Description
Summary
The recover_signer function in TempoSignature has a critical design footgun where callers may incorrectly assume a recovered signer address from a keychain signature is fully authorized, when in reality additional validation against the keychain precompile is required.
Problem
When recover_signer is called on a TempoSignature::Keychain variant:
- It validates the inner signature cryptographically
- It returns the cached access key address from the KeychainSignature
- It does NOT verify that the access key is actually authorized in the keychain precompile
This creates a dangerous assumption gap - the function successfully returns an address, implying the signature is valid, but the caller must also separately verify the access key is authorized for the account.
Location
crates/primitives/src/transaction/tt_signature.rs - recover_signer function
Impact
Anyone using recover_signer without understanding this limitation could:
- Accept signatures from unauthorized access keys
- Allow critical operations (like EIP-7702 delegation) by spoofed keychain signatures
- Create security vulnerabilities where an attacker signs with their own key but claims to act on behalf of a victim's address
Root Cause
The recover_signer function cannot access the keychain precompile to verify authorization because:
- It's a pure cryptographic function operating on primitives
- It has no access to blockchain state or precompile execution context
Current Mitigation
PR #1990 adds:
- A comment warning about this footgun in the recover_signer function
- Explicit skipping of keychain signatures in EIP-7702 authorization list processing
Required Action
All usages of recover_signer must be audited to ensure:
- Keychain signature cases are handled appropriately
- Access key authorization is verified separately when needed
- Critical operations reject keychain signatures if precompile validation isn't performed
Recommended Fix
We don't have a recommended fix for this yet.
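
The caller-side check listed under Required Action, as an added sketch that is not code from the Tempo repository or from PR #1990: a keychain result becomes an account only after an authorization lookup, and is rejected where no state is available. `Recovered`, `KeychainState`, `AuthError` and `authorized_signer` are hypothetical names, and the state lookup is modeled as an in-memory set rather than the real keychain precompile.

```rust
use std::collections::HashSet;

pub type Address = [u8; 20];

/// Hypothetical stand-in for what signature recovery yields; not the real
/// TempoSignature API. Cryptographic validity is assumed already checked.
#[derive(Debug, Clone, Copy)]
pub enum Recovered {
    /// Signed directly by the account's own key.
    Direct { signer: Address },
    /// Keychain signature: `access_key` signed, claiming to act for `account`.
    Keychain { account: Address, access_key: Address },
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    KeychainNotAllowed,     // no state available to check authorization
    AccessKeyNotAuthorized, // key is not registered for the claimed account
}

/// Stand-in for keychain precompile state: authorized (account, access_key) pairs.
pub struct KeychainState(pub HashSet<(Address, Address)>);

/// Returns the account the signature may act for. `state` is `None` in
/// contexts without chain state, where keychain signatures are rejected.
pub fn authorized_signer(rec: Recovered, state: Option<&KeychainState>) -> Result<Address, AuthError> {
    match (rec, state) {
        (Recovered::Direct { signer }, _) => Ok(signer),
        (Recovered::Keychain { .. }, None) => Err(AuthError::KeychainNotAllowed),
        (Recovered::Keychain { account, access_key }, Some(s)) => {
            if s.0.contains(&(account, access_key)) {
                Ok(account)
            } else {
                Err(AuthError::AccessKeyNotAuthorized)
            }
        }
    }
}

fn main() {
    // Constructed sample addresses: account 0x01.. has registered key 0x02..
    let (account, good_key, other_key) = ([1u8; 20], [2u8; 20], [9u8; 20]);
    let state = KeychainState(HashSet::from([(account, good_key)]));
    let unregistered = Recovered::Keychain { account, access_key: other_key };
    println!("{:?}", authorized_signer(unregistered, Some(&state)));
    println!("{:?}", authorized_signer(unregistered, None));
}
```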