From f0bea3d36f662f22d1b60e30a15d5bda74750f95 Mon Sep 17 00:00:00 2001 From: Francesco Sullo Date: Mon, 16 Dec 2024 11:31:14 -0800 Subject: [PATCH] Update ERC-7656: Move to Last Call Merged by EIP-Bot. --- ERCS/erc-7656.md | 176 ++++++++-------------------- assets/erc-7656/ERC7656Registry.sol | 113 ++++++++++++++++++ 2 files changed, 160 insertions(+), 129 deletions(-) create mode 100644 assets/erc-7656/ERC7656Registry.sol diff --git a/ERCS/erc-7656.md b/ERCS/erc-7656.md index 8083137097..b8075d546f 100644 --- a/ERCS/erc-7656.md +++ b/ERCS/erc-7656.md @@ -4,27 +4,28 @@ title: Generalized Token-Linked Services description: Define a registry for generic services linked to a specific NFT author: Francesco Sullo (@sullof) discussions-to: https://ethereum-magicians.org/t/variation-to-erc6551-to-deploy-any-kind-of-contract-linked-to-an-nft/19223 -status: Review +status: Last Call +last-call-deadline: 2024-12-30 type: Standards Track category: ERC created: 2024-03-15 -requires: 165, 1167, 5313, 6551 +requires: 165, 1167, 5313 --- ## Abstract -This proposal introduces a variation of [ERC-6551](./eip-6551.md) that extends to all types of services linked to non-fungible tokens (NFTs), i.e., contracts extending an NFT, owned by a single NFT and thus by the owner of the NFT. It achieves this goal using generic language for functions, errors, and events, and avoids conflicting with the strict restrictions imposed by the original proposal. +This proposal defines a registry for generic services linked to specific non-fungible tokens (NFTs), i.e., contracts extending an NFT, owned by a single NFT and thus by the owner of the NFT. It achieves this goal using generic language for functions, errors, and events, and avoids conflicting with strict restrictions imposed by other proposals. ## Motivation -[ERC-6551](./eip-6551.md) aims to bind smart accounts to tokens, allowing its registry to deploy accounts owned by a specific tokenID. The issue we attempt to address with this new proposal is that [ERC-6551](./eip-6551.md) explicitly requires any contract deployed via the `ERC6551Registry` to implement `IERC6551Account` and `IERC6551Execute`, i.e., it must be an account. This requirement is underscored by the choices for the names of functions and events in the interface. Additionally, [ERC-6551](./eip-6551.md) specifies that the `ERC6551Registry` smart contract is deployed as a singleton at a specific address on any chain. Due to this centralization of services, projects building on it are prone to consider any contract deployed via that registry that is not an account as spam or invalid. +Existing proposals aim to bind smart accounts to tokens, allowing their registries to deploy accounts owned by specific token IDs. The issue we attempt to address with this new proposal is that these proposals often explicitly require any contract deployed via their registries to implement specific interfaces to handle assets and execute transactions, effectively mandating that the deployed contract must be an account. This requirement is underscored by the choices for the names of functions and events in their interfaces. Additionally, some proposals specify that their registry smart contracts are deployed as singletons at specific addresses on any chain. Due to this centralization of services, projects building on them are prone to consider any contract deployed via that registry that is not an account as spam or invalid. -With this new ERC, we propose a more generic registry that uses generic function/event names to allow the deployment of any kind of contract that makes sense when associated with an NFT, so that the contract is under the full control of the NFT's owner. In comparison with [ERC-6551](./eip-6551.md), since one of this proposal's goals is flexibility, there is no expectation for an `ERC7656Registry` contract to be deployed as a singleton, allowing any project to adjust it to their needs; consequently, we require that any registry explicitly supports the `IERC7656Registry` interface. +With this new ERC, we propose a generic registry that uses generic function/event names to allow the deployment of any kind of contract that makes sense when associated with an NFT, so that the contract is under the full control of the NFT's owner. Since one of this proposal's goals is flexibility, there is no expectation for an `ERC7656Registry` contract to be deployed as a singleton, allowing any project to adjust it to their needs; consequently, we require that any registry explicitly supports the `IERC7656Registry` interface. The expansion of the registry's capabilities to manage contracts implementing any kind of service beyond accounts provides several advantages: - **Flexibility**: Developers can allow NFTs to interact with a broader range of linked contracts, unlocking new use cases and functionalities (lending systems, vested asset distribution, fractional ownership, identity, etc.) -- **Compatibility**: By ensuring that account-like contracts can still be identified as such, the proposal maintains backward compatibility with [ERC-6551](./eip-6551.md). +- **Compatibility**: By ensuring that account-like contracts can still be identified as such, the proposal maintains backward compatibility with existing account-based proposals. - **Innovation**: This proposal encourages further innovation in the NFT space by removing limitations on the types of contracts that can be associated with NFTs, opening the door to pure-utility NFTs. @@ -100,9 +101,9 @@ interface IERC7656Registry { Any `ERC7656Registry` implementation MUST support the `IERC7656Registry`'s interface ID, i.e., `0xc6bdc908`. -Similarly to [ERC-6551](./eip-6551.md), The registry MUST deploy each token linked service as an [ERC-1167](./eip-1167.md) minimal proxy with immutable constant data appended to the bytecode. +The registry MUST deploy each token-linked service as an [ERC-1167](./eip-1167.md) minimal proxy with immutable constant data appended to the bytecode, similarly to existing token-bound account proposals. -The deployed bytecode of each token bound service MUST have the following structure: +The deployed bytecode of each token-bound service MUST have the following structure: ``` ERC-1167 Header (10 bytes) (20 bytes) @@ -129,140 +130,30 @@ interface IERC7656Service { } ``` -or the `IERC6551Account` interface or both. This flexibility makes [ERC-6551](./eip-6551.md) accounts compatible with this proposal out-of-the-box. +or an account interface or both. This flexibility makes existing account contracts compatible with this proposal out-of-the-box. ## Rationale The technical foundation of [ERC-7656](./eip-7656.md) centers on the extension and generalization of contract types that can be associated with NFTs. This approach was chosen to address specific limitations and opportunities identified in the design and application of NFT-linked contracts. Key technical decisions in this proposal include: -- Generic Function/Event Names: The choice to adopt a generic naming convention for functions, errors, and events is deliberate. This design decision enables the [ERC-7656](./eip-7656.md) registry to support a wide array of contract types beyond mere accounts. By not prescribing specific roles or functionalities, we allow for greater innovation and flexibility in the types of applications that can be built on this standard. This also simplifies the interface and makes it more adaptable to various use cases. +- **Addressing ERC Proliferation and Contract Size Limitations**: The increasing number of ERC proposals extending the [ERC-721](./eip-721.md) standard has led to complexity and potential confusion within the developer community. Since smart contracts have size limitations, incorporating multiple extensions into a single contract can become impractical or even impossible. [ERC-7656](./eip-7656.md) offers a solution by enabling the deployment of services that extend standard [ERC-721](./eip-721.md) NFTs without requiring modifications to the [ERC-721](./eip-721.md) standard itself. For example, instead of creating new ERCs to associate real-world assets with NFTs, developers can deploy specialized smart contracts owned by NFTs to add these features. This approach allows NFTs to seamlessly expand their capabilities while maintaining compliance with the existing [ERC-721](./eip-721.md) standard, promoting a more efficient and modular development process. -- No Singleton Requirement for the Registry: Unlike its predecessor, [ERC-7656](./eip-7656.md) does not mandate that the registry be deployed as a singleton. This decision was influenced by the recognition that different projects may have unique requirements and constraints. By allowing for multiple instances of the registry, projects can customize and optimize the registry's deployment to fit their specific needs, enhancing the ecosystem's overall diversity and resilience. +- **Generic Function/Event Names**: The choice to adopt a generic naming convention for functions, errors, and events is deliberate. This design decision enables the [ERC-7656](./eip-7656.md) registry to support a wide array of contract types beyond mere accounts. By not prescribing specific roles or functionalities, we allow for greater innovation and flexibility in the types of applications that can be built on this standard. This also simplifies the interface and makes it more adaptable to various use cases. -- Explicit Support for the `IERC7656Registry` Interface: Requiring that any registry explicitly supports the `IERC7656Registry` interface is a technical decision aimed at ensuring interoperability and recognition. This requirement facilitates the identification and interaction with compliant registries, promoting a more standardized and cohesive ecosystem. +- **No Singleton Requirement for the Registry**: Unlike some previous proposals, [ERC-7656](./eip-7656.md) does not mandate that the registry be deployed as a singleton. This decision was influenced by the recognition that different projects may have unique requirements and constraints. By allowing for multiple instances of the registry, projects can customize and optimize the registry's deployment to fit their specific needs, enhancing the ecosystem's overall diversity and resilience. However, for convenience, the registry has been deployed to the `erc7656.eth` address on the most used networks. -- Flexibility in Contract Association: The proposal is designed to accommodate not just accounts, but any contract that can meaningfully be associated with an NFT. This decision stems from a technical evaluation of the evolving landscape of NFT use cases, recognizing the need for a standard that can support a broader range of functionalities, from complex financial instruments to identity verification systems. +- **Explicit Support for the `IERC7656Registry` Interface**: Requiring that any registry explicitly supports the `IERC7656Registry` interface is a technical decision aimed at ensuring interoperability and recognition. This requirement facilitates the identification and interaction with compliant registries, promoting a more standardized and cohesive ecosystem. -- Backward Compatibility: The proposal includes provisions for backward compatibility, particularly with account-like contracts from [ERC-6551](./eip-6551.md). This technical choice ensures that projects built on the earlier standard can transition to or leverage the new standard without discarding existing infrastructure or investments. +- **Flexibility in Contract Association**: The proposal is designed to accommodate not just accounts, but any contract that can meaningfully be associated with an NFT. This decision stems from a technical evaluation of the evolving landscape of NFT use cases, recognizing the need for a standard that can support a broader range of functionalities, from complex financial instruments to identity verification systems. + +- **Backward Compatibility**: The proposal includes provisions for backward compatibility, particularly with account-like contracts from existing standards. This technical choice ensures that projects built on earlier standards can transition to or leverage the new standard without discarding existing infrastructure or investments. These technical decisions collectively aim to broaden the scope and applicability of NFT-linked contracts, empower developers with more tools for innovation, and support a growing ecosystem of decentralized applications. By addressing both current limitations and future opportunities, [ERC-7656](./eip-7656.md) seeks to lay a flexible and robust foundation for the next generation of NFT technologies. ## Reference Implementation -The reference implementation of `ERC7656Registry` is mutated from `ERC6551Registry`, with minor changes to rename over-specific functions, emit a different event and error, and a `supportsInterface` function that returns true only for the `IERC7656Registry` interfaceId. - -```solidity -contract ERC7656Registry is IERC7656Registry { - function create( - address implementation, - bytes32 salt, - uint256 /* chainId */, - address tokenContract, - uint256 tokenId - ) external override returns (address) { - // solhint-disable-next-line no-inline-assembly - assembly { - // Memory Layout: - // ---- - // 0x00 0xff (1 byte) - // 0x01 registry (address) (20 bytes) - // 0x15 salt (bytes32) (32 bytes) - // 0x35 Bytecode Hash (bytes32) (32 bytes) - // ---- - // 0x55 ERC-1167 Constructor + Header (20 bytes) - // 0x69 implementation (address) (20 bytes) - // 0x5D ERC-1167 Footer (15 bytes) - // 0x8C salt (uint256) (32 bytes) - // 0xAC chainId (uint256) (32 bytes) - // 0xCC tokenContract (address) (32 bytes) - // 0xEC tokenId (uint256) (32 bytes) - - // Copy bytecode + constant data to memory - calldatacopy(0x8c, 0x24, 0x80) // salt, chainId, tokenContract, tokenId - mstore(0x6c, 0x5af43d82803e903d91602b57fd5bf3) // ERC-1167 footer - mstore(0x5d, implementation) // implementation - mstore(0x49, 0x3d60ad80600a3d3981f3363d3d373d3d3d363d73) // ERC-1167 constructor + header - - // Copy create2 computation data to memory - mstore8(0x00, 0xff) // 0xFF - mstore(0x35, keccak256(0x55, 0xb7)) // keccak256(bytecode) - mstore(0x01, shl(96, address())) // registry address - mstore(0x15, salt) // salt - - // Compute service address - let computed := keccak256(0x00, 0x55) - - // If the service has not yet been deployed - if iszero(extcodesize(computed)) { - // Deploy service contract - let deployed := create2(0, 0x55, 0xb7, salt) - - // Revert if the deployment fails - if iszero(deployed) { - mstore(0x00, 0xd786d393) // `CreationFailed()` - revert(0x1c, 0x04) - } - - // Store service address in memory before salt and chainId - mstore(0x6c, deployed) - - // Emit the Created event - log4( - 0x6c, - 0x60, - 0xc6989e4f290074742210cbd6491de7ded9cfe2cd247932a53d31005007a6341a, - implementation, - tokenContract, - tokenId - ) - - // Return the service address - return(0x6c, 0x20) - } - - // Otherwise, return the computed service address - mstore(0x00, shr(96, shl(96, computed))) - return(0x00, 0x20) - } - } - - function compute( - address implementation, - bytes32 salt, - uint256 /* chainId */, - address /* tokenContract */, - uint256 /* tokenId */ - ) external view override returns (address) { - // solhint-disable-next-line no-inline-assembly - assembly { - // Copy bytecode + constant data to memory - calldatacopy(0x8c, 0x24, 0x80) // salt, chainId, tokenContract, tokenId - mstore(0x6c, 0x5af43d82803e903d91602b57fd5bf3) // ERC-1167 footer - mstore(0x5d, implementation) // implementation - mstore(0x49, 0x3d60ad80600a3d3981f3363d3d373d3d3d363d73) // ERC-1167 constructor + header - - // Copy create2 computation data to memory - mstore8(0x00, 0xff) // 0xFF - mstore(0x35, keccak256(0x55, 0xb7)) // keccak256(bytecode) - mstore(0x01, shl(96, address())) // registry address - mstore(0x15, salt) // salt - - // Store computed service address in memory - mstore(0x00, shr(96, shl(96, keccak256(0x00, 0x55)))) - - // Return computed service address - return(0x00, 0x20) - } - } - - /// @dev Returns true if interfaceId is IERC7656Registry's interfaceId - /// This contract does not explicitly extend IERC165 to keep the bytecode as small as possible - function supportsInterface(bytes4 interfaceId) external pure returns (bool) { - return interfaceId == 0xc6bdc908; - } -} -``` +See [`ERC7656Registry.sol`](../assets/eip-7656/ERC7656Registry.sol) for an example implementation of `IERC7656Registry`. An example of implementation of `IERC7656Service`: @@ -271,7 +162,7 @@ contract LinkedService is IERC7656Service, EIP5313 { function token() public view virtual returns (uint256, address, uint256) { bytes memory footer = new bytes(0x60); - assembly { + assembly { extcodecopy(address(), add(footer, 0x20), 0x4d, 0x60) } return abi.decode(footer, (uint256, address, uint256)); @@ -288,7 +179,34 @@ contract LinkedService is IERC7656Service, EIP5313 { ## Security Considerations -This proposal does not introduce any new security considerations beyond those already addressed in [ERC-6551](./eip-6551.md). +### Fraud Prevention when linking accounts to NFTs + +In order to enable trustless sales of token bound accounts, decentralized marketplaces will need to implement safeguards against fraudulent behavior by malicious account owners. + +Consider the following potential scam: + +- Alice owns an ERC-721 token X, which owns token bound account Y. +- Alice deposits 10ETH into account Y +- Bob offers to purchase token X for 11ETH via a decentralized marketplace, assuming he will receive the 10ETH stored in account Y along with the token +- Alice withdraws 10ETH from the token bound account, and immediately accepts Bob's offer +- Bob receives token X, but account Y is empty + +To mitigate fraudulent behavior by malicious account owners, decentralized marketplaces SHOULD implement protection against these sorts of scams at the marketplace level. Contracts which implement this EIP MAY also implement certain protections against fraudulent behavior. + +Here are a few mitigations strategies to be considered: + +- Attach the current token bound account state to the marketplace order. If the state of the account has changed since the order was placed, consider the offer void. This functionality would need to be supported at the marketplace level. +- Attach a list of asset commitments to the marketplace order that are expected to remain in the token bound account when the order is fulfilled. If any of the committed assets have been removed from the account since the order was placed, consider the offer void. This would also need to be implemented by the marketplace. +- Submit the order to the decentralized market via an external smart contract which performs the above logic before validating the order signature. This allows for safe transfers to be implemented without marketplace support. +- Implement a locking mechanism on the token bound account implementation that prevents malicious owners from extracting assets from the account while locked + +Preventing fraud is outside the scope of this proposal. + +### Ownership Cycles + +All assets held in a token bound account may be rendered inaccessible if an ownership cycle is created. The simplest example is the case of an ERC-721 token being transferred to its own token bound account. If this occurs, both the ERC-721 token and all of the assets stored in the token bound account would be permanently inaccessible, since the token bound account is incapable of executing a transaction which transfers the ERC-721 token. + +Ownership cycles can be introduced in any graph of n>0 token bound accounts. On-chain prevention of cycles with depth>1 is difficult to enforce given the infinite search space required, and as such is outside the scope of this proposal. Application clients and account implementations wishing to adopt this proposal are encouraged to implement measures that limit the possibility of ownership cycles. ## Copyright diff --git a/assets/erc-7656/ERC7656Registry.sol b/assets/erc-7656/ERC7656Registry.sol new file mode 100644 index 0000000000..b3dc38892e --- /dev/null +++ b/assets/erc-7656/ERC7656Registry.sol @@ -0,0 +1,113 @@ +// SPDX-License-Identifier: MIT + +contract ERC7656Registry is IERC7656Registry { + function create( + address implementation, + bytes32 salt, + uint256 /* chainId */, + address tokenContract, + uint256 tokenId + ) external override returns (address) { + // solhint-disable-next-line no-inline-assembly + assembly { + // Memory Layout: + // ---- + // 0x00 0xff (1 byte) + // 0x01 registry (address) (20 bytes) + // 0x15 salt (bytes32) (32 bytes) + // 0x35 Bytecode Hash (bytes32) (32 bytes) + // ---- + // 0x55 ERC-1167 Constructor + Header (20 bytes) + // 0x69 implementation (address) (20 bytes) + // 0x5D ERC-1167 Footer (15 bytes) + // 0x8C salt (uint256) (32 bytes) + // 0xAC chainId (uint256) (32 bytes) + // 0xCC tokenContract (address) (32 bytes) + // 0xEC tokenId (uint256) (32 bytes) + + // Copy bytecode + constant data to memory + calldatacopy(0x8c, 0x24, 0x80) // salt, chainId, tokenContract, tokenId + mstore(0x6c, 0x5af43d82803e903d91602b57fd5bf3) // ERC-1167 footer + mstore(0x5d, implementation) // implementation + mstore(0x49, 0x3d60ad80600a3d3981f3363d3d373d3d3d363d73) // ERC-1167 constructor + header + + // Copy create2 computation data to memory + mstore8(0x00, 0xff) // 0xFF + mstore(0x35, keccak256(0x55, 0xb7)) // keccak256(bytecode) + mstore(0x01, shl(96, address())) // registry address + mstore(0x15, salt) // salt + + // Compute service address + let computed := keccak256(0x00, 0x55) + + // If the service has not yet been deployed + if iszero(extcodesize(computed)) { + // Deploy service contract + let deployed := create2(0, 0x55, 0xb7, salt) + + // Revert if the deployment fails + if iszero(deployed) { + mstore(0x00, 0xd786d393) // `CreationFailed()` + revert(0x1c, 0x04) + } + + // Store service address in memory before salt and chainId + mstore(0x6c, deployed) + + // Emit the Created event + log4( + 0x6c, + 0x60, + 0xc6989e4f290074742210cbd6491de7ded9cfe2cd247932a53d31005007a6341a, + implementation, + tokenContract, + tokenId + ) + + // Return the service address + return(0x6c, 0x20) + } + + // Otherwise, return the computed service address + mstore(0x00, shr(96, shl(96, computed))) + return(0x00, 0x20) + } + } + + function compute( + address implementation, + bytes32 salt, + uint256 /* chainId */, + address /* tokenContract */, + uint256 /* tokenId */ + ) external view override returns (address) { + // solhint-disable-next-line no-inline-assembly + assembly { + // Copy bytecode + constant data to memory + calldatacopy(0x8c, 0x24, 0x80) // salt, chainId, tokenContract, tokenId + mstore(0x6c, 0x5af43d82803e903d91602b57fd5bf3) // ERC-1167 footer + mstore(0x5d, implementation) // implementation + mstore(0x49, 0x3d60ad80600a3d3981f3363d3d373d3d3d363d73) // ERC-1167 constructor + header + + // Copy create2 computation data to memory + mstore8(0x00, 0xff) // 0xFF + mstore(0x35, keccak256(0x55, 0xb7)) // keccak256(bytecode) + mstore(0x01, shl(96, address())) // registry address + mstore(0x15, salt) // salt + + // Store computed service address in memory + mstore(0x00, shr(96, shl(96, keccak256(0x00, 0x55)))) + + // Return computed service address + return(0x00, 0x20) + } + } + + /// @dev Returns true if interfaceId is IERC7656Registry's interfaceId + /// This contract does not explicitly extend IERC165 to keep the bytecode as small as possible + function supportsInterface(bytes4 interfaceId) external pure returns (bool) { + return interfaceId == 0xc6bdc908; + } +} + +// This implementation is a variation of https://github.com/erc6551/reference/blob/main/src/ERC6551Registry.sol