Skip to content

Smart Sessions

filmakarov edited this page Sep 17, 2024 · 23 revisions

Smart Sessions Module is an ERC-7579 Validator Module, whose main purpose is to allow permissioned validation of ERC-4337 User Operations and ERC-1271 Signatures.

Smart Sessions Module is designed to support DApps requesting permissions from users via ERC-7715 standard flow.

The obvious use case for permissioned userOps validation is Session Keys. Smart Sessions Module allows configuring sophisticated permissions for various kinds of session keys by stacking several kinds of Submodules together.

However, the Smart Sessions Module is capable of unlocking more functionality than just session keys, i.e. subscriptions, recurring payments, ownership, and others.

Smart Sessions Module ensures additional security by allowing to check attestations from Module Registry for every Submodule involved in the configuration of a Permission.

Smart Sessions ships equipped with submodules that unlock the vast majority of existing use cases. However, if there’s no perfect match for your use case amongst pre-built submodules, feel free to build your own according to the interface specifications.

Permission Structure

Permission consists of:

  • ISessionValidator: performs signature verification. More info..
  • Policies: introduce limitations (i.e. when the permission is valid and what is it allowed to do)
    • ERC-4337 Policies
      • UserOp Policies: enforce limitations that are going to be applied to all userOps (i.e. the general Permissions expiry timeframe). More info..
      • Action Policies: enforce limitations that apply based on a specific action that UserOp is executing. More info.
    • ERC-1271 Policies: scope the verification of ERC-1271 signatures. More info.

Smart Session validation flow

// diagram

PermissionId

SignerId acts as a main identifier for permission. You can think of SignerId as of username in *nix operation systems. In *nix systems every user comes with a strict set of access rules, the same applies to SignerId’s. Permission configuration is stored per Signer Id. So every SignerId has its own set of it is capable of signing and executing on behalf of a given Smart Account. Different Smart Accounts can empower the same SignerId with different permissions in the same way as the same user can have different rights on different *nix machines.

Currently, SignerId is generated by hashing the ISigner submodule address and data that is used to configure it. This data is called configuration data and it contains the information about the signer. For example, for a simple EOA ISigner, the configuration data would be just the signer’s EOA address. So the SignerId is in some way the derivative of the signer’s credentials.

ISessionValidator

ISigner is a submodule that performs the verification of a signature issued by the signer of the ERC-4337 User Operation or ERC-1271 data.

For every signerId there is one and and only one ISigner. However, such an ISigner can be very complex. For example, there is MultiKey ISigner included in the repo, that allows configuring n of n signatures rule, where each of those signatures can be whether secp256k1 (EOA) or secp256r1 (Passkey) signature.

ISigners are just algorithms. So they are stateless and they expect the configuration data for a given ISigner to be provided by the multiplexer (i.e. Smart Sessions Module) that stores it.

This allows ISigner submodules to be reusable across ERC-7579 ecosystem and even work as a standalone ERC-7579 module for Smart Accounts that choose to support them by storing configs in their storage.

IPolicies

IPolicy is a submodule that puts restrictions on what kind of ERC-4337 UserOps or ERC-1271 data can be signed by a signer and when such signatures are valid.

The same IPolicy can be used as UserOp level policy, Action policy, and/or ERC-1271 policy, allowing for efficient code sharing: sharing the same algorithm with different interfaces.

UserOp Policies

UserOp Policies configured for a given SignerId apply for every User Operation signed by this SignerId.

Examples of UserOp-level policies are:

  • TimeFrame Policy: applied as a UserOp-level policy, TimeFrame policy configures the validity timeframe for a given Permission
  • Gas Limit Policy: limits how much gas User Operations signed by a given signer can spend in total.
  • Simple Counter Policy: sets a total amount of UserOps that can be successfully validated for a Smart Account when signed by a given SignerId’s signer

Actions and Action Policies

Action Policies work only if the action that is about to be executed matches the configured action.

Action is defined by an ActionId which is a hash of the target smart contract address and function selector.

Smart Session Module identifies all the actions that are going to be executed in an execution phase of a User Operation and applies Action Policies accordingly.

For example, if the User Operation involves batched execution of several calls, every call will be scoped separately depending on what action policies are configured for it.

Examples of Action policies are:

  • Universal Action Policy: allows configuration of any arguments for any function call. For example, for an ERC-20 token transfer, receiver, maximum amount per transfer and total transfer limit per signer can be configured.
  • TimeFrame Policy: applied as an Action policy, TimeFrame policy configures the timeframe when a certain action can be executed if signed by a given signer
  • Simple Counter Policy: how many times given action can be executed in all the user operations signed by a signer

ERC-1271 Policies

Can scope the validation of ERC-1271 signatures. Since isValidSignature calls are not allowed to modify the Smart Account state, the ERC-1271 Policies currently have a very limited range of limitations they can apply. This however may change in the future when a sustainable way of passing not only signed hash, but more info on signed data can be passed to the signature validation method of an IPolicy.

Examples of ERC-1271 policies are:

  • TimeFrame Policy: sets the timeframe when a given signer’s ERC-1271 signatures can be validated
  • Sender Policy: defines what protocol may request ERC-1271 signature verification for a given signer

Enable Mode

There are many cases, and ERC-7715 flow is one of them, when dApp may need to enable the Permission inside the same User Operation when the Permission is leveraged. Even when this is not a must, it is still a feature that increases efficiency by packing two actions into the same User Operation, minimizing the ERC-4337 gas overhead.

That’s where Smart Sessions Enable Mode comes into play. It allows the inclusion of the Permission (Session) Enable object into the UserOperation which is used to enable the permission before validating the UserOp signed by a signer from this exact Permission.

This Permission Enable object contains the Permission itself and the signature over the EIP-712 digest. This signature should be valid when verified via the SmartAccount's isValidSignature method. So it should be signed by an owner of a given SA or by a user with appropriate rights to enable permissions.

This signature will be verified, and in case the verification succeeds, the Smart Sessions module will enable the Permission before validating the User Operation signed by the signer from this Permission.

Enable mode significantly improves UX for Session Keys, by reducing the number of UserOps => reducing the cost and latency for executing actions scoped by those Sessions.

Note, that Enable Mode doesn’t work for ERC-1271 sigs validation, as it is not allowed to modify state in ERC-1271 flow.

Special Cases

Smart Sessions Module unlocks use cases of scoped access to a Smart Account beyond Session Keys.

Subscriptions / Recurring Payments

Some use cases such as Subscriptions involve making recurrent payments. Since the automatic execution initiated by Smart Contract itself is not possible because of EVM architecture, there’s always a party that initiates such a payment.

To ensure better UX for Smart Account owners we can not expect them to manually pay for every Subscription Period. So users can authorize the subscription provider (or even anyone) to initiate such a payment, as long as this execution is within set limitations: how much to pay and how often to do it.

Such a permission pattern can be implemented with Smart Sessions by carefully configuring policies (for example: RateLimit policy to ensure the payment is done only once per defined period of time and the Universal Action Policy to limit the amount of a stablecoin paid for every subscription period). When the execution parameters are properly scoped it is safe to use the all-approving ISigner (YesSigner), so anyone can trigger the payment as long as it corresponds to the rules defined above.

Ownership

Even ownership can be configured via Smart Sessions by using the appropriate ISigner and no policies. So this given signer can do anything on behalf of a Smart Account.

This pattern unlocks many opportunities, such as turning a Smart Account into a Multisig by configuring some Multisig Signer and no policies.

Clone this wiki locally