Skip to content

Kernel v4 — release/v4#149

Open
leekt wants to merge 144 commits into
devfrom
release/v4
Open

Kernel v4 — release/v4#149
leekt wants to merge 144 commits into
devfrom
release/v4

Conversation

@leekt

@leekt leekt commented Jun 30, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Kernel v4 — release/v4

Brings the Kernel v4 codebase into this repository as release/v4, alongside the existing release/v3.x lines.

Build: solc 0.8.33 · optimizer 200 runs · evm prague · via-IR off · deterministic CREATE2 (0x4e59…956C, salt 0x00).

What is Kernel v4

A ground-up rewrite of the ZeroDev modular smart account on ERC-4337 / ERC-7702, implementing ERC-7579 for standardized module interfaces. v4 collapses validation, execution, and hooks into a clean six-module architecture and adds a first-class permission system for granular session keys.

Six pluggable module types (ERC-7579)

Type Role
Validator Validates UserOps and signatures — owns a nonce-key namespace
Executor Calls executeFromExecutor to act on behalf of the account
Fallback Extends the account with new selectors (call or delegatecall)
Hook Pre/post execution checks on validators, executors, fallback selectors
Policy Half of a permission — enforces rules (spending caps, allowlists, time windows)
Signer Half of a permission — provides signature verification (passkey, multisig, …)

Permission system (session keys)

A permission = one signer + one or more policies. A dapp can be handed a signer scoped to specific selectors under specific policies, without ever touching the root validator. Policies install/uninstall LIFO; the signature carries one entry per policy (install order) plus the signer's, last.

Three account variants

  • KernelUUPS — UUPS upgradeable proxy; full module lifecycle + proxy upgrade via UserOp. Deploy via KernelFactory.deploy().
  • KernelImmutableECDSA — ERC-1967 clone with an ECDSA fallback signer fixed in immutable args; still setRoot-able and UUPS-upgradeable. Deploy via KernelFactory.deployECDSA().
  • Kernel7702 — EIP-7702 EOA delegation; the EOA itself is the fallback signer, no init needed, supports raw ERC-1271.

Enable mode

Install modules atomically with the first UserOp — no setup transaction. The nonce encodes an enable flag; the signature carries the install payload (root-validator-approved) + the UserOp signature. Chain-specific and replayable (chain-agnostic) variants.

Nonce-encoded validation

The 32-byte 4337 nonce selects the validator/permission, giving each its own nonce namespace:

| 1 byte | 1 byte | 20 bytes | 2 bytes  | 8 bytes |
| vMode  | vType  | vId      | nonceKey | seq     |

vType: 0x00 root · 0x01 validator (20-byte addr) · 0x02 permission (4-byte id). vMode flags enable / replayable-enable-sig / replayable-userOp-hash.

Hook system

Hooks bind independently to validators (executeUserOp), executors (executeFromExecutor), and fallback selectors. Sentinels: address(0) = not installed, address(1) = installed with no hook.

Signatures (ERC-1271 / ERC-7739)

isValidSignature supports raw (7702 only), chain-specific nested EIP-712, and replayable nested EIP-712 — selected by the first 21 bytes of the signature, for both validator- and permission-based verification.

Standards

ERC-4337 (EntryPoint v0.9) · ERC-7579 · ERC-7702 · ERC-7739 · ERC-7201 (namespaced storage) · ERC-1271.

Release notes — v0.4.0

  • Initial v4 release: six-module ERC-7579 architecture, permission/session-key system, three account variants, enable mode, nonce-encoded validation, hook system, ERC-7739 signatures.
  • EntryPoint v0.9 support; EntryPoint v0.8 paths removed.
  • Security hardening from internal + Trail of Bits audits — e.g. signature-replay nonce, signature-bypass fix, _setRoot vType check, intersectValidationData aggregator fix, factory msg.value forwarding, root-validator uninstall protection, audit batch 1: 3 HIGH / 1 MEDIUM / 3 LOW.
  • Deterministic CREATE2 release artifact at releases/v0.4.0.json.
  • Test suite spans unit, integration, invariant/fuzz, and formal verification (Halmos / Kontrol / Certora).

Mergeability

v4 has an independent history from this repo's dev trunk. This branch records dev as a merge parent via git merge -s ours, so:

  • the branch tree is exactly v0.4.0 (pure v4 code, no v3 files mixed in);
  • dev is an ancestor → this PR merges cleanly, no unrelated-history conflicts;
  • the diff below reflects the real v3 → v4 change.

Merging advances dev to the v4 codebase. v3 stays preserved on release/v3.0 / release/v3.1 / release/v3.3.

leekt added 30 commits February 15, 2025 00:13
@leekt
chore: forge init
3617f83
@leekt
forge install: forge-std
460f329 
v1.9.6
@leekt
removed counter
4472974
@leekt
temp - install module signature
335eb4f
@leekt
execution manager done
788512a
@leekt
Execution done
23c3017
@leekt
removed coverage
784bf62
@leekt
removed lcov
bb98f28
@leekt
updated gitignore
f923659
@leekt
fmt
f71d3e3
@leekt
temporary validator for validateUserOp
5344bb4
@leekt
fmt with 1.2
5affa76
@leekt
module test cases
d4737c6
@leekt
userop test case
828fa8f
@leekt
uninstall policy/signer
a9fe29a
@leekt
preparing execute with signature
3023d7e
@leekt
no more via ir
8a4d14a
@leekt
instalAndExecute
44c35f6
@leekt
install and execute
3f8acd8
@leekt
test done with factory, todo:7702 and ecdsa
5b6bf04
@leekt
updated readme to show coverage command
a449911
@leekt
erc7579 helper functions done
fb541da
@leekt
fmt
8ceebf0
@leekt
fix: typehash for individual hash
4a82d11
@leekt
fix kernel helper same hash
47c5c91
@leekt
todo: working on 7702
7200ea5
@leekt
7702 tested
965ca65
@leekt
erc1271 flow tested
a7b95ff
@leekt
personal sign done
a76e494
@leekt
fmt
d8c959c
leekt and others added 29 commits October 17, 2025 14:58
@leekt
test erc1271
8999222
@leekt
erc1271 test done
776fe04
@leekt
erc1271 test renamed
83d6e32
@leekt
using via_ir false
ea57984
@leekt
optimial run = 7500
413aa41
@leekt
Merge pull request #21 from zerodevapp/test/add_simpleaccount_compare
053797e 
added simple account comparison data
@leekt
Merge pull request #22 from zerodevapp/feat/hook_execution_check
fa6a1bd 
Feat/hook execution check
@leekt
Merge pull request #24 from zerodevapp/feat/raw_erc1271
40b0ff6 
Feat/raw erc1271
@leekt
Feat/enablemode signature (#25)
7a578c2 
* feat: return 1 if call failed

* chore: few optimization to lower gas cost

* temp

* test fixed

* test: happy case for validator

* test: enable mode test done

* test: tested erc1271 flow for replayable

* update runs
@leekt
Test/cleanup (#26)
a5029ae 
* chore: removed initialize and make it virtual

* chore: test kernel ecdsa factory

* chore: fmt changes

* add kernel snapshot result updated for install module

* removed .swp

* chore: use efficientHashLib

* chore: code refactor

* chore: remove initcode check

* chore: remove initcode check

* chore: staker tested
@leekt
removed checkInitialized
25e51e1
@leekt
changelog (#27)
216b034
@leekt
ep v9 support (#28)
b0edee2 
* ep v9 support

* temp

* force update the dependencies for 0.9

* updated module type id to 10

* updated

* fmt
@leekt
fix: LIFO for setRoot (#31)
abf2b60
@leekt
fix: added nonce to prevent signature replay (#29)
c3ec2b1
@leekt
Remove deployWithCall variants (#33)
8705be4 
* fix: removed deployWithCall

* fix: test
@leekt
fix: policy does not accept hook/selector info when being installed a…
f164bc7 
…nd if it's only policies that are installed, permission is not valid (#36)
@leekt
fix: _checkNonce reverts (#39)
9d820af 
* fix: _checkNonce reverts

* fix: update checkAndIncrementNonce
@leekt
fix: signature bypass update (#30)
20cce05 
* fix: signature bypass update

* fmt

* fmt

* fix: test
@leekt
used nonce to clear out the validator (#35)
de0f834 
* used nonce to clear out the validator

* fix: removed console.log
@leekt
fix: root cannot be uninstalled, test_uninstall_policy will be fixed …
023da85 
…on other branch (#37)
@leekt
chore: update foundry solidity runs to lower the contract size
36db289
@leekt
fix: _setRoot to check vType (#38)
5fbfcaa 
* fix: _setRoot to check vType

* fix: added VALIDATION_TYPE_FALLBACK

* fix: import VALIDATION_TYPE_FALLBACK

* fix: test to use proper encoding

* fix: assertFalse => assertTrue
@leekt
fix: forward the msg.value to factory (#34)
d4a0df3 
* fix: forward the msg.value to factory

* fix: deployECDSA also forwards msg.value

* fix: test
@leekt
fix: intersectValidationData to not override the aggregator (#32)
a836274 
* done: testing

* fix: no unchecked block

* fix: overflow on multiplying validation result
@leekt
v0.4.0 release (#50)
560f15d 
* chore: update build config for Solidity 0.8.33

* refactor: centralize type definitions, errors, events, and constants

* refactor: centralize constants in libs and update patterns

* fix: security and correctness improvements

* docs: add NatSpec documentation to variant contracts

* test: add mock contracts and update test infrastructure

* test: add BTT trees and tests for Kernel, Factory, and Staker

* test: add unit, integration, fuzz, invariant, and halmos tests

* docs: update README, gas snapshots, and add release v0.4.0
@leekt
chore: remove ep 0.8 (#51)
3779635
@leekt
fix: audit batch 1 - 3 HIGH / 1 MEDIUM / 3 LOW (kernel side) (#54)
3ec9fcd 
* fix: bump nonce on validation init to default-deny selectors

* fix: validate validator returndata length and require code

* fix: filter permission stateless match by module type

* fix: require root validation be installed

* test: adapt empty-returndata test to graceful-failure behavior

* chore: update gas snapshots after rebase onto v0.4.0

* test(halmos): prove Lib4337.intersectValidationData aggregator precedence (6 rules)

* test(halmos): prove KernelUUPS.upgradeToAndCall gates on EntryPoint or self

* test(halmos): prove _verifyStatelessSignature filters by moduleType

* test(halmos): prove parseNonce roundtrips validator and permission

* test(halmos): prove Kernel7702 + KernelImmutableECDSA fallback ECDSA iff

* test(halmos): prove Staker.approveFactoryWithSignature replay safety

* test(halmos): prove KernelFactory.deploy determinism and idempotency

* test(halmos): prove _checkAndIncrementNonce cannot overflow uint64

* test(halmos): prove _initializeValidation bumps nonce on every path

* docs(audit): add FV round 1 plan, gap audit, and findings log

* test(halmos): prove _checkNonce and _checkAndIncrementNonce agree below saturation

* docs(audit): record Phase B finding (nonce check/increment agreement)

* chore(certora): scaffold harness for Kernel v4 formal verification

* test(certora): add KernelHarness for read-only storage accessors

* test(certora): prove executeUserOp inner-delegatecall gated by validateUserOp

* docs(audit): record Phase C finding (fast-path privilege escalation)

* fix: block executeUserOp.selector grant to non-root validations

* test(certora): re-verify executeUserOp fix; surface setRoot residual finding

* fix: bump old root nonce on _setRoot rotation

* docs(certora): close Phase C — invariant unprovable under CVL summaries

* test(certora): Phase D — prove permission totality, setRoot LIFO, view/write equivalence

* docs(audit): record Phase D Certora results (3/3 properties verified)

* test(kontrol): scaffold #15 ERC1271 nested EIP-712 claim (partial; timeout)

* test(halmos): prove ERC1271 nested EIP-712 PersonalSign verifier-bypass property

* docs(audit): record Phase E results (#15 PersonalSign proven, TypedDataSign partial)

* docs(audit): FV Round 2 plan — proof-obligation coverage strategy

* test(kontrol): tighten #15 bound to signature.length <= 96 (Round 2 retry)

* docs(audit): manual CFG proof closes #15 nested EIP-712 verifier-bypass property

* test(certora): writer-local decomposition closes Phase C bypass-impossible invariant

* docs(audit): mark Phase C invariant closed via writer-local decomposition

* docs(audit): bootstrap FV_COVERAGE.md — proof-obligation matrix for Round 2 Phase 2

* test(halmos): prove _verifyInstallSignatureRaw signature gate

* test(halmos): prove _executeCall + _executeDelegateCall return shape and revert handling

* test(halmos): prove _installHash determinism and field-sensitivity

* test(halmos): prove onlyOwner on Staker stake/approveFactory functions

* test(certora): prove _checkValidation routing predicate per vType

* test(certora): writer-local invariants for executor/selector/hook storage

* docs(audit): update FV_COVERAGE matrix — Phase 2 closure (~83% obligations proven)

* test(halmos): prove top-level execute and executeFromExecutor access control

* fix: reject zero-address module in _installSelector at install boundary

* test(certora): prove validateUserOp then executeUserOp inner-selector composition

* docs(audit): FV_COVERAGE — all Round 2 remaining gaps closed

* ci: lower optimizer_runs to 10 + skip oversized halmos harnesses from --sizes

* docs(audit): FV_COVERAGE — close stale ModuleManager._verifyInstallSignatureRaw row

* chore: update gas snapshots after optimizer_runs drop

* test(halmos): prove chainAgnosticUserOpHash determinism, chain-agnosticism, field-sensitivity

* docs(audit): FV_COVERAGE — sync _installSelector row with shipped hardening + bump commit count

* ci: enable via_ir to restore optimizer_runs=200 with comfortable EIP-170 margin

* docs: sync FV coverage metadata

* chore: gitignore .claude local state and FV research scratch

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
@leekt
chore: stitch kernel v3 dev history into release/v4 for mergeability
5bd75a5
@leekt leekt changed the title Kernel v4 (release/v4) Kernel v4 — release/v4 Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@leekt