Merge branch 'main' into passkey-by-id

src/AAFactory.sol

@@ -22,7 +22,7 @@ contract AAFactory {
   address public immutable beacon;
 
   /// @notice A mapping from unique account IDs to their corresponding deployed account addresses.
-  mapping(string => address) public accountMappings;
+  mapping(string accountId => address deployedAccount) public accountMappings;
 
   /// @notice Constructor that initializes the factory with a beacon proxy bytecode hash and implementation contract address.
   /// @param _beaconProxyBytecodeHash The bytecode hash of the beacon proxy.

src/SsoAccount.sol

@@ -22,6 +22,8 @@ import { SignatureDecoder } from "./libraries/SignatureDecoder.sol";
 import { ERC1271Handler } from "./handlers/ERC1271Handler.sol";
 import { BatchCaller } from "./batch/BatchCaller.sol";
 
+import { BootloaderAuth } from "./auth/BootloaderAuth.sol";
+
 import { ISsoAccount } from "./interfaces/ISsoAccount.sol";
 import { IModuleValidator } from "./interfaces/IModuleValidator.sol";
 
@@ -32,7 +34,15 @@ import { IModuleValidator } from "./interfaces/IModuleValidator.sol";
 /// @notice This contract is a modular and extensible account implementation with support of
 /// multi-ownership, custom modules, validation/execution hooks and different signature validation formats.
 /// @dev Contract is expected to be used as Beacon proxy implementation.
-contract SsoAccount is Initializable, HookManager, ERC1271Handler, TokenCallbackHandler, BatchCaller, ISsoAccount {
+contract SsoAccount is
+  Initializable,
+  HookManager,
+  ERC1271Handler,
+  TokenCallbackHandler,
+  BatchCaller,
+  ISsoAccount,
+  BootloaderAuth
+{
   // Helper library for the Transaction struct
   using TransactionHelper for Transaction;
 
@@ -109,7 +119,7 @@ contract SsoAccount is Initializable, HookManager, ERC1271Handler, TokenCallback
   /// @param _to The address to which the call is made.
   /// @param _value The value to send along with the call.
   /// @param _data The calldata to pass along with the call.
-  function _executeCall(address _to, uint128 _value, bytes calldata _data) internal {
+  function _executeCall(address _to, uint128 _value, bytes calldata _data) private {
     uint32 gas = Utils.safeCastToU32(gasleft());
     bool success;
 
@@ -182,7 +192,7 @@ contract SsoAccount is Initializable, HookManager, ERC1271Handler, TokenCallback
   /// @param _signedHash The signed hash of the transaction.
   /// @param _transaction The transaction data.
   /// @return The magic value if the validation was successful and bytes4(0) otherwise.
-  function _validateTransaction(bytes32 _signedHash, Transaction calldata _transaction) internal returns (bytes4) {
+  function _validateTransaction(bytes32 _signedHash, Transaction calldata _transaction) private returns (bytes4) {
     // Run validation hooks
     bool hookSuccess = runValidationHooks(_signedHash, _transaction);
     if (!hookSuccess) {
@@ -212,7 +222,7 @@ contract SsoAccount is Initializable, HookManager, ERC1271Handler, TokenCallback
   /// @dev Increments the nonce value in Nonce Holder system contract to ensure replay attack protection.
   /// @dev Reverts if the Nonce Holder stores different `_nonce` value from the expected one.
   /// @param _expectedNonce The nonce value expected for the account to be stored in the Nonce Holder.
-  function _incrementNonce(uint256 _expectedNonce) internal {
+  function _incrementNonce(uint256 _expectedNonce) private {
     // Allow-listing slither finding as the call's success is checked+revert within the fn
     // slither-disable-next-line unused-return
     SystemContractsCaller.systemCallWithPropagatedRevert(
@@ -225,7 +235,7 @@ contract SsoAccount is Initializable, HookManager, ERC1271Handler, TokenCallback
 
   /// @dev Safely casts a uint256 to an address.
   /// @dev Revert if the value exceeds the maximum size for an address (160 bits).
-  function _safeCastToAddress(uint256 _value) internal pure returns (address) {
+  function _safeCastToAddress(uint256 _value) private pure returns (address) {
     require(_value <= type(uint160).max, "Overflow");
     return address(uint160(_value));
   }

src/handlers/ERC1271Handler.sol

@@ -3,7 +3,6 @@ pragma solidity ^0.8.24;
 
 import { IERC1271Upgradeable } from "@openzeppelin/contracts-upgradeable/interfaces/IERC1271Upgradeable.sol";
 import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
-import { Transaction } from "@matterlabs/zksync-contracts/l2/system-contracts/libraries/TransactionHelper.sol";
 import { EIP712 } from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
 
 import { SignatureDecoder } from "../libraries/SignatureDecoder.sol";

src/interfaces/ISsoAccount.sol

@@ -4,7 +4,6 @@ pragma solidity ^0.8.24;
 import { IAccount } from "@matterlabs/zksync-contracts/l2/system-contracts/interfaces/IAccount.sol";
 
 import { IERC1271Upgradeable } from "@openzeppelin/contracts-upgradeable/interfaces/IERC1271Upgradeable.sol";
-import { IERC777Recipient } from "@openzeppelin/contracts/token/ERC777/IERC777Recipient.sol";
 import { IERC721Receiver } from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
 import { IERC1155Receiver } from "@openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol";
 
@@ -26,5 +25,5 @@ interface ISsoAccount is
   IValidatorManager,
   IAccount
 {
-  function initialize(bytes[] calldata initialValidators, address[] calldata k1Owners) external;
+  function initialize(bytes[] calldata initialValidators, address[] calldata initialK1Owners) external;
 }

src/libraries/Errors.sol

@@ -16,7 +16,6 @@ library Errors {
 
   // Auth errors
   error NOT_FROM_BOOTLOADER(address notBootloader);
-  error NOT_FROM_HOOK(address notHook);
   error NOT_FROM_SELF(address notSelf);
 
   // Batch caller errors

src/libraries/SessionLib.sol

@@ -201,7 +201,7 @@ library SessionLib {
     CallSpec[] memory callPolicies,
     uint64[] memory periodIds,
     uint256 periodIdsOffset
-  ) internal returns (CallSpec memory) {
+  ) private returns (CallSpec memory) {
     CallSpec memory callPolicy;
     bool found = false;
 
@@ -344,7 +344,7 @@ library SessionLib {
     UsageLimit memory limit,
     UsageTracker storage tracker,
     address account
-  ) internal view returns (uint256) {
+  ) private view returns (uint256) {
     if (limit.limitType == LimitType.Unlimited) {
       // this might be still limited by `maxValuePerUse` or a constraint
       return type(uint256).max;

src/libraries/SignatureDecoder.sol

@@ -1,8 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0
 pragma solidity ^0.8.24;
 
-import { Errors } from "../libraries/Errors.sol";
-
 library SignatureDecoder {
   // Decode transaction.signature into signature, validator and hook data
   function decodeSignature(

src/managers/HookManager.sol

@@ -6,7 +6,7 @@ import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableS
 import { Transaction } from "@matterlabs/zksync-contracts/l2/system-contracts/libraries/TransactionHelper.sol";
 import { ExcessivelySafeCall } from "@nomad-xyz/excessively-safe-call/src/ExcessivelySafeCall.sol";
 
-import { Auth } from "../auth/Auth.sol";
+import { SelfAuth } from "../auth/SelfAuth.sol";
 import { SsoStorage } from "../libraries/SsoStorage.sol";
 import { Errors } from "../libraries/Errors.sol";
 import { IExecutionHook, IValidationHook } from "../interfaces/IHook.sol";
@@ -19,7 +19,7 @@ import { IModule } from "../interfaces/IModule.sol";
  * @dev Hook addresses are stored in a linked list
  * @author https://getclave.io
  */
-abstract contract HookManager is IHookManager, Auth {
+abstract contract HookManager is IHookManager, SelfAuth {
   using EnumerableSet for EnumerableSet.AddressSet;
   // Interface helper library
   using ERC165Checker for address;
@@ -98,7 +98,7 @@ abstract contract HookManager is IHookManager, Auth {
     }
   }
 
-  function _addHook(address hook, bool isValidation, bytes calldata initData) internal {
+  function _addHook(address hook, bool isValidation, bytes calldata initData) private {
     if (!_supportsHook(hook, isValidation)) {
       revert Errors.HOOK_ERC165_FAIL(hook, isValidation);
     }
@@ -114,7 +114,7 @@ abstract contract HookManager is IHookManager, Auth {
     emit HookAdded(hook);
   }
 
-  function _removeHook(address hook, bool isValidation) internal {
+  function _removeHook(address hook, bool isValidation) private {
     if (isValidation) {
       require(_validationHooks().remove(hook), "Hook not found");
     } else {
@@ -124,7 +124,7 @@ abstract contract HookManager is IHookManager, Auth {
     emit HookRemoved(hook);
   }
 
-  function _isHook(address addr) internal view override returns (bool) {
+  function _isHook(address addr) internal view returns (bool) {
     return _validationHooks().contains(addr) || _executionHooks().contains(addr);
   }
 

src/managers/OwnerManager.sol

@@ -4,7 +4,7 @@ pragma solidity ^0.8.24;
 import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import { SsoStorage } from "../libraries/SsoStorage.sol";
 import { Errors } from "../libraries/Errors.sol";
-import { Auth } from "../auth/Auth.sol";
+import { SelfAuth } from "../auth/SelfAuth.sol";
 import { IOwnerManager } from "../interfaces/IOwnerManager.sol";
 
 /**
@@ -14,7 +14,7 @@ import { IOwnerManager } from "../interfaces/IOwnerManager.sol";
  * @dev Owners are stored in a linked list
  * @author https://getclave.io
  */
-abstract contract OwnerManager is IOwnerManager, Auth {
+abstract contract OwnerManager is IOwnerManager, SelfAuth {
   using EnumerableSet for EnumerableSet.AddressSet;
 
   /// @inheritdoc IOwnerManager
@@ -37,13 +37,14 @@ abstract contract OwnerManager is IOwnerManager, Auth {
     k1OwnerList = _k1Owners().values();
   }
 
+  // Should not be set to private as it is called from SsoAccount's initialize
   function _k1AddOwner(address addr) internal {
     require(_k1Owners().add(addr), "K1 owner already exists");
 
     emit K1OwnerAdded(addr);
   }
 
-  function _k1RemoveOwner(address addr) internal {
+  function _k1RemoveOwner(address addr) private {
     require(_k1Owners().remove(addr), "K1 owner not found");
 
     emit K1OwnerRemoved(addr);

src/managers/ValidatorManager.sol

@@ -5,7 +5,7 @@ import { ERC165Checker } from "@openzeppelin/contracts/utils/introspection/ERC16
 import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import { ExcessivelySafeCall } from "@nomad-xyz/excessively-safe-call/src/ExcessivelySafeCall.sol";
 
-import { Auth } from "../auth/Auth.sol";
+import { SelfAuth } from "../auth/SelfAuth.sol";
 import { Errors } from "../libraries/Errors.sol";
 import { SsoStorage } from "../libraries/SsoStorage.sol";
 import { IValidatorManager } from "../interfaces/IValidatorManager.sol";
@@ -18,7 +18,7 @@ import { IModule } from "../interfaces/IModule.sol";
  * @dev Validators are stored in an enumerable set
  * @author https://getclave.io
  */
-abstract contract ValidatorManager is IValidatorManager, Auth {
+abstract contract ValidatorManager is IValidatorManager, SelfAuth {
   using EnumerableSet for EnumerableSet.AddressSet;
   // Interface helper library
   using ERC165Checker for address;
@@ -54,6 +54,7 @@ abstract contract ValidatorManager is IValidatorManager, Auth {
     validatorList = _moduleValidators().values();
   }
 
+  // Should not be set to private as it is called from SsoAccount's initialize
   function _addModuleValidator(address validator, bytes memory initData) internal {
     if (!_supportsModuleValidator(validator)) {
       revert Errors.VALIDATOR_ERC165_FAIL(validator);
@@ -65,7 +66,7 @@ abstract contract ValidatorManager is IValidatorManager, Auth {
     emit ValidatorAdded(validator);
   }
 
-  function _removeModuleValidator(address validator) internal {
+  function _removeModuleValidator(address validator) private {
     require(_moduleValidators().remove(validator), "Validator not found");
 
     emit ValidatorRemoved(validator);

src/validators/SessionKeyValidator.sol

@@ -22,11 +22,9 @@ contract SessionKeyValidator is IModuleValidator {
   event SessionCreated(address indexed account, bytes32 indexed sessionHash, SessionLib.SessionSpec sessionSpec);
   event SessionRevoked(address indexed account, bytes32 indexed sessionHash);
 
-  // account => number of open sessions
   // NOTE: expired sessions are still counted if not explicitly revoked
-  mapping(address => uint256) private sessionCounter;
-  // session hash => session state
-  mapping(bytes32 => SessionLib.SessionStorage) private sessions;
+  mapping(address account => uint256 nOpenSessions) private sessionCounter;
+  mapping(bytes32 sessionHash => SessionLib.SessionStorage sessionState) private sessions;
 
   /// @notice Get the session state for an account
   /// @param account The account to fetch the session state for
@@ -95,7 +93,7 @@ contract SessionKeyValidator is IModuleValidator {
 
   /// @notice creates a new session for an account, called by onInstall
   /// @param sessionData ABI-encoded session specification
-  function _addValidationKey(bytes calldata sessionData) internal returns (bool) {
+  function _addValidationKey(bytes calldata sessionData) private returns (bool) {
     SessionLib.SessionSpec memory sessionSpec = abi.decode(sessionData, (SessionLib.SessionSpec));
     createSession(sessionSpec);
     return true;

src/validators/WebAuthValidator.sol

@@ -193,7 +193,7 @@ contract WebAuthValidator is VerifierCaller, IModuleValidator {
   }
 
   /// @inheritdoc IERC165
-  function supportsInterface(bytes4 interfaceId) public pure override returns (bool) {
+  function supportsInterface(bytes4 interfaceId) external pure override returns (bool) {
     return
       interfaceId == type(IERC165).interfaceId ||
       interfaceId == type(IModuleValidator).interfaceId ||