ERC-1271 — Smart Contract Signatures

Back to Account & Authentication

ERC-1271: Smart Contract Signature Verification

ERC-1271 lets smart contracts "sign" messages — useful for multi-sigs, smart accounts, DAOs that need to authorize off-chain operations like marketplace listings or governance votes. The contract implements isValidSignature(hash, signature) and returns the magic value 0x1626ba7e on success.

Why It Exists on Ethereum

ecrecover only verifies EOA signatures. Without ERC-1271, a smart contract cannot participate in any flow that uses off-chain signatures (NFT marketplaces, DAO snapshot votes, meta-transactions).

Neo Equivalent

Neo doesn't differentiate "EOA signs" vs "contract signs". Every Neo address is the script hash of a verification script — single-sig CHECKSIG, multi-sig CHECKMULTISIG, or arbitrary contract via NEP-30 verify. The protocol invokes the right verifier automatically. Off-chain signature verification uses CryptoLib.VerifyWithECDsa.

Live on Neo TestNet

Both implementations deployed on Neo N3 TestNet.

Implementation	TestNet Address	Contract Hash
Solidity (neo-solc)	Nh2dZYCdvA6KfgeJ78712Twq5tZVRANtdk	0x88eec008…e92b9de7
Neo C# (nccs)	NXq82dqPfYsB4gYxpurbn2sft8tT9v4NL2	0x88079ecd…a8cfb682

Checked-in snapshot covers pre-setup state. The manifest now also exercises one-owner setup, threshold update, and owner membership; the C# version exposes Verify() for native NEP-30 multi-sig witnessing. docs/standards-mirror/deployments/erc-1271/.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature)
        external view returns (bytes4 magicValue);
}

contract MultiSigWallet is IERC1271 {
    address[] public owners;
    uint256   public threshold;
    bytes4 private constant MAGIC = 0x1626ba7e;

    function isValidSignature(bytes32 hash, bytes memory signatures)
        external view returns (bytes4)
    {
        require(signatures.length >= threshold * 65, "too few sigs");
        address[] memory seen = new address[](threshold);

        for (uint i; i < threshold; ++i) {
            (uint8 v, bytes32 r, bytes32 s) = _parse(signatures, i);
            address signer = ecrecover(hash, v, r, s);
            require(_isOwner(signer), "not owner");
            for (uint j; j < i; ++j) require(seen[j] != signer, "dup signer");
            seen[i] = signer;
        }
        return MAGIC;
    }

    function _parse(bytes memory sigs, uint i)
        internal pure returns (uint8 v, bytes32 r, bytes32 s)
    {
        assembly {
            r := mload(add(sigs, add(0x20, mul(i, 65))))
            s := mload(add(sigs, add(0x40, mul(i, 65))))
            v := byte(0, mload(add(sigs, add(0x60, mul(i, 65)))))
        }
    }

    function _isOwner(address a) internal view returns (bool) {
        for (uint i; i < owners.length; ++i)
            if (owners[i] == a) return true;
        return false;
    }
}

// Marketplace verifying a smart-contract signature:
contract Marketplace {
    bytes4 private constant ERC1271_MAGIC = 0x1626ba7e;

    function _verifyListing(address signer, bytes32 hash, bytes memory sig)
        internal view returns (bool)
    {
        if (signer.code.length == 0) {
            // EOA path — ecrecover boilerplate elided
            return false;
        }
        try IERC1271(signer).isValidSignature(hash, sig) returns (bytes4 m) {
            return m == ERC1271_MAGIC;
        } catch { return false; }
    }
}

using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

/// <summary>
/// On-chain authorization — same primitive for any account type.
/// </summary>
public static class AuthorizeAny
{
    public static bool Authorize(UInt160 account)
        => Runtime.CheckWitness(account);   // works for EOA, multi-sig, or contract account
}

/// <summary>
/// Off-chain signature verification — what marketplaces use to verify listings
/// signed by a wallet but submitted on-chain by another party.
/// </summary>
public static class ListingVerifier
{
    public static bool VerifySingleSig(
        UInt160 expectedAccount, ByteString message,
        ByteString signature, ECPoint pubKey)
    {
        var script = Contract.CreateStandardAccount(pubKey);
        if (!script.Equals(expectedAccount)) return false;
        return CryptoLib.VerifyWithECDsa(message, pubKey, signature, NamedCurveHash.secp256r1SHA256);
    }

    public static bool VerifyMultiSig(
        UInt160 expectedAccount, ByteString message,
        ECPoint[] pubKeys, ByteString[] signatures, int threshold)
    {
        var script = Contract.CreateMultisigAccount(threshold, pubKeys);
        if (!script.Equals(expectedAccount)) return false;

        int valid = 0;
        foreach (var sig in signatures)
            foreach (var pk in pubKeys)
                if (CryptoLib.VerifyWithECDsa(message, pk, sig, NamedCurveHash.secp256r1SHA256)) {
                    valid++; break;
                }
        return valid >= threshold;
    }
}

Why ERC-1271 Doesn't Exist on Neo

Concern	ERC-1271	Neo
EOA vs contract dispatch	Caller checks code.length and branches	Single primitive: account hash + verification script
Magic value	Contract must return 0x1626ba7e	Not applicable
Marketplace integration	Implement both branches	One verification path
Failure modes	Inconsistent (revert vs return wrong magic)	Verification scripts succeed or fail