Inner tx signer to sign the Header too #1683

@grarco

Description

Currently, the inner transaction's signer only signs the Tx sections. The wrapper's signer is therefore free to design the Header completely on their own and submit the transaction. The header, though, carries some important metadata like the `expiration` and `chain_id` fields which have an impact on the validity and effects of the transaction itself. This means that the wrapper's signer might produce a Header which is not in the interest of the inner tx's signer.

To fix this, we can make the inner signer sign the Header too with the only difference in the `TxType` field: this header can be signed and then sent to the wrapper producer. The wrapper's signer should modify the `TxType` of this header to be `TxType::Wrapper` and set the values associated with it (like the gas limit and the fee amount, which are completely up to the wrapper's signer), sign it and include it in the transaction. The Tx will still have a single Header and this means that, for both the signatures to be valid, the wrapper's signer is not allowed to modify the other fields of the header itself, basically committing to the preferences of the inner's signer.

When validating the inner transaction in wasm (VP), we expect this Signature to be present and valid: if not, the inner transaction will fail. Note that the wrapper would still be accepted and the fees paid and this is the correct logic since a modification of this field can only be done by the wrapper's signer.

We'd also need to update the client to produce this extra signature in `sign_tx`.
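
A minimal model of the scheme proposed above, added here as an illustration; it is not code from the issue or from the project. Assumptions: HMAC-SHA256 stands in for the real signature scheme so the example runs on the standard library alone, `Raw` is a placeholder name for the non-wrapper `TxType`, and the keys, field layout and sample values are constructed.

```python
import hashlib, hmac, json
from dataclasses import dataclass, asdict, replace

# Constructed keys; HMAC-SHA256 is a stand-in for a real signature scheme.
INNER_KEY, WRAPPER_KEY = b"inner-signer-key", b"wrapper-signer-key"
WRAPPER_ONLY = {"gas_limit": 0, "fee_amount": 0}  # fields the wrapper signer owns

@dataclass(frozen=True)
class Header:
    chain_id: str
    expiration: int
    tx_type: str = "Raw"   # assumed placeholder for the non-wrapper TxType
    gas_limit: int = 0
    fee_amount: int = 0

def _sign(key, header):
    # Canonical serialization so both parties sign identical bytes.
    msg = json.dumps(asdict(header), sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def inner_view(header):
    """Header as the inner signer saw it: TxType reset, wrapper fields cleared."""
    return replace(header, tx_type="Raw", **WRAPPER_ONLY)

def sign_inner(header):
    return _sign(INNER_KEY, inner_view(header))

def wrap(header, gas_limit, fee_amount):
    """Wrapper signer sets TxType::Wrapper plus its own fields, then signs."""
    wrapped = replace(header, tx_type="Wrapper",
                      gas_limit=gas_limit, fee_amount=fee_amount)
    return wrapped, _sign(WRAPPER_KEY, wrapped)

def validate(header, inner_sig, wrapper_sig):
    """Returns (wrapper_ok, inner_ok); the wrapper can pass while the inner tx fails."""
    wrapper_ok = hmac.compare_digest(wrapper_sig, _sign(WRAPPER_KEY, header))
    inner_ok = hmac.compare_digest(inner_sig, sign_inner(header))
    return wrapper_ok, inner_ok

def demo():
    base = Header(chain_id="chain-constructed", expiration=1_700_000_000)
    inner_sig = sign_inner(base)
    honest, w_sig = wrap(base, gas_limit=20_000, fee_amount=5)
    # Wrapper signer changes the expiration before signing its own header.
    tampered, t_sig = wrap(replace(base, expiration=1_900_000_000), 20_000, 5)
    return validate(honest, inner_sig, w_sig), validate(tampered, inner_sig, t_sig)

if __name__ == "__main__":
    print(demo())
```

In the tampered case the wrapper signature still verifies while the inner check fails, which matches the behaviour described for the VP: the wrapper is accepted and fees are paid, but the inner transaction is rejected.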
