Account

Revert if the caller is not the entry point or the account itself.

Revert if the caller is not the entry point.

Canonical entry point for the account that forwards and validates user operations.

Return the account nonce for the canonical sequence.

Return the account nonce for a given sequence (key).

Validates a user operation.

Returns an encoded packed validation data that is composed of the following elements:

Returns the validationData for a given user operation. By default, this checks the signature of the signable hash (produced by _signableUserOpHash) using the abstract signer (AbstractSigner._rawSignatureValidation).

Virtual function that returns the signable hash for a user operations. Since v0.8.0 of the entrypoint, userOpHash is an EIP-712 hash that can be signed directly.

Sends the missing funds for executing the user operation to the entryPoint. The missingAccountFunds must be defined by the entrypoint when calling validateUserOp.

Ensures the caller is the entryPoint.

Ensures the caller is the entryPoint or the account itself.

Receive Ether.

Unauthorized call to the account.

Modifier that checks if the caller is an installed module of the given type.

See _fallback.

Returns the account id of the smart account

Supported call types: * Single (0x00): A single transaction execution. * Batch (0x01): A batch of transactions execution. * Delegate (0xff): A delegate call execution.

Supported exec types: * Default (0x00): Default execution type (revert on failure). * Try (0x01): Try execution type (emits ERC7579TryExecuteFail on failure).

Supported module types:

Installs a Module of a certain type on the smart account

Uninstalls a Module of a certain type on the smart account

Returns whether a module is installed on the smart account

Executes a transaction on behalf of the account.

Executes a transaction on behalf of the account. This function is intended to be called by Executor Modules

Implement ERC-1271 through IERC7579Validator modules. If module based validation fails, fallback to "native" validation by the abstract signer.

Validates a user operation with _signableUserOpHash and returns the validation data if the module specified by the first 20 bytes of the nonce key is installed. Falls back to Account._validateUserOp otherwise.

See _extractUserOpValidator for the module extraction logic.

ERC-7579 execution logic. See supportsExecutionMode for supported modes.

Reverts if the call type is not supported.

Installs a module of the given type with the given initialization data.

For the fallback module type, the initData is expected to be the (packed) concatenation of a 4-byte selector and the rest of the data to be sent to the handler when calling {IERC7579Module-onInstall}.

Requirements:

Emits a {ModuleInstalled} event.

Uninstalls a module of the given type with the given de-initialization data.

For the fallback module type, the deInitData is expected to be the (packed) concatenation of a 4-byte selector and the rest of the data to be sent to the handler when calling {IERC7579Module-onUninstall}.

Requirements:

Fallback function that delegates the call to the installed handler for the given selector.

Reverts with ERC7579MissingFallbackHandler if the handler is not installed.

Calls the handler with the original msg.sender appended at the end of the calldata following the ERC-2771 format.

Returns the fallback handler for the given selector. Returns address(0) if not installed.

Checks if the module is installed. Reverts if the module is not installed.

Extracts the nonce validator from the user operation.

To construct a nonce key, set nonce as follows:

This is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.

For example, Biconomy’s Nexus uses a similar yet incompatible approach (the validator address is also part of the nonce, but not at the same location)

Extracts the signature validator from the signature.

To construct a signature, set the first 20 bytes as the module address and the remaining bytes as the signature data:

This is not standardized in ERC-7579 (or in any follow-up ERC). Some accounts may want to override these internal functions.

Extract the function selector from initData/deInitData for MODULE_TYPE_FALLBACK

By default, only use the modules for validation of userOp and signature. Disable raw signatures.

The account’s fallback was called with a selector that doesn’t have an installed handler.

Calls {IERC7579Hook-preCheck} before executing the modified function and {IERC7579Hook-postCheck} thereafter.

Returns the account id of the smart account

Returns the hook module address if installed, or address(0) otherwise.

Supports hook modules. See AccountERC7579.supportsModule

Returns whether a module is installed on the smart account

Installs a module with support for hook modules. See AccountERC7579._installModule

Uninstalls a module with support for hook modules. See AccountERC7579._uninstallModule

Hooked version of AccountERC7579._execute.

Hooked version of AccountERC7579._fallback.

A hook module is already present. This contract only supports one hook module.

Executes the calls in executionData with no optional opData support.

Reverts and bubbles up error if any call fails.

This function is provided for frontends to detect support. Only returns true for:

Access control mechanism for the execute function. By default, only the contract itself is allowed to execute.

Override this function to implement custom access control, for example to allow the ERC-4337 entrypoint to execute.

Returns boolean value if module is a certain type

Executes an operation and returns the result data from the executed operation. Restricted to the account itself by default. See _execute for requirements and _validateExecution for authorization checks.

Validates whether the execution can proceed. This function is called before executing the operation and returns the execution calldata to be used.

Example extension:

Internal version of execute. Emits ERC7579ExecutorOperationExecuted event.

Requirements:

Emitted when an operation is executed.

Current state of an operation.

Same as state, but for a specific operation id.

Minimum delay after which setDelay takes effect. Set as default delay if not provided during onInstall.

Delay for a specific account.

Expiration delay for account operations.

Schedule for an operation. Returns default values if not set (i.e. uint48(0), uint48(0), uint48(0)).

Same as getSchedule but with the operation id.

Returns the operation id.

Default expiration for account operations. Set if not provided during onInstall.

Sets up the module’s initial configuration when installed by an account. The account calling this function becomes registered with the module.

The initData may be abi.encode(uint32(initialDelay), uint32(initialExpiration)). The delay will be set to the maximum of this value and the minimum delay if provided. Otherwise, the delay will be set to minSetback and defaultExpiration respectively.

Behaves as a no-op if the module is already installed.

Requirements:

Allows an account to update its execution delay (see getDelay).

The new delay will take effect after a transition period defined by the current delay or minSetback, whichever is longer. This prevents immediate security downgrades. Can only be called by the account itself.

Allows an account to update its execution expiration (see getExpiration).

Schedules an operation to be executed after the account’s delay period (see getDelay). Operations are uniquely identified by the combination of salt, mode, and data. See _validateSchedule for authorization checks.

Cancels a previously scheduled operation. Can only be called by the account that scheduled the operation. See _cancel.

Cleans up the getDelay and getExpiration values by scheduling them to 0 and respecting the previous delay and expiration values.

Returns data as the execution calldata. See ERC7579Executor._execute.

Validates whether an operation can be canceled.

Example extension:

Validates whether an operation can be scheduled.

Example extension:

Internal implementation for setting an account’s delay. See getDelay.

Emits an ERC7579ExecutorDelayUpdated event.

Internal implementation for setting an account’s expiration. See getExpiration.

Emits an ERC7579ExecutorExpirationUpdated event.

Internal version of schedule that takes an account address to schedule an operation that starts its security window at at and expires after delay.

Requirements:

Emits an ERC7579ExecutorOperationScheduled event.

See ERC7579Executor._execute.

Requirements:

Internal version of cancel that takes an account address as an argument.

Requirements:

Canceled operations can’t be rescheduled. Emits an ERC7579ExecutorOperationCanceled event.

Check that the current state of a operation matches the requirements described by the allowedStates bitmap. This bitmap should be built using _encodeStateBitmap.

If requirements are not met, reverts with a ERC7579ExecutorUnexpectedOperationState error.

Encodes a OperationState into a bytes32 representation where each bit enabled corresponds to the underlying position in the OperationState enum. For example:

Emitted when a new operation is scheduled.

Emitted when a new operation is canceled.

Emitted when the execution delay is updated.

Emitted when the expiration delay is updated.

The current state of a operation is not the expected. The expectedStates is a bitmap with the bits enabled for each OperationState enum position counting from right to left. See _encodeStateBitmap.

The module is not installed on the account.

Returns boolean value if module is a certain type

Validates a UserOperation

See {IERC7579Validator-isValidSignatureWithSender}.

Ignores the sender parameter and validates using _rawERC7579Validation. Consider overriding this function to implement custom validation logic based on the original sender.

Validation algorithm.

Return the ERC-7913 signer (i.e. verifier || key).

See {IERC7579Module-onInstall}.

See {IERC7579Module-onUninstall}.

Sets the ERC-7913 signer (i.e. verifier || key) for the calling account.

Internal version of setSigner that takes an account as argument without validating signer_.

See ERC7579Validator._rawERC7579Validation.

Validates a signature using ERC-7913 verification.

This base implementation ignores the sender parameter and validates using the account’s stored signer. Derived contracts can override this to implement custom validation logic based on the sender.

Emitted when the signer is set.

Thrown when the signer length is less than 20 bytes.

Sets up the module’s initial configuration when installed by an account. See ERC7579DelayedExecutor.onInstall. Besides the delay setup, the initdata can include signers and threshold.

The initData should be encoded as: abi.encode(bytes[] signers, uint256 threshold)

If no signers or threshold are provided, the multisignature functionality will be disabled until they are added later.

Cleans up module’s configuration when uninstalled from an account. Clears all signers and resets the threshold.

See ERC7579DelayedExecutor.onUninstall.

Returns the set of authorized signers for the specified account.

Returns whether the signer is an authorized signer for the specified account.

Returns the set of authorized signers for the specified account.

Returns the minimum number of signers required to approve a multisignature operation for the specified account.

Adds new signers to the authorized set for the calling account. Can only be called by the account itself.

Requirements:

Removes signers from the authorized set for the calling account. Can only be called by the account itself.

Requirements:

Sets the threshold for the calling account. Can only be called by the account itself.

Requirements:

Returns whether the number of valid signatures meets or exceeds the threshold set for the target account.

The signature should be encoded as: abi.encode(bytes[] signingSigners, bytes[] signatures)

Where signingSigners are the authorized signers and signatures are their corresponding signatures of the operation hash.

Adds the newSigners to those allowed to sign on behalf of the account.

Requirements:

Removes the oldSigners from the authorized signers for the account.

Requirements:

Sets the signatures threshold required to approve a multisignature operation.

Requirements:

Validates the current threshold is reachable with the number of signers.

Requirements:

Validates the signatures using the signers and their corresponding signatures. Returns whether the signers are authorized and the signatures are valid for the given hash.

The signers must be ordered by their keccak256 hash to prevent duplications and to optimize the verification process. The function will return false if any signer is not authorized or if the signatures are invalid for the given hash.

Requirements:

Validates that the number of signers meets the threshold requirement. Assumes the signers were already validated. See _validateSignatures for more details.

Emitted when signers are added.

Emitted when signers are removed.

Emitted when the threshold is updated.

The signer already exists.

The signer does not exist.

The signer is less than 20 bytes long.

The threshold is unreachable given the number of signers.

Sets up the module’s initial configuration when installed by an account. Besides the standard delay and signer configuration, this can also include signer weights.

The initData should be encoded as: abi.encode(bytes[] signers, uint256 threshold, uint256[] weights)

If weights are not provided but signers are, all signers default to weight 1.

Cleans up module’s configuration when uninstalled from an account. Clears all signers, weights, and total weights.

See ERC7579Multisig.onUninstall.

Gets the weight of a signer for a specific account. Returns 0 if the signer is not authorized.

Gets the total weight of all signers for a specific account.

Sets weights for signers for the calling account. Can only be called by the account itself.

Gets the weight of the current signer. Returns 1 if not explicitly set. This internal function doesn’t check if the signer is authorized.

Sets weights for multiple signers at once. Internal version without access control.

Requirements:

Emits ERC7579MultisigWeightChanged for each signer.

Override to add weight tracking. See ERC7579Multisig._addSigners. Each new signer has a default weight of 1.

Override to handle weight tracking during removal. See ERC7579Multisig._removeSigners.

Override to validate threshold against total weight instead of signer count.

Validates that the total weight of signers meets the threshold requirement. Overrides the base implementation to use weights instead of count.

Calculates the total weight of a set of signers.

Emitted when a signer’s weight is changed.

Thrown when a signer’s weight is invalid.

Thrown when the arrays lengths don’t match.

Generates a hash that signers must sign to confirm their addition to the multisig of account.

Extends ERC7579Multisig._addSigners _addSigners to require confirmation signatures Each entry in newSigners must be ABI-encoded as:

The function verifies each signature before adding the signer. If any signature is invalid, the function reverts with ERC7579MultisigInvalidConfirmationSignature.

Error thrown when a `signer’s confirmation signature is invalid

Error thrown when a confirmation signature has expired

Revert if the caller is not the entry point.

Canonical entry point for the account that forwards and validates user operations.

Validates whether the paymaster is willing to pay for the user operation. See {IAccount-validateUserOp} for additional information on the return value.

Verifies the sender is the entrypoint.

Internal validation of whether the paymaster is willing to pay for the user operation. Returns the context to be passed to postOp and the validation data.

The requiredPreFund is the amount the paymaster has to pay (in native tokens). It’s calculated as requiredGas * userOp.maxFeePerGas, where required gas can be calculated from the user operation as verificationGasLimit + callGasLimit + paymasterVerificationGasLimit + paymasterPostOpGasLimit + preVerificationGas

Handles post user operation execution logic. The caller must be the entry point.

It receives the context returned by _validatePaymasterUserOp. Function is not called if no context is returned by validatePaymasterUserOp.

Calls {IEntryPointStake-depositTo}.

Calls {IEntryPointStake-withdrawTo}.

Calls {IEntryPointStake-addStake}.

Calls {IEntryPointStake-unlockStake}.

Calls {IEntryPointStake-withdrawStake}.

Ensures the caller is the entryPoint.

Checks whether msg.sender withdraw funds stake or deposit from the entrypoint on paymaster’s behalf.

Use of an access control modifier such as {Ownable-onlyOwner} is recommended.

Unauthorized call to the paymaster.

See PaymasterCore._validatePaymasterUserOp.

Attempts to retrieve the token and tokenPrice from the user operation (see _fetchDetails) and prefund the user operation using these values and the maxCost argument (see _prefund).

Returns abi.encodePacked(userOpHash, token, tokenPrice, prefundAmount, prefunder, prefundContext) in context if the prefund is successful. Otherwise, it returns empty bytes.

Prefunds the userOp by charging the maximum possible gas cost (maxCost) in ERC-20 token.

The token and tokenPrice is obtained from the {fetchDetails} function and are funded by the prefunder, which is the user operation sender by default. The prefundAmount is calculated using _erc20Cost.

Returns a prefundContext that’s passed to the _postOp function through its context return value.

Attempts to refund the user operation after execution. See _refund.

Reverts with PaymasterERC20FailedRefund if the refund fails.

Refunds any unused gas back to the user (i.e. prefundAmount - actualAmount) in token.

The actualAmount is calculated using _erc20Cost and the actualGasCost, actualUserOpFeePerGas, prefundContext and the tokenPrice from the _postOp's context.

Retrieves payment details for a user operation.

The values returned by this internal function are:

Over-estimates the cost of the post-operation logic.

Denominator used for interpreting the tokenPrice returned by _fetchDetails as "fixed point" in _erc20Cost.

Calculates the cost of the user operation in ERC-20 tokens.

Public function that allows the withdrawer to extract ERC-20 tokens resulting from gas payments.

Emitted when a user operation identified by userOpHash is sponsored by this paymaster using the specified ERC-20 token. The tokenAmount is the amount charged for the operation, and tokenPrice is the price of the token in native currency (e.g., ETH).

Throws when the paymaster fails to refund the difference between the prefundAmount and the actualAmount of token.

Prefunds the user operation using either the guarantor or the default prefunder. See PaymasterERC20._prefund.

Returns abi.encodePacked(…​, userOp.sender) in prefundContext to allow the refund process to identify the user operation sender.

Handles the refund process for guaranteed operations.

If the operation was guaranteed, it attempts to get repayment from the user first and then refunds the guarantor. Otherwise, fallback to PaymasterERC20._refund.

Fetches the guarantor address and validation data from the user operation.

Over-estimates the cost of the post-operation logic. Added on top of guaranteed userOps post-operation cost.

Emitted when a user operation identified by userOpHash is guaranteed by a guarantor for prefundAmount.

ERC-721 token used to validate the user operation.

Sets the ERC-721 token used to validate the user operation.

Internal validation of whether the paymaster is willing to pay for the user operation. Returns the context to be passed to postOp and the validation data.

Emitted when the paymaster token is set.

Virtual function that returns the signable hash for a user operations. Given the userOpHash contains the paymasterAndData itself, it’s not possible to sign that value directly. Instead, this function must be used to provide a custom mechanism to authorize an user operation.

Internal validation of whether the paymaster is willing to pay for the user operation. Returns the context to be passed to postOp and the validation data.

Decodes the user operation’s data from paymasterAndData.