Try   HackMD

Bundler anti-replay attack scheme (researching)

background

In the account abstraction of 4337, in order to prevent replay attacks, a nonce variable is introduced into the AA wallet contract, which must be updated every time Tx is executed, thereby increasing the Gas overhead

direction:

  • We need to meet our anti-replay attack requirements in a relatively Gas-saving way
  • Combining Tx's nonce + chainId two fields
    • The nonce in the tx of each account should increase monotonically by +1
    • chainId is bound to the corresponding network
      • It can be solved by adding chainId to the off-chain signature parameter, and using block.chainId to calculate the hash comparison on the chain

plan

  • The correctness of the nonce of the user Tx is guaranteed by ZKP
  • The EP contract does not need to maintain the nonce for each user separately, but maintains two StateHash and RecrusiveStateHash values ​​in the Verify contract (great gas savings)

StateHash, RecrusiveStateHash iterative maintenance process

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Questions to be confirmed

  • Performance improvement of off-chain ZKP
    • Need to choose the appropriate merkel data structure
  • Process security audit (not found yet)
  • DA problem with user Nonce
    • The user's actual nonce is all stored off-chain, and nodes need to ensure data availability
    • When the EP contract executes Tx, it needs to log a nonce, which is convenient for users to build the state of the nonce by themselves – by Wen Bo

Pseudocode description

Prove process circom syntax description:

signal input UserAddress[N];

signal input CurUserNonce[N];
signal input CurRecrusiveStateHash;
signal input PreRecrusiveStateHash;
signal input CurStateHash;

signal input NewUserNonce[N];
signal output NewRecrusiveStateHash;
signal output NewStateHash;
signal output PubCurStateHash;
signal output PubCurRecrusiveStateHash;

assert(MerkelHash(CurUserNonce[N]) == CurHash);

assert(Hash(PreRecrusiveStateHash, CurHash) == CurRecrusiveStateHash);

for(var i = 0; i < N;i ++) {
    assert(CurUserNonce[i] + 1 == NewUserNonce[i]);
}


NewStateHash <== MerkelHash(NewUserNonce[N]);
NewRecrusiveStateHash <== Hash(CurRecrusiveStateHash, NewStateHash);
PubCurStateHash <== MerkleHash(CurUserNonce[N]);
PubCurRecrusiveStateHash <== CurRecrusiveStateHash;

Prove results:

ProofData;
PublicInputs:{
    NewStateHash,
    NewRecrusiveStateHash,
    PubCurStateHash,
    PubCurRecrusiveStateHash,
}

The process of updating the status after Verify (EVM environment):


require(Verify(ProofData,PublicInputs)==True);

require(self.CurStateHash == PublicInputs.PubCurStateHash);
require(self.CurRecrusiveStateHash == PublicInputs.PubCurRecrusiveStateHash);

self.CurStateHash = PublicInputs.NewStateHash;
self.CurRecrusiveStateHash = PublicInputs.PubCurRecrusiveStateHash;
Last changed by 
Orbiter Docs
Orbiter Docs
0
187

Read more

EIP-4337 for off-chain verification signature supported by zero-knowledge proof

With the EIP-4337 account abstraction contract deployed to the Ethereum mainnet, in the not-too-distant future, the AA (Account Abstraction) contract will gradually become a very important activity carrier among Ethereum ecological users in the future. AA will be deployed in the Ethereum network in the form of smart contracts, and its operational flexibility will be greatly enhanced. Compared with EOA account, it can bring users:

May 4, 2023
ESP Account Abstraction Grant Proposal

Objectives In the EIP-4337 account abstract contract, transaction signature verification, nonce value and Gas fee calculation and deduction logic are all carried out in the process of aggregation, resulting in more Gas consumption than normal transaction execution. We designed a bundler service based on zero-knowledgement prove architecture to handle the verification of the signature correctness of user Tx, Merkel world state tree, to maintain the nonce value of AA account and Gas balance, Merkle Root was finally updated to the EntryPoint contract on the Ethereum mainnet to reduce the threshold for AA usage, while also retaining the flexibility of AA trading on L1. Outcomes It will reduce the cost of using the EIP-4337 AA account on the Ethereum ecological network, reaching the level of mass production and use, and each ERC20 transfer can reduce Gas by 20% to 30% Grant Scope We wish to apply for this funding to support the team to carry out the research and development of the function, mainly involving the point

Apr 6, 2023
Bundler Tx Gas settlement process optimization

background In the 4337 scenario, after each Tx is executed by the EntryPoint contract agent, the Gas fee used by the Tx must be paid in a timely manner. After analysis, the Gas consumption caused by this operation is relatively large, which is equivalent to an ERC20 The Gas used for transfer needs to be optimized. If this step is removed, 9k+ Gas can be saved Optimization ideas Adopt an optimistic approach to perform batch delay execution on the transfer of Gas fee In the L1 environment, all the steps of settlement Gas are transferred to the cheaper L2 for executionUsers are required to deposit funds on L1 first to pay for Gas fees Synchronize the information to the L2 contract, How to avoid the situation that the user&apos;s fee asset may be empty due to the delayed settlement of the fee?

Feb 16, 2023
Compression optimization scheme in Bundler CallData Rollup environment (little benefit, temporarily put it)

Do L1 first, L2 compression Gas benefits are not great The core principle is in the Rollup environment, taking ERC20 transfers as an example, compressing the callData of L2Tx will have 6.5% room for gas optimization, but ERC20 transfers under L1 will not have obvious room for gas optimization Source of conclusion:SHORT ABIS FOR CALLDATA OPTIMIZATION Compress the overall solution What fields are generally involved in the Tx of a contract interaction?

Feb 13, 2023
Read more from Orbiter Docs
Published on HackMD