EIP-712 — Typed Structured Data Signing

Back to Account & Authentication

EIP-712: Typed Structured Data Hashing and Signing

Before EIP-712, off-chain signing showed users a hex blob that even technical users couldn't verify. EIP-712 introduced typed structured data: signing requests carry a typed schema that wallets render as human-readable fields ("Approve 100 USDC for Uniswap until 2026-01-01").

Mechanics

1. Define a Solidity-like type schema: struct Permit { address owner; ...; uint256 deadline; }.
2. Compute domainSeparator from (name, version, chainId, verifyingContract).
3. Compute structHash = keccak256(typeHash || encoded fields).
4. The digest is keccak256(0x1901 || domainSeparator || structHash).
5. Wallet signs the digest; ecrecover verifies on-chain.

Why Neo Doesn't Need It

Neo wallets sign the actual transaction by default, and Neo transactions are already structured: Signers, Witnesses, Script. Wallets render the script's invocation parameters (which contract, which method, which args) — humans see exactly what they're authorising.

For off-chain signed messages (e.g. marketplace listings), Neo uses a similar "sign hashed message" primitive but without the EIP-712 schema layer because the message format is application-specific and already documented in the dApp.

Live on Neo TestNet

Both implementations are deployed on Neo N3 TestNet (network magic 894710606).

Implementation	Contract Hash	Deploy Tx
Solidity (neo-solc)	0x8e501310318f17d20674c639fc49b5e6100f5fdd	(reused — see 0x8e501310318f17d20674c639fc49b5e6100f5fdd)
Neo C# (nccs)	0x38e8f069271cbbbdfd2032629e733a528cd57c9a	(reused — see 0x38e8f069271cbbbdfd2032629e733a528cd57c9a)

The source pair exposes the same domain separator, and the manifest now asserts it on both implementations. Source pairs under docs/standards-mirror/deployments/eip-712/.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract EIP712Verifier {
    bytes32 public DOMAIN_SEPARATOR;

    struct Order {
        address maker;
        address asset;
        uint256 amount;
        uint256 nonce;
        uint256 deadline;
    }

    bytes32 private constant ORDER_TYPEHASH = keccak256(
        "Order(address maker,address asset,uint256 amount,uint256 nonce,uint256 deadline)"
    );

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("MyDApp"),
            keccak256("1"),
            block.chainid,
            address(this)
        ));
    }

    function hashOrder(Order memory o) public pure returns (bytes32) {
        return keccak256(abi.encode(
            ORDER_TYPEHASH, o.maker, o.asset, o.amount, o.nonce, o.deadline
        ));
    }

    function digest(Order memory o) public view returns (bytes32) {
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, hashOrder(o)));
    }

    function executeSigned(Order memory o, uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= o.deadline, "expired");
        address signer = ecrecover(digest(o), v, r, s);
        require(signer == o.maker, "bad signer");
        // ... execute order ...
    }
}

using System;
using System.ComponentModel;
using System.Numerics;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

/// <summary>
/// Neo equivalent — verify an off-chain signed order. The "digest" is just
/// the serialised order; Neo wallets sign the bytes directly. No schema
/// hashing dance because there's no need to disambiguate domains:
/// the contract hash itself is the domain separator.
/// </summary>
[DisplayName("OrderBook")]
[ContractPermission("*", "*")]
public class OrderBook : SmartContract
{
    public struct Order
    {
        public UInt160    Maker;
        public UInt160    Asset;
        public BigInteger Amount;
        public BigInteger Nonce;
        public BigInteger Deadline;
    }

    public static ByteString HashOrder(Order o)
    {
        // Domain separation: contract hash is part of the message.
        var encoded = StdLib.Serialize(new object[] {
            Runtime.ExecutingScriptHash,
            (BigInteger)Runtime.GetNetwork(),
            o.Maker, o.Asset, o.Amount, o.Nonce, o.Deadline
        });
        return CryptoLib.Sha256(encoded);
    }

    public static void ExecuteSigned(Order o, ECPoint pubKey, ByteString signature)
    {
        if (Runtime.Time / 1000 > o.Deadline) throw new Exception("expired");

        // Verify signature
        var digest = HashOrder(o);
        if (!CryptoLib.VerifyWithECDsa(digest, pubKey, signature, NamedCurveHash.secp256r1SHA256))
            throw new Exception("bad signature");

        // Confirm pubKey corresponds to maker
        var script = Contract.CreateStandardAccount(pubKey);
        if (!script.Equals(o.Maker)) throw new Exception("pubKey doesn't match maker");

        // Replay protection — track seen nonces
        var nonceKey = new byte[] { 0x01 }.Concat(o.Maker)
                                          .Concat((ByteString)o.Nonce.ToByteArray());
        if (Storage.Get(Storage.CurrentContext, nonceKey) != null)
            throw new Exception("nonce already used");
        Storage.Put(Storage.CurrentContext, nonceKey, 1);

        // ... execute order ...
    }
}

What's Different

• Domain separator is implicit: the contract's script hash + Neo network ID uniquely identify the verifying contract; no separate constant.
• No type hash: Neo serialises with StdLib.Serialize, which is canonical and collision-free for the structures it accepts.
• Same replay protection via per-maker nonces (when needed). For one-shot authorisations, transaction-level uniqueness is sufficient.