Access Control

Adam Boudj edited this page Jul 31, 2024 · 4 revisions

Nexus - Access Control Documentation

1. Introduction

This document provides an overview of the access control measures for the Nexus Smart Account, which complies with ERC-7579 and ERC-4337 standards. Outlining the security and access control mechanisms in place ensures transparency and clarity for auditors and users.

2. Deployment Strategy

The Nexus Smart Account follows the UUPS Proxy Pattern as defined in ERC-1822, allowing for future upgrades while maintaining strong access control. Only the EntryPoint or the account itself can initiate an upgrade, ensuring unauthorized entities cannot alter the contract's logic.

Note

Entrypoint Deployment: The EntryPoint contract is deployed at the same address (0x0000000071727De22E5E9d8BAf0edAc6f37da032) across all EVM chains for consistency. On new chains, the EntryPoint can be deployed using Nick's keyless method to achieve predictable addresses, facilitating easier integration and interoperability.

3. Access Control Mechanisms

The Nexus Smart Account utilizes several modifiers to restrict access to its functions:

  • onlyEntryPointOrSelf: Restricts function access to the EntryPoint or the smart account itself, preventing unauthorized calls.
  • onlyEntryPoint: Limits function access exclusively to the EntryPoint, ensuring only the designated entry point can perform specific operations.
  • onlyExecutorModule: Ensures that only registered executor modules can call certain functions, providing an additional layer of security for transaction execution.
  • onlyAuthorized: Ensures that only authorized entities, such as the EntryPoint, the smart account itself, or registered executor modules, can call certain functions, providing an additional layer of security for transaction execution and module interactions.

Modules are added by calling the installModule function, specifying the module type. This process includes checks to prevent the installation of duplicate or incompatible modules, ensuring that only valid and necessary modules are integrated into the smart account.

4. User Operation Validation

The validateUserOp function validates transactions by verifying signatures and nonce alignment before execution. It forwards the validation task to appropriate validator modules, ensuring that each transaction is authorized and correctly structured.

Important

Validation Process: This method ensures that only authorized and correctly structured transactions are processed, adding an extra layer of security.

5. Execution Permissions

The executeFromExecutor function handles requests from executor modules, with additional security checks via hooks. This ensures that only authorized modules can initiate transactions and that each transaction is validated and securely executed.

Caution

Secure Execution: Ensures that all transactions are validated and securely executed by authorized modules only.

6. Additional Technical Specifications

The Nexus Smart Account leverages ERC-7201 to prevent storage collisions, maintain state integrity, and ensure that different modules and operations do not interfere with each other's data.

Note

Namespace Storage: Ensures state integrity and prevents interference between modules.
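As an added illustration that is not the Nexus source, the following Solidity sketch shows how the four modifiers from section 3 and the namespaced storage from section 6 fit together: the executor registry lives in an ERC-7201 namespaced struct so an upgraded implementation cannot collide with it. The contract name, the namespace id example.sketch.storage, the installExecutor function and the error names are assumptions.

```solidity
pragma solidity ^0.8.20;

// Illustrative sketch (not Nexus source): the four access modifiers described
// in section 3, with the executor registry kept in an ERC-7201 namespaced
// storage struct (section 6) so an upgraded implementation cannot collide with it.
contract AccessControlSketch {
    /// @custom:storage-location erc7201:example.sketch.storage   (hypothetical namespace id)
    struct AccountStorage {
        mapping(address => bool) executors; // registered executor modules
    }
    address public immutable ENTRY_POINT;

    error Unauthorized(address caller);
    error AlreadyInstalled(address module);
    constructor(address entryPoint) { ENTRY_POINT = entryPoint; }

    // Slot derivation as specified by ERC-7201:
    // keccak256(abi.encode(uint256(keccak256(id)) - 1)) & ~bytes32(uint256(0xff))
    function _store() private pure returns (AccountStorage storage s) {
        bytes32 slot = keccak256(abi.encode(uint256(keccak256("example.sketch.storage")) - 1))
            & ~bytes32(uint256(0xff));
        assembly { s.slot := slot }
    }

    modifier onlyEntryPoint() {
        if (msg.sender != ENTRY_POINT) revert Unauthorized(msg.sender);
        _;
    }
    modifier onlyEntryPointOrSelf() {
        if (msg.sender != ENTRY_POINT && msg.sender != address(this)) revert Unauthorized(msg.sender);
        _;
    }
    modifier onlyExecutorModule() {
        if (!_store().executors[msg.sender]) revert Unauthorized(msg.sender);
        _;
    }
    // Union of the three roles above.
    modifier onlyAuthorized() {
        if (msg.sender != ENTRY_POINT && msg.sender != address(this) && !_store().executors[msg.sender]) {
            revert Unauthorized(msg.sender);
        }
        _;
    }

    // Registering an executor is itself gated, and a duplicate install is rejected.
    function installExecutor(address module) external onlyEntryPointOrSelf {
        if (_store().executors[module]) revert AlreadyInstalled(module);
        _store().executors[module] = true;
    }
}
```

Because every role check reverts with the caller's address, a rejected call from an unregistered module or an arbitrary EOA is visible in traces as an Unauthorized revert rather than a silent failure.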

7. Security Audits and Historical Performance

Reputable firms such as OpenZeppelin, Spearbit, Cyfrin, and Chainlight are planning to audit the Nexus Smart Account to ensure it meets high security standards. These audits will focus on verifying the robustness of the access control mechanisms, ensuring that the smart account operates securely and as intended.

Tip

Security Audits: These audits ensure the robustness of the access control mechanisms and overall security.

8. Ownable and User Responsibility

Biconomy uses the Ownable contract in factories to control the whitelisting of modules and factories. The owner also handles stake operations on the EntryPoint, such as adding stake, unlocking it, and withdrawing it.

Important

User Responsibility: Even though the Nexus accounts are secure and audited, Biconomy cannot access your Nexus account. Users are responsible for managing their accounts securely. Biconomy cannot recover lost funds or access to an account that has been misused or compromised.