-
Notifications
You must be signed in to change notification settings - Fork 10
Access Control
Nexus is a modular smart account system compliant with ERC-7579 and ERC-4337, designed to provide customizable and secure account management for blockchain transactions. This document outlines the access control mechanisms that safeguard the Nexus Smart Account from unauthorized access and manipulation.
Nexus follows the UUPS Proxy Pattern from ERC-1822, enabling future upgrades while maintaining access control integrity. Only the EntryPoint contract or the Nexus smart account itself can authorize upgrades, ensuring the system remains secure.
Note
EntryPoint Contract:
The EntryPoint contract, used across all EVM-compatible chains, handles key operations like validating and executing user transactions. While Nexus relies on it, it’s not exclusive to Nexus. Every Account Abstraction implementation uses EntryPoint to manage transaction flow.
Nexus enforces access control through several key modifiers, ensuring that only authorized entities can interact with its functions. These are:
-
onlyEntryPointOrSelf
Restricts access to the EntryPoint contract or the smart account itself. This prevents external contracts from executing sensitive functions. -
onlyEntryPoint
Limits access strictly to the EntryPoint for critical operations like transaction validation and execution. -
onlyExecutorModule
Ensures that only authorized Executor modules can initiate transaction executions. This adds an additional layer of security around execution control. -
withHook
Adds pre- and post-execution checks using hook modules. These hooks allow custom logic to be executed before and after each transaction, enhancing flexibility and security. -
withRegistry
Verifies modules via the ERC-7484 registry to ensure they meet required attestation standards. This ensures secure third-party integrations.
Important
Module Installation:
Modules are added using the installModule
function, which checks for duplicates or incompatible modules, ensuring that only necessary and valid modules are installed on the smart account.
The validateUserOp
function ensures each transaction is authorized and correctly structured by verifying signatures and nonce alignment. Validation tasks are forwarded to the relevant Validator module, which checks compliance with security rules.
Note
Secure Transaction Flow:
Only transactions validated through this process are allowed, providing a strong defense against unauthorized transactions or replay attacks.
Nexus enables flexible transaction execution through the executeFromExecutor
function, allowing Executor modules to perform transactions on behalf of the smart account.
- Executor Verification: Only registered Executor modules are permitted to trigger transactions.
- Hook Integration: Transactions go through hook modules for additional checks before and after execution.
Caution
Secure Execution:
This ensures that only authorized modules can perform transaction executions, protecting the account from unauthorized operations.
Nexus employs advanced technical features to improve security and prevent operational conflicts between modules.
Nexus uses ERC-7201 to manage storage, ensuring that different modules do not interfere with each other’s data. This provides state integrity and prevents storage collisions between modules.
Tip
Isolated Storage:
Each module operates within its own storage, preventing data corruption and unintended behavior.
Nexus regularly undergoes security audits by leading firms like OpenZeppelin, Spearbit, and Cyfrin, focusing on:
- Access Control: Ensuring all access control mechanisms are correctly implemented and enforced.
- System Integrity: Identifying vulnerabilities and ensuring overall system security.
Tip
Security Audits:
These audits verify the robustness of Nexus's security architecture and ensure it operates as intended.
Although Nexus provides a highly secure and audited environment, users are ultimately responsible for managing their accounts. Thus, users should follow best practices in securing their private keys and account access.
Important
User Accountability:
Biconomy cannot recover lost funds or access for compromised accounts. Always secure your private keys and manage your account responsibly.
- Home
- Nexus Architecture
- Access Control
- Execution Framework
- Modules
- Factories
- Migration Guide
- Testing Documentation
- Configuration and Security
- Libraries
- FAQ
- Biconomy Solidity Style Guide
- Security Considerations
- Team
-
Contracts
- Nexus
- Base
- Common
- Factory
- AbstractNexusFactory
- BiconomyMetaFactory
- K1ValidatorFactory
- ModuleWhitelistFactory
- NexusAccountFactory
- Modules
- Utils