How to allow multisig wallets to authenticate with your Dapp using ERC-1271.

Liron Navon, published in Level Up Coding. 4 min read, Oct 24, 2022

EIP-1271 defines a standard way for a smart contract to verify a signature on its own behalf. The contracts that need this are usually multi-signature (multisig) wallets such as Gnosis Safe. Unfortunately, some websites, OpenSea among them, do not support multisig wallets, or do not let them log in, even though supporting them is simple and safe.

https://www.cryptotimes.io/gnosis-safe-is-rebranded-to-safe-with-100m-fundraise/

So in this post, I will explain how multisig wallets work, why they are great for web3 teams and DAOs, and how you can let them log in to your website with little effort.

How can Contracts “sign” messages?

In many applications, connecting a wallet requires you to sign a message. The signature proves to the application's backend that you control the account you claim: producing it requires the account's private key, and the verifier runs the recovery algorithm (ecrecover) on the signature to obtain the address that signed, then compares it with the address you claimed.

The issue is that a multisig wallet is a smart contract. A contract has no private key and cannot sign anything. Thanks to EIP-1271, however, a contract can validate a signature for a given message hash using whatever logic it likes, which lets it delegate signing to one or more externally owned accounts (EOAs, ordinary wallets such as MetaMask) and decide, for example, that a message counts as signed only when enough owners have signed it.

This is what an ERC-1271 contract looks like. The essential part is the `isValidSignature(bytes32 hash, bytes signature)` function defined in EIP-1271, which returns the magic value `0x1626ba7e` when the contract accepts the signature and any other value otherwise. This example additionally requires 3 signatures before it treats a signed message as valid. It is a flawed and untested illustration, not something to deploy, but this is how it might look (the contract source was an embedded gist and is not reproduced here):

How wallet verification usually works

Let's look at this diagram, which shows how a common web3 authentication flow works:

  1. The server generates a nonce, a random single-use string for the user to sign.
  2. The user signs the nonce with their wallet.
  3. The server verifies the signature using ecrecover, checking that the recovered signer is the address the user claims.
  4. The server issues a token (usually a JWT) that is used to interact with the website and its services.
https://www.toptal.com/ethereum/one-click-login-flows-a-metamask-tutorial

This is pretty simple and is probably common knowledge for most web3 developers, but it is incomplete.
It is easy to see why a contract wallet cannot pass this flow: the contract has no key and cannot sign, so the backend can never recover a signer address that matches it.

How can we make wallet verification work for smart contracts?

It is quite simple. At step (5) in the diagram above, where the server verifies the signature, we should instead ask the contract whether it approves the signature for this message hash, by calling its `isValidSignature` function and checking for the magic return value.

Here is a JavaScript example using ethers (the embedded gist is not reproduced here). It does three things:

  1. We check whether the signer address is an EOA or a contract, by asking the node whether there is code deployed at that address.
  2. For contracts, we verify the signature by calling the contract as an ERC-1271 implementation and comparing the result with the magic value `0x1626ba7e`.
  3. For EOAs, we verify the signature the usual way, recovering the signer with ecrecover and comparing it with the claimed address.
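Below is an added example of these three steps (and of the hashing described earlier under "How can Contracts 'sign' messages?"). It is my code, not the post's gist and not part of ethers, and it deliberately uses no web3 library so that it runs offline: keccak256 is implemented inline to derive the EIP-191 message hash and the ERC-1271 selector, and the node calls are injected through a hypothetical `{ getCode, call, recoverAddress }` interface. Against a real chain you would pass ethers' `provider.getCode(address)`, `provider.call({ to, data })` and `ethers.recoverAddress(digest, signature)` (`ethers.utils.recoverAddress` in v5) and await them; the functions `makeVerifier` and `encodeIsValidSignature`, the addresses, the signatures and the "Safe" response are all constructed for the example.

```javascript
// Added example, not code from the original post: ERC-1271-aware login verification
// with no web3 dependency. keccak256 is inlined; RPC access and EOA recovery are
// injected through a hypothetical { getCode, call, recoverAddress } interface.
const MASK = (1n << 64n) - 1n;
const RC = [0x1n, 0x8082n, 0x800000000000808an, 0x8000000080008000n, 0x808bn, 0x80000001n,
  0x8000000080008081n, 0x8000000000008009n, 0x8an, 0x88n, 0x80008009n, 0x8000000an,
  0x8000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n,
  0x8000000000008002n, 0x8000000000000080n, 0x800an, 0x800000008000000an,
  0x8000000080008081n, 0x8000000000008080n, 0x80000001n, 0x8000000080008008n];
const ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14];
const rotl = (v, n) => (n === 0 ? v : ((v << BigInt(n)) | (v >> BigInt(64 - n))) & MASK);

// Keccak-256 as Ethereum uses it (pad byte 0x01, not SHA-3's 0x06); lanes are BigInt.
function keccak256(bytes) {
  const rate = 136, s = new Array(25).fill(0n);
  const padded = Buffer.alloc(Math.ceil((bytes.length + 1) / rate) * rate);
  padded.set(bytes); padded[bytes.length] ^= 0x01; padded[padded.length - 1] ^= 0x80;
  for (let off = 0; off < padded.length; off += rate) {
    for (let i = 0; i < rate / 8; i++) s[i] ^= padded.readBigUInt64LE(off + i * 8); // absorb
    for (let r = 0; r < 24; r++) {
      const c = [0, 1, 2, 3, 4].map((x) => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]);
      const d = [0, 1, 2, 3, 4].map((x) => c[(x + 4) % 5] ^ rotl(c[(x + 1) % 5], 1));
      for (let i = 0; i < 25; i++) s[i] ^= d[i % 5];                              // theta
      const b = new Array(25);
      for (let x = 0; x < 5; x++) for (let y = 0; y < 5; y++)
        b[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(s[x + 5 * y], ROT[x + 5 * y]);     // rho + pi
      for (let y = 0; y < 5; y++) for (let x = 0; x < 5; x++)
        s[x + 5 * y] = b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & MASK & b[(x + 2) % 5 + 5 * y]); // chi
      s[0] ^= RC[r];                                                              // iota
    }
  }
  const out = Buffer.alloc(32);
  for (let i = 0; i < 4; i++) out.writeBigUInt64LE(s[i], i * 8);                  // squeeze 256 bits
  return out;
}

const hex = (buf) => "0x" + Buffer.from(buf).toString("hex");
const unhex = (h) => Buffer.from(h.slice(2), "hex");

// EIP-191 personal_sign digest: the same value ethers.hashMessage(message) returns.
function hashMessage(message) {
  const msg = Buffer.from(message, "utf8");
  return keccak256(Buffer.concat([Buffer.from(`\x19Ethereum Signed Message:\n${msg.length}`), msg]));
}

// bytes4(keccak256("isValidSignature(bytes32,bytes)")) == 0x1626ba7e. EIP-1271 uses the
// selector itself as the magic value the contract returns when it accepts a signature.
const SELECTOR = hex(keccak256(Buffer.from("isValidSignature(bytes32,bytes)")).subarray(0, 4));
const MAGIC_WORD = SELECTOR + "00".repeat(28); // bytes4 left-aligned in the 32-byte return word
const ZERO_WORD = "0x" + "00".repeat(32);

// ABI-encode isValidSignature(bytes32 hash, bytes signature): selector, hash word, offset of
// the dynamic bytes argument (0x40), its length, then the data padded to a 32-byte boundary.
function encodeIsValidSignature(hash, signature) {
  const sig = unhex(signature), word = (n) => n.toString(16).padStart(64, "0");
  const padded = Buffer.concat([sig, Buffer.alloc((32 - (sig.length % 32)) % 32)]);
  return SELECTOR + hash.toString("hex") + word(0x40) + word(sig.length) + padded.toString("hex");
}

// The three steps from the text. With ethers, getCode/call/recoverAddress would be
// provider.getCode, provider.call and ethers.recoverAddress, each awaited.
function makeVerifier({ getCode, call, recoverAddress }) {
  return function verify(address, message, signature) {
    const hash = hashMessage(message);
    if (getCode(address) !== "0x") {                       // 1. code at the address: contract wallet
      try {                                                 // 2. ask the contract (ERC-1271)
        return call(address, encodeIsValidSignature(hash, signature)).toLowerCase() === MAGIC_WORD;
      } catch (_) {
        return false;                                       //    contracts without isValidSignature revert
      }
    }
    const signer = recoverAddress(hash, signature);         // 3. EOA: ecrecover, compare case-insensitively
    return signer.toLowerCase() === address.toLowerCase();
  };
}

// Constructed sample chain state: addresses, bytecode and signatures below are made up.
const EOA = "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B";
const SAFE = "0x5afe00000000000000000000000000000000005a";
const TOKEN = "0x" + "dd".repeat(20);                        // a contract that is not an ERC-1271 wallet
const NONCE = "login-nonce-7f3a9c";
const EOA_SIG = "0x" + "11".repeat(65);
const SAFE_SIG = "0x" + "22".repeat(65) + "33".repeat(65);  // two owner signatures concatenated
const sampleChain = {
  getCode: (addr) => ([SAFE, TOKEN].includes(addr.toLowerCase()) ? "0x6080604052" : "0x"),
  call: (to, data) => {
    if (to.toLowerCase() !== SAFE) throw new Error("execution reverted");
    const approved = encodeIsValidSignature(hashMessage(NONCE), SAFE_SIG); // what the owners signed
    return data === approved ? MAGIC_WORD : ZERO_WORD;
  },
  recoverAddress: (hash, sig) =>
    (sig === EOA_SIG && hash.equals(hashMessage(NONCE)) ? EOA : "0x" + "00".repeat(20)),
};
const verify = makeVerifier(sampleChain);
console.log("safe login:", verify(SAFE, NONCE, SAFE_SIG), "eoa login:", verify(EOA, NONCE, EOA_SIG));
```

Two caveats a backend should keep in mind. The code check classifies a not-yet-deployed (counterfactual) Safe as an EOA, so its signatures will fail until it is deployed. And the hash handed to `isValidSignature` must be exactly the digest the owners signed; here that is the EIP-191 digest of a single-use nonce, so a signature captured for one login cannot be replayed for another.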

What about the wallet side of things?

Luckily there is a unified solution for wallets to connect with: WalletConnect. It is free, simple, open source, and supports almost any wallet out of the box, including smart contract wallets, so as long as your website supports WalletConnect you are pretty much done on this side.

https://steemit.com/utopian-io/@divine-sound/walletconnect-open-protocol-for-connecting-wallets-to-dapps

Creating a WalletConnect client for a smart contract wallet is fairly simple, and I will cover it in a future post, but most contract wallets already ship their own client; Gnosis Safe, for example, does.

What next

I actually wrote this post because I wanted to use Gnosis Safe and was disappointed that OpenSea does not support EIP-1271 contracts as wallets. As you can see, supporting them is simple, and it furthers decentralization and anonymity on the blockchain while letting teams and DAOs collaborate on web3 projects securely.

Gnosis tried to make it happen on Twitter in 2021.
Eight months ago there was a Reddit post in the OpenSea community about it, where OpenSea gave this generic response to some users:

Multisig wallets are not currently an option offered on the OpenSea platform. However, we are constantly upgrading and adding features to improve user experience. In this case, I'll send this feedback to our product team.
