βHackMDπ °οΈπ °οΈ EIP-2938 Account Abstraction Explained π§΅π
This is the first of two posts describing account abstraction. You can find the second post here.
What is Account Abstraction
As of the Muir Glacier hard-fork, out of Ethereum's two kinds of accountsβexternally owned accounts (EOAs, like your MetaMask wallet) and smart contractsβonly EOAs may pay gas fees for transactions. Lifting that restriction and allowing custom validity logic is, at an extremely high level, Account Abstraction (AA).
In this article, we want to give a brief and understandable explanation of EIP-2938, our proposal to bring AA to Ethereum.
A Concrete Example
The best way to explore AA is to see what you can build with it! So without further ado, here's a 2-of-2 multisig wallet that pays for its own transactions:
This is a rough sketch of how AA support could look in solidity, based on our early prototypes (available in the playground).
What is EIP-2938?
EIP-2938 is a specification for one flavor of AA, designed to be fairly simple to implement while allowing new and more powerful features to be developed in the future.
Consensus Changes
The EIP contains three consensus critical changes:
- Add a new EIP-2718 transaction type with fields
[nonce, target, data], wheretargetis the AA contract's address. Note the omission ofto,gas_price,gas_limit, and signature fields. Transactions of this type settx.originto0xffff...ff; a special address known as the AA entry point. - Add a
NONCEopcode (tx.noncein solidity) that pushes the transaction's nonce field. - Add a
PAYGASopcode which:- Creates an irrevertible checkpoint, guaranteeing state changes before
PAYGAScannot be undone by subsequent code. - Accepts a version argument, followed by a variable number of arguments. Initially the version is always
1, but exists for future compatibility with, for example, EIP-1559. - In this first version:
- Accepts a gas price and gas limit, signaling the contract's willingness to pay for the transaction.
- Creates an irrevertible checkpoint, guaranteeing state changes before
Other Changes
When the existing transaction pool logic is combined with AA's arbitrary transaction validity a new[1] type of attack on the Ethereum network is possible: a single transaction included in a mined block can invalidate a large number of previously valid pending transactions. Under a sustained attack, nodes would waste significant computation validating, propagating, then discarding these transactions. The EIP introduces a number of transaction pool restrictions to mitigate this attack, bringing the risk to a level comparable to non-AA transactions.
First, nodes will not accept AA transactions with nonces higher than the currently valid nonce. If multiple transactions arrive with the same nonce, only the highest paying transaction will be kept. When the currently valid nonce for an AA contract changes (i.e. upon receipt of a new block with a transaction for that contract), nodes will drop the pending transaction for that contract, if one exists.
Second, the EIP proposes a standard bytecode prefix for AA contracts. For non-AA invocations (i.e. msg.sender != 0xffff...ff) the prefix emits a log of msg.sender and msg.value. For AA invocations, the prefix passes execution to the main contract. Nodes will drop any AA transactions targeting a contract which doesn't begin with this standard prefix. Over time, more prefixes can be added (without a hard fork) to allow further functionality.
Finally, encountering any of the following conditions before PAYGAS will cause the node to immediately drop the transaction:
- An environment opcode (
BLOCKHASH,COINBASE, β¦); - Retrieving the
BALANCEof any account, including the target itself; - An external call/create (except to precompiles);
- An external state access that reads code (
EXTCODEHASH, β¦); - More than a fixed validation gas limit (currently 90,000) has been consumed.
These restrictions ensure that the only state accessible to the validity logic is state internal to the AA contract, and that this state can only be modified by the contract itself. Therefore, a pending transaction to an AA contract may only be invalidated by a block containing another transaction targeting the same contract.
Furthermore, these restrictions give nodes assurances regarding AA transaction validity similar to those that non-AA transactions already have. As these are not consensus changes, miners are free to include transactions in a block that break these rules.
What isn't EIP-2938?
If you've been following AA over the last couple years, you might have some expectations. Sorry to disappoint, but here's some of what you won't be getting with EIP-2938:
- Nonce Abstraction: EIP-2938 transactions still require a sequential nonce[2], enforced by the protocol, to maintain transaction hash uniqueness.
- Generally Efficient Transaction Propagation: Nodes will only store and propagate the single highest paying EIP-2938 transaction per AA contract. This works fine for single-tenant applications like smart wallets, and can be extended to multi-tenant applications in the future.
- Calling into AA Contracts: Requires EIP-2970 to prevent attacks that invalidate large numbers of pending transactions.
DELEGATECALL: Requires EIP-2937 for the same reason.- Meta-transactions: Setting
msg.senderand/ortx.originis way out of scope.
An EIP-2938 Transaction: From MetaMask to Etherscan
Using the same 2-of-2 multisig contract introduced earlier, this section walks through how an AA transaction is different than a traditional transaction.
Transaction Creation
Most of structure of an AA transaction is up to the contract itself (besides the mandatory fields). To create a simple transfer transaction for our multisig, first we collect the function arguments:
Then we compute the keccak hash and sign it with both owner keys to give the full calldata:
Finally, the calldata is inserted into the transaction envelope (the mandatory fields mentioned above):
Note the difference in envelope fields from a traditional transaction; specifically:
- No gas price or limit,
- No value to send,
- No signature fields, and
targetinstead ofto.
Instead, for the multisig contract, these fields are conveyed in the calldata and handled by the contract itself! Other contracts could use entirely different fields.
Transaction Propagation
When a traditional transaction arrives at a node, it is checked for validity. The same is true for AA transactions, though the checks are different.
When processing incoming traditional transactions, nodes check that:
- Their nonce matches the account's next nonce or is Close Enoughβ’,
- The account balance is sufficient to cover their value plus maximum gas fees, and
- Their signature matches the account's address.
When processing incoming AA transactions, however, nodes check that:
- Their nonce matches the contract's next nonce exactly,
- The contract's bytecode begins with a standard prefix,
- The validation logic calls
PAYGASbefore reaching the validation gas limit, - No banned opcodes are called before
PAYGAS, and - The contract's balance is sufficient to cover the gas fees set by
PAYGAS.
Block Propagation
When the block arrives containing the AA transaction, any other pending transactions for the same account are dropped. This is different from traditional transactions, which get revalidated and possibly broadcast upon receipt of a new block.
Call to Action
Feedback & Questions
Time to celebrate! You made it through the explainer. You're not done yet though. EIP-2938 is still rather short on feedback. If you have any questions or suggestions please leave a comment! You can also find us on the Ethereum R&D Discord in the #account-abstraction channel.
You're a dApp developer?
Are you a smart contract or dApp developer interested in AA? Drop by the Ethereum R&D Discord (#account-abstraction), we'd love to hear about your use case!
You're a core dev?
What implementation challenges stand in the way of this EIP? Are you afraid AA will collapse the network? We're pretty sure it won't, but we'd be happy to talk about it!
You want to try AA?
Quilt has built an AA playground on top of Geth, but it's a little out of sync with the EIP. Let us know how you'd like to try it, and we can update it!
Next Post
This is the first of two posts describing account abstraction. You can find the second post here.
This isn't strictly a novel attack, but it is significantly more problematic with AA contracts. For a more in-depth discussion, see DoS Vectors in Account Abstraction (AA) or Validation Generalization, a Case Study in Geth. β©οΈ
Quilt has done some limited research into how contracts can combine multiple transactions into one bundle transaction. β©οΈ
