ERC-1271: Standard Signature Validation Method for Contracts

source Apr 10, 2026

ethereumeipercsignaturessmart-accountssmart-walletoff-chainaccount-abstraction

ERC-1271 is the Ethereum standard for letting smart contracts verify signatures on their own behalf. It defines a single interface method, isValidSignature(bytes32 hash, bytes signature) returns (bytes4 magicValue), that any contract can implement. Authored by Francisco Giordano, Matt Condon, Philippe Castonguay, Amir Bandeali, Jorge Izquierdo, and Bertrand Masius; created 2018-07-25. Standards Track, ERC (application-level) category.

Motivation

Externally Owned Accounts (EOAs) sign messages with their private keys and verifiers call ecrecover to confirm the signer. Smart contracts have no private key, so ecrecover is not an option for them. Without a standard, any dapp that accepted off-chain signatures implicitly required an EOA signer, and every contract-owned identity — smart wallets, DAOs, multisigs, escrows — was locked out of the signature layer.

The canonical motivating example is a decentralized exchange with an off-chain orderbook. Buyers and sellers sign orders off-chain; the exchange contract verifies the signatures when settling. An EOA signs with its private key; a Safe multisig owned by five people cannot. EIP-1271 gives the Safe a way to answer “yes, that order is valid on my behalf” without ever possessing a private key.

Specification

pragma solidity ^0.5.0;

contract ERC1271 {

  // bytes4(keccak256("isValidSignature(bytes32,bytes)")
  bytes4 constant internal MAGICVALUE = 0x1626ba7e;

  /**
   * @dev Should return whether the signature provided is valid for the provided hash
   * @param _hash      Hash of the data to be signed
   * @param _signature Signature byte array associated with _hash
   *
   * MUST return the bytes4 magic value 0x1626ba7e when function passes.
   * MUST NOT modify state (using STATICCALL for solc < 0.5, view modifier for solc > 0.5)
   * MUST allow external calls
   */
  function isValidSignature(
    bytes32 _hash,
    bytes memory _signature)
    public
    view
    returns (bytes4 magicValue);
}

Three requirements:

Returns the magic value on success: bytes4(0x1626ba7e) = bytes4(keccak256("isValidSignature(bytes32,bytes)")). Anything else — different bytes, a revert, no implementation at all — is a rejection.
Must not modify state: Enforced via view in Solidity 0.5+, STATICCALL in older versions. See isValidSignature for why this matters.
Must allow external calls: The method is public/external because verifiers are always external to the signing contract.

The isValidSignature method can call arbitrary internal logic to determine validity — ECDSA recovery, multisig threshold checking, BLS aggregation, pre-approved hash lookup, role-based permissions, time windows, state-based rules. The standard is agnostic about what “valid” means; it only standardizes the interface.

Who implements it

Any contract that wants to be treated as a signer:

Smart contract wallets — Safe (Gnosis), Argent, Ambire, Sequence, Biconomy
DAOs — governance contracts that authorize actions via proposal passage
Multisignature wallets — owner set plus threshold
ERC-4337 smart accounts — account abstraction implementations
Escrows and time-locks — contracts that hold assets on behalf of users
DEX aggregators — protocols that sign orders on behalf of pooled users

Who calls it

Any verifier that needs to check whether a signature is valid for a contract-owned address. The typical pattern is:

function verify(address signer, bytes32 hash, bytes calldata signature) internal view {
    if (signer.code.length > 0) {
        // Contract signer: use EIP-1271
        bytes4 result = IERC1271(signer).isValidSignature(hash, signature);
        require(result == 0x1626ba7e, "INVALID_SIGNATURE");
    } else {
        // EOA signer: use ecrecover
        require(ECDSA.recover(hash, signature) == signer, "INVALID_SIGNATURE");
    }
}

OpenZeppelin’s SignatureChecker.isValidSignatureNow(signer, hash, signature) implements exactly this fallback: probe ecrecover first, fall back to isValidSignature if the signer has code. See Smart Account Signatures for the full verification pattern and the branching conditions verifiers need.

Rationale

Why bytes4 instead of bool: A contract that does not implement isValidSignature at all — or that implements it incorrectly and returns arbitrary data — must not accidentally satisfy a validity check. A boolean return type would let truthy garbage pass. A specific four-byte magic value cannot be accidentally produced; only an implementation that knew the standard and intended to return success can do so.

Why two arguments: A single “raw message” argument would force every contract to agree on a hashing scheme. EIP-1271 instead takes a pre-hashed bytes32, leaving the hashing scheme out of scope. Callers and contracts must agree on the scheme — typically EIP-712 with a domain separator — but the standard does not mandate it.

Why state cannot be modified: Two reasons. First, it simplifies the implementation surface — there is no “what if the validation has side effects” question. Second, it rules out GasToken-style attacks where an attacker forces a contract to perform gas-refundable work by calling a signature check. Third, it makes off-chain queries cheap: a client can call isValidSignature via eth_call to probe whether a signature is acceptable without paying gas or broadcasting a transaction.

Reference implementation

A minimal example from the EIP — a contract that validates signatures by recovering the signer and checking it matches an owner:

function isValidSignature(
    bytes32 _hash,
    bytes calldata _signature
) external override view returns (bytes4) {
    if (recoverSigner(_hash, _signature) == owner) {
        return 0x1626ba7e;
    } else {
        return 0xffffffff;
    }
}

And a verifier calling it:

function callERC1271isValidSignature(
    address _addr,
    bytes32 _hash,
    bytes calldata _signature
) external view {
    bytes4 result = IERC1271Wallet(_addr).isValidSignature(_hash, _signature);
    require(result == 0x1626ba7e, "INVALID_SIGNATURE");
}

The reference implementation also includes recoverSigner, an ECDSA recovery helper with explicit signature-malleability mitigations (rejecting high-s values per EIP-2, rejecting v values outside {27, 28}, rejecting the zero address recovery). These mitigations are not part of EIP-1271 itself — they are general ECDSA best practice that any isValidSignature implementation should inherit if it uses ecrecover internally.

Security considerations

No gas limit: The signing contract may legitimately consume a large amount of gas — multisig checks across 20 owners, BLS aggregation, storage reads, nested calls. Callers MUST NOT hardcode a gas cap when invoking isValidSignature externally, or they will reject valid signatures whose verification happens to be expensive.
Contract responsibility: Each signing contract is fully responsible for the correctness of its own validation logic. A buggy implementation that returns the magic value for signatures it should reject is catastrophic — attackers gain arbitrary write access via forged signatures.
Verifier responsibility: Verifiers must refuse to accept anything other than the exact magic value. “Any non-zero return” is not a valid check. Neither is “did not revert”.

Applied example: Safe + Farcaster

The Creating a Farcaster Account by Hand walkthrough is a concrete EIP-1271 flow end to end:

A Safe multisig is the intended Farcaster account custody. Farcaster’s SignedKeyRequestValidator expects an EIP-712 signature on the SignedKeyRequest struct from the custody address.
The Safe cannot produce an ECDSA signature. Instead, the Safe pre-approves the Farcaster EIP-712 digest on-chain via a SignMessageLib.signMessage delegatecall, which writes into the Safe’s signedMessages storage mapping.
When Farcaster later calls Safe.isValidSignature(digest, "") (empty signature), the Safe’s CompatibilityFallbackHandler wraps the digest in a SafeMessage(bytes) struct under a Safe-specific EIP-712 domain, looks up the wrapped hash in signedMessages, finds it, and returns 0x1626ba7e.
Farcaster’s validator sees the magic value and accepts. The ed25519 signer goes live.

This is EIP-1271 in its pre-approved-hash form — a pure on-chain attestation standing in for a cryptographic signature. The same contract also supports the runtime-verified form where signature is non-empty and the Safe checks it against its current owner set and threshold.

Connections

EIP-1271 isValidSignature: the method signature, magic value, and state-purity requirement in detail
Smart Account Signatures: how EIP-1271 closes the gap between EOA and contract signers
Off-Chain Signatures: the broader pattern that EIP-1271 extends to smart accounts
EIP-712: Typed structured data hashing and signing: the hashing standard most commonly used with EIP-1271
Ethereum Signed Message Encoding: the leading-byte disambiguation that distinguishes the signed digest from transactions and raw messages
Creating a Farcaster Account by Hand: applied example routing an EIP-712 digest through a Safe via EIP-1271

Backlinks

ERC-1271: Standard Signature Validation Method for Contracts

ERC-1271: Standard Signature Validation Method for Contracts (source)

EIP-1271 isValidSignature (concept)

Smart Account Signatures (concept)

Off-Chain Signatures (concept — updated)

EIP-712: Typed structured data hashing and signing (concept — updated)

→

Message signatures (Safe Protocol Kit) Official Safe documentation explaining how to generate, sign, publish, and validate messages from a Safe account using the @safe-global/protocol-kit TypeScript SDK. It is the practical implementation companion to the abstract standards machinery — EIP-712, EIP-1271, and Safe's CompatibilityFallbackHandler + SignMessageLib contracts — showing the exact method calls a developer uses to collect ECDSA signatures from EOA owners, contract signatures from nested Safe owners, publish the result either off-chain to the Safe Transaction Service or on-chain via a signMessage delegatecall, and verify the final signature through isValidSignature. →

Message signatures (Safe Protocol Kit)

EIP-712 is the hashing scheme used by ETH_SIGN_TYPED_DATA_V4 and by hashSafeMessage (which wraps the inner EIP-712 digest in a SafeMessage(bytes) struct under Safe's own domain).

EIP-1271 is the interface that protocolKit.isValidSignature calls — through the CompatibilityFallbackHandler contract — to complete validation.

Smart Account Signatures describes the branching verifier logic; the Protocol Kit is the signer-side SDK that produces what those verifiers expect.

Off-Chain Signatures is the broader pattern; the Safe Transaction Service + API Kit is Safe's implementation of it.

Creating a Farcaster Account by Hand performs the same on-chain SignMessageLib pre-approval flow manually with cast. The Protocol Kit automates that same flow as a single function call: getSignMessageLibContract + encode('signMessage', [messageHash]) + createTransaction + executeTransaction.

→

EIP-1271 isValidSignature isValidSignature(bytes32 hash, bytes signature) returns (bytes4 magicValue) is the single interface method defined by EIP-1271. A contract that implements it is declaring itself willing to be asked "is this signature valid on your behalf?" — and to answer in a way that is strict, side-effect-free, and distinguishable from an unimplemented method. →

EIP-1271 isValidSignature

ERC-1271: Standard Signature Validation Method for Contracts: the full standard

Smart Account Signatures: how verifiers route between ecrecover and isValidSignature

Off-Chain Signatures: the broader pattern

EIP-712: Typed structured data hashing and signing: the hashing standard almost always used to produce the hash argument

Creating a Farcaster Account by Hand: applied example of the empty-signature Safe mode

→

EIP-712: Typed structured data hashing and signing

EIP-712 Typed Data: the type system and encoding rules

EIP-712 Domain Separator: binding signatures to chain, contract, name, version

EIP-712 hashStruct: the core hashing algorithm and its in-place EVM implementation

Off-Chain Signatures: the broader pattern of authorizing on-chain actions with off-chain signatures

Ethereum Signed Message Encoding: the \x19 leading-byte scheme from ERC-191

ERC-1271: Standard Signature Validation Method for Contracts: the standard that lets smart accounts verify EIP-712 signatures on their own behalf

Smart Account Signatures: the EOA vs contract signer verification pattern

Creating a Farcaster Account by Hand: applied example — computing an EIP-712 digest manually with cast and routing it through a Safe via EIP-1271

→

Digital Identity

EIP-712: Typed structured data hashing and signing — canonical standard for type-safe, human-readable signing

EIP-712 Typed Data — the type system for signable structured messages

EIP-712 hashStruct — core hashing algorithm

EIP-712 Domain Separator — binding signatures to chain, contract, protocol

Ethereum Signed Message Encoding — leading-byte disambiguation across message kinds

Off-Chain Signatures — the pattern EIP-712 secures

ERC-1271: Standard Signature Validation Method for Contracts — contract-owned identities signing via isValidSignature

EIP-1271 isValidSignature — the magic-value interface method in detail

Smart Account Signatures — bridging EOA and contract signers behind one verifier path

Creating a Farcaster Account by Hand — applied example: Safe custody + EIP-1271 + EIP-712 for self-sovereign Farcaster onboarding

→

Off-Chain Signatures EOAs sign with ecrecover. Smart contract accounts cannot — they have no private key. ERC-1271 bridges the gap: a contract implements isValidSignature(bytes32 hash, bytes signature) returns (bytes4 magicValue). Verifiers call this function instead of ecrecover when the signer is a contract. See Smart Account Signatures for the full branching pattern verifiers use. →

Off-Chain Signatures

EIP-712: Typed structured data hashing and signing: the standard that makes off-chain signing safe

EIP-712 Domain Separator: the mechanism preventing cross-domain replay

EIP-712 hashStruct: how the signed digest is computed

Ethereum Signed Message Encoding: the leading-byte disambiguation that prevents collisions

ERC-1271: Standard Signature Validation Method for Contracts: the standard extending off-chain signing to smart accounts

Smart Account Signatures: the EOA vs contract signer verification pattern

Creating a Farcaster Account by Hand: walkthrough of an off-chain signature flow with Safe + EIP-1271

→

Safe Nested Contract Signatures A Safe can be owned by other Safes. When that happens, the inner Safes must produce EIP-1271 contract signatures that the outer Safe's checkSignatures can resolve. The Safe Protocol Kit automates this recursive flow through SigningMethod.SAFE_SIGNATURE and buildContractSignature. →

Safe Nested Contract Signatures

Safe Protocol Kit: the SDK that provides buildContractSignature

Safe Protocol Kit Message Signatures: the full flow including nested signing

EthSafeMessage: the accumulator each nested Safe uses

Safe SigningMethod: the SAFE_SIGNATURE enum value that triggers nested signing

EIP-1271: Standard Signature Validation Method for Contracts: the interface used at every level of recursion

Smart Account Signatures: the broader EOA vs contract signer pattern

→

Safe Protocol Kit Message Signatures Official Safe guide describing the end-to-end flow for producing, publishing, and validating messages signed by a Safe account using the @safe-global/protocol-kit TypeScript SDK. It is the practical counterpart to EIP-712 and EIP-1271 — showing exactly which SDK methods to call for each step of the flow that those specifications describe abstractly. →

Safe Protocol Kit Message Signatures This guide is the missing link between the standards layer (EIP-712, EIP-1271, Off-Chain Signatures) and a working production implementation. It names the exact methods, enums, types, and API calls a developer uses, and it covers all the cases the standards leave implementation-defined: nested Safes, two publication modes, two validation modes, and the wrapping that Safe applies on top of raw EIP-712 digests. →

Safe Protocol Kit Message Signatures

Safe Protocol Kit: the SDK that provides these methods

EthSafeMessage: the in-memory signature accumulator

Safe SigningMethod: the enum that selects between ECDSA, EIP-712, and nested-Safe signing

Safe Nested Contract Signatures: the recursive pattern for Safes owned by Safes

SignMessageLib: the delegatecall target for on-chain message pre-approval

Safe Transaction Service: the off-chain storage backend for messages and signatures

EIP-712: Typed structured data hashing and signing: the hashing standard

EIP-1271: Standard Signature Validation Method for Contracts: the verification standard the SDK wraps

Smart Account Signatures: the verifier-side pattern this SDK feeds

Off-Chain Signatures: the broader pattern

Creating a Farcaster Account by Hand: applied example performing the same on-chain pre-approval flow manually

→

Safe Protocol Kit

Safe Protocol Kit Message Signatures: the end-to-end message signing flow

EthSafeMessage: the message signature accumulator

Safe SigningMethod: the signing-method enum

Safe Nested Contract Signatures: the recursive pattern for Safes owned by Safes

SignMessageLib: the delegatecall target the SDK uses for on-chain pre-approvals

Safe Transaction Service: the off-chain backend the API Kit talks to

EIP-712: the hashing standard the SDK produces signatures over

EIP-1271: the validation standard the SDK calls through for contract signers

→

Safe SigningMethod Used when the owner of the Safe being signed for is itself another Safe. The signing Safe cannot produce an ECDSA signature (it has no private key), so the Protocol Kit recursively collects signatures from the inner Safe's own owners and then wraps them into a single EIP-1271 contract signature for the outer Safe's checkSignatures to resolve. →

Safe SigningMethod

Safe Protocol Kit: the SDK that exposes SigningMethod

Safe Protocol Kit Message Signatures: the flow that uses the enum

EthSafeMessage: the accumulator where signed results land

Safe Nested Contract Signatures: the recursive flow triggered by SAFE_SIGNATURE

EIP-712: Typed structured data hashing and signing: what ETH_SIGN_TYPED_DATA_V4 produces

Ethereum Signed Message Encoding: what ETH_SIGN produces

EIP-1271: Standard Signature Validation Method for Contracts: what SAFE_SIGNATURE ultimately verifies through

→

SignMessageLib SignMessageLib is a Safe library contract whose sole purpose is to write a message hash into the calling Safe's signedMessages storage mapping. It exists to let a Safe pre-approve an arbitrary message hash on-chain so that a later EIP-1271 isValidSignature call can return the magic value without needing any live signatures at verification time. →

SignMessageLib

Safe Protocol Kit: the SDK wrapper around SignMessageLib

Safe Protocol Kit Message Signatures: the flow that uses the library

EIP-1271: Standard Signature Validation Method for Contracts: the interface the stored hash ultimately satisfies

EIP-1271 isValidSignature: the empty-signature pre-approved-hash mode

EIP-712: Typed structured data hashing and signing: the wrapping the library uses internally

Smart Account Signatures: the broader pattern of pre-approved hashes as on-chain signatures

Creating a Farcaster Account by Hand: applied example with manual cast commands

→

Smart Account Signatures A smart account — a Safe multisig, an Argent wallet, an ERC-4337 contract account, a DAO treasury — cannot sign messages the way an Externally Owned Account (EOA) can. It has no private key, so ecrecover cannot recover "its" address from a signature. Without a standard bridge, smart accounts are second-class citizens on the signature layer: every dapp that accepts off-chain signatures would implicitly require an EOA signer, and contract-owned identities would be locked out of everything from DEX orders to gasless approvals to social logins. EIP-1271 is that bridge. →

Smart Account Signatures

ERC-1271: Standard Signature Validation Method for Contracts: the standard this page depends on

EIP-1271 isValidSignature: the interface method in detail

Off-Chain Signatures: the broader pattern smart accounts need to participate in

EIP-712: Typed structured data hashing and signing: the hashing standard smart accounts almost always use

Creating a Farcaster Account by Hand: applied example of Safe + EIP-1271 + pre-approved hash

→