-
Notifications
You must be signed in to change notification settings - Fork 533
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update ERC-4337: Use ERC-7746 for userOp and PaymasterOp validation #631
base: master
Are you sure you want to change the base?
Conversation
File
|
Hi @peersky |
Hi @shahafn Thank you for your feedback! I'd like to clarify how my proposal relates to the potential dispatching issue you raised. My proposed change focuses on modifying the interface (API) of an external contract, not altering the internal dispatching mechanism within the entry point contract. The Solidity compiler should continue to generate optimized dispatching code for function calls within the contract, regardless of how the external contract's API is structured. Thus, I don't anticipate my proposal introducing any gas inefficiencies related to custom dispatching within the entry point contract itself. Regarding breaking changes: I understand your concern, but given that this ERC is still in the |
Maybe I misunderstand something: for instance, you replaced |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peersky although the ERC-4337 is still in Draft
stage, it has been pretty stable for a long time and is not expected to be changed unless there is a serious security threat discovered. If you still wish to propose an ERC-7746 derived Account Abstraction solution it can be done in a separate ERC, but not through modifying ERC-4337.
Thank you!
|
@forshtat, while I appreciate your point about the relative stability of ERC-4337, I believe suggesting the creation of deprecation ERCs for a standard still in "Draft" status sets a concerning precedent. It undermines trust in the ecosystem, discourages active participation, and signals a lack of commitment to maintaining standards. The very essence of standardization is to establish guidelines that endure for the long term, ensuring the competitiveness and longevity of Ethereum. In this context, prioritizing interests over the collective, long-term success of the ecosystem is counterproductive. I firmly believe that embracing a collaborative and forward-thinking approach to standards development is crucial for the continued growth and success of Ethereum. That said, the ultimate question lies in whether the proposed changes add sufficient value to justify any potential disruption. I've outlined my considerations in my previous reply, and in my view, they make a strong case for introducing changes that accommodate the evolving landscape of security oracles. |
As @forshtat mentioned, while the erc is draft, it's already widely used, will be moved from draft soon, and we don't see the benefit of breaking the api for reasons that are not critical security risks. |
ERC-7746 empowers USERS to directly enhance their wallet security without relying on wallet developers for updates or feature implementations. This can be done with great UX, by simply allowing, within a wallet, to configure destination where all of user operation checks are to be proxied. This also widens doors for general use of security oracles and other extensions that can be daisy-chained with same API. This flexibility is crucial as it allows users to adapt their security measures to evolving threats or personal preferences. In contrast, your proposed scenario would necessitate wallet developers to incorporate new function names, potentially leading to delays, compatibility issues, or even requiring users to migrate to updated wallet contracts. Also, gas issues are going to be diminishing in the next 10 years as consensus technology improves. Standards defined today should prioritise long term, lasting security architecture rather than minor gas savings in short run, and given rollup-centric development of Ethereum, I think it's fair to assume that most of ERC-4337 accounts will operate on L2s or even App-chains, where gas costs are not an issue.
The current ERC standard creates an inconsistency:
This discrepancy raises concerns:
If this design choice is intentional, a clear and detailed explanation is needed:
The absence of such an explanation suggests either an oversight in the standard's design or a lack of consideration for the security needs of users in the account abstraction paradigm. |
The API was designed to provide the minimal required functions.
|
On your last point: Please elaborate, who has the authority to demand that changes to a Draft standard MUST be security-critical, simply because it's been around for a year or two and its complexity has stalled progress? Where is that written? It's well-known that web3 user experience is poor [1], and improving UX has been a goal of @vbuterin from the start. I've already explained how this change not only enhances security but also paves the way for better UX in the long run. Therefore, in my opinion, EITHER this argument is irrelevant, OR it must be acknowledged that keeping this standard in Draft status is hindering its adoption. The metric you mentioned (15M wallets) would likely be higher, not lower, if the standard was in a more advanced stage like "Review" or "Last Call." |
The whole point of this ERC is not to be compatible with a vague idea of a project/ecosystem in 10 years, but to be ready to be used now. If gas costs are going to be diminishing in 10 years, and 7746 is widely used, we can adjust in the future.
I'm not sure that you understood the whole motivation of the ERC, the differences between users and paymasters, and therefore the security and functionality considerations for the different decisions for them. This decision was not made unintentionally as an oversight. I'm not criticizing you for it, as the ERC may not be explaining that well, but assuming lack of consideration for security needs isn't true here. I don't think that we should get to an argument here about the pros and cons for every decision we made behind the ERC, as this PR suggests a concrete change that we rejected for other reasons anyway. |
We don't consider your suggestion as an improvement. We understand your points and your objections, but as explained several times, the benefit doesn't outweigh the cost here in our opinion.
From my understanding of the EIP/ERC processes, authorship implies authority of the content of the document. Thus, as authors of the ERC, we decided, considering the state of the ecosystem and projects within it (that you may not be aware of), that changes to the ERC should be for security-critical reasons. With all due respect, you're coming late here, demanding changes to the ERC, and expecting us to oblige.
This change, as I said, should be in a different ERC.
Thank you for your input. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If relevant, should be a new ERC
Partially agree on first. Users already are used to this with every major OS providing upgrades time-to time, yet (this is my personal experience assumption, I don't have wide statistical data on hands, please share if any) only advanced users are really happy of having to do upgrades as this usually involves (re)learning for the changes. Therefore, a well designed wallet, should provision a well designed upgradability, that is as seamless as possible (in crypto context - does not break trust assumptions), yet it should not be done with mind of frequent upgrades as this might be daunting. With last, having moving parts delegated trough generic API seems like a great idea, that's why I proposed it. From that follows an answer to your second point: With this proposal, the wallet developers are not same as security providers, who may develop wallet implementation agnostic API for securing transactions & upgrading wallet security. Last, not least, reason for this proposal is to avoid excess fragmentation of solutions, if all of security firms developing screening solutions would see such a bold adaption of 7746, this would encourage all of them to re-use 7746 within their screening APIs instead of developing custom in-house solutions as it is today. Plus, that fact that security providers already today trend to seek for API that can treat wallet operations as a middleware wrapped within a security layer, just bubbles up that question of paymaster vs user op security model. |
Makes sense, that might was a bit emotional from my side, as I'd like eventually to see more decentralized process of forging such industry impactful decisions (globally, not just in Ethereum). |
This PR proposes replacing
validateUserOp
andvalidatePaymasterOp
with the generic middleware hook standard outlined inERC-7746
. This change introducesbeforeCall
andafterCall
hooks, providing a more generalized approach to user operation and paymaster validations.This approach is beneficial due to few reasons:
afterCall
on user operation validation, which is not included explicitly in current ERC, as well increased security as it specifies to revert within user/paymaster contract