VelvetShark

EIP-3074 - Pass the AUTH, please!

Give me the sword by Peter Frederiksen

This article is part of a "30 Days with Ethereum Standards" series. To see the first article in the series and to understand why the standards matter, check the initial article: 30 Days with Ethereum Standards.

EIP-3074: AUTH and AUTHCALL opcodes

Allow externally owned accounts to delegate control to a contract.

Abstract: This EIP introduces two EVM instructions, AUTH and AUTHCALL. The first sets a context variable, authorized, based on an ECDSA signature. The second sends a call as the authorized account. This essentially delegates control of the externally owned account (EOA) to a smart contract.


What EIP-3074 is about

EIP-3074 is a major step towards account abstraction: it delegates complex functionality to invoker contracts while allowing users to keep their existing EOAs. Alongside these powerful new capabilities, the proposal also carries risks, including technical issues and security challenges.

EIP-3074 was already approved for inclusion in the next Ethereum upgrade (Pectra, scheduled for Q4 2024), and as Ethereum continues to evolve, new, alternative standards are being proposed to address the limitations and risks of EIP-3074. One such proposal is EIP-7702.

Why it is important

EIP-3074 is a significant step in enhancing Ethereum's account model and improving user experience. It allows EOAs to access advanced features that were previously only possible with smart contract wallets, such as:

  • Transaction batching - combining multiple transactions into one, saving gas fees
  • Sponsored transactions - having transaction fees covered by a third party
  • Social recovery - appointed contacts can help restore access to an account
  • Custom cryptography - enabling new signature schemes beyond ECDSA

This makes Ethereum more accessible to a wider range of users by simplifying interactions and reducing costs. Users can maintain their existing EOAs while accessing new functionalities.

Use cases

Some promising use cases enabled by EIP-3074 include:

  • Decentralized applications covering transaction fees for their users
  • Bundling complex multi-step transactions into a single signature
  • Implementing recovery mechanisms directly in EOAs
  • Offering subscription services that include gas fees
  • Allowing batched transfers and approvals in a single transaction

Drawbacks

While EIP-3074 offers many benefits, some potential drawbacks must be considered:

  • Invoker contracts, if not properly implemented, could threaten user funds
  • Phishing attacks could trick users into authorizing malicious invokers
  • The original EOA key retains ultimate control, complicating key rotation
  • It requires a hard fork to implement the new opcodes
  • It does not provide a way to initiate transactions from smart contracts

To mitigate risks, invokers must undergo thorough audits and use safeguards like timelocks and multisigs. Wallets should implement verification of invoker authenticity. New standards are already in the works to address these concerns, such as EIP-7702. More on 7702 in a future article.
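To make the AUTH message from the abstract and the mitigations above concrete, here is an added Python sketch (not code from the article, the EIP, or any client) of what an EOA actually signs and of the two checks that guard it: the wallet's invoker allowlist and chain/nonce check before signing, and the invoker's commit check before AUTHCALL. It assumes the EIP's message layout MAGIC || chainId || nonce || invokerAddress || commit, uses stdlib SHA3-256 as a labelled stand-in for keccak256, and the commit layout and trusted-invoker set are constructed assumptions.

```python
import hashlib

MAGIC = b"\x04"  # EIP-3074 domain-separation byte prefixed to every AUTH message


def keccak256(data: bytes) -> bytes:
    # ASSUMPTION: stand-in hash. EIP-3074 mandates keccak256; Python's stdlib
    # only ships SHA3-256 (same permutation, different padding), so digests
    # here will not match a real client. Substitute a keccak256 for real use.
    return hashlib.sha3_256(data).digest()


def auth_preimage(chain_id: int, nonce: int, invoker: bytes, commit: bytes) -> bytes:
    """Bytes the EOA signs: MAGIC || chainId || nonce || invokerAddress || commit.
    Every field is 32 bytes except MAGIC; the 20-byte address is left-padded.
    Binding chainId, nonce and invoker is what stops a signature being replayed
    on another chain, after the nonce moves, or by a different invoker."""
    if len(invoker) != 20 or len(commit) != 32:
        raise ValueError("invoker must be 20 bytes, commit 32 bytes")
    return (MAGIC + chain_id.to_bytes(32, "big") + nonce.to_bytes(32, "big")
            + invoker.rjust(32, b"\x00") + commit)


def auth_digest(chain_id: int, nonce: int, invoker: bytes, commit: bytes) -> bytes:
    """Digest that AUTH recovers the signer from and compares to `authority`."""
    return keccak256(auth_preimage(chain_id, nonce, invoker, commit))


def call_commit(target: bytes, value: int, calldata: bytes) -> bytes:
    """Invoker-defined commit binding the exact AUTHCALL the EOA agreed to.
    ASSUMPTION: this layout is one reasonable design, not mandated by the EIP."""
    return keccak256(target.rjust(32, b"\x00") + value.to_bytes(32, "big") + calldata)


def invoker_accepts(commit: bytes, target: bytes, value: int, calldata: bytes) -> bool:
    """Check a well-behaved invoker performs before AUTHCALL: the (target, value,
    calldata) it is about to execute must hash to the commit the EOA signed,
    so a relayer holding the signature cannot substitute a different call."""
    return commit == call_commit(target, value, calldata)


def wallet_should_sign(chain_id: int, nonce: int, invoker: bytes,
                       wallet_chain_id: int, wallet_nonce: int, trusted: set) -> bool:
    """Wallet-side gate before producing an AUTH signature: only audited invokers
    (constructed allowlist), and only for the chain and nonce the wallet is on."""
    return invoker in trusted and chain_id == wallet_chain_id and nonce == wallet_nonce
```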

EIP-3074 in pizza terms

Imagine you’re at a party and instead of ordering your own pizza, you give your friend the power to order pizza for you using your phone app. In this analogy:

  • Your phone app is like your externally owned account (EOA).
  • You giving permission to your friend is like using the AUTH opcode, which lets you set up who can act on your behalf.
  • Your friend ordering pizza on your behalf corresponds to the AUTHCALL opcode, allowing specific actions (like transactions) to be made using your wallet, but as directed by a smart contract your friend controls.

With this setup, you don’t have to do everything yourself. You can delegate tasks like ordering pizza to a friend you trust. Similarly, EIP-3074 allows you to delegate transaction powers to smart contracts, making complex operations simpler and potentially saving on transaction fees, among other benefits. Also, just as you would be cautious about which friend you give your phone to, the same goes for EIP-3074. Delegate, but only when you trust them.

Never Give Your Keys To A Stranger by Shaun Tan

Resources