One way to solve this issue (at the expense of increased complexity) is to enforce that the nonceManager address is associated with the EOA at the mempool level. If the nonceManager is a contract and its address is derived from the EOA address by perhaps using the EOA as a salt to CREATE2 (or similar), a proof for nonceManager address derivation which includes the EOA can be included with the transaction to prove that the nonceManager is associated with the EOA.
While this does increase complexity, I donât think these details should be included in the EIP and can perhaps be included in ERC7562.
One way to solve this issue (at the expense of increased complexity) is to enforce that the nonceManager address is associated with the EOA at the mempool level
Iâd argue we donât want to add more things into the mempool.
Doesnât this EIP also break an invariant for code not changing at an underlying address? If you have logic today that performs EXTCODEHASH, and store those results (in a mapping against address) you have the possibility of having an infinite number of results.
Assuming that the mempool allows submitting transactions with multiple nonces, wouldnât bumpNonce(k) allow invalidating all transactions between nonces c and c+k present in the mempool, where c is the current nonce of the EOA? Does this potentially qualify as a mass-invalidation attack vector?
Do I understand correct that in order to execute smart contract code from EOA via 4337, the TX type would set contract code and hence create(initCode) part of 4337 would not be needed to be called (code already exists)?
This EIP is to give some AA functionalities to EOAs.
Yes, EOA doesnât have code, and doesnât deploy it - the transaction is executed âas ifâ the code is there.
This is an interim solution, and by no means a replacement for a full-fledged AA solution.
From security perspective, youâre at a much better position if you deploy an ERC4337 account, rather than trying to use an EOA using this EIP-7702 transaction.
I strongly vote for 3074 to also be included, ourselves and many other embedded wallet providers simply want to remove friction with gas sponsorship & transaction without increasing costs.
For context, most / all embedded wallets already have a relatively high level of trust delegated from their customers or end users so 3074 works out perfectly. 3074 remains the perfect next step for all the wallets that rely on 2771 meta transactions to move to protocol-native solutions without the requirement to whitelist a forwarder, and for simpler solutions that donât require an entire paymaster infra.
Costs are significantly higher for 7702 compared to 3074 once you add revocation, chain verification and other things which is the highest worry for the majority of the ecosystem.
I want to highlight that incentive are very tricky in the conversation because several people chiming in here are building businesses that charge fees on sponsored gas so higher gas fees are better business-wise. But for any application, protocol, or business that donât make money off of sponsored gas: itâs a net negative.
Separately, 3074 is a lot simpler to support for many of us who may just want to maintain an invoker without much more involved work.
Finally, I do think that users should be able to choose on a per-transaction basis which path they prefer between 3074 & 7702 as the properties are very different in practice:
⢠3074: much cheaper, simpler, must be more trusted
⢠7702: more expensive, more complex, trust delegation scales with complexity
Thatâs quite interesting! If contract_code is deployed directly, then even if it checks chain id or nonce, an attacker could bundle any of your previous signatures to mess with token receipts for a particular bundle.
I think initcode would prevent this? The initcode could revert, making the deployment fail.
The root cause is not the initialization, so adding initcode wonât help here.
I only mentioned it as an issue that an EIP-7702-wallet should be aware of the fact, and not attempt to do anything special within this callback.
The only mitigation is have persistent code - that is, deploy a full-fledged AA contract at that address.
Assume that NonceStore is previously deployed at address 0x01, and Iâm using Ephemeral in a 7702 transaction. Works great, and my approve-and-transfer goes through fine. It even has replay protection!
Now imagine some time has elapsed, and you want to send me an an ERC-1363 (or ERC-1155 or whatever) token from your own 7702-enabled account.
A malicious person could take my old Ephemeral signature and put it in front of your signature in the 7702 bundle. Obviously the nonce check will fail, but because my EOA now has code in it, the receive callbacks will fail, and the bundler can cause your transaction to fail.
That would be fine. Doesnât matter if itâs the code or its hash, just as long as itâs not just an address. It also makes it more efficient since the hash doesnât need to be in the transaction itself. It can be read on-chain and used for verifying the transaction. Iâm in favor of doing that.
The contract would have to implement these functions. During a 7702 transaction the account is not an EOA, itâs a temporary contract. See âbest practicesâ above.
I agree. Thatâs what @yaonam suggested and I think itâs the right trade off. I support replacing contract_code with an address as long as the signature covers the contractâs code (which doesnât need to appear in the transaction since itâs on-chain). And then we still donât need chainid because it ensures the code is the same on every chain.
@SamWilsn - this is in contrast to what I said before about the address, so Iâm pointing it out here. Transaction becomes smaller (only an address), cross-chain functionality is preserved, and so is safety (due to the code hash verification). WDYT?
Right. 7702 is not a replacement for account abstraction. If you need the account to have the same logic when others interact with it, use a smart account. 7702 is meant to bring some of the benefits to EOA, not every benefit. Still a good trade off for many users.
Youâre proposing a way to make NonceManager âassociatedâ with the EOA in the ERC-7562 sense, much like associated storage. That would work but it means that every EOA needs to actually deploy a contract to be used as its NonceManager. If youâre already deploying a contract, why not just deploy a smart account and get the full benefits of AA?
It would have to be known to the protocol, and in fact ERC-7562 doesnât need to know about it. Revocation is a protocol feature, not a 4337-related feature. The protocol needs to stop respecting a signature if it has been revoked, which requires it to know about NonceManager. This does complicate the EIP and Iâm still not sure it brings much benefits beyond maxNonce - which keeps things as simple as possible while supporting protocol-level revocation.
Flags for what to sign over and whether to keep code at the end.
If EIP7702 has already been implemented, the cost of adding a new algorithm isnât high.
The risk of permanently upgrading an EOA to a CA is significant (as EOAs carry historical baggage), but addresses generated by algorithms like secp256r1 are not EOAs, so permanently setting code carries no additional risk.
People need a more stable way to ensure deterministic deployments.
For example:
0x00: Temporary upgrade And secp256k1
0x10: Permanent upgrade And secp256k1
0x01: Temporary upgrade And secp256r1
0x11: Permanent upgrade And secp256r1
âŚ
Or, if you think supporting secp256r1 isnât necessary, just determine the contract address using the eoa+1 method.
The higher-level abstraction of upgrading an EOA to a CA is verifying an address and setting code for it. Iâm sure someone will use your protocol to deploy contracts; otherwise, we should better support this operation at the protocol level.
Hm, that means you need to have the code you want to run already deployed on chain? A tiny bit less flexible I suppose, but Iâm not strictly opposed.
From a quick estimate, the smallest reasonable proxy is what, like 50 bytes? So weâd be saving 30 bytes per transaction. Weâre sure thatâs worth it?