Session enhanced replay protection

ScreamingHawk · ScreamingHawk · commit 7d99a1d2ad42 · 2025-10-30T09:22:40.000+13:00
diff --git a/packages/wallet/core/src/signers/session/explicit.ts b/packages/wallet/core/src/signers/session/explicit.ts
@@ -263,10 +263,13 @@ export class Explicit implements ExplicitSessionSigner {
     }
 
     // Sign it
-    const useDeprecatedHash =
-      Address.isEqual(sessionManagerAddress, Extensions.Dev1.sessions) ||
-      Address.isEqual(sessionManagerAddress, Extensions.Dev2.sessions)
-    const callHash = SessionSignature.hashCallWithReplayProtection(payload, callIdx, chainId, useDeprecatedHash)
+    const callHash = SessionSignature.hashCallWithReplayProtection(
+      wallet,
+      payload,
+      callIdx,
+      chainId,
+      sessionManagerAddress,
+    )
     const sessionSignature = await this._privateKey.signDigest(Bytes.fromHex(callHash))
     return {
       permissionIndex: BigInt(permissionIndex),
diff --git a/packages/wallet/core/src/signers/session/implicit.ts b/packages/wallet/core/src/signers/session/implicit.ts
@@ -115,10 +115,13 @@ export class Implicit implements ImplicitSessionSigner {
     if (!isSupported) {
       throw new Error('Unsupported call')
     }
-    const useDeprecatedHash =
-      Address.isEqual(sessionManagerAddress, Extensions.Dev1.sessions) ||
-      Address.isEqual(sessionManagerAddress, Extensions.Dev2.sessions)
-    const callHash = SessionSignature.hashCallWithReplayProtection(payload, callIdx, chainId, useDeprecatedHash)
+    const callHash = SessionSignature.hashCallWithReplayProtection(
+      wallet,
+      payload,
+      callIdx,
+      chainId,
+      sessionManagerAddress,
+    )
     const sessionSignature = await this._privateKey.signDigest(Bytes.fromHex(callHash))
     return {
       attestation: this._attestation,
diff --git a/packages/wallet/primitives/src/session-signature.ts b/packages/wallet/primitives/src/session-signature.ts
@@ -1,4 +1,5 @@
 import { Address, Bytes, Hash, Hex } from 'ox'
+import { Attestation, Extensions, Payload } from './index.js'
 import { MAX_PERMISSIONS_COUNT } from './permission.js'
 import {
   decodeSessionsTopology,
@@ -10,7 +11,6 @@ import {
 } from './session-config.js'
 import { RSY } from './signature.js'
 import { minBytesFor, packRSY, unpackRSY } from './utils.js'
-import { Attestation, Payload } from './index.js'
 
 export type ImplicitSessionCallSignature = {
   attestation: Attestation.Attestation
@@ -273,20 +273,37 @@ export function decodeSessionSignature(encodedSignatures: Bytes.Bytes): {
 
 // Call encoding
 
+/**
+ * Hashes a call with replay protection parameters.
+ * @param payload The payload to hash.
+ * @param callIdx The index of the call to hash.
+ * @param chainId The chain ID. Use 0 when noChainId enabled.
+ * @param sessionManagerAddress The session manager address to compile the hash for. Only required to support deprecated hash encodings for Dev1, Dev2 and Rc3.
+ * @returns The hash of the call with replay protection parameters for sessions.
+ */
 export function hashCallWithReplayProtection(
+  wallet: Address.Address,
   payload: Payload.Calls,
   callIdx: number,
   chainId: number,
-  skipCallIdx: boolean = false, // Deprecated. Dev1 and Dev2 support
+  sessionManagerAddress?: Address.Address,
 ): Hex.Hex {
   const call = payload.calls[callIdx]!
+  // Support deprecated hashes for Dev1, Dev2 and Rc3
+  const ignoreCallIdx =
+    sessionManagerAddress &&
+    (Address.isEqual(sessionManagerAddress, Extensions.Dev1.sessions) ||
+      Address.isEqual(sessionManagerAddress, Extensions.Dev2.sessions))
+  const ignoreWallet =
+    ignoreCallIdx || (sessionManagerAddress && Address.isEqual(sessionManagerAddress, Extensions.Rc3.sessions))
   return Hex.fromBytes(
     Hash.keccak256(
       Bytes.concat(
+        ignoreWallet ? Bytes.from([]) : Bytes.fromHex(wallet),
         Bytes.fromNumber(chainId, { size: 32 }),
         Bytes.fromNumber(payload.space, { size: 32 }),
         Bytes.fromNumber(payload.nonce, { size: 32 }),
-        skipCallIdx ? Bytes.from([]) : Bytes.fromNumber(callIdx, { size: 32 }),
+        ignoreCallIdx ? Bytes.from([]) : Bytes.fromNumber(callIdx, { size: 32 }),
         Bytes.fromHex(Payload.hashCall(call)),
       ),
     ),
diff --git a/packages/wallet/primitives/test/session-signature.test.ts b/packages/wallet/primitives/test/session-signature.test.ts
@@ -21,6 +21,7 @@ import {
   sessionCallSignatureToJson,
 } from '../src/session-signature.js'
 import { RSY } from '../src/signature.js'
+import { Extensions } from '../src/index.js'
 
 describe('Session Signature', () => {
   // Test data
@@ -446,22 +447,23 @@ describe('Session Signature', () => {
   describe('Helper Functions', () => {
     describe('hashCallWithReplayProtection', () => {
       it('should hash call with replay protection parameters', () => {
-        const result = hashCallWithReplayProtection(samplePayload, 0, testChainId)
+        const result = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
 
         expect(result).toMatch(/^0x[0-9a-f]{64}$/) // 32-byte hex string
         expect(Hex.size(result)).toBe(32)
       })
 
       it('should produce different hashes for different chain IDs', () => {
-        const hash1 = hashCallWithReplayProtection(samplePayload, 0, ChainId.MAINNET)
-        const hash2 = hashCallWithReplayProtection(samplePayload, 0, ChainId.POLYGON)
+        const hash1 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, ChainId.MAINNET)
+        const hash2 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, ChainId.POLYGON)
 
         expect(hash1).not.toBe(hash2)
       })
 
       it('should produce different hashes for different spaces', () => {
-        const hash1 = hashCallWithReplayProtection(samplePayload, 0, testChainId)
+        const hash1 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
         const hash2 = hashCallWithReplayProtection(
+          testAddress1,
           { ...samplePayload, space: samplePayload.space + 1n },
           0,
           testChainId,
@@ -471,8 +473,9 @@ describe('Session Signature', () => {
       })
 
       it('should produce different hashes for different nonces', () => {
-        const hash1 = hashCallWithReplayProtection(samplePayload, 0, testChainId)
+        const hash1 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
         const hash2 = hashCallWithReplayProtection(
+          testAddress1,
           { ...samplePayload, nonce: samplePayload.nonce + 1n },
           0,
           testChainId,
@@ -488,17 +491,51 @@ describe('Session Signature', () => {
         }
         const payload2 = { ...samplePayload, calls: [call2] }
 
-        const hash1 = hashCallWithReplayProtection(samplePayload, 0, testChainId)
-        const hash2 = hashCallWithReplayProtection(payload2, 0, testChainId)
+        const hash1 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
+        const hash2 = hashCallWithReplayProtection(testAddress1, payload2, 0, testChainId)
 
         expect(hash1).not.toBe(hash2)
       })
 
+      it('should produce different hashes for different wallets', () => {
+        const payload = { ...samplePayload, calls: [sampleCall, sampleCall] }
+
+        const hash1 = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId)
+        const hash2 = hashCallWithReplayProtection(testAddress2, payload, 0, testChainId)
+
+        expect(hash1).not.toBe(hash2)
+      })
+
+      it('should NOT produce different hashes for different wallets when using deprecated hash encoding for Dev1 and Dev2', () => {
+        // This is ONLY for backward compatibility with Dev1 and Dev2
+        // This is exploitable and should not be used in practice
+        const payload = { ...samplePayload, calls: [sampleCall, sampleCall] }
+
+        const hash1 = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId, Extensions.Dev1.sessions)
+        const hash2 = hashCallWithReplayProtection(testAddress2, payload, 0, testChainId, Extensions.Dev2.sessions)
+
+        expect(hash1).toBe(hash2)
+      })
+
+      it('should produce different hashes for different wallets when using deprecated hash encoding for Dev1/2, Rc3 and latest', () => {
+        // This is ONLY for backward compatibility with Rc3
+        // This is exploitable and should not be used in practice
+        const payload = { ...samplePayload, calls: [sampleCall, sampleCall] }
+
+        const hash1 = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId, Extensions.Dev1.sessions)
+        const hash2 = hashCallWithReplayProtection(testAddress2, payload, 0, testChainId, Extensions.Rc3.sessions)
+        const hash3 = hashCallWithReplayProtection(testAddress2, payload, 0, testChainId)
+
+        expect(hash1).not.toBe(hash2)
+        expect(hash1).not.toBe(hash3)
+        expect(hash2).not.toBe(hash3)
+      })
+
       it('should produce different hashes for same call at different index', () => {
         const payload = { ...samplePayload, calls: [sampleCall, sampleCall] }
 
-        const hash1 = hashCallWithReplayProtection(payload, 0, testChainId)
-        const hash2 = hashCallWithReplayProtection(payload, 1, testChainId)
+        const hash1 = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId)
+        const hash2 = hashCallWithReplayProtection(testAddress1, payload, 1, testChainId)
 
         expect(hash1).not.toBe(hash2)
       })
@@ -508,15 +545,15 @@ describe('Session Signature', () => {
         // This is exploitable and should not be used in practice
         const payload = { ...samplePayload, calls: [sampleCall, sampleCall] }
 
-        const hash1 = hashCallWithReplayProtection(payload, 0, testChainId, true)
-        const hash2 = hashCallWithReplayProtection(payload, 1, testChainId, true)
+        const hash1 = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId, Extensions.Dev1.sessions)
+        const hash2 = hashCallWithReplayProtection(testAddress1, payload, 1, testChainId, Extensions.Dev1.sessions)
 
         expect(hash1).toBe(hash2)
       })
 
       it('should be deterministic', () => {
-        const hash1 = hashCallWithReplayProtection(samplePayload, 0, testChainId)
-        const hash2 = hashCallWithReplayProtection(samplePayload, 0, testChainId)
+        const hash1 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
+        const hash2 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
 
         expect(hash1).toBe(hash2)
       })
@@ -527,6 +564,7 @@ describe('Session Signature', () => {
         const largeNonce = 2n ** 24n
 
         const result = hashCallWithReplayProtection(
+          testAddress1,
           { ...samplePayload, space: largeSpace, nonce: largeNonce },
           0,
           largeChainId,
@@ -535,7 +573,7 @@ describe('Session Signature', () => {
       })
 
       it('should handle zero values', () => {
-        const result = hashCallWithReplayProtection({ ...samplePayload, space: 0n, nonce: 0n }, 0, 0)
+        const result = hashCallWithReplayProtection(testAddress1, { ...samplePayload, space: 0n, nonce: 0n }, 0, 0)
         expect(result).toMatch(/^0x[0-9a-f]{64}$/)
       })
 
@@ -546,7 +584,7 @@ describe('Session Signature', () => {
         }
         const payload = { ...samplePayload, calls: [callWithEmptyData] }
 
-        const result = hashCallWithReplayProtection(payload, 0, testChainId)
+        const result = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId)
         expect(result).toMatch(/^0x[0-9a-f]{64}$/)
       })
 
@@ -557,8 +595,8 @@ describe('Session Signature', () => {
         }
         const payload = { ...samplePayload, calls: [delegateCall] }
 
-        const hash1 = hashCallWithReplayProtection(samplePayload, 0, testChainId)
-        const hash2 = hashCallWithReplayProtection(payload, 0, testChainId)
+        const hash1 = hashCallWithReplayProtection(testAddress1, samplePayload, 0, testChainId)
+        const hash2 = hashCallWithReplayProtection(testAddress1, payload, 0, testChainId)
 
         expect(hash1).not.toBe(hash2)
       })
@@ -735,12 +773,15 @@ describe('Session Signature', () => {
       const calls: Payload.Call[] = [
         sampleCall,
         { ...sampleCall, to: testAddress2 },
+        { ...sampleCall, to: testAddress2 }, // Repeat call
         { ...sampleCall, value: 500000000000000000n },
       ]
       const payload = { ...samplePayload, calls: calls }
 
       // Generate hashes for each call
-      const hashes = calls.map((call) => hashCallWithReplayProtection(payload, calls.indexOf(call), testChainId))
+      const hashes = calls.map((call) =>
+        hashCallWithReplayProtection(testAddress1, payload, calls.indexOf(call), testChainId),
+      )
 
       // All hashes should be valid and different
       for (let i = 0; i < hashes.length; i++) {
