Trusted Forwarder Explained in Detail
A trusted forwarder receives a signed request, checks it, and calls the recipient contract. The recipient trusts that the forwarder appended the real signer address.
If the forwarder is wrong or malicious, the recipient's caller checks can become wrong too.
Smart contract example
function isTrustedForwarder(address forwarder) public view returns (bool);
ERC2771 recipients use this check before treating calldata as forwarded.
Trusted Forwarder in Auditing
The forwarder is a security dependency. If it skips nonce checks, accepts bad signatures, or can be upgraded by a weak admin, users may be impersonated.
Auditors review both the recipient and the forwarder contract.
Red flags in code
-
The recipient trusts any forwarder.
-
The forwarder omits signer, target, calldata, nonce, deadline, or chain from signed data.
-
Forwarder upgrade rights are controlled by a weak owner.
-
Multiple trusted forwarders are configured without clear purpose.
-
Relayed calls bypass normal access control.
How to test or review it
-
Test bad signer, wrong nonce, expired deadline, and wrong target.
-
Try appending a fake signer from a non-forwarder caller.
-
Review EIP-712 domain construction.
-
Check whether the forwarder target must trust the forwarder.
-
Verify admin controls for changing or upgrading the forwarder.