Solidity ecrecover – How to Fix ecrecover Returning Wrong Address for Number-Only toSignString

ecrecoversignaturesolidityweb3js

//web3 code
      let hash = web3.utils.soliditySha3("String"); //if replace "String" with "0" "123" etc , ecrecover returns wrong address
      console.log("hash", web3.utils.soliditySha3("\x19Ethereum Signed Message:\n32", hash))
      let signature = await web3.eth.personal.sign(hash, currentAccount);
      console.log("signature", signature);
      let r = signature.slice(0, 66);
      let s = "0x" + signature.slice(66, 130);
      let v = web3.utils.hexToNumberString("0x" + signature.slice(130, 132));
      console.log("r", r);
      console.log("s", s);
      console.log("v", v);

//solidity code
function extractSigner(
        uint8 v,
        bytes32 r,
        bytes32 s
    ) internal view returns (address) {
        string memory n = toString(nonce); //nonce corresponding to "String" in web3 code above
        bytes32 hash = keccak256(
            abi.encodePacked(
                "\x19Ethereum Signed Message:\n32",
                keccak256(bytes(n))
            )
        );
        return ecrecover(hash, v, r, s);
    }

the whole process is, sign the string using web3js, and input the v,r,s in solidity. If the toSignString contains any letters, solidity returns the proper address. But if toSignString only consists of number, solidity returns a wrong address, why?

Best Answer

Your issue is here :

let hash = web3.utils.soliditySha3("String");

As per the documentation, a non numerical string will be interpreted as string while a numerical string input will be interpreted as uint256 but on the solidity side you are interpreting the bytes as string input. The abi encoding being different, you are not verifying the same data that was signed.

A quick fix if you want to ensure a string interpretation on the signer side :

let hash = web3.utils.soliditySha3({ type: "string", value: "YOUR-STRING-DATA" });

That way, whatever data is passed at soliditiSha3 will be interpreted as string, matching the verifier's logic and allowing you to recover the proper address.

Related Solutions

Ethereumjs-utils – Getting an Address Using ethereumjs-utils ecrecover

ecrecover returns public key, you need to convert it to address with pubToAddress.

pub     = ethJsUtil.ecrecover(msg, v, r, s);
addrBuf = ethJsUtil.pubToAddress(pub);
addr    = ethJsUtil.bufferToHex(addrBuf);

Also, you can use fromRpcSig to get v, r, s

sig = web3.eth.sign(myAccount,msg)
res = ethJsUtil.fromRpcSig(sig)
pub = ethJsUtil.ecrecover(msg, res.v, res.r, res.s);

Please note that web3.eth.sign adds prefix to the message before signing it (see JSON-RPC spec).

Here is how to add it manually:

const util = require('ethereumjs-util')

const msg = new Buffer('hello');
const sig = web3.eth.sign(web3.eth.accounts[0], '0x' + msg.toString('hex'));
const res = util.fromRpcSig(sig);

const prefix = new Buffer("\x19Ethereum Signed Message:\n");
const prefixedMsg = util.sha3(
  Buffer.concat([prefix, new Buffer(String(msg.length)), msg])
);

const pubKey  = util.ecrecover(prefixedMsg, res.v, res.r, res.s);
const addrBuf = util.pubToAddress(pubKey);
const addr    = util.bufferToHex(addrBuf);

console.log(web3.eth.accounts[0],  addr);

On the other hand, testrpc (at least version 3.0.5) does not add such prefix.

Example node.js + testrpc session:

const util = require('ethereumjs-util')

const msg = web3.sha3('hello!');
const sig = web3.eth.sign(web3.eth.accounts[0], msg);
const {v, r, s} = util.fromRpcSig(sig);

const pubKey  = util.ecrecover(util.toBuffer(msg), v, r, s);
const addrBuf = util.pubToAddress(pubKey);
const addr    = util.bufferToHex(addrBuf);

console.log(web3.eth.accounts[0], addr);

Solidity ecrecover vs Web3j Sign.signMessage() – Compatibility Explained

The problem was actually double hashing.

Looking at the Web3j's signMessage() method

Sign.SignatureData sig =Sign.signMessage(messageBytes, ecKeyPair);

and signedMessageToKey() method

String pubKey = Sign.signedMessageToKey(messageBytes, sig).toString(16);

These methods internally hash(sha3) the input messageBytes before signing and on verification. This works fine when both signature is generated and verified using Web3j itself. But this makes Web3j's signature different from what is obtained from geth's sign() method.

Here is a public gist with modified Web3j's Sign.java file that can be used avoid the double hashing problem: https://gist.github.com/xoriole/4c2a9630dba5a20ee28fb58edf193375

Best Answer

Related Solutions

Ethereumjs-utils – Getting an Address Using ethereumjs-utils ecrecover

Solidity ecrecover vs Web3j Sign.signMessage() – Compatibility Explained

Related Topic