test: add failing test for EOA admin key validation issue

joshieDo · joshieDo · commit 6af630f5fc95 · 2025-08-29T11:21:58.000+01:00
This test demonstrates that when an EOA's own address is used as the
publicKey for an admin key (which happens when using the EOA's private
key to create the admin key), the validation fails due to a recursive
validation loop in the signature checking logic.

The issue occurs because:
1. unwrapAndValidateSignature extracts the inner signature
2. For Secp256k1 keys, it calls isValidSignatureNowCalldata with the EOA address
3. Since the EOA has code (via EIP-7702), it calls isValidSignature on the EOA
4. This triggers the 64/65 byte special case expecting raw EOA signature
5. But the signature is EIP-712 formatted, causing validation to fail
diff --git a/test/EOAKeyConflict.t.sol b/test/EOAKeyConflict.t.sol
@@ -0,0 +1,151 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+import "./Base.t.sol";
+
+/// @dev Test that reproduces the issue where using the EOA's private key as an admin key
+/// causes validation failure due to recursive validation loop.
+contract EOAKeyConflictTest is BaseTest {
+    
+    /// @dev Test that using EOA's own address as admin key publicKey causes validation failure
+    function testEOAAsAdminKeyFails() public {
+        // Create a delegated EOA
+        DelegatedEOA memory d = _randomEIP7702DelegatedEOA();
+        vm.deal(d.eoa, 100 ether);
+        
+        // Create an admin key where the publicKey is the EOA's own address
+        // This simulates what happens when using mock_admin_with_key(KeyType::Secp256k1, eoa_private_key)
+        PassKey memory adminKey;
+        adminKey.k.keyType = IthacaAccount.KeyType.Secp256k1;
+        adminKey.k.publicKey = abi.encode(d.eoa); // EOA's address as publicKey
+        adminKey.k.isSuperAdmin = true;
+        adminKey.k.expiry = 0;
+        adminKey.privateKey = d.privateKey; // Same private key as EOA
+        adminKey.keyHash = _hash(adminKey.k);
+        
+        // Authorize the key
+        vm.prank(d.eoa);
+        d.d.authorize(adminKey.k);
+        
+        // Create a simple call
+        ERC7821.Call[] memory calls = new ERC7821.Call[](1);
+        calls[0] = _thisTargetFunctionCall(0, hex"");
+        
+        // Get nonce and compute digest
+        uint256 nonce = d.d.getNonce(0);
+        bytes32 digest = d.d.computeDigest(calls, nonce);
+        
+        // Sign with the admin key (using EOA's private key)
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(adminKey.privateKey, digest);
+        bytes memory innerSignature = abi.encodePacked(r, s, v);
+        
+        // Wrap the signature with keyHash and prehash flag (as relay.rs does)
+        bytes memory wrappedSignature = abi.encodePacked(
+            innerSignature,
+            adminKey.keyHash,
+            uint8(0) // prehash = false
+        );
+        
+        // Try to execute with the wrapped signature
+        bytes memory opData = abi.encodePacked(nonce, wrappedSignature);
+        bytes memory executionData = abi.encode(calls, opData);
+        
+        // This should fail because:
+        // 1. unwrapAndValidateSignature extracts the 65-byte inner signature
+        // 2. For Secp256k1 keys, it calls SignatureCheckerLib.isValidSignatureNowCalldata
+        // 3. Since publicKey is the EOA's address and EOA has code (delegated), 
+        //    it calls isValidSignature on the EOA
+        // 4. This triggers the 64/65 byte special case which expects ecrecover to return EOA address
+        // 5. But ecrecover returns a different address because the digest is EIP-712 formatted
+        vm.expectRevert(bytes4(keccak256("Unauthorized()")));
+        d.d.execute(_ERC7821_BATCH_EXECUTION_MODE, executionData);
+    }
+    
+    /// @dev Test that using a different key works correctly
+    function testDifferentAdminKeyWorks() public {
+        // Create a delegated EOA
+        DelegatedEOA memory d = _randomEIP7702DelegatedEOA();
+        vm.deal(d.eoa, 100 ether);
+        
+        // Create an admin key with a DIFFERENT address/private key
+        PassKey memory adminKey = _randomSecp256k1PassKey();
+        adminKey.k.isSuperAdmin = true;
+        
+        // Authorize the key
+        vm.prank(d.eoa);
+        d.d.authorize(adminKey.k);
+        
+        // Create a simple call
+        ERC7821.Call[] memory calls = new ERC7821.Call[](1);
+        calls[0] = _thisTargetFunctionCall(0, hex"");
+        
+        // Get nonce and compute digest
+        uint256 nonce = d.d.getNonce(0);
+        bytes32 digest = d.d.computeDigest(calls, nonce);
+        
+        // Sign with the admin key
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(adminKey.privateKey, digest);
+        bytes memory innerSignature = abi.encodePacked(r, s, v);
+        
+        // Wrap the signature with keyHash and prehash flag
+        bytes memory wrappedSignature = abi.encodePacked(
+            innerSignature,
+            adminKey.keyHash,
+            uint8(0) // prehash = false
+        );
+        
+        // Execute with the wrapped signature
+        bytes memory opData = abi.encodePacked(nonce, wrappedSignature);
+        bytes memory executionData = abi.encode(calls, opData);
+        
+        // This should succeed because the admin key's publicKey is NOT the EOA's address
+        d.d.execute(_ERC7821_BATCH_EXECUTION_MODE, executionData);
+        
+        // Verify the call was executed
+        assertEq(targetFunctionPayloads.length, 1);
+        assertEq(targetFunctionPayloads[0].by, d.eoa);
+    }
+    
+    /// @dev Test that demonstrates the exact validation flow when EOA is used as admin key
+    function testValidationFlowWithEOAKey() public {
+        // Create a delegated EOA
+        DelegatedEOA memory d = _randomEIP7702DelegatedEOA();
+        
+        // Create an admin key where publicKey is EOA's address
+        PassKey memory adminKey;
+        adminKey.k.keyType = IthacaAccount.KeyType.Secp256k1;
+        adminKey.k.publicKey = abi.encode(d.eoa);
+        adminKey.k.isSuperAdmin = true;
+        adminKey.privateKey = d.privateKey;
+        adminKey.keyHash = _hash(adminKey.k);
+        
+        // Authorize the key
+        vm.prank(d.eoa);
+        d.d.authorize(adminKey.k);
+        
+        // Create a digest for testing
+        bytes32 digest = keccak256("test message");
+        
+        // Sign with the admin key
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(adminKey.privateKey, digest);
+        bytes memory innerSignature = abi.encodePacked(r, s, v);
+        
+        // Test unwrapAndValidateSignature directly with wrapped signature
+        bytes memory wrappedSignature = abi.encodePacked(
+            innerSignature,
+            adminKey.keyHash,
+            uint8(0)
+        );
+        
+        // This will fail because:
+        // 1. It unwraps to get 65-byte innerSignature
+        // 2. For Secp256k1, calls isValidSignatureNowCalldata(d.eoa, digest, innerSignature)
+        // 3. Since d.eoa has code, it calls isValidSignature on d.eoa
+        // 4. That hits the 65-byte special case, tries ecrecover
+        // 5. ecrecover doesn't return d.eoa because the signature is for a different digest context
+        (bool isValid, bytes32 returnedKeyHash) = d.d.unwrapAndValidateSignature(digest, wrappedSignature);
+        
+        assertFalse(isValid, "Validation should fail when EOA is used as admin key");
+        assertEq(returnedKeyHash, adminKey.keyHash, "Should return the correct keyHash even on failure");
+    }
+}
