Six mistakes in ERC-4337 smart accounts

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.trailofbits.com/2026/03/11/six-mistakes-in-erc-4337-smart-accounts/
• Blog Title: Six mistakes in ERC-4337 smart accounts
• Suggested Section: Blockchain & Crypto (Web3) -> Add/extend a page on ERC-4337 Account Abstraction / Smart Account Security Pitfalls (incl. validateUserOp patterns, gas-field signing, ERC-1271 domain separation, validation statefulness, fee-drain via revert-after-validation, ERC-7702 init frontrun protections)

🎯 Content Summary

This Trail of Bits post (dated 2026-03-11) explains the ERC-4337 "account abstraction" execution model and highlights six recurring vulnerability patterns observed during audits of ERC-4337 smart accounts ("smart wallets"). The key security takeaway is that account abstraction turns your wallet into a programmable system: a single bug can become as catastrophic as a private-key leak (i.e., full funds loss).

How ERC-4337 works (mental model + where the attack surface comes from)

Ethereum has tw...

🔧 Technical Details

1. Bypass ERC-4337 validation via direct calls to unprotected privileged methods: If a smart account exposes execute (or any fund-moving/privileged function) as external/public without enforcing require(msg.sender == entryPoint) (or a vetted executor module), an attacker can call it directly on-chain and perform arbitrary calls (including value transfers), draining funds while completely bypassing UserOperation validation.

2. Drain ETH by mutating unsigned/unchecked gas parameters in a UserOperation: If signature validation checks only the "intent" (e.g., callData) and does not verify the EntryPoint-provided userOpHash that binds the full operation (including preVerificationGas, verificationGasLimit, callGasLimit, maxFeePerGas, maxPriorityFeePerGas), a bundler or frontrunner can inflate these fields—especially preVerificationGas, which directly increases bundler reimbursement—to cause systematic overpayment and drain ETH. Fix by signing/verifying userOpHash and/or enforcing strict cap...

🤖 Agent Actions

Summary of changes:

• Added a new ERC-4337 smart account security pitfalls page with six vulnerability patterns, mitigations, and a pre-merge checklist.
• Linked the new page from the Blockchain & Crypto index.

Files modified/created:

• src/blockchain/blockchain-and-crypto-currencies/erc-4337-smart-account-security-pitfalls.md
• src/blockchain/blockchain-and-crypto-currencies/README.md

If you want adjustments or additional cross-links within other sections, tell me where you’d like them.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2026/03/11/six-mistakes-in-erc-4337-smart-accounts/

Content Categories: Based on the analysis, this content was categorized under "Blockchain & Crypto (Web3) -> Add/extend a page on ERC-4337 Account Abstraction / Smart Account Security Pitfalls (incl. validateUserOp patterns, gas-field signing, ERC-1271 domain separation, validation statefulness, fee-drain via revert-after-validation, ERC-7702 init frontrun protections)".

Repository Maintenance:

• MD Files Formatting: 955 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0