This document is better viewed at https://docs.openzeppelin.com/contracts/api/account

This directory includes contracts to build accounts for ERC-4337. These include:

Account: An ERC-4337 smart account implementation that includes the core logic to process user operations.
AccountERC7579: An extension of Account that implements support for ERC-7579 modules.
AccountERC7579Hooked: An extension of AccountERC7579 with support for a single hook module (type 4).
ERC7821: Minimal batch executor implementation contracts. Useful to enable easy batch execution for smart contracts.
ERC4337Utils: Utility functions for working with ERC-4337 user operations.
ERC7579Utils: Utility functions for working with ERC-7579 modules and account modularity.

Extensions

AccountERC7579

AccountERC7579Hooked

ERC7821

`Account` 📁

import "@openzeppelin/contracts/account/Account.sol";

A simple ERC4337 account implementation. This base implementation only includes the minimal logic to process user operations.

Developers must implement the AbstractSigner._rawSignatureValidation function to define the account's validation logic.

NOTE: This core account doesn't include any mechanism for performing arbitrary external calls. This is an essential feature that all Account should have. We leave it up to the developers to implement the mechanism of their choice. Common choices include ERC-6900, ERC-7579 and ERC-7821 (among others).

IMPORTANT: Implementing a mechanism to validate signatures is a security-sensitive operation as it may allow an attacker to bypass the account's security measures. Check out SignerECDSA, SignerP256, or SignerRSA for digital signature validation implementations.

@custom:stateless

Functions

entryPoint()
getNonce()
getNonce(key)
validateUserOp(userOp, userOpHash, missingAccountFunds)
_validateUserOp(userOp, userOpHash)
_signableUserOpHash(, userOpHash)
_payPrefund(missingAccountFunds)
_checkEntryPoint()
_checkEntryPointOrSelf()
receive()

IAccount

AbstractSigner

_rawSignatureValidation(hash, signature)

Errors

AccountUnauthorized(sender)

IAccount

AbstractSigner

`onlyEntryPointOrSelf()`

Revert if the caller is not the entry point or the account itself.

`onlyEntryPoint()`

Revert if the caller is not the entry point.

`entryPoint() → contract IEntryPoint`

public

Canonical entry point for the account that forwards and validates user operations.

`getNonce() → uint256`

public

Return the account nonce for the canonical sequence.

`getNonce(uint192 key) → uint256`

public

Return the account nonce for a given sequence (key).

`validateUserOp(struct PackedUserOperation userOp, bytes32 userOpHash, uint256 missingAccountFunds) → uint256`

public

Validates a user operation.

MUST validate the caller is a trusted EntryPoint
MUST validate that the signature is a valid signature of the userOpHash, and SHOULD return SIG_VALIDATION_FAILED (and not revert) on signature mismatch. Any other error MUST revert.
MUST pay the entryPoint (caller) at least the “missingAccountFunds” (which might be zero, in case the current account’s deposit is high enough)

Returns an encoded packed validation data that is composed of the following elements:

authorizer (address): 0 for success, 1 for failure, otherwise the address of an authorizer contract
validUntil (uint48): The UserOp is valid only up to this time. Zero for “infinite”.
validAfter (uint48): The UserOp is valid only after this time.

`_validateUserOp(struct PackedUserOperation userOp, bytes32 userOpHash) → uint256`

internal

Returns the validationData for a given user operation. By default, this checks the signature of the signable hash (produced by Account._signableUserOpHash) using the abstract signer (AbstractSigner._rawSignatureValidation).

NOTE: The userOpHash is assumed to be correct. Calling this function with a userOpHash that does not match the userOp will result in undefined behavior.

`_signableUserOpHash(struct PackedUserOperation, bytes32 userOpHash) → bytes32`

internal

Virtual function that returns the signable hash for a user operations. Since v0.8.0 of the entrypoint, userOpHash is an EIP-712 hash that can be signed directly.

`_payPrefund(uint256 missingAccountFunds)`

internal

Sends the missing funds for executing the user operation to the entrypoint. The missingAccountFunds must be defined by the entrypoint when calling Account.validateUserOp.

`_checkEntryPoint()`

internal

Ensures the caller is the entrypoint.

`_checkEntryPointOrSelf()`

internal

Ensures the caller is the entrypoint or the account itself.

`receive()`

external

Receive Ether.

`AccountUnauthorized(address sender)`

error

Unauthorized call to the account.

`AccountERC7579` 📁

import "@openzeppelin/contracts/account/extensions/draft-AccountERC7579.sol";

Extension of Account that implements support for ERC-7579 modules.

To comply with the ERC-1271 support requirement, this contract defers signature validation to installed validator modules by calling IERC7579Validator.isValidSignatureWithSender.

This contract does not implement validation logic for user operations since this functionality is often delegated to self-contained validation modules. Developers must install a validator module upon initialization (or any other mechanism to enable execution from the account):

contract MyAccountERC7579 is AccountERC7579, Initializable {
  function initializeAccount(address validator, bytes calldata validatorData) public initializer {
    _installModule(MODULE_TYPE_VALIDATOR, validator, validatorData);
  }
}

[NOTE]

Hook support is not included. See AccountERC7579Hooked for a version that hooks to execution.
Validator selection, when verifying either ERC-1271 signature or ERC-4337 UserOperation is implemented in internal virtual functions AccountERC7579._extractUserOpValidator and AccountERC7579._extractSignatureValidator. Both are implemented following common practices. However, this part is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.
When combined with ERC7739, resolution ordering of AccountERC7579.isValidSignature may have an impact (ERC7739 does not call super). Manual resolution might be necessary.
Static calls (using callType 0xfe) are currently NOT supported. ====

WARNING: Removing all validator modules will render the account inoperable, as no user operations can be validated thereafter.

Modifiers

onlyModule(moduleTypeId, additionalContext)

Functions

fallback()
accountId()
supportsExecutionMode(encodedMode)
supportsModule(moduleTypeId)
installModule(moduleTypeId, module, initData)
uninstallModule(moduleTypeId, module, deInitData)
isModuleInstalled(moduleTypeId, module, additionalContext)
execute(mode, executionCalldata)
executeFromExecutor(mode, executionCalldata)
isValidSignature(hash, signature)
_validateUserOp(userOp, userOpHash)
_execute(mode, executionCalldata)
_installModule(moduleTypeId, module, initData)
_uninstallModule(moduleTypeId, module, deInitData)
_fallback()
_fallbackHandler(selector)
_checkModule(moduleTypeId, module, additionalContext)
_extractUserOpValidator(userOp)
_extractSignatureValidator(signature)
_decodeFallbackData(data)
_rawSignatureValidation(, )

IERC7579ModuleConfig

IERC7579AccountConfig

IERC7579Execution

IERC1271

Account

entryPoint()
getNonce()
getNonce(key)
validateUserOp(userOp, userOpHash, missingAccountFunds)
_signableUserOpHash(, userOpHash)
_payPrefund(missingAccountFunds)
_checkEntryPoint()
_checkEntryPointOrSelf()
receive()

IAccount

AbstractSigner

Events

IERC7579ModuleConfig

ModuleInstalled(moduleTypeId, module)
ModuleUninstalled(moduleTypeId, module)

IERC7579AccountConfig

IERC7579Execution

IERC1271

Account

IAccount

AbstractSigner

Errors

ERC7579MissingFallbackHandler(selector)

IERC7579ModuleConfig

IERC7579AccountConfig

IERC7579Execution

IERC1271

Account

AccountUnauthorized(sender)

IAccount

AbstractSigner

`onlyModule(uint256 moduleTypeId, bytes additionalContext)`

Modifier that checks if the caller is an installed module of the given type.

`fallback(bytes) → bytes`

external

See AccountERC7579._fallback.

`accountId() → string`

public

Returns the account id of the smart account

`supportsExecutionMode(bytes32 encodedMode) → bool`

public

Supported call types:

Single (0x00): A single transaction execution.
Batch (0x01): A batch of transactions execution.
Delegate (0xff): A delegate call execution.

Supported exec types:

Default (0x00): Default execution type (revert on failure).
Try (0x01): Try execution type (emits ERC7579TryExecuteFail on failure).

`supportsModule(uint256 moduleTypeId) → bool`

public

Supported module types:

Validator: A module used during the validation phase to determine if a transaction is valid and should be executed on the account.
Executor: A module that can execute transactions on behalf of the smart account via a callback.
Fallback Handler: A module that can extend the fallback functionality of a smart account.

`installModule(uint256 moduleTypeId, address module, bytes initData)`

public

Installs a Module of a certain type on the smart account

`uninstallModule(uint256 moduleTypeId, address module, bytes deInitData)`

public

Uninstalls a Module of a certain type on the smart account

`isModuleInstalled(uint256 moduleTypeId, address module, bytes additionalContext) → bool`

public

Returns whether a module is installed on the smart account

`execute(bytes32 mode, bytes executionCalldata)`

public

Executes a transaction on behalf of the account.

`executeFromExecutor(bytes32 mode, bytes executionCalldata) → bytes[] returnData`

public

Executes a transaction on behalf of the account. This function is intended to be called by Executor Modules

`isValidSignature(bytes32 hash, bytes signature) → bytes4`

public

Implement ERC-1271 through IERC7579Validator modules. If module based validation fails, fallback to "native" validation by the abstract signer.

NOTE: when combined with ERC7739, resolution ordering may have an impact (ERC7739 does not call super). Manual resolution might be necessary.

`_validateUserOp(struct PackedUserOperation userOp, bytes32 userOpHash) → uint256`

internal

Validates a user operation with Account._signableUserOpHash and returns the validation data if the module specified by the first 20 bytes of the nonce key is installed. Falls back to Account._validateUserOp otherwise.

See AccountERC7579._extractUserOpValidator for the module extraction logic.

`_execute(Mode mode, bytes executionCalldata) → bytes[] returnData`

internal

ERC-7579 execution logic. See AccountERC7579.supportsExecutionMode for supported modes.

Reverts if the call type is not supported.

`_installModule(uint256 moduleTypeId, address module, bytes initData)`

internal

Installs a module of the given type with the given initialization data.

For the fallback module type, the initData is expected to be the (packed) concatenation of a 4-byte selector and the rest of the data to be sent to the handler when calling IERC7579Module.onInstall.

Requirements:

Module type must be supported. See AccountERC7579.supportsModule. Reverts with ERC7579Utils.ERC7579UnsupportedModuleType.
Module must be of the given type. Reverts with ERC7579Utils.ERC7579MismatchedModuleTypeId.
Module must not be already installed. Reverts with ERC7579Utils.ERC7579AlreadyInstalledModule.

Emits a IERC7579ModuleConfig.ModuleInstalled event.

`_uninstallModule(uint256 moduleTypeId, address module, bytes deInitData)`

internal

Uninstalls a module of the given type with the given de-initialization data.

For the fallback module type, the deInitData is expected to be the (packed) concatenation of a 4-byte selector and the rest of the data to be sent to the handler when calling IERC7579Module.onUninstall.

Requirements:

Module must be already installed. Reverts with ERC7579Utils.ERC7579UninstalledModule otherwise.

`_fallback() → bytes`

internal

Fallback function that delegates the call to the installed handler for the given selector.

Reverts with AccountERC7579.ERC7579MissingFallbackHandler if the handler is not installed.

Calls the handler with the original msg.sender appended at the end of the calldata following the ERC-2771 format.

`_fallbackHandler(bytes4 selector) → address`

internal

Returns the fallback handler for the given selector. Returns address(0) if not installed.

`_checkModule(uint256 moduleTypeId, address module, bytes additionalContext)`

internal

Checks if the module is installed. Reverts if the module is not installed.

`_extractUserOpValidator(struct PackedUserOperation userOp) → address`

internal

Extracts the nonce validator from the user operation.

To construct a nonce key, set nonce as follows:

<module address (20 bytes)> | <key (4 bytes)> | <nonce (8 bytes)>

NOTE: The default behavior of this function replicates the behavior of Safe adapter, Etherspot's Prime Account, and ERC7579 reference implementation.

This is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.

For example, Biconomy's Nexus uses a similar yet incompatible approach (the validator address is also part of the nonce, but not at the same location)

`_extractSignatureValidator(bytes signature) → address module, bytes innerSignature`

internal

Extracts the signature validator from the signature.

To construct a signature, set the first 20 bytes as the module address and the remaining bytes as the signature data:

<module address (20 bytes)> | <signature data>

NOTE: The default behavior of this function replicates the behavior of Safe adapter, Biconomy's Nexus, Etherspot's Prime Account, and ERC7579 reference implementation.

This is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.

`_decodeFallbackData(bytes data) → bytes4 selector, bytes remaining`

internal

Extract the function selector from initData/deInitData for MODULE_TYPE_FALLBACK

NOTE: If we had calldata here, we could use calldata slice which are cheaper to manipulate and don't require actual copy. However, this would require _installModule to get a calldata bytes object instead of a memory bytes object. This would prevent calling _installModule from a contract constructor and would force the use of external initializers. That may change in the future, as most accounts will probably be deployed as clones/proxy/ERC-7702 delegates and therefore rely on initializers anyway.

`_rawSignatureValidation(bytes32, bytes) → bool`

internal

By default, only use the modules for validation of userOp and signature. Disable raw signatures.

`ERC7579MissingFallbackHandler(bytes4 selector)`

error

The account's AccountERC7579.fallback was called with a selector that doesn't have an installed handler.

`AccountERC7579Hooked` 📁

import "@openzeppelin/contracts/account/extensions/draft-AccountERC7579Hooked.sol";

Extension of AccountERC7579 with support for a single hook module (type 4).

If installed, this extension will call the hook module's IERC7579Hook.preCheck before executing any operation with AccountERC7579._execute (including AccessManager.execute and AccountERC7579.executeFromExecutor by default) and IERC7579Hook.postCheck thereafter.

NOTE: Hook modules break the check-effect-interaction pattern. In particular, the IERC7579Hook.preCheck hook can lead to potentially dangerous reentrancy. Using the withHook() modifier is safe if no effect is performed before the preHook or after the postHook. That is the case on all functions here, but it may not be the case if functions that have this modifier are overridden. Developers should be extremely careful when implementing hook modules or further overriding functions that involve hooks.

IERC7579ModuleConfig

IERC7579AccountConfig

IERC7579Execution

IERC1271

Account

entryPoint()
getNonce()
getNonce(key)
validateUserOp(userOp, userOpHash, missingAccountFunds)
_signableUserOpHash(, userOpHash)
_payPrefund(missingAccountFunds)
_checkEntryPoint()
_checkEntryPointOrSelf()
receive()

IAccount

AbstractSigner

Events

AccountERC7579

IERC7579ModuleConfig

ModuleInstalled(moduleTypeId, module)
ModuleUninstalled(moduleTypeId, module)

IERC7579AccountConfig

IERC7579Execution

IERC1271

Account

IAccount

AbstractSigner

Errors

ERC7579HookModuleAlreadyPresent(hook)

AccountERC7579

ERC7579MissingFallbackHandler(selector)

IERC7579ModuleConfig

IERC7579AccountConfig

IERC7579Execution

IERC1271

Account

AccountUnauthorized(sender)

IAccount

AbstractSigner

`withHook()`

Calls IERC7579Hook.preCheck before executing the modified function and IERC7579Hook.postCheck thereafter.

`accountId() → string`

public

Returns the account id of the smart account

`hook() → address`

public

Returns the hook module address if installed, or address(0) otherwise.

`supportsModule(uint256 moduleTypeId) → bool`

public

Supports hook modules. See AccountERC7579.supportsModule

`isModuleInstalled(uint256 moduleTypeId, address module, bytes data) → bool`

public

Returns whether a module is installed on the smart account

`_installModule(uint256 moduleTypeId, address module, bytes initData)`

internal

Installs a module with support for hook modules. See AccountERC7579._installModule

`_uninstallModule(uint256 moduleTypeId, address module, bytes deInitData)`

internal

Uninstalls a module with support for hook modules. See AccountERC7579._uninstallModule

`_execute(Mode mode, bytes executionCalldata) → bytes[]`

internal

Hooked version of AccountERC7579._execute.

`_fallback() → bytes`

internal

Hooked version of AccountERC7579._fallback.

`ERC7579HookModuleAlreadyPresent(address hook)`

error

A hook module is already present. This contract only supports one hook module.

`ERC7821` 📁

import "@openzeppelin/contracts/account/extensions/draft-ERC7821.sol";

Minimal batch executor following ERC-7821.

Only supports supports single batch mode (0x01000000000000000000). Does not support optional "opData".

@custom:stateless

Functions

execute(mode, executionData)
supportsExecutionMode(mode)
_erc7821AuthorizedExecutor(caller, , )

IERC7821

Errors

UnsupportedExecutionMode()

IERC7821

`execute(bytes32 mode, bytes executionData)`

public

Executes the calls in executionData with no optional opData support.

NOTE: Access to this function is controlled by ERC7821._erc7821AuthorizedExecutor. Changing access permissions, for example to approve calls by the ERC-4337 entrypoint, should be implemented by overriding it.

Reverts and bubbles up error if any call fails.

`supportsExecutionMode(bytes32 mode) → bool result`

public

This function is provided for frontends to detect support. Only returns true for:

bytes32(0x01000000000000000000...): does not support optional opData.
bytes32(0x01000000000078210001...): supports optional opData.

`_erc7821AuthorizedExecutor(address caller, bytes32, bytes) → bool`

internal

Access control mechanism for the AccessManager.execute function. By default, only the contract itself is allowed to execute.

Override this function to implement custom access control, for example to allow the ERC-4337 entrypoint to execute.

function _erc7821AuthorizedExecutor(
  address caller,
  bytes32 mode,
  bytes calldata executionData
) internal view virtual override returns (bool) {
  return caller == address(entryPoint()) || super._erc7821AuthorizedExecutor(caller, mode, executionData);
}

`UnsupportedExecutionMode()`

error

`EIP7702Utils` 📁

import "@openzeppelin/contracts/account/utils/EIP7702Utils.sol";

Library with common EIP-7702 utility functions.

See ERC-7702.

Functions

fetchDelegate(account)

`fetchDelegate(address account) → address`

internal

Returns the address of the delegate if account as an EIP-7702 delegation setup, or address(0) otherwise.

`IEntryPointExtra` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC4337Utils.sol";

This is available on all entrypoint since v0.4.0, but is not formally part of the ERC.

Functions

getUserOpHash(userOp)

`getUserOpHash(struct PackedUserOperation userOp) → bytes32`

external

`ERC4337Utils` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC4337Utils.sol";

Library with common ERC-4337 utility functions.

See ERC-4337.

Functions

parseValidationData(validationData)
packValidationData(aggregator, validAfter, validUntil)
packValidationData(sigSuccess, validAfter, validUntil)
combineValidationData(validationData1, validationData2)
getValidationData(validationData)
hash(self, entrypoint)
factory(self)
factoryData(self)
verificationGasLimit(self)
callGasLimit(self)
maxPriorityFeePerGas(self)
maxFeePerGas(self)
gasPrice(self)
paymaster(self)
paymasterVerificationGasLimit(self)
paymasterPostOpGasLimit(self)
paymasterData(self)

`parseValidationData(uint256 validationData) → address aggregator, uint48 validAfter, uint48 validUntil`

internal

Parses the validation data into its components. See ERC4337Utils.packValidationData.

`packValidationData(address aggregator, uint48 validAfter, uint48 validUntil) → uint256`

internal

Packs the validation data into a single uint256. See ERC4337Utils.parseValidationData.

`packValidationData(bool sigSuccess, uint48 validAfter, uint48 validUntil) → uint256`

internal

Same as ERC4337Utils.packValidationData, but with a boolean signature success flag.

`combineValidationData(uint256 validationData1, uint256 validationData2) → uint256`

internal

Combines two validation data into a single one.

The aggregator is set to ERC4337Utils.SIG_VALIDATION_SUCCESS if both are successful, while the validAfter is the maximum and the validUntil is the minimum of both.

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

`CallType` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

`ExecType` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

`ModeSelector` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

`ModePayload` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

`ERC7579Utils` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

Library with common ERC-7579 utility functions.

See ERC-7579.

Functions

execSingle(executionCalldata, execType)
execBatch(executionCalldata, execType)
execDelegateCall(executionCalldata, execType)
encodeMode(callType, execType, selector, payload)
decodeMode(mode)
encodeSingle(target, value, callData)
decodeSingle(executionCalldata)
encodeDelegate(target, callData)
decodeDelegate(executionCalldata)
encodeBatch(executionBatch)
decodeBatch(executionCalldata)

Events

ERC7579TryExecuteFail(batchExecutionIndex, returndata)

Errors

ERC7579UnsupportedCallType(callType)
ERC7579UnsupportedExecType(execType)
ERC7579MismatchedModuleTypeId(moduleTypeId, module)
ERC7579UninstalledModule(moduleTypeId, module)
ERC7579AlreadyInstalledModule(moduleTypeId, module)
ERC7579UnsupportedModuleType(moduleTypeId)
ERC7579DecodingError()

NOTE: This function runs some checks and will throw a ERC7579Utils.ERC7579DecodingError if the input is not properly formatted.

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

Compares two CallType values for equality.

`eqCallType(CallType a, CallType b) → bool`

internal

Compares two CallType values for equality.

`eqExecType` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

Compares two ExecType values for equality.

`eqExecType(ExecType a, ExecType b) → bool`

internal

Compares two ExecType values for equality.

`eqModeSelector` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

Compares two ModeSelector values for equality.

`eqModeSelector(ModeSelector a, ModeSelector b) → bool`

internal

Compares two ModeSelector values for equality.

`eqModePayload` 📁

import "@openzeppelin/contracts/account/utils/draft-ERC7579Utils.sol";

Compares two ModePayload values for equality.

`eqModePayload(ModePayload a, ModePayload b) → bool`

internal

Compares two ModePayload values for equality.