Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

4337 signature flow #64

Merged
merged 6 commits into from
Nov 13, 2023
Merged

4337 signature flow #64

merged 6 commits into from
Nov 13, 2023

Conversation

nlordell
Copy link
Collaborator

@nlordell nlordell commented Nov 6, 2023

Fixes #59

This PR documents the research around ERC-4337 flows, in particular including signature validation flow.

Most of the rationale for decisions captured in the specification itself (well, should be in principle 😅). Some of the working assumptions when implementing this specification are:

  1. We want 4337 to be implemented over the Safe{Core} Protocol; that being said, requiring accounts to implement 4337 natively is a viable alternative (one that ERC-6900 takes for example)
  2. We do not want to require a staked paymaster for user operations over the Safe{Core} Protocol.

@nlordell nlordell requested a review from a team as a code owner November 6, 2023 11:59
@nlordell nlordell requested review from rmeissner, akshay-ap and mmv08 and removed request for a team November 6, 2023 11:59
mmv08
mmv08 reviewed Nov 7, 2023
View reviewed changes
manager/4337/README.md
In order to help protect accounts from any eventual vulnerabilities that may be discovered in the ERC-4337 _entrypoint_, The manager MUST validate `UserOperation` execution with the registry for the particular _entrypoint_ being used. Practically speaking this implies that the ERC-4337 `UserOperation` execution:
1. SHOULD be implemented as a fallback handler module with an immutable associated _entrypoint_ contract
2. MUST verify that the _entrypoint_ has been explicitely enabled by the account
3. MUST verify that the _entrypoint_ has not been flagged
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do the storage read rules permit this? Or how will it work?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is in executeUserOp (i.e. post-UserOperation validation in validateUserOp), so AFAIU there are no storage restrictions here.

What could happen if the Registry has flagged the entrypoint would be that:

  1. The user's validateUserOp still succeeds, and the account pays the prefund
  2. The user operation would revert instead of executing

So, while this is not ideal (the gas is spent), the account is still slightly more protected in case of:

  1. A vulnerability in the EntryPoint allowing for arbitrary UserOperation execution
  2. A vulnerability in the 4337 plugin, that would allow for arbitrary UserOperation execution.

It isn't fully protected, however, because validateUserOp still transfers missingAccountFunds to msg.sender, but it does prevent the account from executing arbitrary transactions in case of a bug somewhere.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, understood, I missed the word "execution" in the specs

@nlordell nlordell mentioned this pull request Nov 8, 2023
Closed
rmeissner
rmeissner reviewed Nov 9, 2023
View reviewed changes
manager/4337/README.md Outdated

### Staking

The account SHOULD implement a staked _factory_ in order to enable `UserOperations` with `initCode`. ERC-4337 requires a staked _factory_ for `UserOperation` validation that reads associated account storage when `initCode` is specified. Since this specification permits Manager implementations that read account associated storage during `UserOperation` validation, the account _factory_ needs to be staked in order for bundlers to accept `UserOperations` with `initCode`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add more context what storage is accessed that make this necessary? I.e. for validateUserOp it is outlined that the registry check is problematic. What would be problematic here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some more context in the section above about the registry storage access which is considered problematic.

Regarding factory staking, what storage in particular do you think we need to explicitly mention? My argument in this sentence is basically:

Account factories SHOULD be staked because the spec allows the Manager and 4337 support to access storage associated with the account which requires a staked factory

This is basically needed because there are additional restrictions to validateUserOp storage access when paired with initCode.

rmeissner
rmeissner reviewed Nov 9, 2023
View reviewed changes
manager/4337/README.md
One of the main value propositions of the Safe{Core} Protocol is account security by verifying modules in the Registry. However, because of storage access restrictions imposed by the ERC-4337 spec (see Compatibility section above), this is not possible when validating user operations. However, this restriction does not apply to `UserOperation` execution.

In order to help protect accounts from any eventual vulnerabilities that may be discovered in the ERC-4337 _entrypoint_, The manager MUST validate `UserOperation` execution with the registry for the particular _entrypoint_ being used. Practically speaking this implies that the ERC-4337 `UserOperation` execution:
1. SHOULD be implemented as a fallback handler module with an immutable associated _entrypoint_ contract
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would a sequence diagram help here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I referenced the sequence diagram from the Execution Flow section, as it describes this.

rmeissner
rmeissner reviewed Nov 9, 2023
View reviewed changes
manager/4337/README.md Outdated Show resolved Hide resolved
@nlordell
Copy link
Collaborator Author

@rmeissner - I’m merging this to not be blocked for the sprint. I also captured some additional open questions regarding signature validation use cases which I believe are important to be answered to better refine a signature flow in the spec: #63

@nlordell nlordell merged commit ce2b76f into main Nov 13, 2023
1 check passed
@github-actions github-actions bot locked and limited conversation to collaborators Nov 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mmv08 mmv08 mmv08 approved these changes

@akshay-ap akshay-ap Awaiting requested review from akshay-ap akshay-ap was automatically assigned from safe-global/safe-protocol

@rmeissner rmeissner Awaiting requested review from rmeissner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Protocol Specs] Research 4337 signature validation flow
3 participants
@nlordell @rmeissner @mmv08