Account

Current state of an operation.

Same as ERC7579DelayedExecutor.state, but for a specific operation id.

Minimum delay after which ERC7579DelayedExecutor.setDelay takes effect. Set as default delay if not provided during ERC7579DelayedExecutor.onInstall.

Delay for a specific account.

Expiration delay for account operations.

Schedule for an operation. Returns default values if not set (i.e. uint48(0), uint48(0), uint48(0)).

Same as ERC7579DelayedExecutor.getSchedule but with the operation id.

Returns the operation id.

Default expiration for account operations. Set if not provided during ERC7579DelayedExecutor.onInstall.

Sets up the module's initial configuration when installed by an account. The account calling this function becomes registered with the module.

The initData may be abi.encode(uint32(initialDelay), uint32(initialExpiration)). The delay will be set to the maximum of this value and the minimum delay if provided. Otherwise, the delay will be set to ERC7579DelayedExecutor.minSetback and ERC7579DelayedExecutor.defaultExpiration respectively.

Behaves as a no-op if the module is already installed.

Requirements:

• The account (i.e msg.sender) must implement the IERC7579ModuleConfig interface.
• initData must be empty or decode correctly to (uint32, uint32).

Allows an account to update its execution delay (see ERC7579DelayedExecutor.getDelay).

The new delay will take effect after a transition period defined by the current delay or ERC7579DelayedExecutor.minSetback, whichever is longer. This prevents immediate security downgrades. Can only be called by the account itself.

Allows an account to update its execution expiration (see ERC7579DelayedExecutor.getExpiration).

Schedules an operation to be executed after the account's delay period (see ERC7579DelayedExecutor.getDelay). Operations are uniquely identified by the combination of salt, mode, and data. See ERC7579DelayedExecutor._validateSchedule for authorization checks.

Cancels a previously scheduled operation. Can only be called by the account that scheduled the operation. See ERC7579DelayedExecutor._cancel.

Cleans up the ERC7579DelayedExecutor.getDelay and ERC7579DelayedExecutor.getExpiration values by scheduling them to 0 and respecting the previous delay and expiration values.

could potentially be re-executed if the module is reinstalled later. This is a deliberate design choice for efficiency, but module implementations may want to override this behavior to clear scheduled operations during uninstallation for their specific use cases.

NOTE: Calling this function directly will remove the expiration (ERC7579DelayedExecutor.getExpiration) value and will schedule a reset of the delay (ERC7579DelayedExecutor.getDelay) to 0 for the account. Reinstalling the module will not immediately reset the delay if the delay reset hasn't taken effect yet.

Returns data as the execution calldata. See ERC7579Executor._execute.

NOTE: This function relies on the operation state validation in ERC7579DelayedExecutor._execute for authorization. Extensions of this module should override this function to implement additional validation logic if needed.

Validates whether an operation can be canceled.

Example extension:

 function _validateCancel(address account, bytes32 salt, bytes32 mode, bytes calldata data) internal override {
   // e.g. require(msg.sender == account);
 }

Validates whether an operation can be scheduled.

Example extension:

 function _validateSchedule(address account, bytes32 salt, bytes32 mode, bytes calldata data) internal override {
   // e.g. require(msg.sender == account);
 }

Internal implementation for setting an account's delay. See ERC7579DelayedExecutor.getDelay.

Emits an ERC7579DelayedExecutor.ERC7579ExecutorDelayUpdated event.

Internal implementation for setting an account's expiration. See ERC7579DelayedExecutor.getExpiration.

Emits an ERC7579DelayedExecutor.ERC7579ExecutorExpirationUpdated event.

Internal version of ERC7579DelayedExecutor.schedule that takes an account address to schedule an operation that starts its security window at at and expires after delay.

Requirements:

• The operation must be Unknown.

Emits an ERC7579DelayedExecutor.ERC7579ExecutorOperationScheduled event.

See ERC7579Executor._execute.

Requirements:

• The operation must be Ready.

Internal version of ERC7579DelayedExecutor.cancel that takes an account address as an argument.

Requirements:

• The operation must be Scheduled or Ready.

Canceled operations can't be rescheduled. Emits an ERC7579DelayedExecutor.ERC7579ExecutorOperationCanceled event.

Check that the current state of a operation matches the requirements described by the allowedStates bitmap. This bitmap should be built using ERC7579DelayedExecutor._encodeStateBitmap.

If requirements are not met, reverts with a ERC7579DelayedExecutor.ERC7579ExecutorUnexpectedOperationState error.

Encodes a OperationState into a bytes32 representation where each bit enabled corresponds to the underlying position in the OperationState enum. For example:

0x000...10000
  ^^^^^^------ ...
        ^----- Canceled
         ^---- Executed
          ^--- Ready
           ^-- Scheduled
            ^- Unknown

Emitted when a new operation is scheduled.

Emitted when a new operation is canceled.

Emitted when the execution delay is updated.

Emitted when the expiration delay is updated.

The current state of a operation is not the expected. The expectedStates is a bitmap with the bits enabled for each OperationState enum position counting from right to left. See ERC7579DelayedExecutor._encodeStateBitmap.

NOTE: If expectedState is bytes32(0), the operation is expected to not be in any state (i.e. not exist).

The module is not installed on the account.

Returns boolean value if module is a certain type

Executes an operation and returns the result data from the executed operation. Restricted to the account itself by default. See ERC7579DelayedExecutor._execute for requirements and ERC7579DelayedExecutor._validateExecution for authorization checks.

Validates whether the execution can proceed. This function is called before executing the operation and returns the execution calldata to be used.

Example extension:

 function _validateExecution(address account, bytes32 salt, bytes32 mode, bytes calldata data)
     internal
     override
     returns (bytes calldata)
 {
     // custom logic
     return data;
 }

TIP: Pack extra data in the data arguments (e.g. a signature) to be used in the validation process. Calldata can be sliced to extract it and return only the execution calldata.

Internal version of ERC7579Executor.execute. Emits ERC7579Executor.ERC7579ExecutorOperationExecuted event.

Requirements:

• The account must implement the IERC7579Execution-executeFromExecutor function.

Emitted when an operation is executed.

Sets up the module's initial configuration when installed by an account. See ERC7579DelayedExecutor.onInstall. Besides the delay setup, the initdata can include signers and threshold.

The initData should be encoded as: abi.encode(bytes[] signers, uint64 threshold)

If no signers or threshold are provided, the multisignature functionality will be disabled until they are added later.

NOTE: An account can only call onInstall once. If called directly by the account, the signer will be set to the provided data. Future installations will behave as a no-op.

Cleans up module's configuration when uninstalled from an account. Clears all signers and resets the threshold.

See ERC7579DelayedExecutor.onUninstall.

See EnumerableSet-clear.

Returns a slice of the set of authorized signers for the specified account.

Using start = 0 and end = type(uint64).max will return the entire set of signers.

can be expensive. This is designed for view accessors queried without gas fees. Using it in state-changing functions may become uncallable if the slice grows too large.

Returns the number of authorized signers for the specified account.

Returns whether the signer is an authorized signer for the specified account.

Returns the minimum number of signers required to approve a multisignature operation for the specified account.

Adds new signers to the authorized set for the calling account. Can only be called by the account itself.

Requirements:

• Each of newSigners must be at least 20 bytes long.
• Each of newSigners must not be already authorized.

Removes signers from the authorized set for the calling account. Can only be called by the account itself.

Requirements:

• Each of oldSigners must be authorized.
• After removal, the threshold must still be reachable.

Sets the threshold for the calling account. Can only be called by the account itself.

Requirements:

• The threshold must be reachable with the current number of signers.

Returns whether the number of valid signatures meets or exceeds the threshold set for the target account.

The signature should be encoded as: abi.encode(bytes[] signingSigners, bytes[] signatures)

Where signingSigners are the authorized signers and signatures are their corresponding signatures of the operation hash.

Adds the newSigners to those allowed to sign on behalf of the account.

Requirements:

• Each of newSigners must be at least 20 bytes long. Reverts with ERC7579Multisig.ERC7579MultisigInvalidSigner if not.
• Each of newSigners must not be authorized. Reverts with ERC7579Multisig.ERC7579MultisigAlreadyExists if it already exists.

Removes the oldSigners from the authorized signers for the account.

Requirements:

• Each of oldSigners must be authorized. Reverts with ERC7579Multisig.ERC7579MultisigNonexistentSigner if not.
• The threshold must remain reachable after removal. See ERC7579Multisig._validateReachableThreshold for details.

Sets the signatures threshold required to approve a multisignature operation.

Requirements:

• The threshold must be greater than 0. Reverts with ERC7579Multisig.ERC7579MultisigZeroThreshold if not.
• The threshold must be reachable with the current number of signers. See ERC7579Multisig._validateReachableThreshold for details.

Validates the current threshold is reachable with the number of ERC7579Multisig._signersSetByAccount.

Requirements:

• The number of signers must be >= the threshold. Reverts with ERC7579Multisig.ERC7579MultisigUnreachableThreshold if not.

Validates the signatures using the signers and their corresponding signatures. Returns whether the signers are authorized and the signatures are valid for the given hash.

The signers must be ordered by their keccak256 hash to prevent duplications and to optimize the verification process. The function will return false if any signer is not authorized or if the signatures are invalid for the given hash.

Requirements:

• The signatures array must be at least the signers array's length.

Validates that the number of signers meets the ERC7579Multisig.threshold requirement. Assumes the signers were already validated. See ERC7579Multisig._validateSignatures for more details.

Emitted when signers are added.

Emitted when signers are removed.

Emitted when the threshold is updated.

The signer already exists.

The signer does not exist.

The signer is less than 20 bytes long.

The threshold is zero.

The threshold is unreachable given the number of signers.

Generates a hash that signers must sign to confirm their addition to the multisig of account.

Extends ERC7579Multisig._addSigners _addSigners to require confirmation signatures Each entry in newSigners must be ABI-encoded as:

abi.encode(deadline,signer,signature); // uint256, bytes, bytes

• signer: The ERC-7913 signer to add
• signature: The signature from this signer confirming their addition

The function verifies each signature before adding the signer. If any signature is invalid, the function reverts with ERC7579MultisigConfirmation.ERC7579MultisigInvalidConfirmationSignature.

Error thrown when a signer's confirmation signature is invalid

Error thrown when a confirmation signature has expired

Returns whether a signer has presigned a specific hash for the account

Allows a signer to presign a hash by providing a valid signature. The signature will be verified and if valid, the presignature will be stored.

Emits ERC7579MultisigStorage.ERC7579MultisigStoragePresigned if the signature is valid and the hash is not already signed, otherwise acts as a no-op.

NOTE: Does not check if the signer is authorized for the account. Valid signatures from invalid signers won't be executable. See ERC7579Multisig._validateSignatures for more details.

See ERC7579Multisig._validateSignatures.

If a signature is empty, it indicates a presignature and the validation will check the storage mapping instead of cryptographic verification. See ERC7579Multisig._signersSetByAccount for more details.

Emitted when a signer signs a hash

Sets up the module's initial configuration when installed by an account. Besides the standard delay and signer configuration, this can also include signer weights.

The initData should be encoded as: abi.encode(bytes[] signers, uint64 threshold, uint64[] weights)

If weights are not provided but signers are, all signers default to weight 1.

NOTE: An account can only call onInstall once. If called directly by the account, the signer will be set to the provided data. Future installations will behave as a no-op.

Cleans up module's configuration when uninstalled from an account. Clears all signers, weights, and total weights.

See ERC7579Multisig.onUninstall.

Gets the weight of a signer for a specific account. Returns 0 if the signer is not authorized.

Gets the total weight of all signers for a specific account.

Sets weights for signers for the calling account. Can only be called by the account itself.

Sets weights for multiple signers at once. Internal version without access control.

Requirements:

• signers and weights arrays must have the same length. Reverts with ERC7579MultisigWeighted.ERC7579MultisigMismatchedLength on mismatch.
• Each signer must exist in the set of authorized signers. Reverts with ERC7579Multisig.ERC7579MultisigNonexistentSigner if not.
• Each weight must be greater than 0. Reverts with ERC7579MultisigWeighted.ERC7579MultisigInvalidWeight if not.
• See ERC7579Multisig._validateReachableThreshold for the threshold validation.

Emits ERC7579MultisigWeighted.ERC7579MultisigWeightChanged for each signer.

Override to add weight tracking. See ERC7579Multisig._addSigners. Each new signer has a default weight of 1.

In cases where ERC7579MultisigWeighted.totalWeight is almost type(uint64).max (due to a large _totalExtraWeight), adding new signers could cause the ERC7579MultisigWeighted.totalWeight computation to overflow. Adding a ERC7579MultisigWeighted.totalWeight call after the new signers are added ensures no such overflow happens.

Override to handle weight tracking during removal. See ERC7579Multisig._removeSigners.

Just like ERC7579Multisig._addSigners, this function does not emit ERC7579MultisigWeighted.ERC7579MultisigWeightChanged events. The ERC7579Multisig.ERC7913SignerRemoved event emitted by ERC7579Multisig._removeSigners is enough to track weights here.

Override to validate threshold against total weight instead of signer count.

NOTE: This function intentionally does not call super._validateReachableThreshold because the base implementation assumes each signer has a weight of 1, which is a subset of this weighted implementation. Consider that multiple implementations of this function may exist in the contract, so important side effects may be missed depending on the linearization order.

Validates that the total weight of signers meets the ERC7579Multisig.threshold requirement. Overrides the base implementation to use weights instead of count.

NOTE: This function intentionally does not call super._validateThreshold because the base implementation assumes each signer has a weight of 1, which is incompatible with this weighted implementation.

Emitted when a signer's weight is changed.

NOTE: Not emitted in ERC7579Multisig._addSigners or ERC7579Multisig._removeSigners. Indexers must rely on ERC7579Multisig.ERC7913SignerAdded and ERC7579Multisig.ERC7913SignerRemoved to index a default weight of 1. See ERC7579MultisigWeighted.signerWeight.

Thrown when a signer's weight is invalid.

Thrown when the arrays lengths don't match.

Returns the set of authorized selectors for the specified account.

can be expensive or may result in unbounded computation.

Sets up the module's initial configuration when installed by an account. The initData should be encoded as: abi.encode(bytes4[] selectors)

Cleans up module's configuration when uninstalled from an account. Clears all selectors.

See EnumerableSetExtended.clear.

Adds selectors to the set for the calling account

Removes a selector from the set for the calling account

Internal version of ERC7579SelectorExecutor.addSelectors that takes an account as argument

Internal version of ERC7579SelectorExecutor.removeSelectors that takes an account as argument

See ERC7579Executor._validateExecution. Validates that the selector (first 4 bytes of the actual callData) is authorized before execution.

Emitted when a selector is added to the set

Emitted when a selector is removed from the set

Error thrown when attempting to execute a non-authorized selector

Return the ERC-7913 signer (i.e. verifier || key).

See IERC7579Module-onInstall.

NOTE: An account can only call onInstall once. If called directly by the account, the signer will be set to the provided data. Future installations will behave as a no-op.

See IERC7579Module-onUninstall.

making the account unusable. As an account operator, make sure to uninstall to a predefined path in your account that properly handles side effects of uninstallation. See AccountERC7579-uninstallModule.

Sets the ERC-7913 signer (i.e. verifier || key) for the calling account.

Internal version of ERC7579Signature.setSigner that takes an account as argument without validating signer_.

See ERC7579Validator._rawERC7579Validation.

Validates a signature using ERC-7913 verification.

This base implementation ignores the sender parameter and validates using the account's stored signer. Derived contracts can override this to implement custom validation logic based on the sender.

Emitted when the signer is set.

Thrown when the signer length is less than 20 bytes.

Returns boolean value if module is a certain type

Validates a UserOperation

See IERC7579Validator-isValidSignatureWithSender.

Ignores the sender parameter and validates using ERC7579Multisig._rawERC7579Validation. Consider overriding this function to implement custom validation logic based on the original sender.

Validation algorithm.

handle cryptographic verification to prevent unauthorized access.

Revert if the caller is not the entry point.

Canonical entry point for the account that forwards and validates user operations.

Validates whether the paymaster is willing to pay for the user operation. See IAccount-validateUserOp for additional information on the return value.

NOTE: Bundlers will reject this method if it modifies the state, unless it's whitelisted.

Verifies the sender is the entrypoint.

Internal validation of whether the paymaster is willing to pay for the user operation. Returns the context to be passed to postOp and the validation data.

The requiredPreFund is the amount the paymaster has to pay (in native tokens). It's calculated as requiredGas * userOp.maxFeePerGas, where required gas can be calculated from the user operation as verificationGasLimit + callGasLimit + paymasterVerificationGasLimit + paymasterPostOpGasLimit + preVerificationGas

Handles post user operation execution logic. The caller must be the entry point.

It receives the context returned by _validatePaymasterUserOp. Function is not called if no context is returned by PaymasterCore.validatePaymasterUserOp.

NOTE: The actualUserOpFeePerGas is not tx.gasprice. A user operation can be bundled with other transactions making the gas price of the user operation to differ.

Calls IEntryPointStake-depositTo.

Calls IEntryPointStake-withdrawTo.

Calls IEntryPointStake-addStake.

Calls IEntryPointStake-unlockStake.

Calls IEntryPointStake-withdrawStake.

Ensures the caller is the entrypoint.

Checks whether msg.sender withdraw funds stake or deposit from the entrypoint on paymaster's behalf.

Use of an access control modifier such as Ownable-onlyOwner is recommended.

function _authorizeUpgrade() internal onlyOwner {}

Unauthorized call to the paymaster.

See PaymasterCore._validatePaymasterUserOp.

Attempts to retrieve the token and tokenPrice from the user operation (see PaymasterERC20._fetchDetails) and prefund the user operation using these values and the maxCost argument (see PaymasterERC20._prefund).

Returns abi.encodePacked(userOpHash, token, tokenPrice, prefundAmount, prefunder, prefundContext) in context if the prefund is successful. Otherwise, it returns empty bytes.

Prefunds the userOp by charging the maximum possible gas cost (maxCost) in ERC-20 token.

The token and tokenPrice is obtained from the PaymasterERC20._fetchDetails function and are funded by the prefunder_, which is the user operation sender by default. The prefundAmount is calculated using PaymasterERC20._erc20Cost.

Returns a prefundContext that's passed to the PaymasterCore._postOp function through its context return value.

NOTE: Consider not reverting if the prefund fails when overriding this function. This is to avoid reverting during the validation phase of the user operation, which may penalize the paymaster's reputation according to ERC-7562 validation rules.

Attempts to refund the user operation after execution. See PaymasterERC20._refund.

Reverts with PaymasterERC20.PaymasterERC20FailedRefund if the refund fails.

reverting the user operation itself. Consider implementing a mechanism to handle this case gracefully.

Refunds any unused gas back to the user (i.e. prefundAmount - actualAmount) in token.

The actualAmount is calculated using PaymasterERC20._erc20Cost and the actualGasCost, actualUserOpFeePerGas, prefundContext and the tokenPrice from the PaymasterCore._postOp's context.

Retrieves payment details for a user operation.

The values returned by this internal function are:

• validationData: ERC-4337 validation data, indicating success/failure and optional time validity (validAfter, validUntil).
• token: Address of the ERC-20 token used for payment to the paymaster.
• tokenPrice: Price of the token in native currency, scaled by _tokenPriceDenominator().

==== Calculating the token price

Given gas fees are paid in native currency, developers can use the ERC20 price unit / native price unit ratio to calculate the price of an ERC20 token price in native currency. However, the token may have a different number of decimals than the native currency. For a a generalized formula considering prices in USD and decimals, consider using:

(<ERC-20 token price in $> / 10**<ERC-20 decimals>) / (<Native token price in $> / 1e18) * _tokenPriceDenominator()

For example, suppose token is USDC ($1 with 6 decimals) and native currency is ETH (assuming$2524.86 with 18 decimals), then each unit (1e-6) of USDC is worth (1 / 1e6) / ((252486 / 1e2) / 1e18) = 396061563.8094785 wei. The _tokenPriceDenominator() ensures precision by avoiding fractional value loss. (i.e. the 0.8094785 part).

Over-estimates the cost of the post-operation logic.

Denominator used for interpreting the tokenPrice returned by PaymasterERC20._fetchDetails as "fixed point" in PaymasterERC20._erc20Cost.

Calculates the cost of the user operation in ERC-20 tokens.

Public function that allows the withdrawer to extract ERC-20 tokens resulting from gas payments.

Emitted when a user operation identified by userOpHash is sponsored by this paymaster using the specified ERC-20 token. The tokenAmount is the amount charged for the operation, and tokenPrice is the price of the token in native currency (e.g., ETH).

Throws when the paymaster fails to refund the difference between the prefundAmount and the actualAmount of token.

Prefunds the user operation using either the guarantor or the default prefunder. See PaymasterERC20._prefund.

Returns abi.encodePacked(..., userOp.sender) in prefundContext to allow the refund process to identify the user operation sender.

Handles the refund process for guaranteed operations.

If the operation was guaranteed, it attempts to get repayment from the user first and then refunds the guarantor. Otherwise, fallback to PaymasterERC20._refund.

NOTE: For guaranteed user operations where the user paid the actualGasCost back, this function doesn't call super._refund. Consider whether there are side effects in the parent contract that need to be executed.

Fetches the guarantor address and validation data from the user operation.

NOTE: Return address(0) to disable the guarantor feature. If supported, ensure explicit consent (e.g., signature verification) to prevent unauthorized use.

Over-estimates the cost of the post-operation logic. Added on top of guaranteed userOps post-operation cost.

Emitted when a user operation identified by userOpHash is guaranteed by a guarantor for prefundAmount.

ERC-721 token used to validate the user operation.

Sets the ERC-721 token used to validate the user operation.

Internal validation of whether the paymaster is willing to pay for the user operation. Returns the context to be passed to postOp and the validation data.

NOTE: The default context is bytes(0). Developers that add a context when overriding this function MUST also override PaymasterCore._postOp to process the context passed along.

Emitted when the paymaster token is set.

Virtual function that returns the signable hash for a user operations. Given the userOpHash contains the paymasterAndData itself, it's not possible to sign that value directly. Instead, this function must be used to provide a custom mechanism to authorize an user operation.

Internal validation of whether the paymaster is willing to pay for the user operation. Returns the context to be passed to postOp and the validation data.

NOTE: The context returned is bytes(0). Developers overriding this function MUST override PaymasterCore._postOp to process the context passed along.

Decodes the user operation's data from paymasterAndData.