Skip to main content
Sigvex

AA Storage Access Violations Remediation

Keep ERC-4337 validation free of banned opcodes and non-associated storage so bundlers can safely simulate the operation.

AA Storage Access Violations Remediation

Overview

ERC-4337 restricts what the validation phase may do so that bundlers can simulate a user operation off-chain and trust the result on-chain. Reading environment-dependent opcodes or touching another contract’s storage during validateUserOp or validatePaymasterUserOp makes simulation unreliable, so the operation is dropped from the mempool. The fix moves time and balance logic out of validation and into the packed validationData return value.

Related Detector: AA Storage Access Violations

Before (Vulnerable)

function validateUserOp(PackedUserOperation calldata op, bytes32 hash, uint256 funds)
    external returns (uint256)
{
    require(block.timestamp < op.deadline); // BANNED: TIMESTAMP
    require(address(this).balance > 1 ether); // BANNED: SELFBALANCE
    // ...
}

After (Fixed)

function validateUserOp(PackedUserOperation calldata op, bytes32 hash, uint256 funds)
    external returns (uint256)
{
    bool sigValid = _checkSig(op, hash);
    // Return validAfter/validUntil in packed format -- no banned opcodes
    return _packValidationData(!sigValid, op.deadline, 0);
}

Time bounds expressed through validationData are enforced by the EntryPoint, not by reading TIMESTAMP inside validation, so the function stays deterministic during simulation. Restrict storage access to associated slots: the account’s own state and the account’s deposit slot in the EntryPoint.

Alternative Mitigations

  • Allow CREATE2 only in the initCode deployment phase, never in steady-state validation.
  • Move any check that depends on an external contract’s state into the execution phase, which is unrestricted.
  • Use a staked paymaster or factory when access to broader storage is genuinely required, per the validation scope rules.

Common Mistakes

  • Calling a library or external contract from validation that itself reads a banned opcode.
  • Reading SELFBALANCE or BALANCE of an unrelated address to gate the operation.
  • Computing an allowlist check against a registry contract’s storage during validation instead of execution.

References