feat: Deferred Validation Installation

[Zer0dot]

Motivation

We want to support flows like deferring session key installs until the first action that requires them.

Solution

During UO validation, use a specific (previously unused) bit in the signature field to indicate whether or not a deferred validation is necessary. If so, decode part of the signature field into the data needed to validate and install the inner validation. Note that the standard validation packing scheme (for the first 24 bytes of the signature) is, in this case, the validation used to validate the installation.

Post-installation, validate the user operation with the newly installed validation.

[github-actions]

Contract sizes:

| Contract                     | Size (B) | Margin (B) |
|------------------------------|----------|------------|
| AccountFactory               |    4,763 |     19,813 |
| ERC1967Proxy                 |      104 |     24,472 |
| ModularAccount               |   26,483 |     -1,907 |
| SemiModularAccount           |   27,540 |     -2,964 |
| SingleSignerValidationModule |    3,444 |     21,132 |
| TokenReceiverModule          |    2,189 |     22,387 |

Code coverage:

File	% Lines	% Statements	% Branches	% Funcs
src/account/AccountExecutor.sol	75.00% (3/4)	75.00% (3/4)	0.00% (0/1)	100.00% (1/1)
src/account/AccountFactory.sol	33.33% (10/30)	35.71% (15/42)	50.00% (1/2)	18.18% (2/11)
src/account/AccountStorageInitializable.sol	84.21% (16/19)	84.62% (22/26)	60.00% (3/5)	100.00% (2/2)
src/account/ModularAccount.sol	90.46% (218/241)	90.99% (293/322)	78.05% (32/41)	97.44% (38/39)
src/account/ModularAccountView.sol	96.55% (28/29)	95.24% (40/42)	100.00% (2/2)	100.00% (2/2)
src/account/ModuleManagerInternals.sol	84.92% (107/126)	84.62% (143/169)	42.86% (6/14)	100.00% (11/11)
src/account/SemiModularAccount.sol	0.00% (0/50)	0.00% (0/66)	0.00% (0/9)	0.00% (0/17)
src/helpers/HookConfigLib.sol	47.06% (8/17)	65.62% (21/32)	100.00% (0/0)	66.67% (8/12)
src/helpers/KnownSelectors.sol	100.00% (27/27)	100.00% (60/60)	100.00% (0/0)	100.00% (3/3)
src/helpers/ModuleEntityLib.sol	62.50% (5/8)	45.00% (9/20)	100.00% (0/0)	50.00% (3/6)
src/helpers/SparseCalldataSegmentLib.sol	100.00% (23/23)	100.00% (29/29)	100.00% (5/5)	100.00% (6/6)
src/helpers/ValidationConfigLib.sol	44.44% (8/18)	52.63% (20/38)	100.00% (0/0)	61.54% (8/13)
src/modules/BaseModule.sol	9.09% (1/11)	26.67% (4/15)	0.00% (0/1)	50.00% (1/2)
src/modules/ModuleEIP712.sol	100.00% (1/1)	100.00% (2/2)	100.00% (0/0)	100.00% (1/1)
src/modules/ReplaySafeWrapper.sol	100.00% (6/6)	100.00% (7/7)	100.00% (0/0)	100.00% (2/2)
src/modules/TokenReceiverModule.sol	69.23% (9/13)	69.23% (9/13)	100.00% (0/0)	28.57% (2/7)
src/modules/validation/SingleSignerValidationModule.sol	90.48% (19/21)	91.30% (21/23)	100.00% (3/3)	88.89% (8/9)
Total	75.93% (489/644)	76.70% (698/910)	62.65% (52/83)	68.06% (98/144)

[Zer0dot]

By the way, the use of the DeferredValidationInstallData struct internally literally just solves stack too deep :)

[octane-security-app-dev]

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

• AccountStorage.sol: Added a mapping to track used deferred install nonces in account storage.
• ModularAccount.sol: The smart contract now supports deferred validation installations, domain separation for signatures, and nonce invalidation mechanisms.
• SemiModularAccount.sol: Removed domain separator type hash and the _domainSeparator function for computing it, replacing _domainSeparator() call with domainSeparator() in replaySafeHash.

---

🔗 Commit Hash: 8f72474

[octane-security-app-dev]

Overview

Vulnerabilities found:	12
Severity breakdown:	2 High, 6 Medium, 2 Low, 2 Critical

Detailed findings

src/account/ModularAccount.sol

• Review potential Denial of Service issue that is exposed in the executeWithAuthorization function
• Review potential Denial of Service issue that is exposed in the isValidSignature function
• Review potential Denial of Service issue that is exposed in the __fallback__ function
• Review potential External Calls issue that is exposed in the executeUserOp function
• Review potential Frontrunning issue that is exposed in the execute function
• Review potential Frontrunning issue that is exposed in the invalidateDeferredValidationInstallNonce function
• Review potential Incorrectly Payable issue that is exposed in the upgradeToAndCall function
• Review potential Incorrect Nonce Update (Signature Replay Attack) issue that is exposed in the __fallback__ function
• Review potential Reentrancy issue that is exposed in the __fallback__ function
• Review potential Reentrancy issue that is exposed in the executeWithAuthorization function

src/account/SemiModularAccount.sol

• Review potential Frontrunning issue that is exposed in the setFallbackSignerDisabled function
• Review potential Frontrunning issue that is exposed in the updateFallbackSigner function

---

🔗 Commit Hash: 8f72474
🛡️ Octane Dashboard: All vulnerabilities

[adamegyed]

Awesome feature 🔥

Had a few small comments

[adamegyed]

question: can we use the internal _installValidation, or do we need to convert calldata types to memory types?

[Zer0dot]

so _installValidation() does do some calldata bytes slicing. It's possible to modify it to work internally in memory, but we might have efficiency loss in the standard installValidation() case. My thoughts were to just keep it simple and run a self-call. Wdyt?

[adamegyed]

Ah yep, that's what I thought. The current approach makes sense, no need to do big refactors at the moment imo.

[adamegyed]

Looks good, 1. small nit

[adamegyed]

tiny tiny nit: I think this comment only applies in the case where we're using the deferred validation install path, so could you move this comment to within the if (isDeferredInstallValidation) { block?

[Zer0dot]

Done!