Cointime

Download App
iOS & Android

Redline DAO In-Depth Research: Why Do We See a Bright Future for Web3 Wallets?

Validated Individual Expert

Abstract:

  • “Not your key, not your coin” holds true for both smart contract wallets and personal account wallets — the private key wields absolute control over the wallet, and if it is lost, the wallet is left vulnerable to risk.
  • The private key forms the foundation of the wallet, and the recovery phrase serves as a means of recovery for it. This is currently a hindrance to the development of wallets.
  • Multi-Party Computing (MPC) and social recovery bring the possibility of a recovery phrase-free solution, which is essential for mass adoption.
  • There is potential for even more possibilities in the future of wallets, and we are excited about EIP-4337.

In 2010, Ethereum founder Vitalik Buterin had a Warlock account in World of Warcraft. One day, Blizzard decided to nerf the Warlock class and removed the spell damage component of the Life Drain spell. He cried himself to sleep and on that day realized the horrors of centralized servers, so he quit and created the decentralized network Ethereum. In November 2022, the world’s largest derivatives exchange, FTX, was exposed for misusing user funds, and its founder, SBF, was arrested by the Bahamian police and is awaiting trial in the United States.

From the Warlock player who was inexplicably backstabbed by Blizzard 13 years ago, to today’s FTX users who are fighting for their rights, we are increasingly aware of the importance of the phrase “Not your key, not your coin”: Even with third-party auditing/regulatory agencies, centralized servers can still arbitrarily alter and whitewash data, while on decentralized networks, the blockchain ledger is transparent and cannot be altered, as long as we have the private key for our own account, we have absolute control over our personal assets.

As individuals living in the crypto space, we are the primary custodians of our personal assets. When most users choose a blockchain wallet, the crucial trade-off is: “How much risk and responsibility am I willing to bear for my assets?” Taking traditional financial institutions as an example:

  • In the eyes of users who prioritize security, they prefer to put their money in a bank with a cumbersome account opening process but a large-scale backed asset: the solvency of a large bank (risk) > the strict standards of the account opening process (responsibility).
  • In the eyes of users who prioritize applicability, they are satisfied with simply keeping their money in WeChat and Alipay, which can facilitate P2P transactions and only require an ID and phone number to register, even though WeChat and Alipay are only listed companies and not national banks: the convenience of WeChat (responsibility) > the operating condition of WeChat (risk).

Returning to Web3, there are two ways to store assets in Web3: custodial wallets and non-custodial wallets. Before we delve into these options, it’s important to have a brief understanding of how blockchain wallets work:

Wallets and Private Keys

The process of generating an account is the same as creating a private key. On Ethereum, there are two types of accounts: EOA accounts (External Owned Accounts) and contract accounts (smart contracts deployed on the chain by EOA accounts):

  • Taking EOA accounts as an example, a private key is generated by creating a random 256-bit number. The corresponding public key is then derived from the private key using the SHA3 algorithm. The address (the last 20 bytes of the original hash) is then calculated using the keccak-256 function, resulting in a personal account associated with a unique private key. In this process, the private key generates 12 mnemonic phrases which can be used to re-derive the private key.
Source:https://www.liaoxuefeng.com/files/attachments/1381807125692481/l
EOA address
  • Currently, the most popular dApp wallets on major chains are EOA wallets, such as Metamask, Phantom (Solana), BSC Wallet (BSC), and Keplr (Cosmos).
  • Smart accounts, on the other hand, are EVM codes deployed on the chain by EOA accounts that can perform various functions. However, unlike EOA accounts, smart contract accounts do not have private keys and cannot be actively executed. They can only be called by EOA accounts. Therefore, the ultimate control of smart contract wallets = the private key of the EOA account used to deploy the contract. From this perspective, smart contract accounts are also controlled by private keys. Any wallet address that is a contract is a smart contract wallet
  • 1. Smart contract wallets are divided into multi-sig wallets and abstract account wallets:
  • 2. Multisig wallets: As early as 2013, multi-sig wallets have been the primary choice for fund organizations. This technology was originally developed in the Bitcoin ecosystem and now exists in excellent form on Ethereum as well, such as the Gnosis Safe. The Ethereum Foundation uses a 4-of-7 multi-sig wallet (i.e., a smart contract is created to hold the fund, and 7 EOA accounts control the contract. Only when 4 or more of the EOA accounts sign can the signature be completed)
  • 3. Abstract accounts, on the other hand, use a single EOA wallet to control the contract address, achieving the effect of simulating an EOA with a smart contract. Popular projects like Argent/Loopring are examples of abstract account wallets.
Apecoin Contract Address
  • After creating an account, we cannot participate in any activities on the chain without the involvement of a private key. In a decentralized network, there is no trust institution like a bank. In order to reach a transaction between two nodes, we must implement a mechanism for safe transactions without trust.
  • We assume that Bob and Amy want to reach a transaction, one method of creating a transaction is that Amy claims Bob gave him 10,000 pieces of money, which is clearly not credible;
  • Another method of creating a transaction is: Bob claims he gave Amy 10,000 pieces of money, as long as it can be verified that this statement was made by Bob, and Bob really has 10,000 pieces of money, then this transaction is considered valid:
  • How to verify Bob’s statement?
  • 1. The signature created by the private key allows the verifier to confirm the initiator of the statement: anyone can verify the result of the digital signature and transfer through the public key, because only Bob, who has the private key, can initiate this statement, so it can be confirmed that the statement was indeed made by Bob.
  • 2. In the Ethereum network, such transactions include not only P2P transfer transactions but also calls to smart contracts.
  • 3. Therefore, when we use wallets on a daily basis, we are essentially calling the local private key through the wallet platform to complete the signature on the chain.

The Security, Ease-of-Use, and Censorship-Resistance of a wallet.

A wallet is essentially a tool for 1. creating a private key, 2. safeguarding the private key, 3. using the private key, 4. backing up the private key, and 5. recovering the private key.

Currently, the most popular method for private key backup/recovery is the mnemonic phrase, which is a combination of 12 or 24 words that appear when the wallet is registered.

  • 1. A mnemonic phrase can be used to derive the plaintext of a private key. When a user migrates their wallet to a new device, they can simply enter their mnemonic phrase into the wallet app to derive their private key and regain control of the wallet.
  • 2. For the user, the private key is equivalent to the mnemonic phrase, but these two concepts still have some differences in the daily use of the wallet. The mnemonic phrase is simply a backup and recovery plan for the user’s private key.
  • 3. A metaphor: the mnemonic phrase is like making a casting mold of your key. If you lose your key, you can use the mnemonic phrase to generate a new, identical key.

As the singular means of interaction with the blockchain network, it falls to us to safeguard our wallet’s private key and mnemonic seed phrases. While generating one’s own address through the SHA256 algorithm via an offline environment is the most secure method of creating an account, this option is impracticable for the overwhelming majority of users due to the high technical barriers it presents. Thus, in choosing a wallet, users should consider three essential factors: security, ease of use, and censorship resistance:

  • 1. Security: What is the cost to potential hackers in compromising a wallet’s private key/mnemonic seed phrases?
  • 2. For instance, in the case of a hardware wallet, a private key can only be obtained through phishing attacks or physical theft.
  • 3. Ease of use: How user-friendly is the wallet?
  • 4. The registration process for Metamask requires users to record and subsequently re-enter 12 mnemonic seed phrases upon changing devices. In contrast, registering for and logging into Binance can be accomplished with a single click via email login.
  • 5. Censorship resistance: Is the ultimate control of the wallet in the hands of the user?
  • 6. If a wallet app stores a user’s imported mnemonic seed phrases in plaintext on its servers, it may be vulnerable to hacking. Even in the absence of such an attack, there is always the risk of internal malfeasance. In either case, censorship resistance is not ensured.

There are two main types of wallets: non-custodial wallets and centralized custodial wallets.

  • 1. Non-custodial wallets: Users are responsible for safeguarding their own mnemonic seed phrases.
  • 2. For example, Metamask is a non-custodial cryptocurrency wallet. Non-custodial means that Metamask does not store any data about the wallet, and the private key data is stored locally in the browser or mobile app. When a user needs to perform on-chain signing activities, Metamask retrieves the private key from the local file to sign it. However, if a user loses or has their private key and mnemonic seed phrases stolen, Metamask cannot help them recover it, and their assets will be lost permanently.
  • 3. Hardware wallets, such as Ledger, are widely recognized as the most secure. They generate private keys and wallet addresses offline on a hardware device, and the public key for the address is imported into a web wallet such as Metamask. When signing is required, it is confirmed offline on the Ledger hardware. Since the private key never touches the internet, it is very difficult for hackers to steal the private key from the hardware wallet. However, if the user loses their mnemonic seed phrases or falls victim to phishing, the protective capabilities of the hardware wallet are nullified, and their assets can still be stolen.
  • 4. Custodial wallets: Exchange wallets such as Coinbase/Binance adopt the custodial wallet approach. The difference is that the accounts displayed on Coinbase are not owned by the user’s private key, but are simply accounting numbers displayed in the Coinbase program rather than on-chain assets displayed on Etherscan. This can be understood as the user trusting Coinbase to hold their assets in custody rather than owning them themselves, so Coinbase’s accounts cannot interact with dApps such as Uniswap.

Overall, in custodial wallets, the project party holds the mnemonic seed phrases in custody and the threshold for registering and recovering the wallet is low. However, the security of the wallet depends on the project party rather than the user themselves, and the project party has actual control of the wallet. In non-custodial wallets, the mnemonic seed phrases are in the hands of the user, and the threshold for registering and recovering the wallet is high, but the security and censorship resistance are both very high.

Drawbacks of the mnemonic seed phrase

As Web3 continues to evolve and more needs and use cases emerge, the on-chain ecosystem is thriving, particularly in the wake of the 2021 Defi Summer which saw a large influx of users migrating their assets from exchanges to the chain. As of March 2022, MetaMask’s monthly active user base had reached 30 million.

However, mnemonic seed phrases, the current most mainstream account recovery scheme, have also become a primary target for hackers. For the ordinary user, the most common instance of wallet theft is the copying of mnemonic seed phrases from the clipboard or the theft of private key files stored locally through phishing websites.

  • When hackers attack, they must weigh the cost of the attack against the potential rewards. All private keys (mnemonic seed phrases) are a subset of a dictionary and, by exhaustively searching through all possible combinations, a hacker could potentially gain access to all on-chain assets. However, this cost-benefit ratio is poor. If the dictionary were searched using brute force algorithms to find all possible combinations, it would take:
  • For the current mainstream mnemonic seed phrase of 12 English words, with a vocabulary of 2048 words, 2048¹²=5.44e39 combinations (5444517870735000000000000000000000000000).
  • Such a massive amount of computing power would be enough for a hacker to launch a 51% attack on the BTC network.
  • Therefore, hackers have a higher rate of return by phishing users’ mnemonic seed phrases or stealing private key files stored on local devices.

Continuing with Metamask as an example, hackers can obtain saved mnemonic phrases and private keys in two places:

  1. Mnemonic phrases: After creating a wallet, it is important for users to safeguard the generated mnemonic phrases, which are generally recommended to be handwritten on a piece of paper and properly stored.
  2. However, some people may be lazy and use the clipboard to copy and paste, save them in a doc document, or even in WeChat chat records. If a hacker has installed malicious software on the user’s phone/computer that constantly monitors the clipboard, they can steal the just-created private key. For example, it was rumored that QuickQ VPN was caught copying users’ clipboards to steal mnemonic phrases.
  3. Private keys: At the same time, Metamask generally saves the encrypted private key on the local device where the wallet was created for easy access. If the Metamask plugin is installed on Chrome:
  4. On Windows, the location where Metamask stores the private key is: C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn.
  5. On Mac, the location is: Library>Application Support>Google>Chrome>Default>Local Extension Settings>nkbihfbeogaeaoehlefnkodbefgpgknn.

Therefore, the security of Metamask depends on the security of Chrome. If a hacker successfully penetrates Chrome’s firewall, they can obtain the user’s address private key and transfer all assets. This is also why hardware wallets are more secure than plugin wallets like Metamask.

Beyond Metamask, some non-custodial wallets lack, such as the Slope wallet on Solana being hacked: Slope’s mobile app sends the mnemonic to their Sentry server through TLS when creating the Phantom wallet, which is then stored in plaintext, meaning anyone with access to the Sentry server can access the user’s private key.

Aside from this, there are more wallet security incidents worth reflecting upon.

EOA Accounts being Stolen

  1. In 2022, Fenbushi Capital’s founder’s wallet was stolen

The cause of the theft of Shen Bo’s wallet was the leakage of mnemonic phrases, and the wallet used at the time of the theft was Trust Wallet. The stolen amount included approximately 38.23 million USDC, 1,607 ETH, 720,000 USDT, and 4.13 BTC.

     2. In 2018, hackers were able to gain access to the Bitcoin wallet of renowned Bitcoin investor, Karl Welchez, through social engineering techniques, transferring the assets to their own account.

Smart Contract Accounts Being Hacked

  1. The Paraswap contract deployment address was stolen

According to Slowmist’s investigation report: The hacker address (0xf358..7036) had already obtained the private key privileges of ParaSwap Deployer and QANplatform Deployer. The hacker extracted $1000 from ParaSwap Deployer and transferred it to the QANplatform Deployer address as a test. After analyzing 0xf358..7036 with the AML platform, we found that the hacker also stole The SolaVerse Deployer and many other fancy addresses. As of now, the hacker has stolen more than $170,000.

      2. The Ronin bridge was attacked in March of this year, resulting in a loss of 17.36k ETH and 25.5m USDC

The hacker fabricated a nonexistent company, used LinkedIn and WhatsApp to contact Axie’s senior engineer, lured him with a new job opportunity, arranged an interview, and finally offered a generous package, but the offer document was toxic, successfully infiltrating the Axie system and stealing the engineer’s EOA address private key for contract deployment.”

In addition to being a primary target for hackers, mnemonic phrases also serve as a high barrier for entry for new users of Web3.

  1. When creating a wallet, for security purposes it is necessary to manually copy down 12 words, and it is best not to take a picture of the resulting sheet of paper. Even if using a trusted, open-source password storage software (such as 1password), we are unable to utilize the convenience of copy and pasting due to the risk of clipboard theft.
  2. When restoring a wallet, or switching login devices, it is necessary to retrieve the sheet of paper and re-enter the 12 words.

The mere act of safeguarding a sheet of paper with 12 words written on it is inherently untrustworthy and un-Web3-like. We look forward to a future living in the metaverse, but the security of our accounts relies on a piece of paper invented during the Song Dynasty. As such, these two steps are enough to discourage most Web2 players, as most registration processes in the Web2 world can be logged into with a single click using a Google or iOS account.

The Recovery of Accounts without Mnemonic Phrases

To reduce the barrier to entry for wallets and encourage more users to adopt Web3, we need to implement login systems that are similar to those used in Web2, but without compromising the security or censorship resistance of the wallet. To this end, it is necessary to develop more convenient and secure methods of account recovery. Currently, all discussions point towards one solution: recovery without mnemonic phrases. There are currently two approaches to implementing mnemonic-less recovery: MPC and Social Recovery function.

  1. MPC: private keys are generated through multi-party computation, thus avoiding single-point failures caused by the loss/theft of private keys on the user end
  2. This can be understood as: MPC is a 3FA, with each verification method holding a fragment of a key. The lock has no single key, and if one fragment of the key is lost, the user can recover it with the other verification methods
  3. Social recovery: funds are stored in a smart contract and controlled by an EOA wallet through multi-signature/single-signature schemes, and trusted third-party guardians are designated. If the private key of the EOA wallet is lost, the guardians can change the control of the contract, so the user does not need to save a mnemonic phrase
  4. Currently, discussions often discuss social recovery and account abstraction wallets together, but it should be noted that social recovery is a standard and function on the smart contract, proposed by [EIP-2429] in 2019, which allows users to change the control of private key of the contract through guardians. The recently hot topic of EIP-4337 is a discussion about account abstraction, which we will discuss in the following section.

MPC — Multi-Party-Computation

MPC scheme creates private key fragments through multi-party computation when creating an EOA wallet. In 2019, the paper “Two-Party Elliptic Curve Digital Signature Based on Secure Multi-Party Computation” was published at CRYPTO 2019, officially bringing the implementation of MPC into the public’s view. MPC stands for Secure Multi-Party Computation.

  1. Multi-party computation (MPC) is a branch of cryptographic technology that dates back to the pioneering work of Andrew C. Yao almost 40 years ago. Using MPC, the generation of private keys is no longer dependent on a single point but can be calculated and held by a group of untrusted parties (n parties) together (n fragments of private keys), a technology known as DKG (Distributed Key Generation).
  2. Distributed key generation can be carried out using access structures that allow for different types of access: the conventional “t out of n” setup (as long as t of the n private key fragments are involved in the signature, it can be proven to be a valid signature) will be able to withstand up to t arbitrary failures in operations related to the private key without compromising security.
  3. The threshold signature scheme (TSS) is the term for the combination of distributed key generation (DKG) and distributed signature.
  4. At the same time, when one of the private key fragments is lost/exposed, MPC supports the recovery and replacement of private key fragments, achieving the effect of ensuring account security without the need to change the account.

MPC scheme ensures that no complete private keys appear during the creation, usage, storage, backup, and recovery of the account through multi-party generation/holding of private key fragments and the “t out of n” TSS threshold signature scheme, achieving higher convenience than single-point generated/held private key wallets such as MetaMask in terms of security and censorship resistance.

  1. Security
  2. No private keys/mnemonic phrases: During the wallet generation process, each party (the wallet project and the user) generates private key fragments through MPC, and the complete private key never appears during the process. It can be understood that MPC is a truly private keyless wallet.
  3. Increased cost for hacker attacks: Even if a hacker infiltrates the user’s local device, they can only obtain private key fragments. Only when the hacker controls the wallet’s server + the user’s local device can they steal the user’s assets.
  4. Ease-of-Use:
  5. Social login: Users can create an account on the MPC wallet using identity verification methods such as email (assuming the MPC wallet uses a 2/2 signature scheme, where both private key fragments must be used simultaneously to sign).
  6. Censorship resistance:
  7. Centralized institutions (wallet/backup devices) only hold fragments of the account’s private key and cannot control the user’s account.

Social Recovery Function

Social recovery function is deployed on a smart contract account. A smart contract wallet can be understood as a contract deployed on the chain by an EOA account to manage funds and is similar to a regular smart contract. The EOA wallet of the deployer has control over the smart contract.

  • Smart contract wallets are not a private keyless solution because the controlling EOA wallet has a private key.
  • However, smart contract wallets can change the user’s signing private key through the social recovery function.
  • Continuing with the lock analogy, the social recovery function is like getting a new key from the guardian after your key is lost.

Two years after the EIP-2929 proposal, in 2021, Vitalik first proposed a case of social recovery wallet application on the forum:

  1. When creating a smart contract wallet, the user can specify other EOA addresses as “guardians,” which must be signed on-chain and incur a gas fee.
  2. The user’s EOA account acts as the “signing private key,” which can be used to approve transactions.
  3. At least 3 (or more) “guardian” EOA accounts, which cannot approve transactions but can change the “signing private key.” Changing the “signing private key” also requires the guardians to sign and pay a gas fee.
  4. The signing private key has the function to add or remove guardians, but the process takes a certain amount of time (usually 1–3 days).
  5. In daily use, the user can use a smart contract wallet with the social recovery function (such as Argent and Loopring) like a normal wallet, using their signing key to confirm transactions. This way, every transaction can be quickly confirmed with a single confirmation.
  6. Creation: The creation of a private key for an abstracted account wallet is no different from that of Metamask.
  7. Custody: As the EOA wallet controlling the contract is only used as a “signature private key” and can be transferred through a guardian, the user does not need to specifically store a mnemonic phrase.
  8. Usage: Contract wallets, like MPC and traditional wallets, are used for transferring and trading, but due to the need to call the contract, they are more expensive than MPC wallets. However, because it is a contract call, it supports the use of non-native tokens such as USDC/USDT for payment, which greatly reduces the interaction difficulty for new Web3 players. In principle, in the same transaction, the project party swaps the user’s USDC for ETH and pays the gas fee on their behalf.
  9. Backup: The private key backup process for an abstracted account wallet is replaced by “guardians,” but this is counterintuitive and costly:
  10. When a user first uses Web3 and wants to register a wallet, they must find three trusted friends with EOA wallets in Web3 to become their guardians and pay gas fees.
  11. If the user wants to compensate their friends for the gas fees, they need to pay for the gas fee of 6 transactions in total, while it’s free to create a Metamask account.
  12. Recovery: If a user loses their signing key, they can apply to use the social recovery function. The user needs to contact their guardians and have them sign a special transaction (paid for by the user or the guardian) to change the signing key registered in the wallet contract to a new one. This is much simpler: guardians can view recovery requests and sign them through a website, such as security.loopring.

However, in terms of the security of the private key, it does not reach the level of an MPC wallet:

  1. The cost of being attacked: hackers can still gain access to the complete private key by infiltrating the user’s device, in other words, using a smart contract wallet only adds another means of recovering the private key in the event that it is lost
  2. Low resistance to censorship: as the social recovery function requires the designation of “guardians,” there is the possibility of guardians colluding with each other for wrongdoing
  3. The main risks of social recovery are:
  4. Collusion: if some users know that they are part of a recovery, they may be interested in executing an attack on the recovery;
  5. Targeted attacks: external agents may be aware of the owner of a recovery and target the weakest point needed to execute a recovery attack;
  6. General exposure: if an attacker manages to infect a large user’s base environment dependencies and gain access to multiple identities, they may also have unintended consequences for unaffected users through recovery.

MPC vs. Social Recovery: Security, Ease-of-Use, Censorship-Resistance

The future of the Mass Adoption: Web3 Wallet

Now that we have mnemonic-less account recovery schemes, we can expect the next generation of Web3 wallets to be ones that can be registered and logged in with an email. In this analysis, we will compare two representative projects: MPC wallets and account abstraction wallets, both of which have achieved a low threshold for user access with mnemonic-less schemes.

Bitizen

Among the MPC wallets, Bitizen, which has thoroughly achieved both convenience and resistance to censorship, uses a 2/3 TSS scheme. Let’s analyze its security and resistance to censorship:

Security

  1. Creation: To achieve strong censorship resistance, after completing the registration of the wallet, the user can Bluetooth backup their private key fragments with a second device using a 2/3 TSS scheme: the Bitcoin server, the user’s local device, and the user’s second device.
  2. Custody: Since the complete private key was not generated during the wallet creation process, there are no mnemonic phrases: the user’s Bitcoin account will be associated with the user’s cloud drive and email, and the user only needs to log in with their email to use the Bitcoin wallet normally.
  3. Usage: The user can sign in by obtaining the private key fragments stored in the Bitcoin cloud and on the local device through facial recognition authentication (2/3). After the second device backs up the private key fragments through Bluetooth, it can be saved offline completely and does not need to be used at all on ordinary days (signing only requires the Bitcoin server and the user’s main device).
  4. Backup: Backup the local private key fragments to the user’s cloud drive. When the user needs to switch devices to log in, they can simply authenticate with their email and face, and Bitcoin will request the user to restore the private key fragments from the cloud drive backup.
  5. Recovery: Similarly, when the user’s device is lost/accidentally deleted the local Bitcion files, they can recover the private key fragments through the cloud drive. If the user is even unable to log in to the cloud drive, Bitcion will recalculate the private key fragments through the private key fragments on the server and the user’s second backup device, allowing the user to restore the wallet on a new device.

Censorship Resistance:

A 2/3 TSS scheme gives the user absolute control over their wallet (with 2/3 of the private key fragments in their possession), even if Bitizen goes bankrupt or runs away, the user can still exercise control over their wallet.

Source: https://docs.bitizen.org/Comparison/Overview

Unipass

Unipass, an abstracted wallet, combines the benefits of smart contract and MPC (Multi-Party Computation) wallets in order to:

  1. Facilitate the use of any mainstream, liquid token for gas fees during transactions.
  2. Safeguard private keys through the use of MPC (2/2) and TSS (Threshold Signature Scheme) technologies for distributed key generation, eliminating the possibility of a single point of failure for private keys:
  3. Private keys are divided into two pieces, one of which is stored on Unipass’s server and the other on the user’s device.
  4. Allow for the recovery of private keys through the use of the DomainKeys Identified Mail (DKIM) scheme, allowing users to use their email address as a “guardian” rather than another EOA address.
  5. This significantly lowers the threshold for users to find a guardian, as they do not need to be involved in the blockchain and only require an email address.
Source: https://docs.wallet.unipass.id/docs/architecture/email-on-chain-verification

Ease-of-Use to High Applicability

Ease-of-Use wallets are not the end of the wallet application, and there is still some distance between the current Web3 infrastructure and traditional Web2 finance. Visa’s automatic debit and regular automatic payment functions bring great convenience to users, but they are still somewhat difficult to implement on Ethereum. The Abstract Account may be the next high-applicability blockchain wallet narrative: Visa released an article “Auto Payments for Self-Custodial Wallets”, exploring the use of the Abstract Account wallet Argent to implement automatic programmable payment on the StarNet network, allowing users to automatically pay with self-custodial wallets without signing each transaction. But how does the Abstract Account wallet actually work? This concept has actually been around for a long time.

Account abstraction: From EIP-2938 to EIP-4337

As EIP-4337 was proposed, the topic of account abstraction has returned to the forefront. Social recovery and account abstraction (using smart contracts as EOA wallets, i.e., account abstraction) were proposed as early as EIP-1271 and have been implemented by wallets such as Argent on Layer2 networks like StarkNet. So what sets the recent EIP-4337 proposal (account abstraction) apart?

From EIP-86 in 2015 to the current EIP-4337, the core idea among developers has been “contracts as wallets”. Account abstraction allows users to interact with the mainnet in an intuitive way and gives them precise control over the key permissions of their accounts. Since the code of EOA accounts is fixed, it is difficult to add modular or functional design elements to EOA wallets such as batch transfers or social recovery. Therefore, a breakthrough has been sought in smart contracts. The proposal most similar to EIP-4337 is EIP-2938, which also defines a new smart contract operation protocol, but requires modification at the consensus layer, making it difficult for developers to maintain. The main innovation of EIP-4337 is that the mainnet does not require a protocol change at the consensus level.

  • In EIP-1237, contract address signature initiation relies on centralized Relayers for signing, which are centralized and have varying standards among themselves, making them incompatible with multiple chains/dApps.
  • EIP-4337 proposes the use of Bundlers instead of Relayers, which are decentralized multi-parties, thus enhancing the anti-censorship capabilities of smart contract wallets and standardizing signature standards, greatly reducing the integration difficulty for developers.
  • EIP-4337 will have an impact in the future, but as of now it does not improve user experience. Therefore, the discussion of this proposal is limited to VCs and developers, more like Move in relation to Aptos, causing excitement among VCs and developer communities, but for Web3 users, this Layer1 written in solidity or Move does not currently have much of a change in user experience.
  • After all, the smart contract wallet Argent, which has raised $5.62 million in financing and has been in development for 4 years, has only had 74,000 addresses: just like how users only started using Metamask to dig for high APY mining after the rise of DeFi, a new catalyst may be needed for the current smart contract wallet craze.’
Source: https://dune.com/tschubotz/argent
  • Though Argent’s user deposits are not yet numerous, with the implementation of Ethereum’s account abstraction proposal, it means that Argent users will be able to seamlessly connect to the Ethereum mainnet from StarkNet. The sparks ignited during this process are also worth anticipating.
Source: https://dune.com/tschubotz/argent

Use cases

  • Fine-grained permission control: Fine-tune the single signature permission of an EOA:
  • Grant user A the transfer quota of X TokenB in the contract
  • Grant user B the trading permission of authorized tokenC in the contract instead of the transfer permission
  • When the contract is not used for a long time, automatically transfer the usage rights of the contract
  • Diversified payment methods for gas: Third-party payment or payment with any token
  • Automatic deduction/refund

Embracing the Future of Web3

It is a well-known fact that while the number of Web2 users has reached 4.8 billion, the number of Web3 users has only recently surpassed 100 million in 2022. We are still in the early, pioneering stages of blockchain development.

Source: https://emtemp.gcom.cloud/ngw/globalassets/cn/information-technology/images/graphs/5-trends-drive-the-gartner-hype-cycle-for-emerging-technologies-2020-chinese.jpg

“What level of risk and responsibility am I willing to take on for my assets?” Is it possible to have a wallet that is both secure and doesn’t require me to remember my private key? It has always been a question posed by traditional VCs: “Is there a scenario where only Web3 can do something that Web2 can’t?” We believe that Web3 wallets are one example that contradicts traditional Web2: only in a decentralized Web3 network can we expect a wallet that satisfies censorship resistance, security, and user experience, where users neither bear the risk nor the responsibility. Such a wallet is also an important foundation for the 47 billion Web2 users to embrace the future of Web3: the wallet is not only the first entrance to Web3, but also the foundation for the development of on-chain domain names (such as ENS), soul-bounded tokens, and decentralized identifier reputation systems. Without a secure wallet environment, the building of Web3 lego will have no solid foundation.

We need to more seriously consider that there are few opportunities to “fire” in a bear market. MPC gives us a glimpse of the future of EOA wallets that are more user-friendly and secure and is adaptable to all current EVM chains. The integration of smart contracts into dApps still has a long way to go, and the social recovery plan currently looks inadequate. However, the potential of smart contracts for the future is exciting. We are faced with the question of who to bet on, and we will put forward this answer with our money. 2022 was a dark year for cryptocurrencies, but we still believe that the future is bright. We are the awakened warlocks in the World of Warcraft, and we hope to create a world where no one can take away our lifesteal (unless a proposal passes with a vote 😠).

Disclaimer: Part of this article is based on an interview with Winson, CEO of Web3 Wallet Bitizen. Bitizen is one of Redline DAO’s Portfolios. We would like to thank Bitizen and Winson for their support for this article.

Reference

Comments

All Comments

Recommended for you

  • U.S. consumer confidence improves again in November, reaching a two-year high

    Dana M. Peterson, Chief Economist of the World Large Enterprises Federation, said, "US consumer confidence continued to improve in November, reaching the highest level in the past two years. The growth in November was mainly due to consumers' more positive assessment of the current situation, especially in the labor market. Compared with October, consumers' optimism about future employment opportunities has also greatly increased, reaching the highest level in nearly three years. At the same time, consumers' expectations for future business conditions have not changed, while their optimism about future income has slightly declined." Earlier, the US Conference Board Consumer Confidence Index for November recorded 111.7, a new high since July 2023.

  • Starknet: Phase 1 of STRK staking is now live on the mainnet

    Starknet announced that the first stage of STRK staking has officially launched on the mainnet.

  • CZ: Not trying to end the meme craze, just encouraging more builders

    CZ posted on X platform today, saying: "I am not against Meme coins, but Meme coins have become 'a little' strange now. Let's use blockchain technology to build practical applications." Some community users said that even Musk is a supporter of Meme coins, and it is very difficult to end this frenzy. CZ responded that "there is no attempt to end anything, everyone has the right to choose to invest or hold what they want. Just encourage more builders."

  • Talus Network Completes $6 Million Strategic Round of Financing with a Valuation of $150 Million

    decentralized AI protocol Talus Network raised $6 million in a strategic financing round led by Polychain Capital, valuing the company at $150 million. This funding will help further develop the Talus ecosystem, including the Protochain, Nexus framework, and "AI dating experience" application.

  • AXIOS: Trump is considering appointing a secretary of state for artificial intelligence

    according to AXIOS, Trump is considering appointing an AI minister to coordinate federal policies and government use of emerging technologies.

  • Coinbase International has launched COW perpetual contracts

     Coinbase International has launched COW perpetual contracts. COW-PERP market limit, market, stop loss, and stop loss limit orders are now all available.

  • Schuman Financial Completes $7.36 Million Seed Round, Led by RockawayX

    Schuman Financial has completed a $7.36 million seed round of financing, led by RockawayX, with participation from Lightspeed Faction, Kraken Ventures, Nexo Ventures, Gnosis VC, Delta Blockchain Fund and Bankless Ventures. In addition, Schuman Financial has launched a euro stablecoin, EURØP, which complies with the MiCA standard.

  • QCP: BTC's path to $100,000 has stalled, and ETH implied volatility has turned to put options

    QCP Capital has published an analysis indicating that the recent drop in the price of Bitcoin has resulted in long liquidations exceeding $430 million. This drop coincides with the end of five consecutive days of net inflows for spot ETFs, which recorded a outflow of $438 million on Monday, while MicroStrategy fell by 4.4%. With the US holiday approaching and no immediate catalyst to push prices higher, BTC's path towards $100,000 has stalled. In addition, the implied volatility of ETH has turned to bearish options rather than bullish options, and market concerns about downside risks may intensify, especially with the release of the FOMC meeting minutes and PCE data. However, in the long run, this market decline is not an excessive correction. Bitcoin has only retreated to last week's level. Since Trump's election, the market has become extremely overbought and leveraged, so a pause is inevitable.

  • Binance will delist GFT, IRIS, KEY, OAX, and REN

     Binance will delist the following trading pairs on December 10, 2024: GFT/USDT, IRIS/BTC, IRIS/USDT, KEY/USDT, OAX/BTC, OAX/USDT, REN/BTC, and REN/USDT. Additionally, Binance Futures will close all positions and automatically settle the KEYUSDT and RENUSDT USDⓈ-M perpetual contracts on December 3, 2024 at 09:00 (UTC). After the settlement is completed, the contracts will be delisted.

  • Web3 data and AI company Validation Cloud completes $10 million in new round of financing

     Web3 data and AI company Validation Cloud announced a $10 million financing round from True Global Ventures. The company plans to use the funds to expand its AI products and achieve seamless access to Web3 data.