network id + account address + contract address -- delegate AENS and Oracle operations
network id + account address + name hash + contract address -- delegate an AENS name to a contract
network id + query id + contract address -- delegate ability to reply to an oracle query
The addresses and ids are encoded as raw data, losing information on the entity type. In existing combinations, I can re-encode the current account address as an oracle query id and request the wallet to sign an oracle query delegation (3) and get a general delegation (1) instead.
If later we would introduce additional delegation signatures like network id + account address + channel address + contract address then functions signing a delegation of a new type can be misused to generate name delegation (2).
Currently, implementing a wallet API the correct way to name methods would be "sign network id, account address, and 32 bytes" instead of "sign network id, account address, and contract address".
I've found 3 types of delegation signatures:
network id + account address + contract address
-- delegate AENS and Oracle operationsnetwork id + account address + name hash + contract address
-- delegate an AENS name to a contractnetwork id + query id + contract address
-- delegate ability to reply to an oracle queryThe addresses and ids are encoded as raw data, losing information on the entity type. In existing combinations, I can re-encode the current account address as an oracle query id and request the wallet to sign an oracle query delegation (3) and get a general delegation (1) instead.
If later we would introduce additional delegation signatures like
network id + account address + channel address + contract address
then functions signing a delegation of a new type can be misused to generate name delegation (2).Currently, implementing a wallet API the correct way to name methods would be "sign network id, account address, and 32 bytes" instead of "sign network id, account address, and contract address".
The above issues may be solved by encoding address the same way as in transactions, using this mapping https://github.com/aeternity/aeserialization/blob/177bf604b2a05e940f92cf00e96e6e269e708245/src/aeser_id.erl#L97-L102