feat: ERC-7579 Modular Smart Account Architecture #162
Merged
Implements ERC-7579 Validator module (Type 1) for session keys:
- Session key permission structure with time bounds (validAfter/validUntil)
- Target and selector restrictions for fine-grained access control
- Per-transaction and total spending limits with tracking
- ECDSA signature validation for session key signatures
- Session key management (create, revoke, query)
- ERC-7201 namespaced storage for collision resistance

Tests:
- 6 tests covering session key lifecycle
- All 87 modular tests passing

ad15db7 to 8fd2b6c
- Added SessionKeyValidatorModule documentation with storage, interface, use cases, and validation flow
- Removed PasskeyManagerModule (passkey management is now built into P256MFAValidatorModule)
- Updated P256MFAValidatorModule interface to show passkey management is called by account directly
- Updated module hierarchy diagram

- Updated AuraAccount.validateUserOp() to extract validator address from first 20 bytes of signature instead of using first validator in linked list
- Updated AuraAccount.isValidSignature() (ERC-1271) to use same signature-based validator selection pattern
- Updated P256MFAValidatorModule to skip first 20 bytes (validator prefix) in both validateUserOp() and isValidSignatureWithSender()
- Updated SessionKeyValidatorModule signature format to 105 bytes: [validator(20B)][sessionKey(20B)][ecdsaSig(65B)]
- Added comprehensive documentation in erc7579-module-architecture.md explaining signature-based validator selection and security benefits
- Updated test_IsValidSignature() to use new signature format

Security benefits over nonce-based selection:
- Validator address is cryptographically bound to signature
- Cannot be swapped by attacker after signing
- Simpler frontend implementation (no nonce manipulation)
- Critical installation check prevents malicious validator injection

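The signature-based validator selection described in the commit message above, as an added Solidity sketch that is not the project's AuraAccount code: the account reads the validator from the first 20 bytes and refuses to route to a module that is not installed. The contract name, the `installedValidators` mapping and the error names are assumptions; ECDSA recovery is left to the selected validator.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; not the project's AuraAccount.
/// Layout from the commit message:
/// [validator(20B)][sessionKey(20B)][ecdsaSig(65B)] = 105 bytes.
contract ValidatorSelectionSketch {
    error SignatureTooShort(uint256 length);          // hypothetical name
    error ValidatorNotInstalled(address validator);   // hypothetical name
    error BadSessionSignatureLength(uint256 length);  // hypothetical name

    // Hypothetical stand-in for the account's record of installed validators.
    mapping(address => bool) public installedValidators;

    constructor(address initialValidator) {
        installedValidators[initialValidator] = true;
    }

    /// Reads the validator address from the first 20 bytes of the signature.
    function _selectValidator(bytes calldata signature)
        internal
        view
        returns (address, bytes calldata)
    {
        if (signature.length < 20) revert SignatureTooShort(signature.length);
        address validator = address(bytes20(signature[:20]));
        // Installation check: without it the submitter, not the account
        // owner, would choose which contract judges the signature.
        if (!installedValidators[validator]) revert ValidatorNotInstalled(validator);
        return (validator, signature[20:]);
    }

    /// Splits a 105-byte session-key signature into its three fields.
    function splitSessionSignature(bytes calldata signature)
        external
        view
        returns (address, address, bytes calldata)
    {
        if (signature.length != 105) revert BadSessionSignatureLength(signature.length);
        (address validator, bytes calldata inner) = _selectValidator(signature);
        address sessionKey = address(bytes20(inner[:20]));
        // inner[20:] is the remaining 65-byte ECDSA signature.
        return (validator, sessionKey, inner[20:]);
    }
}
```
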
- Added CannotRemoveLastValidator error
- Added check in _uninstallValidator() to prevent removing the last validator
- Without this protection, users could permanently lock their account by accidentally uninstalling all validators
- Added test_RevertUninstallLastValidator() to verify the protection
- Added test_UninstallValidatorWithMultiple() to verify normal uninstall works

- Added check in uninstallModule() to reject SENTINEL address (0x1)
- SENTINEL is a linked list implementation detail, not a real module
- Uninstalling SENTINEL would corrupt the validator linked list
- Added test_RevertUninstallSentinel() to verify the protection

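A sentinel-terminated validator list with the two guards from the commit messages above (refuse to remove the last validator, refuse SENTINEL as a module), as an added Solidity sketch that is not the project's code. Only `CannotRemoveLastValidator` and the SENTINEL value 0x1 come from the page; the other names are assumptions, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; not the project's AuraAccount.
contract ValidatorListSketch {
    address internal constant SENTINEL = address(0x1);

    error CannotRemoveLastValidator();              // name from the commit message
    error InvalidModuleAddress(address module);     // hypothetical name
    error AlreadyInstalled(address module);         // hypothetical name
    error NotLinked(address prev, address module);  // hypothetical name

    // nextOf[SENTINEL] is the list head; the tail points back to SENTINEL.
    mapping(address => address) internal nextOf;
    uint256 public count;

    constructor(address first) {
        nextOf[SENTINEL] = SENTINEL; // empty list: the sentinel points at itself
        _install(first);
    }

    function _install(address v) internal {
        if (v == address(0) || v == SENTINEL) revert InvalidModuleAddress(v);
        if (nextOf[v] != address(0)) revert AlreadyInstalled(v);
        nextOf[v] = nextOf[SENTINEL];
        nextOf[SENTINEL] = v;
        count++;
    }

    function install(address v) external {
        _install(v);
    }

    function uninstall(address prev, address v) external {
        // Unlinking SENTINEL would clear the head pointer, so iteration from
        // SENTINEL would no longer reach any installed validator.
        if (v == address(0) || v == SENTINEL) revert InvalidModuleAddress(v);
        if (nextOf[prev] != v) revert NotLinked(prev, v);
        // Removing the only validator would leave nothing able to authorize
        // a later install, locking the account.
        if (count == 1) revert CannotRemoveLastValidator();
        nextOf[prev] = nextOf[v];
        nextOf[v] = address(0);
        count--;
    }

    function isInstalled(address v) external view returns (bool) {
        return v != SENTINEL && nextOf[v] != address(0);
    }
}
```
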
BREAKING CHANGE: SessionKey is now an Executor module (Type 2) instead of Validator (Type 1)

Why this change:
- Session keys have temporal validity (expire after validUntil)
- If SessionKey was a Validator and user removed P256MFAValidator, the account would be permanently locked after session keys expire
- As an Executor, P256MFAValidator remains the only validator, ensuring the 'last validator' protection works correctly
- Cleaner architecture: session keys are 'delegated execution' not 'alternative authentication'

Changes:
- Deleted src/modular/modules/validators/SessionKeyValidatorModule.sol
- Created src/modular/modules/executors/SessionKeyExecutorModule.sol
- Added nonce-based replay protection (since we can't rely on EntryPoint nonces)
- Added chainId to signature for cross-chain replay protection
- Updated docs/erc7579-module-architecture.md to reflect the change

…dator
- Changed AuraAccount from linked list to single validator storage
- Factory now requires P256MFAValidator address in constructor
- createAccount() no longer takes defaultValidator parameter
- installModule(VALIDATOR) atomically replaces existing validator
- uninstallModule(VALIDATOR) reverts with CannotUninstallValidator()
- Simplified isValidSignature() - no signature prefix needed
- Updated all test files for new API
- All 83 modular tests pass

- AuraAccountFactory: p256MFAValidator -> validator
- AuraAccount.initialize: defaultValidator -> validator
- More flexible design allows any validator type at deployment

- Removed CALLTYPE_DELEGATECALL from imports
- _execute() now reverts on delegatecall mode with UnsupportedExecutionMode
- Removed _executeDelegatecall() function entirely
- supportsExecutionMode() returns false for delegatecall
- Prevents storage corruption from arbitrary delegatecalls

Note: fallback() still uses delegatecall to installed fallback handlers, which is safe because only installed modules can be handlers.

- Add tests for MultiHook: preCheck/postCheck with hooks, removeHookFromMiddle
- Add tests for LargeTransactionExecutorModule: getPendingTx, getThreshold, disable
- Add tests for LargeTransactionGuardHook: revert on large tx not from executor
- Add tests for AuraAccount: fallback handler success/failure, accountId
- Total 251 tests passing for modular components

fc33e20 to 6d27af6
BREAKING CHANGE: Remove legacy P256Account in favor of modular AuraAccount

Deleted:
- src/P256Account.sol - Legacy monolithic account
- src/P256AccountFactory.sol - Legacy factory
- test/P256Account.t.sol - Legacy tests
- test/P256AccountFactory.t.sol - Legacy tests
- script/CreateAccount.s.sol - Legacy script
- script/Demo2FA.s.sol - Legacy demo
- script/GetInitCodeHash.s.sol - Legacy helper
- script/Verify.s.sol - Legacy verification
- script/VerifyCreate2.s.sol - Legacy verification
- script/VerifyVanityAddress.s.sol - Legacy verification

Updated:
- script/Deploy.s.sol - Now deploys AuraAccountFactory and P256MFAValidatorModule using Solady CREATE2 factory for deterministic vanity addresses across all networks

The new modular architecture provides:
- ERC-7579 compliant modular smart accounts
- Pluggable validator modules (P256MFAValidatorModule)
- Support for executor, fallback, and hook modules
- Same deterministic deployment via CREATE2

- GetInitCodeHash.s.sol: Computes hash for P256MFAValidatorModule
- GetFactoryInitCodeHash.s.sol: Computes hash for AuraAccountFactory (requires validator address as input since it's a constructor arg)

Workflow:
1. Run GetInitCodeHash.s.sol to get validator hash
2. Mine validator vanity salt, compute expected address
3. Run GetFactoryInitCodeHash.s.sol with expected validator address
4. Mine factory vanity salt
5. Update Deploy.s.sol with both salts

Consistent naming with GetFactoryInitCodeHash.s.sol
P256MFAValidatorModule: 0x000000b07799b322d076669ef32b247d02279c7e
AuraAccountFactory: 0x0000004b2941659deb7472b46f7b84caf27dce44

Successfully deployed to Sepolia testnet.

- Add modular factory addresses to NetworkContext
- Create ModularAccountManager and SessionKeyManager classes
- Add useModularAccount hooks for React integration
- Update HomeScreen with account type selector (modular vs legacy)
- Add ModuleManager component for viewing installed modules
- Add SessionKeyManager component for session key management
- Add SpendingLimitConfig component for spending limits
- Update WalletSettingsScreen with new tabs for modular accounts
- Add ERC-7579 ABIs to constants

Part of: ERC-7579 Modular Smart Account Architecture migration

- Configure Foundry fuzz settings (1000 runs, dictionary weight 40)
- Configure invariant testing (256 runs, depth 15)

Fuzz Tests (43 tests):
- AuraAccount: execution, module installation, access control
- P256MFAValidator: passkey management, signature validation, MFA toggle
- SessionKeyExecutor: validity periods, spending limits, permissions
- SocialRecovery: guardian management, timelock, recovery flow

Invariant Tests (9 tests):
- Account always has owner and at least one passkey
- Validator module always installed
- Session key tracking consistency
- Account balance non-negative

All 303 tests pass including 52 new fuzz/invariant tests.

Closes #163

581ed68 to bbbb10b
Summary
Implements ERC-7579 Modular Smart Account architecture for EthAura.
Changes
Phase 2: Core Account
- AuraAccount.sol - ERC-7579 compliant modular smart account
- AuraAccountFactory.sol - Factory using Solady's canonical ERC1967Factory
Phase 3: Modules
Validators (src/modular/modules/validators/)
- P256MFAValidatorModule.sol - Owner ECDSA + passkey MFA validation
- SessionKeyValidatorModule.sol - Session key management with time bounds, target/selector restrictions, and spending limits
Executors (src/modular/modules/executors/)
- SocialRecoveryModule.sol - Guardian-based recovery with 24-hour timelock
- HookManagerModule.sol - Dynamic hook management
- LargeTransactionExecutorModule.sol - Timelocked large transactions
Hooks (src/modular/modules/hooks/)
- MultiHook.sol - Aggregates multiple hooks
- LargeTransactionGuardHook.sol - Guards large transactions
Fallback (src/modular/modules/fallback/)
- ERC721ReceiverModule.sol - ERC-721 token receiver
- ERC1155ReceiverModule.sol - ERC-1155 token receiver
Testing
Folder Structure
Closes #148, #154, #155