ERC-7562 - Account Abstraction Validation Scope Rules

Abstract

This document describes the rules Account Abstraction protocols should follow, during the validation phase of Account Abstraction transactions, such as ERC-4337 UserOperation or RIP-7560 (Native Account Abstraction), which are enforced off-chain by a block builder or a standalone bundler, and the rationale behind each one of them.

Motivation

With Account-Abstraction, instead of hard-coded logic for processing a transaction (validation, gas-payment, and execution), this logic is executed by EVM code. The benefits for the account are countless - - abstracting the validation allows the contract to use different signature schemes, multisig configuration, custom recovery, and more. - abstracting gas payments allows easy onboarding by 3rd party payments, paying with tokens, cross-chain gas payments - abstracting execution allows batch transactions

All of the above are missing from the EOA account model.

However, there is one rule a transaction must follow to preserve the decentralized network: once submitted into the network (the mempool), the transaction is guaranteed to pay. This comes to prevent denial-of-service attacks on the network.

The EOA model implicitly follows the rule: a valid transaction can't become invalid without payment by the account: e.g. account balance can't be reduced (except with a higher paying transaction)

This rule makes the network sustainable and DoS-protected: the network can't be cheaply attacked by a mass of transactions. An attack (sending a mass of transactions) is expensive, and gets more expensive as the network clogs. Legitimate users pay more, and can delay operations to avoid the cost, but the attacker pays a huge (and increasing) amount to keep the network clogged.

To mimic the same incentive structure in any Account Abstraction system, we suggest the following transaction validation rules. These validation rules only apply to the validation phase of Account Abstraction transactions, not their entire executed code path.

For the actual interfaces of those contract-based accounts see the definitions in ERC-4337 and RIP-7560.

This documentation uses the terminology "UserOperation" for a transaction created by a smart contract account, and closely follows ERC-4337 terminology. However, the rules apply to any Account Abstraction framework that uses EVM code to perform transaction validation and makes a distinction between validation (whether the operation is eligible for inclusion on the protocol level) and execution (on-chain execution and gas payment) in a public mempool.

Specification

Validation Rules Types

We define two types of validation rules: network-wide rules and local rules.

A violation of any validation rule by a UserOperation results in the UserOperation being dropped from the mempool and excluded from a bundle.

Network-wide rule is a rule, that its violation by a UserOperation validation should result in a reputation damage for the peer bundler that sent this UserOperation in the p2p mempool. A peer bundler with a critically low reputation will eventually be marked as a malicious spammer peer.

Local rule is a rule that is enforced in the context of each bundler's local state, which may be different for each bundler and different bundlers may not always be in agreement on these rules' violations. Thus, The bundler that sent the violating UserOperation should not suffer a p2p reputation damage by its peers.

Constants

Title	Value	Comment
MIN_UNSTAKE_DELAY	86400	1 day, which provides a sufficient withdrawal delay to prevent most sybil attacks
MIN_STAKE_VALUE	Adjustable per chain value	Equivalent to ~$1000 in native tokens, which provides a sufficient capital requirement to prevent most sybil attacks
SAME_SENDER_MEMPOOL_COUNT	4	Maximum number of allowed userops in the mempool from a single sender.
SAME_UNSTAKED_ENTITY_MEMPOOL_COUNT	10	Maximum number allowed in the mempool of UserOperations referencing the same unstaked entity
THROTTLED_ENTITY_MEMPOOL_COUNT	4	Number of UserOperations with a throttled entity that can stay in the mempool
THROTTLED_ENTITY_LIVE_BLOCKS	10	Number of blocks a UserOperations with a throttled entity can stay in mempool
THROTTLED_ENTITY_BUNDLE_COUNT	4	Number of UserOperations with a throttled entity that can be added in a single bundle
MIN_INCLUSION_RATE_DENOMINATOR	100 (client) \ 10 (bundler)	A denominator of a formula for entity reputation calculation
THROTTLING_SLACK	10	Part of a reputation formula that allows entities to legitimately reject some transactions without being throttled
BAN_SLACK	50	Part of a reputation formula that allows throttled entities to reject some transactions without being throttled
BAN_OPS_SEEN_PENALTY	10000	A value to put into the opsSeen counter of entity to declare as banned
MAX_OPS_ALLOWED_UNSTAKED_ENTITY	10000
PRE_VERIFICATION_OVERHEAD_GAS	50000	Gas used by the EntryPoint per UserOp that cannot be tracked on-chain
MAX_VERIFICATION_GAS	500000	Maximum gas verification functions may use
MAX_USEROP_SIZE	8192	Maximum size of a single packed and ABI-encoded UserOperation in bytes
MAX_CONTEXT_SIZE	2048	Maximum size of a context byte array returned by a paymaster in a single UserOperation in bytes
MAX_BUNDLE_SIZE	262144	Maximum size of an ABI-encoded bundle call to the handleOps function in bytes
MAX_BUNDLE_CONTEXT_SIZE	65536	Maximum total size of all context byte arrays returned by all paymasters in all UserOperations in a bundle in bytes
VALIDATION_GAS_SLACK	4000	An amount of gas that must be added to the estimations of verificationGasLimit and paymasterVerificationGasLimit

Validation Rules

Definitions:

1. Validation Phase: there are up to three frames during the validation phase onchain

   1. sender deployment frame (once per account)
   2. sender validation (required)
   3. paymaster validation frame (optional)

2. Execution Phase: there are up to two frames during the execution phase onchain

3. sender execution frame (required)
4. paymaster post-transaction frame (optional)

The validation rules only apply during the validation phase. Once a UserOperation is validated, it is guaranteed to pay. There are no restrictions on execution, neither account (callData) nor paymaster (postOp)

1. Entity: a contract that is explicitly specified by the UserOperation. Includes the factory, paymaster, aggregator, and staked account, as discussed below. \ Each "validation frame" is attributed to a single entity. \ Entity contracts must have non-empty code on-chain.
2. Canonical Mempool: The rules defined in this document apply to the main mempool shared by all bundlers on the network.
3. Staked Entity: an entity that has a locked stake of at least MIN_STAKE_VALUE and an unstake delay of at least MIN_UNSTAKE_DELAY.
4. Associated storage: a storage slot of any smart contract is considered to be "associated" with address A if:
   1. The slot value is A
   2. The slot value was calculated as keccak(A||x)+n, where x is a bytes32 value, and n is a value in the range 0..128
5. Using an address: accessing the code of a given address in any way. This can be done by executing *CALL or EXTCODE* opcodes for a given address.
6. Spammer - a P2P peer bundler that attempts a DoS attack on the mempool by sending other peers with a large number of invalid UserOperations. Bundlers MUST detect and disconnect from such peers, as described in the Mempool Validation Rules section.

Reputation Definitions

1. opsSeen: a per-entity counter of how many times a unique valid UserOperation referencing this entity was received by this bundler. This includes UserOperation received via incoming RPC calls or through a P2P mempool protocol.

2. opsIncluded: a per-entity counter of how many times a unique valid UserOperation referencing this entity appeared in an actual included UserOperation. \ Calculation of this value is based on UserOperationEvents and is only counted for UserOperations that were previously counted as opsSeen by this bundler.

3. Refresh rate: Both of the above values are updated every hour as value = value * 23 // 24 \ Effectively, the value is reduced to 1% after 4 days.
4. inclusionRate: Ratio of opsIncluded to opsSeen

Reputation Calculation

We define a value max_seen = opsSeen // MIN_INCLUSION_RATE_DENOMINATOR.

The reputation state of each entity is determined as follows:

1. BANNED: max_seen > opsIncluded + BAN_SLACK
2. THROTTLED: max_seen > opsIncluded + THROTTLING_SLACK
3. OK: otherwise

Note that new entities start with an OK reputation.

Because of the reputation refresh rate, note that a malicious paymaster can at most cause the network (only the p2p network, not the blockchain) to process BAN_SLACK * MIN_INCLUSION_RATE_DENOMINATOR / 24 non-paying ops per hour.

Running the Validation Rules

1. A block builder or a bundler should perform a full validation once before accepting a UserOperation into its mempool, and again before including it in a bundle/block.
2. The bundler should trace the validation phase of the UserOperation and apply all the rules defined in this document.
3. A bundler should also perform a full validation of the entire bundle before submission.
4. The validation rules prevent an unstaked entity from altering its behavior between simulation and execution of the UserOperation. However, a malicious staked entity can detect that it is running in a bundle validation and cause a revert. Thus, a third tracing simulation of the entire bundle should be performed before submission.
5. The failed UserOperation should be dropped from the bundle.
6. The bundler should update the reputation of the staked entity that violated the rules, and consider it THROTTLED/BANNED as described below.

Mempool Validation Rules

1. A UserOperation is broadcast over the P2P protocol with the following information:
   1. The UserOperation itself
   2. The blockhash this UserOperation was originally verified against.
2. Once a UserOperation is received from another bundler it should be verified locally by a receiving bundler.
3. A received UserOperation may fail any of the reasonable static checks, such as: invalid format, values below minimum, submitted with a blockhash that isn't recent, etc. In this case, the bundler should drop this particular UserOperation but keep the connection.
4. The bundler should check the UserOperation against the nonces of last-included bundles and silently drop UserOperations with nonce that was recently included. This invalidation is likely attributable to a network race condition and should not cause a reputation change.
5. If a received UserOperation fails against the current block:
   1. Retry the validation against the block the UserOperation was originally verified against.
   2. If it succeeds, silently drop the UserOperation and keep the connection.
   3. If it fails, mark the sender as a "spammer" (disconnect from that peer and block it permanently).

Opcode Rules

• Block access from opcodes that access information outside of storage and code (aka "environment").
  • [OP-011] Blocked opcodes:
    • ORIGIN (0x32)
    • GASPRICE (0x3A)
    • BLOCKHASH (0x40)
    • COINBASE (0x41)
    • TIMESTAMP (0x42)
    • NUMBER (0x43)
    • PREVRANDAO/DIFFICULTY (0x44)
    • GASLIMIT (0x45)
    • BASEFEE (0x48)
    • BLOBHASH (0x49)
    • BLOBBASEFEE (0x4A)
    • CREATE (0xF0) (except in the "Contract Creation" and "Staked factory creation" sections, below)
    • INVALID (0xFE)
    • SELFDESTRUCT (0xFF)
  • [OP-012] GAS (0x5A) opcode is allowed, but only if followed immediately by *CALL instructions, else it is blocked.\ This is a common way to pass all remaining gas to an external call, and it means that the actual value is consumed from the stack immediately and cannot be accessed by any other opcode.
  • [OP-13] any "unassigned" opcode.
• [OP-020] Revert on "out of gas" is forbidden as it can "leak" the gas limit or the current call stack depth.
• Contract creation:
  • [OP-031] CREATE2 is allowed exactly once in the deployment frame and must deploy code for the "sender" address. (Either by the factory itself, or by a utility contract it calls)
  • [OP-032] If there is a factory (even unstaked), the sender contract is allowed to use CREATE opcode (That is, only the sender contract itself, not through utility contract)
• Access to an address without a deployed code is forbidden:
  • [OP-041] For EXTCODE* and *CALL opcodes.
  • [OP-042] Exception: access to the "sender" address is allowed. This is only possible in factory code during the deployment frame.
• Allowed access to the EntryPoint address:
  • [OP-051] May call EXTCODESIZE ISZERO\ This pattern is used to check destination has a code before the depositTo function is called.
  • [OP-052] May call depositTo(sender) with any value from either the sender or factory.
  • [OP-053] May call the fallback function from the sender with any value.
  • [OP-054] Any other access to the EntryPoint (either of the *CALL or EXT* opcodes) is forbidden.
  • [OP-055] May call incrementNonce()) from the sender
• *CALL opcodes:
  • [OP-061] CALL with value is forbidden. The only exception is a call to the EntryPoint described above.
  • [OP-062] Precompiles:
    • Only allow known accepted precompiles on the network, that do not access anything in the blockchain state or environment.
    • The core precompiles 0x1 .. 0x11
    • The RIP-7212 secp256r1 precompile, on networks that accepted it.
• [OP-070] Transient Storage slots defined in EIP-1153 and accessed using TLOAD (0x5c) and TSTORE (0x5d) opcodes are treated exactly like persistent storage (SLOAD/SSTORE).
• [OP-080] BALANCE (0x31) and SELFBALANCE (0x47) are allowed only from a staked entity, else they are blocked.

Code Rules

• [COD-010] Between the first and the second validations, the EXTCODEHASH value of any visited address, entity, or referenced library, may not be changed.\ If the code is modified, the UserOperation is considered invalid.

Storage Rules

The storage access with SLOAD and SSTORE (and TLOAD, TSTORE) instructions within each phase is limited as follows:

• [STO-010] Access to the "account" storage is always allowed.
• Access to associated storage of the account in an external (non-entity) contract is allowed if either:
  • [STO-021] The account already exists.
  • [STO-022] There is an initCode and the factory contract is staked.
• If the entity (paymaster, factory) is staked, then it is also allowed:
  • [STO-031] Access the entity's own storage.
  • [STO-032] Read/Write Access to storage slots that are associated with the entity, in any non-entity contract.
  • [STO-033] Read-only access to any storage in non-entity contract.

Local Rules

Local storage rules protect the bundler against denial of service at the time of bundling. They do not affect mempool propagation and cannot cause a bundler to be marked as a "spammer". * [STO-040] UserOperation may not use an entity address (factory/paymaster/aggregator) that is used as an "account" in another UserOperation in the mempool. \ This means that Paymaster, Factory or Aggregator contracts cannot practically be an "account" contract as well. * [STO-041] UserOperation may not use associated storage (of either its account or from staked entity) in a contract that is a "sender" of another UserOperation in the mempool.

General Reputation Rules

The following reputation rules apply for all staked entities, and for unstaked paymasters. All rules apply to all of these entities unless specified otherwise.

• [GREP-010] A BANNED address is not allowed into the mempool.\ Also, all existing UserOperations referencing this address are removed from the mempool.
• [GREP-020] A THROTTLED address is limited to:
  • THROTTLED_ENTITY_MEMPOOL_COUNT entries in the mempool.
  • THROTTLED_ENTITY_BUNDLE_COUNT UserOperations in a bundle.
  • Can remain in the mempool only for THROTTLED_ENTITY_LIVE_BLOCKS.
• [GREP-040] If an entity fails the bundle creation after passing second validation, its opsSeen set to BAN_OPS_SEEN_PENALTY, and opsIncluded to zero, causing it to be BANNED.
• [GREP-050] When a UserOperation is replaced (by submitting a new UserOperation, with higher gas fees), and an entity (e.g. a paymaster) is replaced, then the removed entity has its reputation (opsSeen counter) decremented by 1.

Staked Entities Reputation Rules

• [SREP-010] The "canonical mempool" defines a staked entity if it has MIN_STAKE_VALUE and unstake delay of MIN_UNSTAKE_DELAY
• [SREP-020] MOVED TO GREP-010
• [SREP-030] MOVED TO GREP-020
• [SREP-040] An OK staked entity is unlimited by the reputation rule.
  • Allowed in unlimited numbers in the mempool.
  • Allowed in unlimited numbers in a bundle.
• [SREP-050] MOVED TO GREP-040

Entity-specific Rules

• [EREP-010] For each paymaster, the bundler must track the total gas UserOperations using this paymaster may consume.
  • Bundler should not accept a new UserOperation with a paymaster to the mempool if the maximum total gas cost of all userops in the mempool, including this new UserOperation, is above the deposit of that paymaster at the current gas price.
• [EREP-011] REMOVED
• [EREP-015] A paymaster should not have its opsSeen incremented in case of a failure of factory or account
• When running 2nd validation (before inclusion in a bundle), if a UserOperation fails because of factory or account error (either a FailOp revert or validation rule), then the paymaster's opsSeen valid is decremented by 1.
• [EREP-016] An aggregator should not have its opsSeen incremented in case of a failure of a factory, an account or a paymaster
• When running 2nd validation (before inclusion in a bundle), if a UserOperation fails because of a factory, an account or a paymaster error (either a FailOp revert or validation rule), then the aggregator's opsSeen valid is decremented by 1.
• [EREP-020] If a staked factory is used, its reputation is updated for the account violating any of the validation rules accordingly. \ That is, if the validateUserOp() is rejected for any reason in a UserOperation that has an initCode, it is treated as if the factory caused this failure, and thus this affects its reputation.
• [EREP-030] If a staked account is used, its reputation is updated for failures in other entities (paymaster, aggregator) even if they are staked.
• [EREP-040] An aggregator must be staked, regardless of storage usage.
• [EREP-050] An unstaked paymaster may not return a context.
• [EREP-055] A context size may not change between validation and bundle creation. \ If a bundle creation reverts, and a paymaster's context size was modified, that paymaster \ is BANNED, regardless if the UserOperation that reverted used that paymaster or not.
• Staked factory creation rules:
• [EREP-060] If the factory is staked, either the factory itself or the sender may use the CREATE2 and CREATE opcode (the sender is allowed to use the CREATE with unstaked factory, with OP-032)
• [EREP-061] A staked factory may also use a utility contract that calls the CREATE
• [EREP-070] During bundle creation, if a staked entity reduce its validation gas by more than 10% compared to the second validation, that entity is throttled, even if the UserOperation itself didn't revert. (as it might affect the gas calculation based on EIP-7623 )

Unstaked Entities Reputation Rules

• Definitions:
  • opsSeen, opsIncluded, and reputation calculation are defined above.
  • UnstakedReputation of an entity determines the maximum number of entries using this entity allowed in the mempool.
  • opsAllowed is a reputation-based calculation for an unstaked entity, representing how many UserOperations it is allowed to have in the mempool.
  • Rules:
    • [UREP-010] An unstaked sender (that is not throttled/banned) is only allowed to have SAME_SENDER_MEMPOOL_COUNT UserOperations in the mempool.
    • [UREP-020] For an unstaked paymaster only that is not throttled/banned: \ opsAllowed = SAME_UNSTAKED_ENTITY_MEMPOOL_COUNT + inclusionRate * min(opsIncluded, MAX_OPS_ALLOWED_UNSTAKED_ENTITY).
    • This is a default of SAME_UNSTAKED_ENTITY_MEMPOOL_COUNT for new entity
    • [UREP-030] REMOVED

Alt-mempools Rules

Alternate mempool is an agreed-upon rule that the bundlers may opt into, in addition to the canonical mempool The alt-mempool "topic" is a unique identifier. By convention, this is the IPFS hash of the document describing (in clear test and YAML file) the specifics of this alt mempool.

• [ALT-010] The bundler listens to the alt-mempool "topic" over the P2P protocol
• [ALT-020] The alt mempool rules MUST be checked only when a canonical rule is violated
  • That is, if validation follows the canonical rules above, it is not considered part of an alt-mempool.
• [ALT-021] Such a UserOperation (that violates the canonical rules) is checked against all the "alternate mempools", and is considered part of all those alt-mempools
• [ALT-030] Bundlers SHOULD forward UserOperations to other bundlers only once, regardless of how many (shared) alt-mempools they have. \ The receiving bundler validates the UserOperations, and based on the above rules (and subscribed alt-mempools) decides which alt-mempools to propagate it to.
• [ALT-040] opsInclude and opsSeen of entities are kept per alt-mempool. That is, an entity can be considered throttled (or banned) in one mempool, while still active on another.

Alt-mempool Reputation

Alt-mempools are served by the same bundlers participating in the canonical mempool, but change the rules and may introduce denial-of-service attack vectors. To prevent them from taking the canonical mempool or other alt mempools down with them, a reputation is managed for each. An alt mempool that causes too many invalidations gets throttled. This limits the scope of the attack and lets the bundler continue doing its work for other mempools.

• [AREP-010] each alt-mempool has "opsSeen" and "opsIncluded", much like entities. The opsSeen is incremented after UserOperation initial validation, where it is considered part of this mempool. The "opsIncluded" is incremented after this UserOperation is included on-chain (either by this bundler, or another)
• [AREP-020] the alt-mempool becomes THROTTLED/BANNED based on the Reputation Calculation
• [AREP-030] REMOVED

Authorizations

• [AUTH-010] A UserOperation may only contain a single EIP-7702 authorization tuple.
• [AUTH-020] An account with EIP-7702 delegation can only be used as the Sender of the UserOperation. Using authorized account as any other kind of UserOperation entity is not allowed.
• [AUTH-030] An account with EIP-7702 delegation can only be accessed (using *CALL or EXTCODE* opcodes) if it is the Sender of the current UserOperation.
• [AUTH-040] If there are multiple UserOperations by the same sender with an authorization tuple in the mempool, they all MUST have the same delegate address.

Limitations

The validation rules attempt to guarantee a degree of isolation between individual UserOperations' validations. In order to prevent hitting the memory expansion limitations (imposed by ethereum EVM) when creating a bundle, UserOperations must meet the following limitations:

• [LIM-010] Maximum size of a single packed and ABI-encoded UserOperation in bytes MUST not exceed MAX_USEROP_SIZE
• [LIM-020] Maximum size of a context byte array returned by a paymaster in a single UserOperation in bytes MUST not exceed MAX_CONTEXT_SIZE
• [LIM-030] The verificationGasLimit and paymasterVerificationGasLimit parameters MUST exceed the actual usage during validation of the UserOperation by VALIDATION_GAS_SLACK
• [LIM-040] Maximum size of an ABI-encoded bundle call to the handleOps function in bytes SHOULD not exceed MAX_BUNDLE_SIZE
• [LIM-050] Maximum total size of all context byte arrays returned by all paymasters in all UserOperations in a bundle in bytes SHOULD not exceed MAX_BUNDLE_CONTEXT_SIZE

Rationale

All transactions initiated by EOAs have an implicit validation phase where balance, nonce, and signature are checked to be valid for the current state of the Ethereum blockchain. Once the transaction is checked to be valid by a node, only another transaction by the same EOA can modify the Ethereum state in a way that makes the first transaction invalid.

With Account Abstraction, however, the validation can also include an arbitrary EVM code and rely on storage as well, which means that unrelated UserOperations or transactions may invalidate each other.

If not addressed, this would make the job of maintaining a mempool of valid UserOperations and producing valid bundles computationally infeasible and susceptible to DoS attacks.

This document describes a set of validation rules that if applied by a bundler before accepting a UserOperation into the mempool can prevent such attacks.

The high-level goal

The purpose of this specification is to define a consensus between nodes (bundlers or block-builders) when processing incoming UserOperations from an external source. This external source for UserOperations is either an end-user node (via RPC ERC-7769) or another node in the p2p network.

The protocol tries to detect "spam" - which are large bursts of UserOperations that cannot be included on-chain (and thus can't pay). The network is protected by throttling down requests from such spammer nodes.

All nodes in the network must have the same definition of "spam": otherwise, if some nodes accept some type of UserOperations and propagate them while others consider them spam, those "forgiving" nodes will be considered "spammers" by the rest of the nodes, and the network effectively gets split.

The processing flow of a UserOperation

• First, a UserOperation is received - either via RPC (submitted on behalf of a single application) or via the p2p protocol, from another node in the mempool.
• The node performs validation on the UserOperation, and then adds it to its in-memory mempool, and submits it to its peers.
• Lastly, when building a block, a node collects UserOperations from the mempool, performs a 2nd validation to make sure they are all still valid as a bundle and submits them into the next block.

The need for 2nd validation before submitting a block

A normal Ethereum transaction in the mempool can be invalidated if another transaction was received with the same nonce. That other transaction had to increase the gas price in order to replace the first one, so it satisfied the rule of "must pay to get included into the mempool". With contract-based accounts, since the UserOperation validity may depend on mutable state, other transactions may invalidate a previously valid UserOperation, so we must check it before inclusion.

Rationale of limiting opcodes:

• the validation is performed off-chain, before creating a block. Some opcodes access information that is known only when creating the block.
• using those opcodes while validating a transaction can easily create a validation rule that will succeed off-chain, but always revert on-chain, and thus cause a DoS attack.
• a simple example is require block.number==12345. It can be valid when validating the UserOperation and adding it to the mempool but will be invalid when attempting to include it on-chain at a later block.

Rationale for limiting storage access

• We need UserOperation validations not to overlap so that a single storage change can't easily invalidate a large number of UserOperations in the mempool. By limiting UserOperations to access storage associated with the account itself, we know that we can for sure include a single UserOperation for each account in a bundle
• (A bundler MAY include multiple UserOperations of the same account in a bundle, but MUST first validate them together)

Rationale of requiring a stake

We want to be able to allow globally-used contracts (paymasters, factories, aggregators) to use storage not associated with the account, but still prevent them from spamming the mempool. If a contract causes too many UserOperations to fail in their second validation after succeeding in their first, we can throttle its use in the mempool. By requiring such a contract to have a stake, we prevent a "Sybil attack", by making it expensive to create a large number of such paymasters to continue the spam attack.

By following the validation rules, we can detect contracts that cause spam UserOperations, and throttle them. The stake comes to prevent the fast re-creation of malicious entities. The stake is never slashed (since it is only used for off-chain detection) but is locked for a period of time, which makes such an attack much more expensive.

Definition of the mass invalidation attack

A possible set of actions is considered to be a mass invalidation attack on the network if a large number of UserOperations that did pass the initial validation and were accepted by nodes and propagated further into the mempool to other bundlers in the network becomes invalid and not eligible for inclusion in a block.

There are 3 ways to perform such an attack:

1. Submit UserOperations that pass the initial validation, but later fail the re-validation that is performed during the bundle creation.
2. Submit UserOperations that are valid in isolation during validation, but when bundled together become invalid.
3. Submit valid UserOperations but "front-run" them by executing a state change on the network that causes them to become invalid. The "front-run" in question must be economically viable.

To prevent such attacks, we attempt to "sandbox" the validation code. We isolate the validation code from other UserOperations, from external changes to the storage, and from information about the environment such as a current block timestamp.

What is not considered a mass invalidation attack

A UserOperation that fails the initial validation by a receiving node without entering its mempool is not considered an attack. The node is expected to apply web2 security measures and throttle requests based on API key, source IP address, etc. RPC nodes already do that to prevent being spammed with invalid transactions which also have a validation cost. P2P nodes already have (and should apply) a scoring mechanism to determine spammer nodes.

Also, if the invalidation of N UserOperations from the mempool costs N*X with a sufficiently large X, it is not considered an economically viable attack.

• The minimum change to cause an invalidation is a storage change (5k gas)
• Assuming a Node can sustain processing 2000 invalid UserOps per block, the cost of a DoS attack is 10M gas per block.
• The above value is high, but we take further measures to make such an attack more expensive.

Security Considerations

This document describes the security considerations bundlers must take to protect themselves (and the entire mempool network) from denial-of-service attacks.

Copyright

Copyright and related rights waived via CC0.