the code
- the cost of the code inside the
softforkguard is exactly 2605 - the spend of a coin locked a
p2_eip712_messagepuzzle only succeeds when the proper message hash is signed
Aditionally, the CLI and UI in the hermes PoC repository have been used to test message signing with Ledger Nano X, Trezor Model T, and Tangem cards. The signatures have been used to spend coins on a simulator network that supports the keccak256 operator.
chia-wallet-sdk contains the reference implementation for this puzzles, which was added in EIP-712 Stuff.
Wallets and libraries are responsible for securing spends via the appropriate messages and delegated puzzles. We've confirmed that the keccak256 calls within the softfork 1 guard will continue working at any point after the soft fork height. The puzzles have also been reviewed by a third party.
Chialisp source for puzzles:
CLVM bytecode (hex) for puzzles:
Chialisp libraries used by puzzles:
Copyright and related rights waived via CC0.