Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AA-427: New aggregated signatures ERC #9

Closed
wants to merge 6 commits into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
145 changes: 145 additions & 0 deletions ERCS/erc-4337-agg.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
---
eip:
description: An ERC-4337 improvement to aggregation of all UserOperation signatures in a bundle
title: Signature Aggregation for Account Abstraction
author: Vitalik Buterin (@vbuterin), Yoav Weiss (@yoavw), Dror Tirosh (@drortirosh), Shahaf Nacson (@shahafn), Alex Forshtat (@forshtat)
discussions-to:
status: Draft
type: Standards Track
category: ERC
created:
requires: 4337, 7562
---

## Abstract

[ERC-4337](./eip-4337) defined a way to achieve Account Abstraction on Ethereum using an alternative `UserOperation` mempool.

However, one big limitation remains:
each transaction must carry its own `signature` or other form of validation input in order to be included.

We propose an extension to the ERC-4337 that introduces a new entity, aggregator, that is called during validation, to validate multiple user operations at once.

This addition will enable `UserOperations` to support sharing validation inputs, saving gas and guaranteeing atomicity of the bundle.

## Motivation

Using validation schemes that allow signature aggregation enables significant optimisations and savings on

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Using validation schemes that allow signature aggregation enables significant optimisations and savings on
On rollup networks, the cost of a transaction depends mostly on the calldata size when comitted to L1. Various compression schemes can be applied to UserOperations bundle, but the signature on each UserOp can't be compressed.
Instead, We allow a signature aggregator to aggregate all UserOperation signatures, and thus instead of N signatures, only a single signatures per bundle is required.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you confirm this is still the case for rollups using EIP-4844 transactions? Even so, I am not sure "comitted to L1" is the right wording in such cases.

gas for execution and transaction data cost. This is especially relevant in the context of rollups that publish data on
the Ethereum mainnet.

## Specification

### Aggregator - a new ERC-4337 `UserOperation` entity contract

* **Aggregator** - a helper contract trusted by accounts to validate an aggregated signature.
Bundlers/Clients whitelist the supported aggregators.

### Using Signature Aggregator

A signature aggregator exposes the following interface:

```solidity
interface IAggregator {

function validateUserOpSignature(PackedUserOperation calldata userOp)
external view returns (bytes memory sigForUserOp);

function aggregateSignatures(PackedUserOperation[] calldata userOps) external view returns (bytes memory aggregatesSignature);

function validateSignatures(PackedUserOperation[] calldata userOps, bytes calldata signature) view external;
}
```

* An account signifies it uses signature aggregation by returning its address from `validateUserOp`.
* During `simulateValidation`, this aggregator is returned to the bundler as part of the `aggregatorInfo` field in the `ValidationResult` struct.
* All aggregators MUST be staked.
* The bundler should first verify the aggregator is not throttled or banned according to [ERC-7562](./eip-7562) rules.
* To accept the `UserOperation`, the bundler must call `validateUserOpSignature()` to validate the `UserOperation` signature.
This method returns an "alternate signature" that should be used during bundling.\
An "alternative signature" is normally an empty byte array but can also contain some data for the `acccount`.
* The bundler MUST call `validateUserOp` a second time on the account with the `UserOperation` using the
returned "alternative signature", and make sure it returns the same value.
* Implementations of an `aggregateSignatures()` function must aggregate all UserOp signatures into a single value.
* Note that the above methods are helper methods for the bundler.
The bundler MAY use a native library to perform the same validation and aggregation logic.
* Implementations of a `validateSignatures()` function MUST verify the aggregated signature's validity
for all `UserOperations` in the array, and revert otherwise.
This method is called on-chain by `handleAggregatedOps()`

```solidity

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AttregatorStakeInfo is returned by simulation.

(however, I'm not sure simulateHandleOps is part of the "protocol" - the ERC, or we can define it only as "implementation")

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only did very minimal changes to the "Specification" part of the aggregation ERC, and "simulations" with state override were never mentioned in the original ERC-4337. Should we?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that "simulation" is not a standard, but implementation issue.
It is a mechanism that is really required only for estimation - which is also not part of the 4337 standard itself.
The reference implementation needs a fix not to use the simulation contract during validation

struct AggregatorStakeInfo {
address aggregator;
StakeInfo stakeInfo;
}
```
### Bundling changes

In addition to the steps described in ERC-4337, during bundling the bundler should:

* Sort UserOps by aggregator, to create the lists of UserOps-per-aggregator.
* For each aggregator, call `aggregateSignatures()` to create aggregated signature, and update the UserOps.

### New "entry point" function in the ERC-4337 `EntryPoint` contract

We define the following addition to the core interface of the `EntryPoint` contract:

```solidity
function handleAggregatedOps(
UserOpsPerAggregator[] calldata opsPerAggregator,
address payable beneficiary
);

struct UserOpsPerAggregator {
PackedUserOperation[] userOps;
IAggregator aggregator;
bytes signature;
}
```

An account that works with aggregated signature should return its signature aggregator address
in the `authorizer` return value of the `validateUserOp` function.
It MAY ignore the signature field.

* `handleAggregatedOps` can handle a batch that contains userOps of multiple aggregators (and also requests without any aggregator)
* `handleAggregatedOps` performs the same logic as `handleOps`, but it must transfer the correct aggregator to each
userOp, and also must call `validateSignatures` on each aggregator before doing all the per-account validation.

* **code: -32506** - transaction rejected because wallet specified unsupported signature aggregator
* The `data` field SHOULD contain an `aggregator` value

## Rationale

### Account returning the "alternative signature"

When using an `aggregator` contract, the accounts delegate their ability to authenticate `UserOperations`.
The entire contents of the

In order to allow the validation function of the account to perform other checks, the `validateUserOpSignature`
function generates a byte array that will replace the `UserOperation` signature when executed on-chain.

## Backwards Compatibility

As ERC-4337 was created with signature aggregation on the roadmap, no modifications are needed to the
deployed EntryPoint smart contracts.

This proposal introduces new features without affecting the existing ones, and does not break backwards compatibility.

## Reference Implementation

See `https://github.com/eth-infinitism/account-abstraction/tree/main/contracts`

## Security Considerations

### Malicious aggregators

The `aggregator` contracts are among te most trusted contracts in the entire ecosystem.
They can authorize transactions on behalf of accounts, and they can invalidate large numbers of transactions with
a simple storage change.

Both account developers and block builders should be extremely careful with the selection of `aggregator` contracts
that they are willing to support.

## Copyright

Copyright and related rights waived via [CC0](../LICENSE.md).
Loading