Security and Griefing Protection¶
How Paymasters are secured in ERC-4337 and the risks of abuse or DoS.¶
Paymasters introduce a new layer of gas abstraction, but they also open new attack surfaces. A malicious user could try to:
- Drain the Paymasterβs deposit by spamming invalid operations
- Trick the Paymaster into sponsoring high-cost or reverted calls
- Exploit timeouts or race conditions in verification logic
ERC-4337 includes several protections to prevent these issues.
π Stake Requirement¶
To operate, a Paymaster must:
- Register with the EntryPoint contract
- Stake ETH (minimum amount set by EntryPoint)
- Maintain a deposit to pay for gas
Staked Paymasters are subject to slashing if they misbehave or allow griefing.
π§ͺ Deterministic Validation¶
validatePaymasterUserOp() must:
- Avoid
SSTORE,BLOCKHASH, or other non-deterministic behavior - Not depend on variable external state (unless staked)
- Run within strict gas bounds enforced by bundlers
These constraints reduce DoS risk and make validation safely simulatable.
π¦ Bundler Simulation¶
Before including a UserOp in a bundle, a bundler will:
- Simulate the full operation off-chain
- Measure gas cost and return data
- Reject anything that might revert or exceed limits
This ensures Paymasters donβt get unexpectedly charged on-chain.
π‘οΈ PostOp Protections¶
Paymasters can implement logic in postOp() to:
- Reclaim unspent gas
- Log usage or enforce backend quotas
- Blocklist abusers
However, postOp() runs after the UserOp executes, and must also be gas-safe.
β Summary¶
Paymasters must balance flexibility with caution. The ERC-4337 spec enforces staking, deterministic validation, and bundler simulation to keep Paymasters safe from griefing and gas theft. A well-designed Paymaster should assume hostile inputs and protect its deposit at all times.