Brave Wallet: Safer Signing for Sign-In With Ethereum and CoW Swap
This post describes work done by Principal Engineer Anthony Tseng and Staff Engineer Anirudha Bose. We also thank Anxo Rodriguez from the CoW Swap team for his code-review on our work done for CoW Swap.
Written by Anirudha Bose.
With our recent Brave browser release version 1.60, we are excited to introduce two powerful features for the Brave Wallet.
Sign-In With Ethereum (SIWE) gets a major overhaul, with first-class support for parsing ERC-4361 messages, and a brand new UX. We also extend our redesigned signing experience for Brave Swap to CoW Swap orders. Both these features enhance the security and UX of signing messages in Brave Wallet.
Sign-In With Ethereum
What is Sign-In With Ethereum?
Sign-In With Ethereum (or SIWE for short) replaces traditional login credentials with wallet-based sign-in functionality. Imagine a world where your wallet can help you login stamped with the indelible ink of an Ethereum wallet address of your choosing. This functionality shifts the role of authentication away from large centralized identity providers, into the hands of the individual.
The Sign-In With Ethereum protocol defines a method by which Ethereum accounts can sign in to external services by signing a standard message format as defined in ERC-4361. Thanks to this standard, you get the power of self-custodial identity while remaining portable across wallet implementations.
Brave Wallet always had basic support for SIWE. Since SIWE uses ERC-191 (Signed Data Standard), we’ve been able to display SIWE prompts as human-readable plaintext messages, but without any validation by the wallet.
In this latest update, we’re introducing a significant improvement to Sign-In With Ethereum support with our implementation of an ABNF parser for ERC-4361 conformant messages. This allows us to not only interpret SIWE messages and present them with a better look and feel, but also to improve the safety of signing into third-party apps and services. However, since there may still be cases where the SIWE message does not conform with these specifications, we fallback to legacy ERC-191 signing for maximum interoperability.
Once a SIWE message is successfully parsed, we verify the message for binding of domain, account, and chain ID fields, and display an appropriate error message if there’s a mismatch. This measure is designed to prevent phishing attacks, where a malicious actor may obtain a valid authorization to a legitimate third-party service. This is particularly important for SIWE, since the sign-in action is basically producing a signature for a message, which is susceptible to spoofing by a motivated attacker.
What is CoW Swap?
Coincidence of Wants (CoW) is a concept from the field of economics, particularly related to the barter system. It describes a situation where two parties each hold an item the other wants, so they agree to trade these items directly.
CoW Swap leverages this idea for trading on-chain assets. It is an interface built on top of the CoW Protocol—a fully permissionless trading protocol that leverages batch auctions as its price finding mechanism. CoW Protocol enables batch auctions to maximize liquidity via CoWs in addition to tapping all available on-chain liquidity whenever needed. Users express off-chain intents as signed EIP-712 typed messages through the CoW Swap interface. The CoW Protocol gathers these intents into a batch auction, to be settled by solvers that compete to find the most optimal CoW. The winning solver then executes all intents in a single on-chain transaction, maximizing trade surplus and saving on network fees.
A CoW settlement transaction
The dangers of off-chain messages
Signing off-chain messages, such as CoW orders, is unfortunately not the most friendly UX on any wallet. While off-chain messages significantly improve usability by providing a reliable way to exchange data through a gasless experience, such messages are largely opaque and unreadable to users. This is very similar to blind-signing of transaction calldata (which we have discussed in depth in a previous blog post). Because signing off-chain messages does not incur a gas fee, users are very likely to blindly approve a signing request without verifying the details. A maliciously crafted message is more than capable of draining assets from users’ wallets, without raising any suspicion because of its verbosity.
In December 2022, a scammer stole 14 BAYCs worth over 852 ETH ($1.07 million USD) at the time, through a sophisticated, month-long social engineering scam. The victim was tricked into signing a gasless Seaport message, which actually created a private bundle listing all of his BAYCs to the scammer for 0.00000001 ETH. Such attacks are becoming increasingly common due to the massive adoption of off-chain messages in NFT marketplaces, DEXs, etc.
Image courtesy of @serpent on X
EIP-712 to the rescue
EIP-712 proposed a standard for signing typed structured data as opposed to bytestrings. While typed messages are easier for machines to read, they are still not user-friendly enough for most people. For users to be able to confidently approve signing requests for CoW orders, they need to clearly see all the order details such as formatted amounts, token symbols, logos, etc.
We conceived the idea to solve this problem at DappCon 2023 in Berlin where we met CoW Swap’s engineering team. After brainstorming together, we came up with the solution to implement a message parser for CoW orders, to be able to extract the relevant parameters, and render them in a familiar way that’s easy to understand. The parser is tied to the type hash of the specific order struct used by CoW Swap, to prevent the parser from being used on non-CoW messages. We’ve also implemented calldata parsers for cases where the swap involves an on-chain transaction like, for example, when the user is swapping a native asset (such as ETH, or XDAI). Here’s what the final result looks like:
In the 1.60 release of the Brave browser, we have completely revamped the experience of Sign-In With Ethereum using Brave Wallet. We’ve added safety features and UX improvements that make the SIWE experience comparable to signing in on websites with traditional login credentials. You can try it out at https://login.xyz, which also has developer documentation for supporting SIWE on your websites.
We have extended similar improvements to the signing of CoW Swap orders, turning the unreadable off-chain messages into something that users can easily audit. You can try it out at https://swap.cow.fi on Ethereum and Gnosis Chain.
We intend to bring similar improvements to the signing experience in Brave Wallet, in order to protect users from inadvertently signing malicious messages and transactions. Stay tuned for major updates on these improvements coming soon to Brave Wallet.