Account Abstraction Explained in Detail
Account abstraction moves wallet behavior into contract code. A smart account can validate signatures, use guardians, batch actions, recover access, or accept sponsored gas under rules written by the account developer.
In Ethereum's ERC-4337 model, users submit UserOperations to bundlers, and an EntryPoint contract coordinates validation and execution.
Smart contract example
    interface IAccount {
        // Called only by the EntryPoint during the validation phase. The return
        // value is ERC-4337 validationData: 0 for a valid signature, 1 for
        // SIG_VALIDATION_FAILED, optionally packed with a validUntil/validAfter window.
        function validateUserOp(
            UserOperation calldata userOp,
            bytes32 userOpHash,
            uint256 missingFunds
        ) external returns (uint256 validationData);
    }
This function is security-critical because it decides whether the account accepts the operation.
Account Abstraction in Auditing
Account abstraction changes the meaning of authorization. Auditors cannot assume a private key signature is the only gate. The smart account may use modules, session keys, paymasters, batched calls, or upgradeable logic.
The main questions are: who can make the account act, what exactly did they approve, and can the same approval be replayed?
Red flags in code
- Validation does not restrict calls to the trusted EntryPoint.
- Signed data omits chain ID, nonce, account address, or EntryPoint address.
- Modules can execute arbitrary calls without clear authority.
- Upgradeable account storage is not reviewed for storage collision.
- Batched calls bypass per-action checks.
How to test or review it
- Replay the same operation with changed nonce, chain, EntryPoint, or calldata.
- Test invalid signatures, expired validation windows, and duplicate operations.
- Try direct calls to validation and execution functions from non-EntryPoint callers.
- Review module installation, removal, and execution permissions.
- Fuzz batched calls and account recovery flows.
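The following is an added example, not code from the original page or from any ERC-4337 implementation. It models a smart account's validateUserOp in plain Python and then runs the replay and mutation cases listed above against it, so the effect of each check (EntryPoint-only caller, a signed hash bound to chain ID, nonce, account and EntryPoint, nonce tracking, validity window) can be observed directly. Stand-ins, all assumptions of the example: keccak256 is replaced by hashlib.sha3_256, the owner's ECDSA signature by HMAC-SHA256 over a constructed owner key, the addresses are placeholders, and the nonce and time-window checks that the real EntryPoint performs are folded into the account so the model runs without a chain.

```python
"""Added example: a dependency-free model of ERC-4337-style validateUserOp
and the review cases from the page. Not code from the page or any project.
Stand-ins (assumptions): sha3_256 for keccak256, HMAC for the owner's ECDSA
signature, placeholder addresses, EntryPoint nonce/window checks moved into
the account so the model is self-contained."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

CHAIN_ID = 1
ENTRY_POINT = "0xEntryPoint"            # constructed placeholder address
OTHER_ENTRY_POINT = "0xEntryPointV2"    # constructed: a different EntryPoint deployment
OUTSIDER = "0xNotTheEntryPoint"         # constructed: an untrusted caller
OWNER_KEY = b"constructed-owner-key"    # stand-in for the owner's private key
SIG_VALIDATION_FAILED = 1               # ERC-4337 return code; 0 means valid


@dataclass(frozen=True)
class UserOperation:
    sender: str
    nonce: int
    call_data: bytes
    valid_after: int
    valid_until: int
    signature: bytes = b""


def user_op_hash(op, entry_point, chain_id):
    """Mirror of the ERC-4337 userOpHash: the packed op (signature excluded)
    hashed together with the EntryPoint address and chain id, so one signature
    cannot be replayed on another chain, EntryPoint, nonce or calldata."""
    packed = json.dumps({"sender": op.sender, "nonce": op.nonce,
                         "callData": op.call_data.hex(),
                         "validAfter": op.valid_after,
                         "validUntil": op.valid_until}, sort_keys=True)
    inner = hashlib.sha3_256(packed.encode()).digest()
    outer = inner + entry_point.encode() + chain_id.to_bytes(32, "big")
    return hashlib.sha3_256(outer).digest()


def owner_sign(digest):
    """HMAC stand-in for an ECDSA signature produced by the account owner."""
    return hmac.new(OWNER_KEY, digest, hashlib.sha256).digest()


def sign_op(op, entry_point=ENTRY_POINT, chain_id=CHAIN_ID):
    """Sign an op the way the owner's wallet would, for the given domain."""
    return replace(op, signature=owner_sign(user_op_hash(op, entry_point, chain_id)))


class SmartAccount:
    def __init__(self, address, entry_point, chain_id):
        self.address, self.entry_point, self.chain_id = address, entry_point, chain_id
        self.used_nonces = set()

    def validate_user_op(self, caller, op, op_hash, now):
        # Caller check first: the account trusts op_hash only because the
        # EntryPoint computed it. Omitting this is the page's first red flag.
        if caller != self.entry_point:
            raise PermissionError("account: caller is not the EntryPoint")
        if op.sender != self.address:
            raise ValueError("account: op.sender is not this account")
        if not hmac.compare_digest(owner_sign(op_hash), op.signature):
            return SIG_VALIDATION_FAILED
        if op.nonce in self.used_nonces:
            raise ValueError("account: nonce already used")
        if not op.valid_after <= now < op.valid_until:
            raise ValueError("account: outside validity window")
        self.used_nonces.add(op.nonce)
        return 0


def submit(account, op, caller=None, now=1000):
    """Play the EntryPoint: compute the hash for this account's domain and call it."""
    op_hash = user_op_hash(op, account.entry_point, account.chain_id)
    try:
        code = account.validate_user_op(caller or account.entry_point, op, op_hash, now)
        return "accepted" if code == 0 else "sig_failed"
    except (PermissionError, ValueError) as exc:
        return "reverted: " + str(exc).split(": ", 1)[1]


def review_cases():
    """Run the page's replay/mutation checks against a fresh account; returns outcomes."""
    account = SmartAccount("0xAccount", ENTRY_POINT, CHAIN_ID)
    op = UserOperation("0xAccount", nonce=7, call_data=b"\x01\x02",
                       valid_after=0, valid_until=2000)
    signed = sign_op(op)
    migrated = SmartAccount("0xAccount", OTHER_ENTRY_POINT, CHAIN_ID)  # same account, new EntryPoint
    other_chain = SmartAccount("0xAccount", ENTRY_POINT, chain_id=5)  # same address, other chain
    expiring = sign_op(replace(op, nonce=10, valid_until=500))         # validly signed, short window
    return {
        "original": submit(account, signed),
        "duplicate": submit(account, signed),
        "non_entrypoint_caller": submit(account, signed, caller=OUTSIDER),
        "changed_nonce": submit(account, replace(signed, nonce=8)),
        "changed_calldata": submit(account, replace(signed, call_data=b"\xff")),
        "changed_chain": submit(other_chain, signed),
        "changed_entrypoint": submit(migrated, signed),
        "bad_signature": submit(account, replace(signed, signature=b"\x00" * 32)),
        "expired_window": submit(account, expiring, now=1000),
    }


if __name__ == "__main__":
    for case, outcome in review_cases().items():
        print(f"{case:>22}: {outcome}")
```

Exactly one case is accepted; every mutation either reverts or returns SIG_VALIDATION_FAILED. Removing any single check from validate_user_op (or dropping a field from user_op_hash) flips the matching case to "accepted", which is the quickest way to see why each item in the red-flag list matters.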