Update 3074 (#3769)

* require chain id in the authorisation message

* add some more clarifications to 3074

EIPS/eip-3074.md

@@ -7,6 +7,7 @@ status: Review
 type: Standards Track
 category: Core
 created: 2020-10-15
+requires: 155
 ---
 
 ## Simple Summary
@@ -74,7 +75,8 @@ A new opcode `AUTH` shall be created at `0xf6`. It shall take four stack element
 
 #### Behavior
 
-The arguments (`yParity`, `r`, `s`) are interpreted as an ECDSA signature on the secp256k1 curve over the message `keccak256(MAGIC || paddedInvokerAddress || commit)`, where:
+The arguments (`yParity`, `r`, `s`) are interpreted as an ECDSA signature on the secp256k1 curve over the message `keccak256(MAGIC || chainId || paddedInvokerAddress || commit)`, where:
+ - `chainId` is the current chain's [EIP-155](./eip-155.md) unique identifier padded to 32 bytes.
  - `paddedInvokerAddress` is the address of the contract executing `AUTH` (or the active state address in the context of `CALLCODE` or `DELEGATECALL`), left-padded with zeroes to a total of 32 bytes (ex. `0x000000000000000000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`).
  - `commit`, one of the arguments passed into `AUTH`, is a 32-byte value that can be used to commit to specific additional validity conditions in the invoker's pre-processing logic (e.g. a nonce for replay protection).
 
@@ -113,10 +115,11 @@ A new opcode `AUTHCALL` shall be created at `0xf7`. It shall take eight stack el
 
 #### Behavior
 
-`AUTHCALL` is interpreted the same as `CALL`, except for:
+`AUTHCALL` is interpreted the same as `CALL`, except for (note: this list is also the order of precedence for the logical checks):
 
  - If `authorized` is unset, execution is invalid (as defined above). Otherwise, the caller address for the call is set to `authorized`.
  - The gas cost, including how much gas is available for the subcall, is specified in the Gas Cost section.
+ - If the `gas` operand is equal to `0`, the instruction will send all available gas as per [EIP-150](./eip-150).
  - If the gas available for the subcall would be less than `gas`, execution is invalid.
  - There is no gas stipend, even for non-zero `value`.
  - `value` is deducted from the balance of the executing contract. It is not paid by `authorized`. If `value` is higher than the balance of the executing contract, execution is invalid.
@@ -256,6 +259,10 @@ There are other approaches to mitigate this restriction which do not break the i
  * Set `tx.origin` to a special address derived from any of the sender, invoker, and/or signer addresses.
  * Disallow `authorized == tx.origin`. This would make the simple batching use cases impossible, but could be relaxed in the future.
 
+### `AUTHCALL` cheaper than `CALL` when sending value
+
+Sending non-zero value with `CALL` increases its cost by 9,000. Of that, 6,700 covers the increased overhead of the balance transfer and 2,300 is used as a stipend into the subcall to seed its gas counter. `AUTHCALL` does not provide a stipend and thus only charges the base 6,700.
+
 ## Backwards Compatibility
 
 No known issues.
@@ -269,7 +276,6 @@ The following is a non-exhaustive list of checks/pitfalls/conditions that invoke
  - Replay protection (ex. a nonce) should be implemented by the invoker, and included in `commit`. Without it, a malicious actor can reuse a signature, repeating its effects.
  - `value` should be included in `commit`. Without it, a malicious sponsor could cause unexpected effects in the callee.
  - `gas` should be included in `commit`. Without it, a malicious sponsor could cause the callee to run out of gas and fail, griefing the sponsee.
- - The current chain id should be included in `commit` and checked against `CHAINID` on *every transaction*. Without it, a malicious sponsor could replay a signature on a different chain.
  - `addr` and `calldata` should be included in `commit`. Without them, a malicious actor may call arbitrary functions in arbitrary contracts.
 
 A poorly implemented invoker can _allow a malicious actor to take near complete control over a signer's EOA_.