Session Key

A session key is a limited key authorized by a wallet or smart account to perform constrained actions for a limited time or scope.

A session key is a temporary helper key with restricted permissions.

Session Key Explained in Detail

A session key lets a smart account delegate limited authority. It may allow a specific action, target, token, value limit, time window, or app session without exposing the primary owner key.

The important detail is the constraint set. A session key is only safe if the account enforces its limits on-chain.

Smart contract example

session key -> allowed target + selector + value limit + expiry

The session should fail outside those rules.

Session Key in Auditing

Session keys intentionally delegate account power. A small constraint bug can turn limited permission into full account control.

Auditors test whether session keys can escape their scope.

Red flags in code

  • No expiry or revocation path.

  • Target, selector, token, value, or chain is not bound into the permission.

  • Constraints are checked only off-chain.

  • Session key can install modules, change owners, or approve unlimited spending.

  • Batched calls smuggle unauthorized actions behind allowed calls.

How to test or review it

  • Attempt calls outside the allowed target, selector, token, value, and time window.

  • Test expired, revoked, and replayed sessions.

  • Try cross-chain or cross-account replay.

  • Test batched execution with mixed allowed and forbidden calls.

  • Verify session permissions are enforced by the smart account, not just the UI.
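The constraint set sketched above (target + selector + value limit + expiry) together with the red flags and review steps, as an added Solidity example written for this page rather than code from SCH or any wallet project; the contract, struct and function names are assumptions, and it is deliberately minimal (sender-based sessions, no signature validation, no module system):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative on-chain session key enforcement. Every limit the page lists is
/// bound into the permission and checked for each call in a batch, so a batch
/// cannot smuggle a forbidden call behind an allowed one.
contract SessionKeyAccount {
    struct Permission {
        address target;     // only this contract may be called
        bytes4  selector;   // only this function may be called
        uint256 valueLimit; // cumulative native value cap for the whole session
        uint256 spent;      // value consumed so far
        uint48  expiry;     // unix timestamp after which the key is dead
        bool    revoked;    // owner can end the session early
    }

    struct Call { address to; uint256 value; bytes data; }

    address public immutable owner;
    mapping(address => Permission) public sessions;

    constructor() { owner = msg.sender; }

    function grant(address key, address target, bytes4 selector, uint256 valueLimit, uint48 expiry) external {
        require(msg.sender == owner, "not owner");
        require(expiry > block.timestamp, "expiry in past");        // red flag: no expiry
        require(target != address(this), "cannot target account");  // red flag: key could change owners
        sessions[key] = Permission(target, selector, valueLimit, 0, expiry, false);
    }

    function revoke(address key) external {
        require(msg.sender == owner, "not owner");
        sessions[key].revoked = true;                                // red flag: no revocation path
    }

    /// The session key submits a batch; each call is checked, not just the first.
    function executeBatch(Call[] calldata calls) external {
        Permission storage p = sessions[msg.sender];
        require(!p.revoked && block.timestamp <= p.expiry, "session dead");
        for (uint256 i = 0; i < calls.length; i++) {
            Call calldata c = calls[i];
            require(c.to == p.target, "target not allowed");
            require(c.data.length >= 4 && bytes4(c.data[:4]) == p.selector, "selector not allowed");
            p.spent += c.value;                                      // cumulative: splitting calls does not bypass the cap
            require(p.spent <= p.valueLimit, "value limit exceeded");
            (bool ok, ) = c.to.call{value: c.value}(c.data);
            require(ok, "call failed");
        }
    }

    receive() external payable {}
}
```

A review of this sketch would walk the test list above: a call to another target or selector, a batch mixing one allowed and one forbidden call, a second batch after expiry or revoke, and two calls whose combined value exceeds valueLimit should all revert.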

Practice this in real audit scenarios

Definitions help, but auditors need reps. SCH turns concepts like Session Key into exploit labs, code review habits, and report-writing practice.

Start the free trial or see the full smart contract auditing course.