I think the audits actually came before the security concerns I raised. The audits were finished on June 14 2021 and May 19 2021, and my post above is from June 16 2021 and mentions risks that are not in the audits, as far as I recall.
I’m glad to see chainid was subsequently added to the signed message, which mitigates one of the attacks I demonstrated. Thanks for adding that!
I still feel that the risk outweighs the benefit, for the reasons I mentioned before. E.g. no way to revoke a previously signed AUTH. Revoking is hard to implement, but how about a deadline block number, like the one used in EIP 2612? It would at least cap the risk to recent approvals.
Even if we had a way to revoke old AUTH or set a deadline, attacks like the Governance Hijack I described would still be possible. (Quick reminder: an invoker that helps users do something useful, but also delegates their voting tokens to an attacker. Users won’t notice anything since they still have the tokens, but the attacker steals everyone’s voting power).
Another concern is that EIP 3074 enshrines certain things we’re trying to change. It enshrines ECDSA signatures, which we’re working to abstract away. At a higher level it enshrines the EOA model rather than move Ethereum towards a contracts-only model.
While EIP 4337 hasn’t been finalized yet, and new features like BLS aggregation are still work in progress, there are several wallets being built around EIP 4337 and a growing community of developers around it. Building wallets takes time, and they’re doing it while the EIP is undergoing breaking changes.
To name a few, Stackup is ERC-4337 compliant, Candide is making progress, and Soul Wallet is building a 4337 wallet for soulbound NFTs. I’m aware of a couple of others who haven’t published yet, and a couple of teams working on ERC 4337 tooling to make wallet integration easier. You’re welcome to monitor progress on the Account Abstraction discord.
While ERC 4337 is not a protocol change, I think we can build upon it and get all the benefits of EIP 3074 and beyond, without compromising on security. I hope we can join forces and work on a set of EIPs that will take us there.