Account abstraction and onchain identity: EIP-4337 and beyond

At all major Ethereum events this past year, the phrase "Every account is a smart contract" was frequently repeated when discussing EIP-4337 and account abstraction. The idea behind this phrase is that the distinction between externally-owned accounts (EOAs) and smart contract accounts are blurred, as every account can now be seen as a smart contract wallet. This means that every account has its own logic and can initiate transactions and pay the fee, which opens up new possibilities for creating secure and user-friendly wallets. This blog post will be a self-contained explanation of EIP-4337 and the impact it can have on the onchain identity-based infrastructure. Learn more about Ethereum Improvement Proposals (EIP) and their role in governance decisions here.

What is account abstraction and EIP-4337?

One of the critical issues exposed by recent scams in the crypto ecosystem is that there is no safety without self-custody. This means that the safety of the user's account relies on the signer being able to handle, use, and store the keys safely. Even crypto natives have fallen victim to sophisticated attacks, which has made it clear that there is a need for better security measures. EIP-4337 addresses this issue by decoupling the relationship between the signer and the account, allowing greater flexibility and security.

EIP-4337 introduces the concept of account abstraction, which means that every account is now a smart-contract wallet that can initiate transactions and pay the fee. This means that the account defines what a valid smart contract can look like, which allows for different signature schemes, elliptic curves, multiple signers, and the ability to replace signers. This is a significant improvement over the current system, which limits the functionality of wallets and makes them more vulnerable to attacks.

Smart contract wallets are a key feature of EIP-4337, allowing users to program smart contracts to secure their assets. This enables social recovery, on-chain fraud monitoring, and other advanced security measures previously unavailable in the Ethereum ecosystem. By allowing users to create custom wallets with their own logic, EIP-4337 opens up new possibilities for creating secure and user-friendly wallets. Scammers will now have a more challenging time draining wallets by pretending to be Metamask or Discord and phishing innocent users. For example, adding logic that prevents funds over a certain threshold and adding multiple signers will make it extremely hard to mount wallet-draining attacks.

The journey towards EIP-4337 began in 2016 with EIP-86, which introduced the concept of the "forwarding contract" to abstract signature verification and nonce. In 2020, EIP-2938 introduced a new AA (account abstraction) transaction to enable smart contracts to act as top-level accounts. EIP-3074 made existing EOAs behave like smart contracts by allowing users to delegate control of their EOA to a contract. Finally, EIP-4337 decentralizes the infrastructure needed to write and operate smart-contract wallets without requiring a protocol change. This means that EIP-4337 builds on previous EIPs and provides a clear path forward for improving the security and usability of Ethereum wallets.

A smart-contract wallet that is supported by EIP-4337 works differently from traditional Ethereum wallets. Users now send user operations instead of a transaction to a high-level mempool maintained by bundlers, similar to miners.

These bundlers can bundle many user operations into a standard L1 transaction, which is then sent to a specific contract called the entry point. When the transaction reaches the entry point contract, it orchestrates the validation and execution of the user operation by calling two wallet methods. The first method validates the transaction by checking with the wallet logic if it is acceptable to execute that operation and if it allows for paying the fee to execute it. The second method performs the execution. This approach shows a clear divide between the logic validation and execution for Ethereum accounts.

The impact on onchain identity

The functionality that the onchain identity infrastructure will now support will be much richer, safer, and user-friendly. Let's think about it using the following example:

In the EIP-4337 world, smart-contract wallets can interact with each other. Over the years, onchain activity has emerged as a proxy for credit scores, social graphs, status, etc. What if your government had a smart-contract wallet and an Ethereum address. You do in-person KYC once and link specific facts to your account. Your government can now help issue anonymous credentials attesting to facts about your onchain identity such as ''US-citizen'', "not in a ban list," etc. In the future, the government will allow US-based DeFi platforms to serve any account that owns a ''US-citizen'' soulbound NFT. When a user interacts with the DeFi platform, the smart contract checks if the user account is eligible. The logic will be extremely simple and fast to execute with account abstraction.

One of the primary benefits of onchain identity is increased security. Users can prove their identity without revealing sensitive personal information using decentralized identifiers and verifiable credentials. This reduces the risk of identity theft and other types of fraud, providing users with greater confidence when interacting with others online. Onchain identity also offers greater privacy compared to traditional identity systems. With onchain identity, users have more control over their personal data and can choose to reveal only the information necessary for a particular transaction. This reduces personal data exposure to third parties, mitigating the risk of data breaches and other privacy violations.

Finally, onchain identity enables greater interoperability between different applications and platforms. Using a standard set of protocols and technologies, onchain identity can seamlessly integrate with other web3 applications, providing users with a more cohesive and connected experience. Overall, the security, privacy, and interoperability benefits of onchain identity make it a valuable ecosystem component. By giving users greater control over their personal data, onchain identity can help to foster greater trust and collaboration in the decentralized internet. Add EIP 4337 to the equation, and identity facts can be checked by smart contract logic. This can easily enable online social groups based on shared POAPs (can act as proxies for interests), social circles (using social graphs), and professional (using onchain credentials that represent real-world expertise) circles.

From the perspective of cryptography and zero-knowledge proofs: account abstraction will provide greater flexibility in terms of signature schemes and elliptic curves, which are used to generate public and private key pairs used for authentication and encryption. This will enable users to choose the identity verification methods that work best for them, increasing the level of trust and security in the system. For example, ECDSA signatures are extremely expensive to verify with zk. Using a signature scheme that is zk-friendly will enable anonymous credentials and access gating with short proofs that can be generated client-side at blazing fast speeds.

Zero-knowledge proofs were an afterthought in the cryptocurrency world when the need and importance for privacy took the stage. Consequently, the cryptography that supports account authentication and security was not designed with zk-compatibility in mind. The EIP-4337 future brings a lot of promise to all these exciting directions!