Account
This directory includes contracts to build accounts for ERC-4337. These include:
-
Account: An ERC-4337 smart account implementation that includes the core logic to process user operations. -
AccountERC7579: An extension ofAccountthat implements support for ERC-7579 modules. -
AccountERC7579Hooked: An extension ofAccountERC7579with support for a single hook module (type 4). -
ERC7821: Minimal batch executor implementation contracts. Useful to enable easy batch execution for smart contracts. -
ERC4337Utils: Utility functions for working with ERC-4337 user operations. -
ERC7579Utils: Utility functions for working with ERC-7579 modules and account modularity.
Core
Account
import "@openzeppelin/contracts/account/Account.sol";A simple ERC4337 account implementation. This base implementation only includes the minimal logic to process user operations.
Developers must implement the AbstractSigner._rawSignatureValidation function to define the account’s validation logic.
| This core account doesn’t include any mechanism for performing arbitrary external calls. This is an essential feature that all Account should have. We leave it up to the developers to implement the mechanism of their choice. Common choices include ERC-6900, ERC-7579 and ERC-7821 (among others). |
Implementing a mechanism to validate signatures is a security-sensitive operation as it may allow an
attacker to bypass the account’s security measures. Check out SignerECDSA, SignerP256, or SignerRSA for
digital signature validation implementations.
|
@custom:stateless
entryPoint() → contract IEntryPoint public
Canonical entry point for the account that forwards and validates user operations.
validateUserOp(struct PackedUserOperation userOp, bytes32 userOpHash, uint256 missingAccountFunds) → uint256 public
Validates a user operation.
-
MUST validate the caller is a trusted EntryPoint
-
MUST validate that the signature is a valid signature of the userOpHash, and SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch. Any other error MUST revert.
-
MUST pay the entryPoint (caller) at least the “missingAccountFunds” (which might be zero, in case the current account’s deposit is high enough)
Returns an encoded packed validation data that is composed of the following elements:
-
authorizer(address): 0 for success, 1 for failure, otherwise the address of an authorizer contract -
validUntil(uint48): The UserOp is valid only up to this time. Zero for “infinite”. -
validAfter(uint48): The UserOp is valid only after this time.
_validateUserOp(struct PackedUserOperation userOp, bytes32 userOpHash) → uint256 internal
Returns the validationData for a given user operation. By default, this checks the signature of the
signable hash (produced by _signableUserOpHash) using the abstract signer (AbstractSigner._rawSignatureValidation).
| The userOpHash is assumed to be correct. Calling this function with a userOpHash that does not match the userOp will result in undefined behavior. |
_signableUserOpHash(struct PackedUserOperation, bytes32 userOpHash) → bytes32 internal
Virtual function that returns the signable hash for a user operations. Since v0.8.0 of the entrypoint,
userOpHash is an EIP-712 hash that can be signed directly.
_payPrefund(uint256 missingAccountFunds) internal
Sends the missing funds for executing the user operation to the entryPoint.
The missingAccountFunds must be defined by the entrypoint when calling validateUserOp.
_checkEntryPoint() internal
Ensures the caller is the entryPoint.
_checkEntryPointOrSelf() internal
Ensures the caller is the entryPoint or the account itself.
Extensions
AccountERC7579
import "@openzeppelin/contracts/account/extensions/AccountERC7579.sol";Extension of Account that implements support for ERC-7579 modules.
To comply with the ERC-1271 support requirement, this contract defers signature validation to
installed validator modules by calling IERC7579Validator.isValidSignatureWithSender.
This contract does not implement validation logic for user operations since this functionality is often delegated to self-contained validation modules. Developers must install a validator module upon initialization (or any other mechanism to enable execution from the account):
contract MyAccountERC7579 is AccountERC7579, Initializable {
function initializeAccount(address validator, bytes calldata validatorData) public initializer {
_installModule(MODULE_TYPE_VALIDATOR, validator, validatorData);
}
}
|
| Removing all validator modules will render the account inoperable, as no user operations can be validated thereafter. |
onlyModule(uint256 moduleTypeId, bytes additionalContext) modifier
Modifier that checks if the caller is an installed module of the given type.
fallback(bytes) → bytes external
See _fallback.
supportsExecutionMode(bytes32 encodedMode) → bool public
Supported call types:
* Single (0x00): A single transaction execution.
* Batch (0x01): A batch of transactions execution.
* Delegate (0xff): A delegate call execution.
Supported exec types:
* Default (0x00): Default execution type (revert on failure).
* Try (0x01): Try execution type (emits ERC7579TryExecuteFail on failure).
supportsModule(uint256 moduleTypeId) → bool public
Supported module types:
-
Validator: A module used during the validation phase to determine if a transaction is valid and should be executed on the account.
-
Executor: A module that can execute transactions on behalf of the smart account via a callback.
-
Fallback Handler: A module that can extend the fallback functionality of a smart account.
installModule(uint256 moduleTypeId, address module, bytes initData) public
Installs a Module of a certain type on the smart account
uninstallModule(uint256 moduleTypeId, address module, bytes deInitData) public
Uninstalls a Module of a certain type on the smart account
isModuleInstalled(uint256 moduleTypeId, address module, bytes additionalContext) → bool public
Returns whether a module is installed on the smart account
execute(bytes32 mode, bytes executionCalldata) public
Executes a transaction on behalf of the account.
executeFromExecutor(bytes32 mode, bytes executionCalldata) → bytes[] returnData public
Executes a transaction on behalf of the account. This function is intended to be called by Executor Modules
isValidSignature(bytes32 hash, bytes signature) → bytes4 public
Implement ERC-1271 through IERC7579Validator modules. If module based validation fails, fallback to "native" validation by the abstract signer.
_validateUserOp(struct PackedUserOperation userOp, bytes32 userOpHash) → uint256 internal
Validates a user operation with _signableUserOpHash and returns the validation data
if the module specified by the first 20 bytes of the nonce key is installed. Falls back to
Account._validateUserOp otherwise.
See _extractUserOpValidator for the module extraction logic.
_execute(Mode mode, bytes executionCalldata) → bytes[] returnData internal
ERC-7579 execution logic. See supportsExecutionMode for supported modes.
Reverts if the call type is not supported.
_installModule(uint256 moduleTypeId, address module, bytes initData) internal
Installs a module of the given type with the given initialization data.
For the fallback module type, the initData is expected to be the (packed) concatenation of a 4-byte
selector and the rest of the data to be sent to the handler when calling IERC7579Module.onInstall.
Requirements:
-
Module type must be supported. See
supportsModule. Reverts with {ERC7579UnsupportedModuleType}. -
Module must be of the given type. Reverts with {ERC7579MismatchedModuleTypeId}.
-
Module must not be already installed. Reverts with {ERC7579AlreadyInstalledModule}.
Emits a {ModuleInstalled} event.
_uninstallModule(uint256 moduleTypeId, address module, bytes deInitData) internal
Uninstalls a module of the given type with the given de-initialization data.
For the fallback module type, the deInitData is expected to be the (packed) concatenation of a 4-byte
selector and the rest of the data to be sent to the handler when calling IERC7579Module.onUninstall.
Requirements:
-
Module must be already installed. Reverts with {ERC7579UninstalledModule} otherwise.
_fallback() → bytes internal
Fallback function that delegates the call to the installed handler for the given selector.
Reverts with ERC7579MissingFallbackHandler if the handler is not installed.
Calls the handler with the original msg.sender appended at the end of the calldata following
the ERC-2771 format.
_fallbackHandler(bytes4 selector) → address internal
Returns the fallback handler for the given selector. Returns address(0) if not installed.
_checkModule(uint256 moduleTypeId, address module, bytes additionalContext) internal
Checks if the module is installed. Reverts if the module is not installed.
_extractUserOpValidator(struct PackedUserOperation userOp) → address internal
Extracts the nonce validator from the user operation.
To construct a nonce key, set nonce as follows:
<module address (20 bytes)> | <key (4 bytes)> | <nonce (8 bytes)>| The default behavior of this function replicates the behavior of Safe adapter, Etherspot’s Prime Account, and ERC7579 reference implementation. |
This is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.
For example, Biconomy’s Nexus uses a similar yet incompatible approach (the validator address is also part of the nonce, but not at the same location)
_extractSignatureValidator(bytes signature) → address module, bytes innerSignature internal
Extracts the signature validator from the signature.
To construct a signature, set the first 20 bytes as the module address and the remaining bytes as the signature data:
<module address (20 bytes)> | <signature data>| The default behavior of this function replicates the behavior of Safe adapter, Biconomy’s Nexus, Etherspot’s Prime Account, and ERC7579 reference implementation. |
This is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.
_decodeFallbackData(bytes data) → bytes4 selector, bytes remaining internal
Extract the function selector from initData/deInitData for MODULE_TYPE_FALLBACK
If we had calldata here, we could use calldata slice which are cheaper to manipulate and don’t require
actual copy. However, this would require _installModule to get a calldata bytes object instead of a memory
bytes object. This would prevent calling _installModule from a contract constructor and would force the use
of external initializers. That may change in the future, as most accounts will probably be deployed as
clones/proxy/ERC-7702 delegates and therefore rely on initializers anyway.
|
_rawSignatureValidation(bytes32, bytes) → bool internal
By default, only use the modules for validation of userOp and signature. Disable raw signatures.
ERC7579MissingFallbackHandler(bytes4 selector) error
The account’s fallback was called with a selector that doesn’t have an installed handler.
AccountERC7579Hooked
import "@openzeppelin/contracts/account/extensions/AccountERC7579Hooked.sol";Extension of AccountERC7579 with support for a single hook module (type 4).
If installed, this extension will call the hook module’s IERC7579Hook.preCheck before executing any operation
with _execute (including execute and executeFromExecutor by default) and IERC7579Hook.postCheck thereafter.
Hook modules break the check-effect-interaction pattern. In particular, the IERC7579Hook.preCheck hook can
lead to potentially dangerous reentrancy. Using the withHook() modifier is safe if no effect is performed
before the preHook or after the postHook. That is the case on all functions here, but it may not be the case if
functions that have this modifier are overridden. Developers should be extremely careful when implementing hook
modules or further overriding functions that involve hooks.
|
withHook() modifier
Calls IERC7579Hook.preCheck before executing the modified function and IERC7579Hook.postCheck
thereafter.
supportsModule(uint256 moduleTypeId) → bool public
Supports hook modules. See AccountERC7579.supportsModule
isModuleInstalled(uint256 moduleTypeId, address module, bytes data) → bool public
Returns whether a module is installed on the smart account
_installModule(uint256 moduleTypeId, address module, bytes initData) internal
Installs a module with support for hook modules. See AccountERC7579._installModule
_uninstallModule(uint256 moduleTypeId, address module, bytes deInitData) internal
Uninstalls a module with support for hook modules. See AccountERC7579._uninstallModule
_execute(Mode mode, bytes executionCalldata) → bytes[] internal
Hooked version of AccountERC7579._execute.
_fallback() → bytes internal
Hooked version of AccountERC7579._fallback.
ERC7821
import "@openzeppelin/contracts/account/extensions/ERC7821.sol";Minimal batch executor following ERC-7821.
Only supports supports single batch mode (0x01000000000000000000). Does not support optional "opData".
@custom:stateless
execute(bytes32 mode, bytes executionData) public
Executes the calls in executionData with no optional opData support.
Access to this function is controlled by _erc7821AuthorizedExecutor. Changing access permissions, for
example to approve calls by the ERC-4337 entrypoint, should be implemented by overriding it.
|
Reverts and bubbles up error if any call fails.
supportsExecutionMode(bytes32 mode) → bool result public
This function is provided for frontends to detect support.
Only returns true for:
- bytes32(0x01000000000000000000…): does not support optional opData.
- bytes32(0x01000000000078210001…): supports optional opData.
_erc7821AuthorizedExecutor(address caller, bytes32, bytes) → bool internal
Access control mechanism for the execute function.
By default, only the contract itself is allowed to execute.
Override this function to implement custom access control, for example to allow the ERC-4337 entrypoint to execute.
function _erc7821AuthorizedExecutor(
address caller,
bytes32 mode,
bytes calldata executionData
) internal view virtual override returns (bool) {
return caller == address(entryPoint()) || super._erc7821AuthorizedExecutor(caller, mode, executionData);
}Utilities
ERC4337Utils
import "@openzeppelin/contracts/account/utils/draft-ERC4337Utils.sol";Library with common ERC-4337 utility functions.
See ERC-4337.
parseValidationData(uint256 validationData) → address aggregator, uint48 validAfter, uint48 validUntil internal
Parses the validation data into its components. See packValidationData.
packValidationData(address aggregator, uint48 validAfter, uint48 validUntil) → uint256 internal
Packs the validation data into a single uint256. See parseValidationData.
packValidationData(bool sigSuccess, uint48 validAfter, uint48 validUntil) → uint256 internal
Same as packValidationData, but with a boolean signature success flag.
combineValidationData(uint256 validationData1, uint256 validationData2) → uint256 internal
Combines two validation data into a single one.
The aggregator is set to SIG_VALIDATION_SUCCESS if both are successful, while
the validAfter is the maximum and the validUntil is the minimum of both.
getValidationData(uint256 validationData) → address aggregator, bool outOfTimeRange internal
Returns the aggregator of the validationData and whether it is out of time range.
hash(struct PackedUserOperation self, address entrypoint) → bytes32 internal
Get the hash of a user operation for a given entrypoint
factory(struct PackedUserOperation self) → address internal
Returns factory from the PackedUserOperation, or address(0) if the initCode is empty or not properly formatted.
factoryData(struct PackedUserOperation self) → bytes internal
Returns factoryData from the PackedUserOperation, or empty bytes if the initCode is empty or not properly formatted.
verificationGasLimit(struct PackedUserOperation self) → uint256 internal
Returns verificationGasLimit from the PackedUserOperation.
callGasLimit(struct PackedUserOperation self) → uint256 internal
Returns callGasLimit from the PackedUserOperation.
maxPriorityFeePerGas(struct PackedUserOperation self) → uint256 internal
Returns the first section of gasFees from the PackedUserOperation.
maxFeePerGas(struct PackedUserOperation self) → uint256 internal
Returns the second section of gasFees from the PackedUserOperation.
gasPrice(struct PackedUserOperation self) → uint256 internal
Returns the total gas price for the PackedUserOperation (ie. maxFeePerGas or maxPriorityFeePerGas + basefee).
paymaster(struct PackedUserOperation self) → address internal
Returns the first section of paymasterAndData from the PackedUserOperation.
paymasterVerificationGasLimit(struct PackedUserOperation self) → uint256 internal
Returns the second section of paymasterAndData from the PackedUserOperation.
paymasterPostOpGasLimit(struct PackedUserOperation self) → uint256 internal
Returns the third section of paymasterAndData from the PackedUserOperation.
paymasterData(struct PackedUserOperation self) → bytes internal
Returns the fourth section of paymasterAndData from the PackedUserOperation.
ERC7579Utils
import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";Library with common ERC-7579 utility functions.
See ERC-7579.
execSingle(bytes executionCalldata, ExecType execType) → bytes[] returnData internal
Executes a single call.
execBatch(bytes executionCalldata, ExecType execType) → bytes[] returnData internal
Executes a batch of calls.
execDelegateCall(bytes executionCalldata, ExecType execType) → bytes[] returnData internal
Executes a delegate call.
encodeMode(CallType callType, ExecType execType, ModeSelector selector, ModePayload payload) → Mode mode internal
Encodes the mode with the provided parameters. See decodeMode.
decodeMode(Mode mode) → CallType callType, ExecType execType, ModeSelector selector, ModePayload payload internal
Decodes the mode into its parameters. See encodeMode.
encodeSingle(address target, uint256 value, bytes callData) → bytes executionCalldata internal
Encodes a single call execution. See decodeSingle.
decodeSingle(bytes executionCalldata) → address target, uint256 value, bytes callData internal
Decodes a single call execution. See encodeSingle.
encodeDelegate(address target, bytes callData) → bytes executionCalldata internal
Encodes a delegate call execution. See decodeDelegate.
decodeDelegate(bytes executionCalldata) → address target, bytes callData internal
Decodes a delegate call execution. See encodeDelegate.
encodeBatch(struct Execution[] executionBatch) → bytes executionCalldata internal
Encodes a batch of executions. See decodeBatch.
decodeBatch(bytes executionCalldata) → struct Execution[] executionBatch internal
Decodes a batch of executions. See encodeBatch.
This function runs some checks and will throw a ERC7579DecodingError if the input is not properly formatted.
|
ERC7579TryExecuteFail(uint256 batchExecutionIndex, bytes returndata) event
Emits when an EXECTYPE_TRY execution fails.
ERC7579UnsupportedCallType(CallType callType) error
The provided CallType is not supported.
ERC7579UnsupportedExecType(ExecType execType) error
The provided ExecType is not supported.
ERC7579MismatchedModuleTypeId(uint256 moduleTypeId, address module) error
The provided module doesn’t match the provided module type.