ERC-7754: adding key security detail to the TWIST verification spec

uni-guillaume · uni-guillaume · commit d72a579e9199 · 2025-07-23T16:10:45.000-07:00
Signed-off-by: Guillaume Grosbois &lt;guillaume.grosbois@uniswap.org&gt;
diff --git a/ERCS/erc-7754.md b/ERCS/erc-7754.md
@@ -156,9 +156,12 @@ const result = await ethereum.request({
 #### Signature verification
 
 1. Upon receiving an [EIP-1193](./eip-1193.md) call, the wallet MUST check of the existence of the TWIST manifest for the `sender.tab.url` domain
-   a. The wallet MUST verify that the manifest is hosted on the `sender.tab.url` domain
-   b. The wallet SHOULD find the DNS TXT record to find the manifest location
-   b. The wallet MAY first try the `/.well-known/twist.json` location
+   a. The wallet MUST enforce HTTPS as HTTP call would be vulnerable to DNS spoofing
+   b. The wallet MUST verify that the manifest is hosted on the `sender.tab.url` domain
+   c. The wallet SHOULD find the DNS TXT record to find the manifest location
+   d. The wallet MAY first try the `/.well-known/twist.json` location
+   e. The wallet MUST NOT follow redirects when querying the manifest location as it could lead to open redirect attacks
+   f. The wallet SHOULD validate the `Content-Type` header of the response is specifically set to `application/json`
 2. If TWIST is NOT configured for the `sender.tab.url` domain, then proceed as usual
 3. If TWIST is configured and the `request` method is used, then the wallet SHOULD display a visible and actionable warning to the user
    a. If the user opts to ignore the warning, then proceed as usual
@@ -201,6 +204,9 @@ async function signedRequest(
 
   // 3. Parse the manifest and get the key and algo based on `keyId`
   const manifestReq = await fetch(manifestPath);
+  if(manifestReq.headers['content-type']!=='application/json'){
+    throw new Error('The manifest is not a proper json file')
+  }
   const manifest = await manifestReq.json();
   const keyData = manifest.publicKeys.filter((x) => x.id == keyId);
   if (!keyData) {
@@ -251,6 +257,15 @@ which are of very limited value for an attacker.
 For these reason, we do not recommend a specific replay protection mechanism at this time. If/when the need arise, the extensibility of
 the manifest will provide the necessary room to enforce a replay protection envelope (eg:JWT) for affected dapp.
 
+### Malicious manifests
+
+The manifest itself could be attacked, defeating the purpose of TWIST. We identified the following possible attacks, and their counter measure:
+
+1. An attacker can spoof DNS entries and use it to serve their own manifest: to avoid this, the wallet implementation MUST only query the manifest from `'https://' + sender.tab.url + '/' + pathFromDNSRecord
+2. An attacker can leverage other flaws in a dapp to host a malicious manifest on the dapp domain itself
+   a. by leveraging open redirect: consequently the wallet MUST NOT follow redirect when querying the manifest
+   b. by managing to host a file on the dapp domain: consequently the wallet SHOULD verify the `content-type` header is equal to `application/json` to mitigate this attack vector
+
 ## Copyright
 
 Copyright and related rights waived via [CC0](../LICENSE.md).
