Introduction
This case study documents a high-severity vulnerability identified by the TrustSec team and disclosed through the Account Abstraction bug bounty program on HackenProof. The issue did not allow fund theft but enabled a denial-of-service and griefing scenario affecting certain classes of Account Abstraction transactions under specific conditions. HackenProof acted as the coordination channel, supporting responsible communication with the Ethereum Foundation and allowing mitigations to be implemented prior to public disclosure. The technical details and impact described in this case study are primarily based on the Ethereum Foundation’s public disclosure of the issue.
Account Abstraction and ERC-4337: Background
ERC-4337 introduces Account Abstraction to Ethereum without requiring changes at the consensus layer. Instead of sending transactions from externally owned accounts (EOAs), users submit UserOperations, which are collected by bundlers and executed through a shared EntryPoint contract. This design enables advanced wallet logic, such as custom authentication, batched transactions, and gas sponsorship, while remaining compatible with existing Ethereum infrastructure.
A core principle of ERC-4337 is the absence of trust assumptions toward bundlers. UserOperations are expected to be safe even when observed or ordered by potentially adversarial actors, and signatures bind the intended transaction parameters such as destination, calldata, and gas limits. However, while these guarantees cover what code is executed, they do not fully constrain the execution context in which it runs. This distinction becomes important when Account Abstraction interactions reach beyond simple transfers and interface with existing DeFi protocols that were designed under different execution assumptions.
The Vulnerability: Root Cause and Impact
Overview
The vulnerability affected EntryPoint versions prior to v0.9 and made it possible for an attacker to deliberately cause certain Account Abstraction transactions to revert while the sending account still paid gas for them. The transactions in question were valid and correctly signed, and the issue did not enable fund theft or unauthorized access. Instead, it introduced a denial-of-service and griefing scenario that could be triggered under specific and observable conditions.
Root Cause
The underlying cause was an implicit assumption about how UserOperations are executed. A UserOperation signature binds the intended transaction parameters (the target contract, calldata, and gas limits) but says nothing about the call stack in which the EntryPoint executes the operation. Earlier EntryPoint versions did not restrict who could invoke handleOps, so an attacker's contract could call it from within its own call frame.
Many smart contract safety mechanisms, including widely used reentrancy guards, assume that no attacker-controlled code runs earlier in the same call stack. Under the Account Abstraction execution model this assumption could be broken: if the attacker had already entered a guarded contract before calling handleOps, the operation's inner call into that contract would be rejected by the guard. A pre-existing safety check could therefore make a valid, correctly signed operation fail, without any violation of signature validity.
Observability and Exploit Conditions
For the issue to be exploitable, the UserOperation needed to be observable before execution. This could occur in two common scenarios:
- when UserOperations are propagated through the ERC-4337 off-chain mempool, or
- when a bundler submits a handleOps transaction to the public Ethereum mempool containing the full UserOperation payload.
In these cases, an attacker could observe a pending operation, put the contract it targets into a temporary state (such as an engaged reentrancy lock) from within the attacker's own contract, and then have the UserOperation executed from inside that call frame. The modified state would cause the inner call to revert once processed by the EntryPoint, resulting in a failed operation whose sender still paid for gas.
Affected Scope and Practical Impact
The impact was limited to specific classes of transactions. In particular, interactions with contracts using reentrancy protection or those sensitive to temporary state changes—such as certain DeFi withdrawals or liquidity-related operations—could be affected. Simple transfers, internal wallet logic, and many other Account Abstraction use cases were not impacted.
At the time the issue was identified, usage of the ERC-4337 mempool was still at an early stage. This limited the practical exposure, but the findings highlighted an important consideration for Account Abstraction as adoption grows and interactions with existing DeFi infrastructure become more common.
Resolution and Key Takeaways
Resolution and Mitigation
Following responsible disclosure through the Account Abstraction bug bounty program on HackenProof, the issue was addressed in coordination with the Ethereum Foundation. The mitigation was implemented in EntryPoint v0.9, which enforces that handleOps and handleAggregatedOps can only be invoked by externally owned accounts in a top-level transaction context. This change prevents UserOperations from being executed within attacker-controlled call frames, removing the conditions required for the described griefing scenario.
The update was not treated as an emergency fix, but upgrading to v0.9 was considered time-sensitive for wallets, bundlers, and infrastructure providers as Account Abstraction usage continues to expand.
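The following Solidity model illustrates both the root cause described above and the v0.9-style mitigation. It is an added example written for this case study and is not the reference EntryPoint code or TrustSec's proof of concept. Every contract and function name in it (Guard, Vault, ToyEntryPoint, Griefer, poke, flashCallback, grief, onCallback) is an assumption chosen for the illustration, and the top-level-only check is modelled as a tx.origin comparison; the exact form of the check in the reference EntryPoint is not taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this case study; not the reference EntryPoint code.
// Contract and function names are assumptions chosen for the example.

// Minimal reentrancy lock in the style of OpenZeppelin's ReentrancyGuard.
abstract contract Guard {
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "ReentrancyGuard: reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// Stand-in for a DeFi contract. poke() is the inner call the victim's
// UserOperation makes; flashCallback() is any hook that runs caller code
// while the lock is engaged (flash loans and swap callbacks behave this way).
contract Vault is Guard {
    uint256 public pokes;

    function poke() external nonReentrant {
        pokes += 1;
    }

    function flashCallback(bytes calldata data) external nonReentrant {
        (bool ok, ) = msg.sender.call(data);
        require(ok, "callback failed");
    }
}

// Stand-in for EntryPoint.handleOps. The inner call's failure is swallowed and
// reported, mirroring how a reverted UserOperation is still charged for gas.
// For brevity the op's inner call is made by this contract directly; the real
// flow goes EntryPoint -> account contract -> target.
contract ToyEntryPoint {
    bool public immutable topLevelOnly;

    event OpExecuted(address target, bool success);

    constructor(bool _topLevelOnly) {
        topLevelOnly = _topLevelOnly;
    }

    function handleOps(address target, bytes calldata callData) external returns (bool success) {
        if (topLevelOnly) {
            // Models the v0.9 fix: reject any call that is not the top-level
            // frame of an EOA transaction. The exact check used by the
            // reference EntryPoint is an assumption here.
            require(msg.sender == tx.origin, "AA: handleOps must be called by an EOA");
        }
        (success, ) = target.call(callData);
        emit OpExecuted(target, success);
    }
}

// Attacker contract. It first engages the Vault's lock through flashCallback,
// then, from inside that locked frame, submits the observed UserOperation.
contract Griefer {
    ToyEntryPoint public immutable ep;
    Vault public immutable vault;
    bool public lastInnerSuccess;

    constructor(ToyEntryPoint _ep, Vault _vault) {
        ep = _ep;
        vault = _vault;
    }

    // Called by the attacker's EOA. `target` and `userOpCallData` are copied
    // from the pending op the attacker observed in a mempool.
    function grief(address target, bytes calldata userOpCallData) external {
        vault.flashCallback(
            abi.encodeWithSelector(this.onCallback.selector, target, userOpCallData)
        );
    }

    function onCallback(address target, bytes calldata userOpCallData) external {
        require(msg.sender == address(vault), "only vault");
        // topLevelOnly == false (pre-v0.9): handleOps runs, the op's call to
        //   Vault.poke() hits the engaged lock, lastInnerSuccess == false, and
        //   the victim is charged for a reverted op.
        // topLevelOnly == true (v0.9): msg.sender is this contract, not
        //   tx.origin, so handleOps reverts, the whole grief() transaction
        //   fails, and the victim's op is left for a legitimate bundler.
        lastInnerSuccess = ep.handleOps(target, userOpCallData);
    }
}
```

To walk through it, deploy a Vault and a ToyEntryPoint(false), then from an EOA call Griefer.grief(address(vault), abi.encodeWithSelector(Vault.poke.selector)): the transaction succeeds, Vault.pokes stays at zero, and lastInnerSuccess reads false, which is the griefing outcome. Redeploy with ToyEntryPoint(true) and the same call reverts at the EOA check before the op is touched. The check is deliberately placed in handleOps rather than in the Vault: the Vault's reentrancy guard is behaving correctly, and the defect is that the EntryPoint let an untrusted contract decide the call stack in which a signed operation ran.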
Responsible Disclosure and Outcome
The report was handled in line with standard disclosure practices, allowing relevant ecosystem participants time to assess impact and deploy mitigations before public discussion. TrustSec’s findings were acknowledged through the Account Abstraction bug bounty program, and additional coordination with affected applications helped reduce potential downstream risk. The process demonstrated the value of structured disclosure channels for protocol-level research, particularly for emerging standards.
Conclusion
This case highlights the role of independent security research in identifying edge cases as new protocol standards such as Account Abstraction are adopted. The coordinated disclosure and response process demonstrates how open engagement with external researchers and structured bug bounty programs support timely mitigation and contribute to the resilience of shared infrastructure. By addressing the issue early and transparently, the Ethereum ecosystem reinforced a security-first approach that prioritizes user safety and long-term protocol robustness as Account Abstraction adoption continues to grow.