ERC-6492 — Signatures for Pre-deployed Contracts

Back to Account & Authentication

ERC-6492: Signatures for Pre-deployed Smart Accounts

ERC-6492 solves a niche but painful problem with smart accounts: a user can have a "counterfactual" smart account address (deterministic from CREATE2) that they haven't actually deployed yet. They want to sign a marketplace listing or DAO vote before spending gas to deploy. ERC-6492 wraps signatures with (factory, factoryCalldata, signature) so a verifier can check the signature using the yet-to-be-deployed account's eventual code.

Mechanics

A 6492-wrapped signature appended with 0x6492649264926492649264926492649264926492649264926492649264926492 magic suffix tells the verifier:

1. If the contract isn't deployed yet, deploy it (via factory.factoryCalldata).
2. Then validate via ERC-1271's isValidSignature.
3. If still invalid, treat as standard ECDSA signature.

Neo Equivalent

Neo doesn't have counterfactual deploys: a contract address is the script hash, and you must deploy bytecode before you can be signed-for. But a Neo user can sign a listing as their EOA (which always exists at its public-key-derived hash), then upgrade to a smart-contract account later via NEP-30 verify. The C# tab shows how a verifier handles both cases without the wrapping ceremony.

Live on Neo TestNet

Both implementations are deployed on Neo N3 TestNet (network magic 894710606).

Implementation	Contract Hash	Deploy Tx
Solidity (neo-solc)	0x95170df70a3c425fdaad9795f77a68430ac659d9	(reused — see 0x95170df70a3c425fdaad9795f77a68430ac659d9)
Neo C# (nccs)	0x7dd2cd08072ab383cf7152bf5ed734d7d240bfc9	(reused — see 0x7dd2cd08072ab383cf7152bf5ed734d7d240bfc9)

Cross-implementation invocations match on the marker-verification counter. Source pairs under docs/standards-mirror/deployments/erc-6492/.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC1271 {
    function isValidSignature(bytes32, bytes memory) external view returns (bytes4);
}

library SignatureValidator {
    bytes32 constant ERC6492_MAGIC =
        0x6492649264926492649264926492649264926492649264926492649264926492;

    function isValidSig(address signer, bytes32 hash, bytes memory sig)
        internal view returns (bool)
    {
        // Strip & detect ERC-6492 wrapping
        bool is6492 = sig.length >= 32
            && _readBytes32(sig, sig.length - 32) == ERC6492_MAGIC;

        if (is6492) {
            // Decode (factory, factoryCalldata, innerSig) from sig[:-32]
            (address factory, bytes memory call, bytes memory inner) =
                abi.decode(_strip(sig, 32), (address, bytes, bytes));

            if (signer.code.length == 0) {
                (bool ok, ) = factory.call(call);
                require(ok, "deploy failed");
            }
            sig = inner;
        }

        if (signer.code.length > 0) {
            try IERC1271(signer).isValidSignature(hash, sig) returns (bytes4 m) {
                return m == 0x1626ba7e;
            } catch { return false; }
        }
        // Fall through to ecrecover...
        return false;
    }

    function _strip(bytes memory b, uint n) internal pure returns (bytes memory) {
        bytes memory out = new bytes(b.length - n);
        for (uint i; i < b.length - n; ++i) out[i] = b[i];
        return out;
    }

    function _readBytes32(bytes memory b, uint offset) internal pure returns (bytes32 r) {
        assembly { r := mload(add(b, add(32, offset))) }
    }
}

using System;
using System.ComponentModel;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

[DisplayName("SigVerifier")]
[ContractPermission("*", "*")]
public class SigVerifier : SmartContract
{
    /// <summary>
    /// Verify a signature for an account that may be either:
    ///   (a) a single-sig EOA-style address (script hash of CHECKSIG script), or
    ///   (b) a deployed contract account (NEP-30 verify or arbitrary script).
    ///
    /// On Neo, the signer's address is the script hash of its verification
    /// script. For (a), the script is canonical and we can verify via
    /// CryptoLib.VerifyWithECDsa. For (b), we delegate to the deployed
    /// contract's verify method.
    /// </summary>
    public static bool IsValid(UInt160 signer, ByteString digest,
                               ECPoint pubKey, ByteString signature)
    {
        // Case (a): EOA-style — pubKey-derived script matches signer hash.
        var derived = (UInt160)CryptoLib.Ripemd160(CryptoLib.Sha256(
            Helper.CreateSignatureCheckScript(pubKey)));
        if (derived.Equals(signer))
            return CryptoLib.VerifyWithECDsa(digest, pubKey, signature, NamedCurveHash.secp256r1SHA256);

        // Case (b): deployed contract — call its verify method.
        var contract = ContractManagement.GetContract(signer);
        if (contract != null)
        {
            try
            {
                var ok = (bool)Contract.Call(signer, "verify", CallFlags.ReadOnly,
                                             new object[] { digest, signature });
                return ok;
            }
            catch { return false; }
        }
        return false;
    }
}

Why "Counterfactual" Isn't an Issue on Neo

On Neo, an account address is one of three things:

• A single-sig EOA — exists by virtue of its public key, no deploy needed.
• A multi-sig — also derivable from (threshold, pubkeys), no deploy needed.
• A deployed smart contract — has a script hash from its NEF + manifest.

Cases 1 and 2 are "always deployed" implicitly — the signature can be verified without any prior on-chain action. Case 3 requires the contract to exist for the NEP-30 path. Users who want a smart-contract account migrate from case 1 to case 3 when they're ready, with no signature-replay concern because the address itself changes.