Update ERC-7656: Improve security considerations

Merged by EIP-Bot.
ethereum · Jan 5, 2025 · b9de3d6 · b9de3d6
1 parent cae8562
commit b9de3d6
Showing 1 changed file with 23 additions and 20 deletions.
diff --git a/ERCS/erc-7656.md b/ERCS/erc-7656.md
@@ -33,6 +33,8 @@ The expansion of the registry's capabilities to manage contracts implementing an
 
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174.
 
+### Registry Interface
+
 The interface `IERC7656Registry` is defined as follows:
 
 ```solidity
@@ -101,6 +103,8 @@ interface IERC7656Registry {
 
 Any `ERC7656Registry` implementation MUST support the `IERC7656Registry`'s interface ID, i.e., `0xc6bdc908`.
 
+### Deployment Requirements
+
 The registry MUST deploy each token-linked service as an [ERC-1167](./eip-1167.md) minimal proxy with immutable constant data appended to the bytecode, similarly to existing token-bound account proposals.
 
 The deployed bytecode of each token-bound service MUST have the following structure:
@@ -114,6 +118,8 @@ ERC-1167 Footer               (15 bytes)
 <tokenId (uint256)>           (32 bytes)
 ```
 
+### Recommended Service Interface
+
 Any contract created using a `ERC7656Registry` SHOULD implement the `IERC7656Service` interface:
 
 ```solidity
@@ -130,7 +136,7 @@ interface IERC7656Service {
 }
 ```
 
-or an account interface or both. This flexibility makes existing account contracts compatible with this proposal out-of-the-box.
+but if the service is a specific type of contract that implements its own interface, like for example token bound smart-wallets, supporting that interface ID is acceptable, to make it compatible out-of-the-box with alternative existing standards.
 
 ## Rationale
 
@@ -176,37 +182,34 @@ contract LinkedService is IERC7656Service, EIP5313 {
 }
 ```
 
-
 ## Security Considerations
 
-### Fraud Prevention when linking accounts to NFTs
+### Ownership Cycles
 
-In order to enable trustless sales of token bound accounts, decentralized marketplaces will need to implement safeguards against fraudulent behavior by malicious account owners.
+If a token-linked service functions as a smart wallet, an ownership cycle can render all assets permanently inaccessible. For example, if an ERC-721 token is transferred to the same smart wallet that it owns, neither the token nor the wallet’s assets can be retrieved, because the wallet cannot transfer the token back.
 
-Consider the following potential scam:
+Preventing more complex ownership cycles on-chain is difficult, as it would require searching an unbounded number of possible transfers. Consequently, this proposal does not address cycle prevention. Projects adopting this proposal SHOULD include their own safeguards against such scenarios.
 
-- Alice owns an ERC-721 token X, which owns token bound account Y.
-- Alice deposits 10ETH into account Y
-- Bob offers to purchase token X for 11ETH via a decentralized marketplace, assuming he will receive the 10ETH stored in account Y along with the token
-- Alice withdraws 10ETH from the token bound account, and immediately accepts Bob's offer
-- Bob receives token X, but account Y is empty
+### Fraud Prevention when linking accounts to NFTs
 
-To mitigate fraudulent behavior by malicious account owners, decentralized marketplaces SHOULD implement protection against these sorts of scams at the marketplace level. Contracts which implement this EIP MAY also implement certain protections against fraudulent behavior.
+Token-linked services can take many forms—such as subscription services, smart wallets, or renting platforms—and a malicious seller could exploit this flexibility by altering or removing critical components just before finalizing a sale. For instance, the seller might transfer out assets from a wallet service, revoke access from a subscription, or break a rental agreement at the last moment, leaving the buyer with a compromised or worthless service.
 
-Here are a few mitigations strategies to be considered:
+Because this proposal accommodates a wide range of services, there is no one-size-fits-all fraud mitigation strategy. However, a common approach is to implement a lock mechanism that restricts changes for a certain period before the sale is completed, or until the buyer confirms the purchase. Such functionality MAY be included by service developers but is not mandated by this proposal.
 
-- Attach the current token bound account state to the marketplace order. If the state of the account has changed since the order was placed, consider the offer void. This functionality would need to be supported at the marketplace level.
-- Attach a list of asset commitments to the marketplace order that are expected to remain in the token bound account when the order is fulfilled. If any of the committed assets have been removed from the account since the order was placed, consider the offer void. This would also need to be implemented by the marketplace.
-- Submit the order to the decentralized market via an external smart contract which performs the above logic before validating the order signature. This allows for safe transfers to be implemented without marketplace support.
-- Implement a locking mechanism on the token bound account implementation that prevents malicious owners from extracting assets from the account while locked
+### Malicious or Unverified Implementations
+Since the registry cannot ensure that only the legitimate NFT owner can create services for a given token, there is a risk that malicious or unverified code could be used. Users and marketplaces SHOULD carefully review or audit any implementation before linking it to an NFT.
 
-Preventing fraud is outside the scope of this proposal.
+### Upgradability and Governance Risks
+If a token-linked service is upgradable, the current owner (or a compromised owner) could upgrade the contract to exfiltrate assets or change functionality unexpectedly. Projects SHOULD implement secure upgrade mechanisms, such as time-locked upgrades or multi-signature approvals.
 
-### Ownership Cycles
+### Re-entrancy and Cross-Contract Interactions
+Token-linked services (especially those that hold assets or interact with external protocols) may be vulnerable to re-entrancy attacks or other cross-contract exploits. Implementers SHOULD follow standard security patterns and best practices.
 
-All assets held in a token bound account may be rendered inaccessible if an ownership cycle is created. The simplest example is the case of an ERC-721 token being transferred to its own token bound account. If this occurs, both the ERC-721 token and all of the assets stored in the token bound account would be permanently inaccessible, since the token bound account is incapable of executing a transaction which transfers the ERC-721 token.
+### Denial of Service (DoS)
+If a service is designed or implemented incorrectly, it may become impossible to execute certain calls or transfer ownership, resulting in a DoS scenario. Implementers SHOULD consider fail-safes or recovery methods to prevent indefinite lockouts.
 
-Ownership cycles can be introduced in any graph of n>0 token bound accounts. On-chain prevention of cycles with depth>1 is difficult to enforce given the infinite search space required, and as such is outside the scope of this proposal. Application clients and account implementations wishing to adopt this proposal are encouraged to implement measures that limit the possibility of ownership cycles.
+### User Education and Phishing Risks
+Even with secure smart contracts, end-users can still be tricked into interacting with fraudulent services. Clear user interfaces, warnings, and contract verifications (e.g., Etherscan or similar tools) SHOULD be encouraged to reduce phishing and social engineering risks.
 
 ## Copyright