feat(anvil): handle signature impersonation for EIP-7702 authorization list (#12553)

* feat(anvil): handle signature impersonation for EIP-7702 authorization list

- added an it test with an auth signed w/ fake sig

Co-Authored-By: Shiyas Mohammed <[email protected]>

* early check

---------

Co-authored-by: Shiyas Mohammed <[email protected]>
Co-authored-by: Matthias Seitz <[email protected]>

Author: 3 people

crates/anvil/src/eth/backend/executor.rs

@@ -14,9 +14,14 @@ use crate::{
     mem::inspector::AnvilInspector,
 };
 use alloy_consensus::{
-    Header, Receipt, ReceiptWithBloom, constants::EMPTY_WITHDRAWALS, proofs::calculate_receipt_root,
+    Header, Receipt, ReceiptWithBloom, constants::EMPTY_WITHDRAWALS,
+    proofs::calculate_receipt_root, transaction::Either,
+};
+use alloy_eips::{
+    eip7685::EMPTY_REQUESTS_HASH,
+    eip7702::{RecoveredAuthority, RecoveredAuthorization},
+    eip7840::BlobParams,
 };
-use alloy_eips::{eip7685::EMPTY_REQUESTS_HASH, eip7840::BlobParams};
 use alloy_evm::{
     EthEvm, Evm, FromRecoveredTx,
     eth::EthEvmContext,
@@ -276,6 +281,35 @@ impl<DB: Db + ?Sized, V: TransactionValidator> TransactionExecutor<'_, DB, V> {
         let mut tx_env: OpTransaction<TxEnv> =
             FromRecoveredTx::from_recovered_tx(&tx.transaction.transaction, *tx.sender());
 
+        if let TypedTransaction::EIP7702(tx_7702) = &tx.transaction.transaction
+            && self.cheats.has_recover_overrides()
+        {
+            // Override invalid recovered authorizations with signature overrides from cheat manager
+            let cheated_auths = tx_7702
+                .tx()
+                .authorization_list
+                .iter()
+                .zip(tx_env.base.authorization_list)
+                .map(|(signed_auth, either_auth)| {
+                    either_auth.right_and_then(|recovered_auth| {
+                        if recovered_auth.authority().is_none()
+                            && let Ok(signature) = signed_auth.signature()
+                            && let Some(override_addr) =
+                                self.cheats.get_recover_override(&signature.as_bytes().into())
+                        {
+                            Either::Right(RecoveredAuthorization::new_unchecked(
+                                recovered_auth.into_parts().0,
+                                RecoveredAuthority::Valid(override_addr),
+                            ))
+                        } else {
+                            Either::Right(recovered_auth)
+                        }
+                    })
+                })
+                .collect();
+            tx_env.base.authorization_list = cheated_auths;
+        }
+
         if self.networks.is_optimism() {
             tx_env.enveloped_tx = Some(alloy_rlp::encode(&tx.transaction.transaction).into());
         }

crates/anvil/tests/it/eip7702.rs

@@ -6,7 +6,7 @@ use alloy_primitives::{U256, bytes};
 use alloy_provider::{PendingTransactionConfig, Provider};
 use alloy_rpc_types::{Authorization, TransactionRequest};
 use alloy_serde::WithOtherFields;
-use alloy_signer::SignerSync;
+use alloy_signer::{Signature, SignerSync};
 use anvil::{NodeConfig, spawn};
 
 #[tokio::test(flavor = "multi_thread")]
@@ -153,3 +153,73 @@ async fn can_send_eip7702_request() {
     assert_eq!(log.topics().len(), 0);
     assert_eq!(log.data().data, log_data);
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn eip7702_authorization_bypass() {
+    let node_config = NodeConfig::test().with_hardfork(Some(EthereumHardfork::Prague.into()));
+    let (api, handle) = spawn(node_config).await;
+    let provider = http_provider(&handle.http_endpoint());
+
+    let wallets = handle.dev_wallets().collect::<Vec<_>>();
+
+    // deploy simple contract forwarding calldata to LOG0
+    // PUSH7(CALLDATASIZE PUSH0 PUSH0 CALLDATACOPY CALLDATASIZE PUSH0 LOG0) PUSH0 MSTORE PUSH1(7)
+    // PUSH1(25) RETURN
+    let logger_bytecode = bytes!("66365f5f37365fa05f5260076019f3");
+
+    let eip1559_est = provider.estimate_eip1559_fees().await.unwrap();
+
+    let from = wallets[0].address();
+    let tx = TransactionRequest::default()
+        .with_from(from)
+        .into_create()
+        .with_nonce(0)
+        .with_max_fee_per_gas(eip1559_est.max_fee_per_gas)
+        .with_max_priority_fee_per_gas(eip1559_est.max_priority_fee_per_gas)
+        .with_input(logger_bytecode);
+
+    let receipt = provider
+        .send_transaction(WithOtherFields::new(tx))
+        .await
+        .unwrap()
+        .get_receipt()
+        .await
+        .unwrap();
+
+    assert!(receipt.status());
+
+    let contract = receipt.contract_address.unwrap();
+    let authorization = Authorization {
+        chain_id: U256::from(31337u64),
+        address: contract,
+        nonce: provider.get_transaction_count(from).await.unwrap(),
+    };
+    let fake_auth_sig = Signature::new(U256::ZERO, U256::ZERO, true);
+    api.anvil_impersonate_signature(fake_auth_sig.as_bytes().into(), from).await.unwrap();
+    let authorization = authorization.into_signed(fake_auth_sig);
+
+    let log_data = bytes!("11112222");
+    let mut tx = TxEip7702 {
+        max_fee_per_gas: eip1559_est.max_fee_per_gas,
+        max_priority_fee_per_gas: eip1559_est.max_priority_fee_per_gas,
+        gas_limit: 100000,
+        chain_id: 31337,
+        to: from,
+        input: bytes!("11112222"),
+        authorization_list: vec![authorization],
+        ..Default::default()
+    };
+    let signature = wallets[1].sign_transaction_sync(&mut tx).unwrap();
+
+    let tx = tx.into_signed(signature);
+    let mut encoded = Vec::new();
+    tx.eip2718_encode(&mut encoded);
+
+    let receipt =
+        provider.send_raw_transaction(&encoded).await.unwrap().get_receipt().await.unwrap();
+    let log = &receipt.inner.inner.logs()[0];
+    // assert that log was from EOA which signed authorization
+    assert_eq!(log.address(), from);
+    assert_eq!(log.topics().len(), 0);
+    assert_eq!(log.data().data, log_data);
+}