Kernel v4 — release/v4#149
Open
leekt wants to merge 144 commits into
Open
Conversation
v1.9.6
added simple account comparison data
Feat/hook execution check
Feat/raw erc1271
* feat: return 1 if call failed * chore: few optimization to lower gas cost * temp * test fixed * test: happy case for validator * test: enable mode test done * test: tested erc1271 flow for replayable * update runs
* chore: removed initialize and make it virtual * chore: test kernel ecdsa factory * chore: fmt changes * add kernel snapshot result updated for install module * removed .swp * chore: use efficientHashLib * chore: code refactor * chore: remove initcode check * chore: remove initcode check * chore: staker tested
* ep v9 support * temp * force update the dependencies for 0.9 * updated module type id to 10 * updated * fmt
* fix: removed deployWithCall * fix: test
…nd if it's only policies that are installed, permission is not valid (#36)
* fix: _checkNonce reverts * fix: update checkAndIncrementNonce
* fix: signature bypass update * fmt * fmt * fix: test
* used nonce to clear out the validator * fix: removed console.log
…on other branch (#37)
* fix: _setRoot to check vType * fix: added VALIDATION_TYPE_FALLBACK * fix: import VALIDATION_TYPE_FALLBACK * fix: test to use proper encoding * fix: assertFalse => assertTrue
* fix: forward the msg.value to factory * fix: deployECDSA also forwards msg.value * fix: test
* done: testing * fix: no unchecked block * fix: overflow on multiplying validation result
* chore: update build config for Solidity 0.8.33 * refactor: centralize type definitions, errors, events, and constants * refactor: centralize constants in libs and update patterns * fix: security and correctness improvements * docs: add NatSpec documentation to variant contracts * test: add mock contracts and update test infrastructure * test: add BTT trees and tests for Kernel, Factory, and Staker * test: add unit, integration, fuzz, invariant, and halmos tests * docs: update README, gas snapshots, and add release v0.4.0
* fix: bump nonce on validation init to default-deny selectors * fix: validate validator returndata length and require code * fix: filter permission stateless match by module type * fix: require root validation be installed * test: adapt empty-returndata test to graceful-failure behavior * chore: update gas snapshots after rebase onto v0.4.0 * test(halmos): prove Lib4337.intersectValidationData aggregator precedence (6 rules) * test(halmos): prove KernelUUPS.upgradeToAndCall gates on EntryPoint or self * test(halmos): prove _verifyStatelessSignature filters by moduleType * test(halmos): prove parseNonce roundtrips validator and permission * test(halmos): prove Kernel7702 + KernelImmutableECDSA fallback ECDSA iff * test(halmos): prove Staker.approveFactoryWithSignature replay safety * test(halmos): prove KernelFactory.deploy determinism and idempotency * test(halmos): prove _checkAndIncrementNonce cannot overflow uint64 * test(halmos): prove _initializeValidation bumps nonce on every path * docs(audit): add FV round 1 plan, gap audit, and findings log * test(halmos): prove _checkNonce and _checkAndIncrementNonce agree below saturation * docs(audit): record Phase B finding (nonce check/increment agreement) * chore(certora): scaffold harness for Kernel v4 formal verification * test(certora): add KernelHarness for read-only storage accessors * test(certora): prove executeUserOp inner-delegatecall gated by validateUserOp * docs(audit): record Phase C finding (fast-path privilege escalation) * fix: block executeUserOp.selector grant to non-root validations * test(certora): re-verify executeUserOp fix; surface setRoot residual finding * fix: bump old root nonce on _setRoot rotation * docs(certora): close Phase C — invariant unprovable under CVL summaries * test(certora): Phase D — prove permission totality, setRoot LIFO, view/write equivalence * docs(audit): record Phase D Certora results (3/3 properties verified) * test(kontrol): scaffold #15 ERC1271 nested EIP-712 claim (partial; timeout) * test(halmos): prove ERC1271 nested EIP-712 PersonalSign verifier-bypass property * docs(audit): record Phase E results (#15 PersonalSign proven, TypedDataSign partial) * docs(audit): FV Round 2 plan — proof-obligation coverage strategy * test(kontrol): tighten #15 bound to signature.length <= 96 (Round 2 retry) * docs(audit): manual CFG proof closes #15 nested EIP-712 verifier-bypass property * test(certora): writer-local decomposition closes Phase C bypass-impossible invariant * docs(audit): mark Phase C invariant closed via writer-local decomposition * docs(audit): bootstrap FV_COVERAGE.md — proof-obligation matrix for Round 2 Phase 2 * test(halmos): prove _verifyInstallSignatureRaw signature gate * test(halmos): prove _executeCall + _executeDelegateCall return shape and revert handling * test(halmos): prove _installHash determinism and field-sensitivity * test(halmos): prove onlyOwner on Staker stake/approveFactory functions * test(certora): prove _checkValidation routing predicate per vType * test(certora): writer-local invariants for executor/selector/hook storage * docs(audit): update FV_COVERAGE matrix — Phase 2 closure (~83% obligations proven) * test(halmos): prove top-level execute and executeFromExecutor access control * fix: reject zero-address module in _installSelector at install boundary * test(certora): prove validateUserOp then executeUserOp inner-selector composition * docs(audit): FV_COVERAGE — all Round 2 remaining gaps closed * ci: lower optimizer_runs to 10 + skip oversized halmos harnesses from --sizes * docs(audit): FV_COVERAGE — close stale ModuleManager._verifyInstallSignatureRaw row * chore: update gas snapshots after optimizer_runs drop * test(halmos): prove chainAgnosticUserOpHash determinism, chain-agnosticism, field-sensitivity * docs(audit): FV_COVERAGE — sync _installSelector row with shipped hardening + bump commit count * ci: enable via_ir to restore optimizer_runs=200 with comfortable EIP-170 margin * docs: sync FV coverage metadata * chore: gitignore .claude local state and FV research scratch --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Kernel v4 —
release/v4Brings the Kernel v4 codebase into this repository as
release/v4, alongside the existingrelease/v3.xlines.What is Kernel v4
A ground-up rewrite of the ZeroDev modular smart account on ERC-4337 / ERC-7702, implementing ERC-7579 for standardized module interfaces. v4 collapses validation, execution, and hooks into a clean six-module architecture and adds a first-class permission system for granular session keys.
Six pluggable module types (ERC-7579)
executeFromExecutorto act on behalf of the accountPermission system (session keys)
A permission = one signer + one or more policies. A dapp can be handed a signer scoped to specific selectors under specific policies, without ever touching the root validator. Policies install/uninstall LIFO; the signature carries one entry per policy (install order) plus the signer's, last.
Three account variants
KernelUUPS— UUPS upgradeable proxy; full module lifecycle + proxy upgrade via UserOp. Deploy viaKernelFactory.deploy().KernelImmutableECDSA— ERC-1967 clone with an ECDSA fallback signer fixed in immutable args; stillsetRoot-able and UUPS-upgradeable. Deploy viaKernelFactory.deployECDSA().Kernel7702— EIP-7702 EOA delegation; the EOA itself is the fallback signer, no init needed, supports raw ERC-1271.Enable mode
Install modules atomically with the first UserOp — no setup transaction. The nonce encodes an enable flag; the signature carries the install payload (root-validator-approved) + the UserOp signature. Chain-specific and replayable (chain-agnostic) variants.
Nonce-encoded validation
The 32-byte 4337 nonce selects the validator/permission, giving each its own nonce namespace:
vType:0x00root ·0x01validator (20-byte addr) ·0x02permission (4-byte id).vModeflags enable / replayable-enable-sig / replayable-userOp-hash.Hook system
Hooks bind independently to validators (
executeUserOp), executors (executeFromExecutor), and fallback selectors. Sentinels:address(0)= not installed,address(1)= installed with no hook.Signatures (ERC-1271 / ERC-7739)
isValidSignaturesupports raw (7702 only), chain-specific nested EIP-712, and replayable nested EIP-712 — selected by the first 21 bytes of the signature, for both validator- and permission-based verification.Standards
ERC-4337 (EntryPoint v0.9) · ERC-7579 · ERC-7702 · ERC-7739 · ERC-7201 (namespaced storage) · ERC-1271.
Release notes — v0.4.0
_setRootvType check,intersectValidationDataaggregator fix, factorymsg.valueforwarding, root-validator uninstall protection, audit batch 1: 3 HIGH / 1 MEDIUM / 3 LOW.releases/v0.4.0.json.Mergeability
v4 has an independent history from this repo's
devtrunk. This branch recordsdevas a merge parent viagit merge -s ours, so:v0.4.0(pure v4 code, no v3 files mixed in);devis an ancestor → this PR merges cleanly, no unrelated-history conflicts;Merging advances
devto the v4 codebase. v3 stays preserved onrelease/v3.0/release/v3.1/release/v3.3.