# cross-chain signature replay succeeds when UserOperations omit chain_id from the signed message
In ERC-4337, a `UserOperation` is a signed bundle submitted to a bundler. When the signed message omits `chain_id`, a valid signature on one chain is valid on any chain where the same account contract exists at the same address. Since AA wallets commonly deploy to identical addresses across chains via CREATE2, this condition is easily met.
The attack: observe a signed UserOperation on chain A, then submit the same bytes to a bundler on chain B. The EntryPoint verifies the structurally valid signature and executes the operation on the victim's account, although the victim never authorized it on chain B. The fix: include `chain_id` in the signed payload and validate it on-chain during execution.
Since [[signature replay attacks succeed when contracts verify signatures without tracking processed message hashes]] is the parent pattern and [[signature expiration deadlines are necessary because signatures without timestamps function as irrevocable lifetime licenses]] covers the temporal dimension, this note adds the chain-binding dimension. Since [[EIP-7702 delegation phishing enables persistent EOA account takeover through a single signed authorization tuple with effects invisible in standard transaction inspection]], the same pattern (chainId=0 amplification) appears in EOA delegation. Since [[ERC-4337 signature replay across wallets exploits isValidSignature implementations that authenticate a bytes32 hash without binding the signature to a specific account address]], chain-binding (this note) and address-binding are orthogonal dimensions of the same domain-separation requirement.
Distinct from [[EIP-712 domain separator computed at deployment becomes stale after chain forks enabling cross-chain replay]]: that vulnerability arises from a cached domain separator becoming stale post-fork; here chain_id is never included at all.
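
The weak digest and the chain-bound digest side by side, as an added Solidity example that is not from the original note or from the ERC-4337 reference code; the contract `ChainBindingDemo`, the reduced `Op` struct and all function names are hypothetical. It also binds the verifying contract's address, which goes one step beyond the chain binding this note covers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: a simplified, hypothetical account, not the ERC-4337 reference code.
contract ChainBindingDemo {
    // Reduced stand-in for a UserOperation: only the fields needed for the point.
    struct Op {
        address sender;
        uint256 nonce;
        bytes callData;
    }

    address public immutable owner;

    constructor(address _owner) {
        owner = _owner;
    }

    // WEAK: the digest depends only on the operation's contents. The same bytes
    // hash to the same value on every chain, so one signature verifies wherever
    // this account exists at the same address with the same owner.
    function digestUnbound(Op calldata op) public pure returns (bytes32) {
        return keccak256(abi.encode(op.sender, op.nonce, keccak256(op.callData)));
    }

    // BOUND: mixes in block.chainid, read at verification time rather than
    // cached at deployment, plus the verifying contract's address.
    function digestBound(Op calldata op) public view returns (bytes32) {
        return keccak256(abi.encode(digestUnbound(op), address(this), block.chainid));
    }

    // Raw ecrecover keeps the example self-contained; production code should
    // use a vetted ECDSA library that also rejects malleable signatures.
    function isOwnerSig(bytes32 digest, uint8 v, bytes32 r, bytes32 s) public view returns (bool) {
        address signer = ecrecover(digest, v, r, s);
        return signer != address(0) && signer == owner;
    }

    // A signature produced for chain A fails here on chain B, because
    // block.chainid changes the digest the signer would have had to sign.
    function validate(Op calldata op, uint8 v, bytes32 r, bytes32 s) external view returns (bool) {
        return isOwnerSig(digestBound(op), v, r, s);
    }
}
```
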
Relevant Notes:
- [[signature replay attacks succeed when contracts verify signatures without tracking processed message hashes]]: parent pattern: replay enabled by insufficient binding
- [[signature expiration deadlines are necessary because signatures without timestamps function as irrevocable lifetime licenses]]: sibling: temporal dimension of signature binding
- [[EIP-7702 delegation phishing enables persistent EOA account takeover through a single signed authorization tuple with effects invisible in standard transaction inspection]]: sibling: the same chain-binding omission pattern in EIP-7702 EOA delegation context (chainId=0 cross-chain amplification); both enable multi-chain compromise from a single signature
- [[ERC-4337 signature replay across wallets exploits isValidSignature implementations that authenticate a bytes32 hash without binding the signature to a specific account address]]: sibling within AA: cross-wallet replay from missing address binding; together with this note they define the complete domain-binding requirement (chain + address) for AA signatures
- [[EIP-712 domain separator computed at deployment becomes stale after chain forks enabling cross-chain replay]]: related but distinct: that note's chain-binding failure is about a cached domain separator becoming stale post-fork; this note's failure is the absence of chain_id from the UserOperation payload entirely
Topics:
- [[vulnerability-patterns]]