You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ERC-4337 limits the op-codes that can be used in account creation with initCode and validateUserOp. In particular, it limits CREATE2 calls to only a single call that results in the user operations account. This is a problem if you want to account setup to deploy more than one contract.
In particular this is interesting in the context of P-256 signature verification (elliptic curve used by Passkeys and WebAuthn). It is typically implemented as:
P256Signer
contractP256Signer {
// The X and Y coordinates of the public keyuint256immutablepublic X;
uint256immutablepublic Y;
constructor(uint256x, uint256y) {
X = x;
Y = y;
}
function isValidSignature(bytes32message, bytescalldatasignature) externalviewreturns (bytes4) {
// check that the signature for the message matches the public key
}
}
This means that, when deploying a Safe with a single P-256 signer that has never been used before, we would need the initialisation to deploy two contracts:
The SafeProxy for the new account
The P256Signer contract for the specified public key
ERC-4337 does not allow this, even for staked factories (see #147). In order to work around this, we use a “deferred setup” strategy, where the init code deploys what we call a “launchpad” contract and is tied to specific UserOperation parameters, and the user operation execution does the actual setup:
sequenceDiagram
actor B as Bundler
participant E as EntryPoint
participant F as SafeProxyFactory
participant P as SafeProxy (Account)
participant L as SafeOpLaunchpad
participant S as Safe (Singleton)
participant M as Safe4337Module
actor T as Target
B ->> +E: handleOps([userOp])
E ->> +F: CALL(userOp.initCode[:20])
F ->> P: CREATE2
F ->> P: setup(initHash)
P ->> L: setup(initHash)
note over L: SSTORE(initHash)
F -->> -E: ok
E ->> +P: validateUserOp(userOp)
P ->> L: validateUserOp(userOp)
note over L: require(getInitHash(userOp) == initHash)
L -->> P: validationData
P -->> -E: validationData
E ->> +P: initializeThenUserOp<br>(singleton,setup,callData,signatures)
P ->> L: initializeThenUserOp(...)
note over L: SafeStorage.singleton = singleton
L ->> S: DELEGATECALL(setup)
note over S: standard Safe setup
note over P: At ths point, the Safe is deployed
L ->> P: DELEGATECALL(callData)
P ->> S: DELEGATECALL(callData)
S ->> M: execUserOp(...)
M ->> P: executeFromModule(...)
P ->> S: executeFromModule(...)
S ->> T: Ether
P -->> -E: ok
Loading
An E2E test was added to verify this strategy works with the reference bundler (and, to no surprise, it does).
Implementation Notes
The _getInitHash function is strange - but a work around to ensure that the initHash is not self-referential.
Downsides
The way it was currently implemented the Safe’s address is tied to the first user operation that the Safe executes. This means that given an owner (for example a P-256 signer) there is no way of knowing what the final address of the Safe account will be as it depends on the user operation’s calldata, gas parameters, etc.
nlordell
changed the title
Launchpad Contract for ERC-4337-Compatible Complex Initialisation
Launchpad Contract for ERC-4337-Compatible Initialisation
Dec 6, 2023
This means that given an owner (for example a P-256 signer) there is no way of knowing what the final address of the Safe account will be as it depends on the user operation’s calldata, gas parameters, etc.
While I like the overall solution, in my opinion, this is a huge downside, in my experience, many projects care about deterministic addresses and the "deploy as you go" approach. Also, this prevents cross-chain replays because the hash includes the chain ID, and even without it, it may be tricky because of the fluctuations in gas parameters.
I agree - I don't think this is a great approach (just wanted to create the PR for completeness/documentation purposes). In the context of ERC-4337 + WebAuthn signer deployment, I do much prefer #184. If you are OK with it, I will close this PR in favour of the latter.
I agree - I don't think this is a great approach (just wanted to create the PR for completeness/documentation purposes). In the context of ERC-4337 + WebAuthn signer deployment, I do much prefer #184. If you are OK with it, I will close this PR in favour of the latter.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
None yet
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
nlordell
force-pushed
the
launchpad-contract
branch
from
Related to #149
ERC-4337 limits the op-codes that can be used in account creation with
initCodeandvalidateUserOp. In particular, it limitsCREATE2calls to only a single call that results in the user operations account. This is a problem if you want to account setup to deploy more than one contract.In particular this is interesting in the context of P-256 signature verification (elliptic curve used by Passkeys and WebAuthn). It is typically implemented as:
P256SignerThis means that, when deploying a Safe with a single P-256 signer that has never been used before, we would need the initialisation to deploy two contracts:
SafeProxyfor the new accountP256Signercontract for the specified public keyERC-4337 does not allow this, even for staked factories (see #147). In order to work around this, we use a “deferred setup” strategy, where the init code deploys what we call a “launchpad” contract and is tied to specific
UserOperationparameters, and the user operation execution does the actual setup:sequenceDiagram actor B as Bundler participant E as EntryPoint participant F as SafeProxyFactory participant P as SafeProxy (Account) participant L as SafeOpLaunchpad participant S as Safe (Singleton) participant M as Safe4337Module actor T as Target B ->> +E: handleOps([userOp]) E ->> +F: CALL(userOp.initCode[:20]) F ->> P: CREATE2 F ->> P: setup(initHash) P ->> L: setup(initHash) note over L: SSTORE(initHash) F -->> -E: ok E ->> +P: validateUserOp(userOp) P ->> L: validateUserOp(userOp) note over L: require(getInitHash(userOp) == initHash) L -->> P: validationData P -->> -E: validationData E ->> +P: initializeThenUserOp<br>(singleton,setup,callData,signatures) P ->> L: initializeThenUserOp(...) note over L: SafeStorage.singleton = singleton L ->> S: DELEGATECALL(setup) note over S: standard Safe setup note over P: At ths point, the Safe is deployed L ->> P: DELEGATECALL(callData) P ->> S: DELEGATECALL(callData) S ->> M: execUserOp(...) M ->> P: executeFromModule(...) P ->> S: executeFromModule(...) S ->> T: Ether P -->> -E: okAn E2E test was added to verify this strategy works with the reference bundler (and, to no surprise, it does).
Implementation Notes
The
_getInitHashfunction is strange - but a work around to ensure that theinitHashis not self-referential.Downsides
The way it was currently implemented the Safe’s address is tied to the first user operation that the Safe executes. This means that given an owner (for example a P-256 signer) there is no way of knowing what the final address of the Safe account will be as it depends on the user operation’s calldata, gas parameters, etc.