Securing Web3 with Account Abstraction

In line with the dawn of the digital age, an increasing part of our lives are taking place in the digital sphere. As the lines between the physical and digital domains become increasingly blurred, our physical and digital identities too are becoming more and more assimilated. This is reflected in the rise of concepts such as Soulbound tokens (SBTs) which are tokenized representations of digital identities.

As SBTs are tied to the identities of the owners of the crypto wallets in which they are stored, this could pose security risks to Web3 users. An example of such a risk is that of [ice phishing](https://blog.knowbe4.com/heads-up-there-is-a-whole-new-type-of-blockchain-scam-called-ice-phishing#:~:text=Ice phishing%2C as the Defender,involve stealing one’s private keys.) which involves tricking a user into signing permissions allowing for the attacker to spend the user’s tokens.

Given the fact that Web3 users are required to grant permissions to connect their crypto wallets prior to interacting with decentralised applications, ice phishing attacks could be a pertinent threat to the identities of users as Web3 becomes more mainstream moving forward. Recognizing this, Ethereum has recently introduced some security improvements through the account abstraction function of its ERC-4337 upgrade which has paved the way for customizable smart wallets.

Enhanced security with account abstraction

With this, let’s explore more about the recent ERC-4337 upgrade and the security features that can be built into the logic of smart wallets through account abstraction.

1/ Backup Keys

The current security mechanisms used by crypto wallets in the form of seed phrases and private keys to public keys and wallet addresses are awkward at best and clunky at worst. The loss of seed phrases and private keys would mean that the funds in the relevant wallet or account would be frozen and unrecoverable – for instance 20% of BTC supply is lost due to lost private key. Account abstraction allows the security logic of smart wallets to be encoded to provide for the use of backup keys which allow owners of smart wallets to access the funds in the accounts of these wallets in the event of the loss of private keys or seed phrases.

In addition, backup keys can also double up as permission keys for the creation of replacement private keys or seed phrases in the event of accident loss or unintended exposure of these keys or seed phrases. Given the importance of backup keys, the security logic of smart wallets can be encoded to provide for the splitting of access to these keys across multiple trusted guardians.

Seed Phrases, Keys and Addresses Connectivity (Source: Twitter/@Crypto Whiteboard)

2/ Multisig Authentication

In view of the high risk nature of cryptocurrency transactions, the use of multisig authentication aka multi-factor authentication (MKA) has evolved to mitigate the security risks relating to theft and fraud. In simple terms, multisig authentication involves the use of multiple forms of authentication to access an account or perform a transaction.

The idea is that the inclusion of additional layers of security would make it harder for attackers to gain unathorized access to crypto wallets. Thanks to the customizable nature of smart wallets through the use of account abstraction, the security logic of these wallets can be configured in such a manner as to require the input of authorization credentials from multiple trusted parties such as family members or through multiple devices such as a hard wallet, particularly for high value transactions.

Multisig Authentication Framework (Source:Bcdocs.Xpxsirius.io)

3/ Transaction Limits

Account abstraction allows the security logic of smart wallets to be encoded with configurations for preset daily/weekly/monthly transaction limits. The inclusion of such a configuration in the security logic of smart wallets would limit the amount of losses of victims of hacks and attacks. This is because even if a hacker or an attacker manages to gain unauthorized access to a smart wallet, it would take some time for them to drain off the funds in the wallet. This would buy the owner of the smart wallet some time to take the necessary action to either freeze or recover the account.

With regard to the freezing of a smart wallet, the security logic of the wallet can be encoded in such a manner as to allow the owner to lock the compromised account using another authorized device, thereby securing the funds in the account. As for recovery of the compromised account, the security logic of the smart wallet can be encoded in such a manner as to provide for the setting of pre-approved accounts that can be used by the owner of the wallet to authorize new devices for the purposes of resetting access to the account in order to regain control of it.

Setting BTC Daily/Weekly Transaction Limit (Source: Freewallet.org)

4/ Whitelist Addresses

Account abstraction allows the security logic of smart wallets to be encoded to provide for the whitelisting of prescribed addresses that have been approved by the owner of the wallet. In this manner, the security logic of the smart wallet would only allow funds in the wallet to be transferred to the whitelist addresses.

In the event of any security breach, a hacker or attacker who manage to gain unauthorized access to the wallet would be unable to siphon off the funds in the wallet’s accounts as the security logic of the wallet would ensure that these funds could only be transferred to the whitelist addresses that are controlled by or affiliated with the owner. If the hacker or attacker tries to make changes to the whitelist addresses, the security layers of multisig authentication would come into play to prevent them from making such changes unless in the unlikely scenario they have access to the whole set of backup keys required for the purposes of multisig authentication.

Whitelisting (Source:MyGreatLearning.com)

If Web3 is to fulfil its promise as the next iteration of the Internet, it is imperative that it inspires trust and confidence among its users. A prime way of doing so would be to plug the security gaps of Web3 to boost the level of protection afforded to its users. A giant step has been taken by Web3 in this direction in the wake of the ERC-4337 upgrade which has paved the way for the security features of backup keys, multisig authentication, transaction limits and whitelist addresses to be built into the logic of smart wallets through account abstraction.