Skip to main content

Module signing

Module signing 

Source
Expand description

Derive self-custodial action signing.

Derive signs every state-changing request with an EIP-712 typed-data signature over secp256k1, against per-action module contracts on the Derive Chain. The pipeline (matching derive_action_signing/signed_action.py from the upstream Python SDK derivexyz/v2-action-signing-python) is:

action_hash = keccak256(abi.encode(
    [bytes32, uint, uint, address, bytes32, uint, address, address],
    [ACTION_TYPEHASH, subaccount_id, nonce, module_address,
     keccak256(module_data_abi_encoded), signature_expiry_sec, owner, signer],
))
typed_data_hash = keccak256(0x1901 || DOMAIN_SEPARATOR || action_hash)
signature = secp256k1_sign(typed_data_hash, signer_key)

Per-action module_data ABI encodings live under modules. REST and WebSocket session authentication use the simpler eth_sign(timestamp_ms) pattern in auth. Per-(wallet, subaccount) nonce allocation lives in nonce.

Differential testing against the upstream Python SDK is the byte-equivalence oracle: fixtures are captured from derive_action_signing and replayed against this implementation under test_data/.

Protocol constants (DOMAIN_SEPARATOR, ACTION_TYPEHASH, module addresses) are sourced from the Protocol Constants reference at https://docs.derive.xyz.

Modulesยง

auth
Derive REST/WebSocket session authentication.
context
Execution signing context resolution for Derive.
eip712
EIP-712 typed-data hashing and signing for Derive self-custodial actions.
encoding
Shared signing utilities.
modules
Per-action module_data ABI encoders.
nonce
Per-(wallet, subaccount) nonce manager for Derive self-custodial requests.