Alchemy ERC-4337 Paymasters

Off-Chain (Private)
Audited on 2025/06/20
No active critical issues

Summary

In this audit, we reviewed two paymaster implementations. The two implementations are almost identical, except that one supports EntryPoint V0.6 infrastructure and the other supports EntryPoint V0.7. The paymasters offer four ways of operating, all of which rely on an approving signature from Alchemy's `verifyingSigner` entity. The first type of payment is unconditional, and the paymaster is not reimbursed for the payment it makes. More interesting are the remaining three options, divided into so-called `modes`, in which the paymaster is paid back in some ERC-20 token for covering the gas costs in ETH. `mode = 0` requires the user to have already set an ERC-20 approval for the token the paymaster is reimbursed in, which lets the token transfer happen in the validation phase. `mode = 1` is reserved for use cases where the execution of the `UserOperation` is assumed to include setting an approval for the paymaster, with the payment then transferred to the paymaster in the `postOp()` call. `mode = 2` adds support for ERC-2612 permits, which set the approval as part of validation and so allow the paymaster to be paid upfront in the validation phase. Overall, the code is very robust and well tested.
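A simplified model of the three ERC-20 modes described above, added here as an illustration and not taken from the audited contracts. It shows in which phase the paymaster is reimbursed and that `mode = 0` is rejected at validation when no approval exists. The HMAC key, the names `PM` and `USER`, the fixed token cost, and the boolean permit flag are constructed assumptions standing in for the `verifyingSigner` signature, real addresses, gas pricing, and the owner's ERC-2612 signature.

```python
import hmac, hashlib

SIGNER_KEY = b"constructed-demo-key"  # stand-in for the verifyingSigner key
PM, USER, COST = "paymaster", "alice", 10  # constructed names and token cost

def sign(mode, user, cost):  # HMAC stands in for the approving signature
    msg = f"{mode}|{user}|{cost}".encode()
    return hmac.new(SIGNER_KEY, msg, hashlib.sha256).digest()

class Token:
    """Toy ERC-20 ledger with allowances and an ERC-2612-style permit."""
    def __init__(self, balances):
        self.bal, self.allow = dict(balances), {}
    def approve(self, owner, spender, amount):
        self.allow[(owner, spender)] = amount
    def permit(self, owner, spender, amount, owner_signed):
        if not owner_signed:  # boolean stands in for the owner's permit signature
            raise ValueError("bad permit signature")
        self.approve(owner, spender, amount)
    def transfer_from(self, spender, owner, to, amount):
        if self.allow.get((owner, spender), 0) < amount or self.bal.get(owner, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        self.allow[(owner, spender)] -= amount
        self.bal[owner] -= amount
        self.bal[to] = self.bal.get(to, 0) + amount

def validate(token, mode, sig, permit_signed=False):
    if not hmac.compare_digest(sig, sign(mode, USER, COST)):
        raise ValueError("not approved by verifyingSigner")
    if mode == 2:  # permit sets the approval during validation
        token.permit(USER, PM, COST, permit_signed)
    if mode in (0, 2):  # reimbursement collected up front
        token.transfer_from(PM, USER, PM, COST)

def post_op(token, mode):
    if mode == 1:  # approval was set while the UserOperation executed
        token.transfer_from(PM, USER, PM, COST)

def run(mode, pre_approved=False, execution_approves=False, permit_signed=False):
    """Return the paymaster's token balance after validation and after postOp."""
    token = Token({USER: 100})
    if pre_approved:
        token.approve(USER, PM, COST)
    validate(token, mode, sign(mode, USER, COST), permit_signed)
    after_validation = token.bal.get(PM, 0)
    if execution_approves:  # models the UserOperation's own approve call
        token.approve(USER, PM, COST)
    post_op(token, mode)
    return after_validation, token.bal.get(PM, 0)
```

`run(1, execution_approves=True)` returns `(0, 10)`: in this model the paymaster holds no tokens after validation and is paid only in `postOp()`, whereas modes 0 and 2 return `(10, 10)`.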


Issues (9)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 6 | - | - | - | 6 |
| Fixed | 2 | 1 | - | - | 3 |
| Total | 8 | 1 | 0 | 0 | 9 |


Contracts (4)