Critical Bug in ERC-4337 EntryPoint v0.8: Violation of Section 4.3.1 (Strict Gas Bound)

I am disclosing a critical implementation bug in the EntryPoint contract (v0.7.0 / v0.8.0) that violates the core gas accounting guarantees of EIP-4337.

Abstract

The EntryPoint fails to enforce the paymasterPostOpGasLimit cap when a postOp call fails due to Out-of-Gas (OOG). This regression allows the EntryPoint's own internal execution overhead (specifically MCOPY/memory expansion for context) to be billed to the Paymaster in addition to their signed limit.

The Protocol Violation

EIP-4337 Section 4.3.1 states:

> "The `paymasterPostOpGasLimit` ... is the strict upper bound on the gas the Paymaster is willing to pay for the `postOp` call."

The Implementation Flaw

In _postExecution, the gas accounting logic for the OOG failure path is:

```solidity
// EntryPoint.sol
actualGas += preGas - gasleft() + postOpUnusedGasPenalty;
```

The preGas snapshot is taken before the context data is copied to memory for the postOp call. If an attacker provides a maximized context, the copying cost (overhead) is significant. In the OOG path, this overhead is added to actualGas without being clamped to paymasterPostOpGasLimit.

Reproduction & Impact

Using a Mainnet fork against the live EntryPoint v0.7.0 (0x000...):

1. UserOp: Signs a paymasterPostOpGasLimit of 100,000.
2. Attack: Includes a large context payload.
3. Result: The Paymaster is charged ~177,000 gas.

This 77% overcharge creates a profitable attack vector for malicious Bundlers to drain Paymaster deposits, particularly those using automated JIT refills.

Proposed Solution

The fix is to explicitly cap the gas consumption in the failure path, ensuring the Paymaster is never liable for more than their signature authorized.

I have submitted a PR with the fix here:

https://github.com/Tejanadh/account-abstraction/pull/1

Disclosure Note

This issue was originally reported in mid-2025. After multiple rounds of private disclosure and rejection, I am publishing this to ensure Paymaster operators are aware of the risk and to expedite the merging of the fix.

Full reproduction repository: https://github.com/Tejanadh/account-abstraction

submitted by /u/Hefty-Standard-9185
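
The accounting described in the post, as a simplified model a Paymaster operator can use to bound liability per operation. This is an added example, not code from the post, the linked PR or the EntryPoint contract. Assumptions: the context copy costs 3 gas per 32-byte word plus standard EVM memory expansion, an OOG postOp burns its whole forwarded limit, and all function names and context sizes are hypothetical.

```python
WORD = 32  # EVM word size in bytes

def _words(nbytes: int) -> int:
    return (nbytes + WORD - 1) // WORD

def memory_cost(nbytes: int) -> int:
    """Total EVM memory cost for nbytes of active memory: 3*w + w*w // 512."""
    w = _words(nbytes)
    return 3 * w + (w * w) // 512

def context_copy_overhead(context_len: int, mem_in_use: int = 0) -> int:
    """Gas the caller spends staging `context` for the postOp call
    (assumption: 3 gas per copied word plus memory expansion)."""
    expansion = memory_cost(mem_in_use + context_len) - memory_cost(mem_in_use)
    return 3 * _words(context_len) + expansion

def postop_oog_charge(limit: int, context_len: int, *, penalty: int = 0,
                      capped: bool = False) -> int:
    """Gas added to actualGas when postOp fails with out-of-gas.

    preGas is snapshotted before the copy, so preGas - gasleft() covers the
    copy overhead plus the whole forwarded limit (burned on OOG).
    capped=True applies the clamp described under Proposed Solution."""
    measured = context_copy_overhead(context_len) + limit + penalty
    return min(measured, limit) if capped else measured

if __name__ == "__main__":
    LIMIT = 100_000  # signed paymasterPostOpGasLimit (value from the post)
    for ctx in (0, 1024, 32 * 1024):  # constructed context sizes, in bytes
        raw = postop_oog_charge(LIMIT, ctx)
        fixed = postop_oog_charge(LIMIT, ctx, capped=True)
        print(f"context={ctx:>6}B uncapped={raw} capped={fixed} "
              f"excess={raw - LIMIT}")
```

The excess grows quadratically with context length because of the memory expansion term, which is why the clamp has to apply to the measured delta and not only to the gas forwarded to postOp.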