From how I see it, you could have different validators for the same executionSelector.

The ExecutionUpdate struct allows for an array of AssociatedFuntions, so based on some conditions in validateUserOp you could select which implAddress/implSelector you want.

I guess it depends on how the plugin information is stored… but like you asked above, I think I’ll go for some mappings in the MSCA. Could be worth standardising that storage into some IPluginManager interface so dapps could easily check if particular plugins are enabled

While the rhinestone team has been initiating open discourse about modularising ERC-4337 with multiple teams working in the space and we have been looking to push the space forward in a positive sum way, we feel that this EIP does not aim to start a conversation about this topic but is rather a way for the authors to further their own reputations.

The main reason we have for thinking this is that the EIP is clearly very heavily inspired by the work we did during the ETHDenver hackathon, yet fails to attribute or even mention our project (GitHub - kopy-kat/ethdenver-aa: Account Abstraction Project for ETHDenver). During the hackathon we built the (to our knowledge) first implementation of ERC-4337 using the Diamond Proxy Standard.

It is obvious that this EIP takes inspiration from our code for several reasons, most notably because it exactly follows our peculiar naming convention exactly and repeats many of the errors and security vulnerabilities present in our proof of concept.

Unlike Safe, who call their extensions modules, or ERC-2535, who call them facets, this EIP has chosen to call them plugins, naming that we hadn’t seen in solidity before we chose it. Further, while the extensions are called plugins, the functions that call them are called hooks, a name inspired by frontend libraries and that is completely absent in other solidity contracts today. Further, our names for the specific hooks, such as preExecution and postExecution have equally been retained exactly by the authors.

Unlike ERC-2535, which stores function selectors in a mapping, this EIP has chosen to use arrays, something that we had done during the hackathon but is, on second thought, a very suboptimal implementation. Perhaps most interestingly, during the hackathon we were unable to finish testing our implementations of the hooks, so they are left blank on the public GitHub repo. It seems that rather than trying to figure out our intentions and planned implementation of these hooks, the authors just left them out of the EIP, perhaps hoping for others to tell them how to implement these.

Since we have been working on improving the code we had written during ETHDenver over the last month, there are many design choices that we have now revisited in order to make a modular implementation of ERC-4337 using diamond Proxies viable to be used in production. As stated above, we are happy to share our progress in public in order to propel the space forward and have already done so with select teams. However, because we are not yet confident in the security guarantees of our code, we have for now kept most of it internal and are planning on releasing it, together with detailed explanations of our design choices and extensive testing, at a later date.

Due to the numerous “coincidental” similarities to our code, examples of which were given above, but the clear lack of attribution or even mention of the rhinestone project, we feel like this EIP does not aim to create and improve public discourse around modular ERC-4337 in a positive-sun way and hence we will abstain from commenting and pointing out the numerous flaws that we have since discovered in our original code, most of which have been repeated in this EIP.

We want to quickly address the above comment, which we’ve attempted to mediate directly, in a public comment and then move towards focusing discussions on technical criteria and improvements.

1. Our motivation for creating this EIP is not to “further our reputations” and indeed an EIP is not a vehicle to do that. We see contract accounts as an absolute requirement to get 1B people on crypto rails, and to that extent we’re pushing things forward where we can, including standards, open source software, and developer products. Standards specifically streamline the ecosystem, maximize developer leverage, minimize fragmentation and developer lock-in, and allow more cohesion in moving the space forward.
2. We were actually entirely unaware of Rhinestone when publishing. We reached out to engage the Rhinestone team as soon as a community member flagged the similarities. It’s actually cool to see convergence in design here. That generally means as a collective group we’re trending in the right direction. That said, similarities are a large step from copies - we demonstrated live to the Rhinestone team the history of how we landed at this conclusion after months of iteration. Nomenclature like “plugins” and “preExecution” are not unique to either this standard or Rhinestone’s implementation and are canonical and intuitive terms to capture the intended meaning.
3. The reason we moved our internal discussions into a public forum is to engage in the discourse and discussions, such as the ones from @rmeissner, @fmc, and @jamesmccomish, that forces us to either justify our design decisions or incorporate feedback and adapt the design. To that point, all decisions in the standard now have been prototyped and battle tested internally, and we have not seen counter arguments to standard specifications - including when we presented these “error laden” decisions to the Rhinestone team.
4. We’d been hoping to reach a resolution directly with the Rhinestone team, but unfortunately the asks they were making were not appropriate for this EIP or any other. Specifically, the two asks are:

a) Calling out Rhinestone in the EIP abstract. EIPs are not a vehicle for products or teams to gain relative standing or distribution. This is a conscious decision to maintain neutrality in standards for an open decentralized platform, and to that extent Alchemy is not mentioned a single time in the EIP, and we reference examples we researched in design where appropriate in the context of the specification.
b) Adding a Rhinestone author to the EIP authorset. We plan on collaboratively defining a set of criteria for expanding the author set that we can apply equally to everyone. We’ll share those in the TG facilitating these discussions next week, but can’t create special cases. That’s not to say Rhinestone doesn’t or won’t eventually qualify based on these criteria but we need a system that is uniform and applies equally to everyone in the community based on contributions and body of work. Working on parallel implementations that result in similarities to the standard likely don’t suffice and aren’t sufficient constraints on growing the authorset responsibly.

Taking a step back here: the goal is to provide an open standard that streamlines development and maximizes outcomes for the ecosystem. The goal here is not to assume individual ownership of this standard, use it to promote teams or products, or otherwise bias it towards a particular entity. To make sure that we’re able to do this, we need to enforce an equal process for each stakeholder and a conscious mitigation of any brand and product associations.The TL;DR of this situation:

1. We unequivocally did not copy work, and demonstrated our methodology to the Rhinestone team.
2. To that point this work is now in the public domain and should be owned by the ecosystem.
3. This is not a zero sum game, and the most outsized outcome will be a result of everyone working together, agreeing on scope, charter, and process, and pushing this forward in a timely manner.
4. This is not a vehicle for products or teams to gain standing or distribution.

Moving forward, let’s keep the discussions on Eth Magicians and similar public forums focused on technical discussions. There’s an open Telegram group as well to facilitate higher bandwidth conversation, per suggestion from the Rhinestone team. We’re always happy and available to chat with any teams directly on other matters.

I fully agree with your point that this discussion should be reserved for comments on this EIP, so I think it makes sense to leave it at this. However, we also don’t want any misrepresentations to hang around so I just wanted to briefly clarify a few points:

Primarily, the asks that you mention were in fact not our asks, but your suggestion on the call with myself, you (Noam), Adam and Fangting (all from the Alchemy team) on Friday April 21. After discussing your proposal to add me as co-author and referencing our code from ETHDenver in exchange for removing my comment above, my team agreed to this and informed you over the weekend. After this you changed your mind, said this was no longer an option and followed up with this comment.

My understanding was that our discussions were centred around collaboration and clearing the air between us, not promoting rhinestone, so this comment is disappointing.

We are committed to building modular AA in the open and ensuring it is valuable to all in the ecosystem (as seen in the telegram conversations Telegram: Join Group Chat). However, as I pointed out on the call, we do not think that it is beneficial for the ecosystem to try to enshrine a specific implementation of modular AA as a standard, but we should rather aim to standardise interfaces for modules and how they interact with smart accounts, allowing for a diverse set of implementations to exist. We have initiated discussion about this in the group chat and will move some of the arguments into this forum should that be useful in the future.

I looked at the standard and in general I like it and I think it is a great idea. In order to leverage the EIP-2535 Diamonds community and its tooling, interoperability and documentation I think it would be great, if possible, to make the smart contract accounts compliant with EIP-2535 Diamonds.

Making it compliant with EIP-2535 Diamonds may be easier than first considered.

The upgrade function diamondCut specified in EIP-2535 Diamonds is optional so smart contract accounts would not have to implement that and the standard allows other custom or standardized upgrade functions to be used like updatePlugins.

The EIP-2535 Diamonds standard only requires that the DiamondCut event be emitted and the four IDiamondLoupe read-only functions be implemented. The standard requires these for interoperability and interfacing with tooling and other software, for example louper.dev. A great article on EIP-2535 Diamond compliance is here: Compliance with EIP-2535 Diamonds Standard

It seems possible to me that a smart contract account could implement the IPluginLoupe interface and IPluginUpdate interface other interfaces defined by the smart contract account EIP as well as implement the IDiamondLoupe interface and emit the DiamondCut event when adding/replacing/removing functions.

I would love for EIP-2535 Diamonds and this smart contract accounts EIP to work together.

“EIP: Modular Smart Contract Accounts and Plugins” is generally feasible!

But I think there are several points that may need attention:

1. add/remove Hook plugins may need to be divided into two parts:
   For example: 1. add plugin → 2. wait for a security time delay (e.g. 48 hours) → 3. user confirms that the plugin has been added.At least the implementation in soulwallet is like this, this is mainly for security reasons, for full context see the previous discussion with the author of ‘EIP-2535 Diamonds’ mudgen at here . So for us only PluginAdd function is not enough, at least a PluginPreAdd similar process is needed, and this process for monitoring purposes, will also emit event

2. validateUserOp because it will be called at high frequency, so we need to consider the ‘gas efficiency’, in our consideration for the time being will be validateUserOp logic fixed in the contract (rather than through the plugin way to achieve), later if user need to upgrade the logic of validateUserOp, the user can update the ‘proxy contract’->‘logic contract’ address pointer(lower gas).

3. I think MSCA implicitly aims to create a set of standards that any standard-compliant SCA can use any standard-compatible frontEnd (users don’t need to rely on ‘ONE’ frontEnd only), while the signature assembly and verification process often differs from one SCA to another (gas efficiency first｜stability first｜code readability first… etc.), I’m thinking that this area could be a major challenge for MSCA implementation.

Can you elaborate on this topic please, and/or drop code examples from Soul Wallet repo?

Hi everyone, I’m happy to check in on this thread and provide an update on this proposal’s progress. There is now an updated and merged draft of the proposal on the main EIP site:

https://eips.ethereum.org/EIPS/eip-6900

The current draft is a response to the helpful and engaged dialogue happening here and on the related telegram channel. The feedback so far has pointed to some concerns about the the multi-facet proxy approach and interfaces, particularly in the context of where storage can feasibly reside. We’ve revised the EIP to be more explicitly agnostic in its approach to proxies and interfaces — this version allows for (but no longer requires) ERC-2535 style ‘delegatecall’ operations as the basis for execution.

This change has had a number of implications for security, interoperability, plugin management, and other issues that we’re currently exploring through research and development. In particular, we’re currently working on a library to address some of the storage limitations for plugins when using call. (In more detail, this library would aid in storing bulk data within an account’s associated storage, allowing for “nested” mappings and dynamic arrays). We are also working on benchmarking some of the implementation options allowed by the new spec, and on developing a reference implementation. We look forward to sharing the results of that work in the coming weeks.

In the meantime, we’d be very grateful for your perspectives on some key unanswered questions that we’re also working on. First, interfaces: the changes we’ve made to IPluginUpdate.sol and IPluginLoupe.sol have made them more flexible, but with some tradeoffs in complexity. Are there implications for this approach that we haven’t yet discussed? We would appreciate your feedback in either implementing an account or writing plugins for modular accounts.

Second, changing the interaction flow from accounts to plugins to use call instead of delegatecall requires both standardizing execution and explicitly allowing for multiple validator functions on the same execution function. These are additional changes to the spec that we’re considering, while also weighing the costs of added complexity. Thank you to @fmc for the suggestion on self-identifying signatures, that strategy (or a similar one in calldata) can provide the flexibility needed to adopt these changes. We would appreciate any additional insight into what baseline features execute function(s) should have.

Also, at this time I’d like to introduce @JasonW to the ERC-6900 author team. He will be helping with research and organization, making sure this standard is the best it can be and enabling community members to become contributors.

Thanks, Adam, glad to hear my suggestion has been helpful.

Here are the links to the wip implementation of this strategy: Smart Account and sample EOA Ownership Module following Associated Storage requirements.

Excited to hear about the library that addresses storage limitations for plugins when using call! Let me know if you need any assistance with r&d of it

must of discussion at the link above. In terms of adding and removing plugins, we think it’s slightly different. We think it’s more important for the user to have the wallet address ‘forever’, but plugins pose a security risk, for example, if a hacker steals your private key, can the hacker modify the storage by adding a plugin ( This would make the social recovery function unavailable), and we are trying to make the social recovery always available if the user is concerned

Hi everyone - thank you everyone who has continued to work with us on this proposal. We wanted to give an update to bring everyone up to speed on some of the design decisions we’re considering as a result of these conversations, including open areas we’re still working through.

We’re still in the process of formalizing the wording around this proposed change, and would like to get feedback and and bring the community into the decision process around these changes. The current draft is viewable here:

We’re still actively seeking collaboration and co-authorship in order to make this as useful as possible for the ecosystem. Please reach out if you want to work together on this proposal!

Proposed updates to the spec

The biggest change we’ve been testing is the idea of updating all function invocations, including execution functions, validation functions, and hooks, to use call instead of delegatecall. This isolates storage and execution code to be per-plugin, preventing accidental or malicious storage overrides across plugins and fundamentally changes the plugin trust model.

• To preserve the capabilities of modular accounts to make arbitrary external calls, we introduce two standardized execution functions to ERC-6900, grouped together in a new interface IStandardExecutor. The two functions are execute and executeBatch, taking the same names as the functions from ERC-4337’s SimpleAccount but with new parameters.
• These functions become necessary to provide through the standard when moving from delegatecall to call, because otherwise every single new contract interaction target would need to be added as a new plugin.
• The IPlugin interface (with the method pluginStorageRoot()) would be removed, due to the changes in storage management no longer necessitating this.

We propose consolidating global hooks and regular hooks into one concept called “hook groups”. Hook groups have each hook type as an optional field, and accounts must maintain an association between execution functions and which hook groups apply for the execution function. This addresses a comment from @dror on how postExecHooks can take in data parsed from a preExecHook to reduce the number of calldata copies.

We propose a new hook type, pre-validation hooks, that run before either a user op validator or a runtime validator. The intended use case for these hooks is permission checking and similar pre-transaction checks that are not related to signature validation itself.

• With the new storage model, it is possible to limit the blast radius of unverified validation and execution plugins using pre-validation hooks. These hooks can scope which external contracts or what parameters a given function is using.
• The code implementations and storage of these two contracts are independent, which allows for independent security assessments to be valid. E.g. a formally verified permissions plugin can limit an unverified validation plugin.

Plugin Loupe functions have been scoped down to reduce implementation overhead. We are actively looking for feedback in this area, as it affects the implementation process for off-chain entities.

Tradeoffs we’re considering

The current plugin update function (updatePlugins in IPluginUpdate) allows for “slim” updates that only specify the fields that actually need to be set. This is done by using only the minimum number of array fields needed to express the desired plugin configuration, specifying function types using the defined enums and omitting any function types that aren’t used.

• This allows, for example, a function that only has a user op validator and an execution function to not need to specify anything for other fields, like hook groups or a runtime validator. This reduces calldata size when the other fields are not needed.

• However, this requires all function references to be casted as bytes24. This is what Solidity internally uses as the ABI-encoded type, but requires casting back to a function (or unpacking into address + selector) to perform the call. It might be possible to change the interface to take in function types in the struct (i.e. declare a struct as follows), but doing so would require defining new structs for each function type:

  struct UserOpValidatorUpdate {
      PluginAction action;
      function(UserOperation calldata, bytes32) external validatorFunction;
  }
  

With hooks passing data from preExec to postExec, it now requires a pairwise association with across each, to be able to track which preExecHook returned data should be sent to which postExecHook. However, with the introduction of preValidate hooks, it is unclear exactly what the data flows should look like, if any.

• The group association is still valuable with the new hook types, as some preValidation hooks will want to defer state updates until execution. For example, preValidate hook that enforces an ETH spend limit will not want to perform the state update for tallying up ETH used by a key during the validateUserOp step. That should be avoided because in the case that execution reverts, the validation step will not be reverted, resulting in the spend limit usage increasing without an actual spend. For this reason, a preHook that performs the state update should be used.

Specifying the intended validator in the calldata of the standard execute functions limits the custom validation routing to just those two functions. This reduces the account-internal storage requirements (how the mappings and/or arrays look) for ERC-6900 implementing accounts. As an alternative, @fmc has suggested specifying the validator in the signature. We’re leaning towards not taking this direction to limit the scope of required validator storage in the modular account, but if there’s interest and a compelling reason to move it into the signature field, we can make that change.

PluginStorageLib

We’re still hard at work on testing and securing a reference implementation. In the meantime, we’ve realized there are some common components that many plugin developers will need to create when developing using the new call model that they did not need to do under the previous delegatecall model, specifically around designing storage layouts that abide by the account-associated storage rules of ERC-4337. To aid in developing these plugins, we’re sharing the first version of PluginStorageLib - a solidity library that presents account associated storage as one giant (bytes32 => bytes) mapping, allowing for both nested mappings and dynamic arrays in associated storage. This is intended for singleton plugin contracts to have storage per-account.

This is an unaudited library intended only as a starting point for plugin development. DO NOT USE THIS IN A PRODUCTION ENVIRONMENT. It requires custom serialization and deserialization for data stored, and care when designing key derivation schemes (i.e. protecting from manufactured key collisions).

We hope this can help explain and potentially alleviate some of the tradeoffs of switching from delegatecall to call, and look forward to feedback on its implementation and usage.

Conclusion

These proposed changes to ERC-6900 need to involve community input. Please feel free to leave comments and let us know what you think!

Very happy to hear about the pivot from delegatecall to call.
Can’t wait get my hands dirty with the Plugin Storage lib!
Meanwhile, msged you on Telegram regarding contributing to the proposal.

Thanks @adamegyed for worth proposition!
This standardization of modular architecture is a very important proposition, given the variety of wallet providers that will enter the wallet market in the future.

BACKGROUND
We’re building a borrow/lend application that requests to prohibit execution transfer() and related modules, setApprovalForAll(), approve() and burn() methods to borrower’s wallet.

Those prohibit logic was implement into Safe’s guard contract so that borrower doesn’t be required to deploy each app-specific contract wallets but they are only required to apply guard to their wallet.

• At ETHGlobal Istanbul, Pinky team also built an application which implement prohibited logic into guard contract.
• If the each application provide own “app-specific” wallet, Users has to deploy each wallet that they want to use.

Following above, I could say that, from application developer side of view, this topic is much important for usability and account based identity contexts.

I draw a shape of composability like below (from this tweet).

image1920×1345 112 KB

STATUS QUO
The safe’s guard can be bypassed by module logic and this issue was flagged couple years ago and Safe V2 will implement “global guard” (details are unknown).

IMO, the reason why they didn’t support it at V1 that the Safe designed their architecture for organizations who is motivated to manage treasury by Multi-Sig so module would be setup by member of HQ, not setup by outside application.

OPINION
So, standing to above problem, I think the global preHook also need to implement logic below:

• With Opt-In, global preHook enables applications to prohibit transactions to wallet user.
• User can’t disable global preHook without application permission.
  *In case of our application, if borrower will return NFT from their wallet, wallet user could disable global preHook.

When updatePlugins is called with PluginAction.REPLACE or PluginAction.REMOVE, the calls MUST be validated by preHook and postHook.

   function updatePlugins(PluginUpdate[] memory pluginUpdates, address init, bytes calldata callData) external;
   function updateGlobalPlugins(GlobalPluginUpdate[] memory globalPluginUpdates, address init, bytes calldata callData)
       external;

I’d like to discuss two issues and suggest a model that might solve them:

1. The use of DELEGATECALL.

While the latest version of the ERC doesn’t require DELEGATECALL, at least one operation still does:

The function updatePlugins takes in arrays of execution updates, hook updates, and hook group updates to perform. It also takes in an optional initialization function. The function MUST perform the update operation sequentially, then, if the address provided in init is not address(0) , MUST execute init with the calldata callData through a delegatecall .

Using DELEGATECALL for init is a risky default. We may need DELEGATECALL for some use cases but CALL should also be supported and used by default. Therefore an ExecutionMode should be specified for init.

2. The need to enforce permissions in the pre-validation hooks, based on calldata alone.

It is hard to enforce permissions in pre-validation functions if the subsequent function runs in the context of the account itself. Real enforcement must happen inline. An alternative is to run the functions themselves outside the account context and provide callbacks that enforce permissions.

Permissions model

Plugins have unlimited power, especially if they use DELEGATECALL. Permissions can’t really be enforced in pre-validation if the plugin operates in the context of the account itself.

This unstructured access This makes auditing and formal verification of plugin challenging. This might limit the growth of the plugins ecosystem.

I’d like to propose a permissions system loosely modeled after Android’s:

The plugin declares its requested permissions, as well as the components it has:

• Initialization function and how it should be called (CALL/DELEGATECALL)
• Hooks it needs to use and how they should be called (CALL/DELEGATECALL)
• Execution functions it adds to the account.

It may also declare custom permissions defined by the plugin itself, which other plugins may request in order to interact with this plugin in certain ways.

This definition is similar to AndroidManifest.xml which every Android app includes. It should be returned by a pure function by the plugin, e.g. getManifest(), and the wallet would communicate it to the user before accepting it. The account will also use it for setting things up when adding/updating the plugin.

Here’s what the permissions might look like:

The default

By default (if the plugin doesn’t ask for any permissions), no DELEGATECALL, no special permissions in any account callbacks, the plugin is not trusted by the account beyond just calling the requested functions (CALL only). Some plugins may be able to work without any permissions.

For example, a spending-limit guard could be implemented using just a pre-execution hook which checks the current balance and returns it as a context, and a post-execution hook that reverts if the balance change is over the limit. Users will be able to add it with little risk because it won’t ask for any scary permissions.

DELEGATECALL permission

Requiring ongoing DELEGATECALL is the riskiest permission and should be avoided unless there is no other way to achieve the same functionality. This is equivalent to Android’s SYSTEM permission and would be used only by the most trusted plugins.

It might make sense for account devs to prevent users from adding such a plugin unless they explicitly whitelisted it, to prevent users from getting scammed. This is how Android handles apps that require SYSTEM - they must be signed by the manufacturer or by Google.

DELEGATECALL permission only during init

DELEGATECALL only during init is a bit safer since it’s easier to verify what it does, so it is considered a separate permission. But should also be avoided when possible. It might make sense to also treat it as a SYSTEM permission that requires whitelisting.

Specific storage permission

Specific-slot permissions can be given through setter/getter functions in the account, allowing plugins to access only certain slots. Similarly, the account may provide permissioned setters for certain mappings, arrays and structs. Specific-storage permission could allow a plugin to manage certain aspects of the account without giving up full control.

For example, a plugin that adds social recovery capability would need access to manage guardians and to set the account’s control key, but it doesn’t need access to manage modules or to transact on behalf of the account. It would ask for a PERMISSION.SET_KEY permission that allows it to call a callback that sets the key, and that’s it.

Per-plugin storage

A per-plugin getter/setter can be used for the plugin storage itself, providing unrestricted access to a mapping indexed by msg.sender. Each plugin has implicit permission to its own storage.

If the plugin is the only one that uses this mapping, it may be redundant since the plugin could use account-associated-storage in its own storage to store its data, but it will be useful for cross-plugin storage since it will be stored in the account itself and managed by the permissions system. Plugin1 may maintain a mapping in the account and define a PERMISSION.Plugin1.storage_read. Plugin2 will request that permission and be able to access that mapping as well. It enables splitting plugins to multiple modules with different permissions.

In the social recovery plugin example, there may be a complex module that manages the guardians and offers permissioned read access to the guardians. And then a very simple module that verifies guardian signatures according to the stored configuration, and sets the key. The complex module has no permissions (but declares a custom permission), and the simple module requests two permissions: PERMISSION.SET_KEY and PERMISSION.Plugin1.storage_read.

Execution from plugin

PERMISSION.execute_from_plugin, enabling calls to an executeFromPlugin function, similar to Safe’s executeFromModule. It allows the plugin to perform specific operations on behalf of the account without modifying its storage. E.g. send eth or transfer an ERC20 token.

Inside the account’s executeFromPlugin it is possible to enforce granular permissions for each plugin, e.g. the plugin can only transact with a specified contract. A plugin that create pre-execution hooks may declare custom permission such as PERMISSION.transact_with_contract_X and get called from executeFromPlugin before execution, where it’ll be able to check if the calling plugin has the permission to transact with contract X (or with all contracts). And a plugin that adds an execution function would only need to ask for the permission to transact with the contract it needs.

For example, a game plugin might ask for permission to transact with the game contract (and no other permissions). Users will be able to add it without worrying that it might steal assets.

Custom permissions

The account (or any of the plugins) may add custom permissions, similarly to how Android apps can create custom permissions. These permissions are not a part of the ERC but they are defined in the context of the account, the wallet knows how to interpret them to the user, and plugins may request these permissions when available.

Popular custom permissions may be standardized later if they are used by multiple account implementations and plugins.

PluginManifest

The model above requires the plugin to expose a structure, similar to AndroidManifest.xml to define the plugin’s required permissions, hooks with their execution modes, execution functions, etc. It should also have a protocol version to allow future upgrade, and a list of optional capabilities, e.g. declare that it only supports an account that implements a certain ERC beyond just 6900.

The manifest may also specify dependencies on other plugins. E.g. if PluginA adds a new execution function and PluginB uses it, then PluginB’s manifest would require PluginA. The wallet will detect this and install them together as needed (with the user’s approval).

The plugin’s getManifest() will return the manifest, RLP-encoded.

The update function could be replaced with an installation function that calls the plugin’s getManifest(). It’ll then install the plugin (unless it requires capabilities or a version that the account doesn’t have), grant the needed permissions, configure hooks, etc.

The wallet will first show the user the manifest and explain the meaning of the requested permissions. The user will be asked to sign a installPlugin(pluginAddress,manifestHash) transaction. The manifestHash is included to prevent the plugin from baiting and switching the requested permissions.

Example - social recovery plugin

Manager plugin doesn’t ask for permissions, only declares a permission and a few execution functions. All of them require the validation function ownerOnly which validates the owner’s key.

<manifest plugin="socialrecovery.manager" version:"1">
  <permission name="PERMISSION.socialrecovery.READ">
  <execution name="addGuardian(address)" validation="ownerOnly">
  <execution name="removeGuardian(address)" validation="ownerOnly">
  <execution name="setRecoveryPolicy(PolicyStruct)" validation="ownerOnly">
</manifest>

Recovery plugin asks for the SET_KEY permission. It also adds a validation function that validates the guardian signatures (so it needs the socialrecovery.READ permission defined by the manager module). And an execution function that sets the key, validated by the guardians validation function

<manifest plugin="socialrecovery.recovery" version:"1">
  <uses-permission name="PERMISSION.SET_KEY">
  <uses-permission name="PERMISSION.socialrecovery.READ">
  <validation name="validateGuardians">
  <execution name="setKeyByGuardians(bytes[])" validation="validateGuardians">
</manifest>

We’re not really going to use the XML format on-chain. It’ll be a more efficient RLP representation of this information. We should also optimize this model to better suit the ERC’s need. In this post I deliberately followed the Android model to show how it could work, but we can deviate from it when it makes sense.

Misc

Aside from the permission model and installation method, I’d like to propose another minor change:

In Calls to execution functions, If no corresponding plugin is found, the MSCA MUST revert. makes it incompatible with Safe fallback modules. Maybe we could consider supporting a “default plugin” with an associated validation function. Fallback modules built for Safe could then be compatible with this ERC with little or no changes.

Yes, I completely agree with what Yoav said:

1. For modular wallets, plugin is not enough. This is the solution we implemented (a detailed document will be released by David in a few days):

   1. Plugin is a collection of hooks.
   2. Because the Pre-UserOpValidate hook, plugins can only access associated storage. To address the issue of dynamic storage for plugins, we introduced Plugin storage (plugins can read and write the wallet’s storage, but each plugin has its own separate storage).
      2. There is a significant use case: 2FA. We introduced out of signature data in the Pre-UserOpValidate hook to address this. Even if the data are outside the signature, data security can still be ensured easily (【1】 【2】). To avoid conflicts when different plugins parse guardData, the wallet must parse ExtData and pass it to the respective plugin based on its needs.

2. Module is an external contract authorized to execute a specific list of functions.

   1. As Yoav mentioned, a permissions model needs to be defined. In our implementation, we require the Permission list to be pure [module] pure [plugin]. However, this cannot solve the problem (as it is actually invoked using staticcall on chain) unless the contract source code is audited to ensure “pure” functions.

   2. Yoav suggest can use sstore2, and Dror suggest can use Bundler.UserOpValidate.simulate. All reasonable. However , taking into account security and simplicity of implementation, I suggest using an Request -> Approval Model:

      1. Plugins have a permission request manifest. When users add a plugin, they need to input the corresponding permission manifest code. This ensures that all necessary permissions are granted, considering that if only certain hooks are allowed, the plugin may not function properly.

      2. Modules have a permission request manifest. When users add a module, they need to input a list of permissions (bytes4[]) that the user allows. This allows customization of permissions based on user requirements.

3. I suggest removing ExecutionMode.DELEGATECALL because it poses unresolved security risks that cannot be mitigated.

   1. In our current implementation, only the upgradeTo(address) function ( in UpgradeManager.sol) can access delegatecall, but this function is accessible to any authorized module:
      • Users have the freedom to choose their wallet implementation (with a 48-hour waiting period).
      • In case of any big issues, we can add our new version of the implementation to the whitelist, allowing users manual to upgrade immediately.
      • [context: by default, users trust our whitelist, and only modules in the whitelist can be added immediately. Other modules need to wait for 48 hours to take effect.]

Looking forward to the author’s reply.

Hi @in2xx !

To answer your question directly, updatePlugins and other functions defined directly on the account (as opposed to defiined via plugin execution functions) still run hooks. It is possible to design, under the current architecture, a custom validation function and/or preExec hook to enforce that type of check. On a standards-compliant account, there should be no way to bypass hooks.

Hi @yoavw and @cejay,

Thank you for your detailed feedback. We think the plugin manifest - some form of a self-descriptive view function that describes what functions a plugin provides and how they can be added to the account - makes a lot of sense. For the execution-related permissions, we’re generally leaning towards removing mandatory delegatecall usage entirely from the specification, so accounts that implement such features do so at their own risk.

For the “exec from plugin” workflow, we hear you and realize that runtime validators are not a good enough solution on their own. So, we’ll take a look at how we can adapt the spec and the way it represents associations to support this use case. Hopefully, sharing the reference implementation we’ve been working on can provide clarity in this area too.

Let’s wait on the the account storage API for now, and see how plugins can rely on existing tools to perform cross-plugin reads and writes. These include functions defined in the account fallback, and on the upcoming “exec from plugin” function, which can allow specific plugins to view and edit the data of other plugins. If we see the direct shared storage become a critical feature in plugin development, we can choose to add it to this spec. In the meantime, because the account storage API is defined as an interface on the account, it can be represented as a “required capability” of a plugin that needs it in its plugin manifest.

Hi @in2xx,

To answer your question directly, updatePlugins and other functions defined directly on the account (as opposed to via execution functions) still run hooks. It is possible to design, under the current architecture, custom validation and execution functions that enforce that type of check. On a standards-compliant account, there should be no way to bypass hooks.

There’s also a small batch of ERC changes that we’re getting ready to merge soon. Here’s what’s included and what’s planned for future work:

ERC Changelog:

• Removed the execution mode enum from IStandardExecutor. Now, it is only expected to use call.
  • Non-standard native account functions that use other call modes, such as delegatecall, are not prohibited by the spec.
• Changed plugin init operation to an array of call operations instead of a delegatecall.
• All plugin function signatures have been collected in one spec section for clarity.
• Pre user op validation functions now return a packed time bound, which is intersected with the validator-returned value.
• Specified behavior for natively-defined functions on the account.
• Specified operation order for updatePlugins (pending plugin function updates do not apply until after execution completes - i.e. after all postExec hooks return and the call frame is complete.
• Updated rationale section, fixed a typo, and updated the two call paths diagram.

Areas we’re still working on

• How to use a plugin manifest to replace the declaration of individual functions within updatePlugins.
  • This would also replace the current usage of hook groups.
• How to expose and control the ordering of hooks by the user.
• How to specify default fallback functions via the plugin update interface
• How to provide msg.sender and value as a meta-context to execution functions.
• Possible hook consolidation, especially as these type declarations are growing to be similar.

PR: Update ERC-6900: Spec update 2 by adam-alchemy · Pull Request #7247 · ethereum/EIPs · GitHub

Thank you all for your feedback!

I agree, that this is the only way for plugins to access MSCA’s storage that makes sense.

The purpose of Smart Accounts is to “store” and manage assets.
Since SA is a wallet, all operations made by SA should be managing the assets, and for this, there’s no need of using the SA’s storage.

IMO, Modular Smart Account should only use its own storage to store information about modules. And do it in the safest way to avoid situations, when SA can be upgraded to use another logic that can work in an unexpected way with an existing storage.

Thus, if as Adam mentioned we see a strong need for a direct shared storage, mapping indexed by module address could be the most straightforward and long-term oriented way of implementing it.

Overall looks excellent! This is very comprehensive, so much sothat it might be beneficial to consider a phased approach or provide more detailed guidance and support to facilitate its integration amongst the community.

Maybe this EIP should just focus on the hooks, then once those are finalized, more EIPs can build on top to eventually reach the current scope of this design. I think even just the hooks have a lot of nuance, and reminds me of iptables. Ensuring those are well thought through is critical.

Hi all, we’re excited to share some updates to the proposal taking into account feedback provided thus far.

Most notable are changes to the way plugins are configured on the account and the introduction of an interface for plugins. Updates related to the plugin manifest that enable plugin installation and removal are largely a product of suggestions and feedback by @yoavw, who will be joining as a coauthor to this proposal. As a result of these updates, the former IPluginUpdate interface and the updatePlugins function have been removed.

The full changelog, along with areas we’re still thinking through can be found below.

ERC Changelog:

• Updated shared components diagram to more accurately depict modular functions and their relationship to plugins.
• Added “native function” definition under Terms.
• Added the IPlugin interface that describes the functions a plugin must implement.
  • Plugins must implement ERC-165 and support this interface.
  • Associated functions in the interface take a uint8 function identifier to support multiple implementations of the same type of associated function.
• Removed the FunctionReference custom type, as function identifiers do not represent function selectors.
• Removed the hook group concept and its associated types.
• Replaced the IPluginUpdate interface with the IPluginManager interface.
  • The function updatePlugins has been replaced by the functions installPlugin and uninstallPlugin.
• Updated the IPluginLoupe interface to reflect the above changes.
• Added the IPluginExecutor interface, which introduces new functions executeFromPlugin and executeFromPluginExternal that allow plugins to interact with execution functions on the modular account as well as external contracts.
• Standard execution functions and executeFromPluginExternal should not allow calls to contracts that implement the IPlugin interface to maintain the integrity of account and plugin configuration.
• Added a section describing the plugin manifest, and the expected behavior for installPlugin and uninstallPlugin.
• Added a section describing the expected behavior for calls made from plugins.
• Style updates and typo fixes.

Areas we’re still working on

• We’re actively working on introducing a permissions model similar to what @yoavw has described in an earlier comment. We hope to release an update on this in the next couple of weeks.
• Using ERC-165 is one way to enforce data integrity on the account and associated data within plugins, but presents additional overhead during standard execution. We’re still exploring ways we can improve this flow.
• The way dependencies are requested by the plugin manifest and provided during installation prevents having to make immutable dependency references in the manifest, and offers flexibility for the user in providing a plugin of their choice for the dependency. However, there is still some rigidity in that the expected class of plugins for a given dependency must all implement the same interface. We’re giving more thought to this area to see if there is room for improvement.

As stated, some details are still in flux and will be ironed out in subsequent updates. We’d love to continue to refine the proposal with input from the community. Let us know what you think!

PR: Update EIP-6900: Spec update 3 by jaypaik · Pull Request #7516 · ethereum/EIPs · GitHub