ERC-7717: Deterministic AA wallet

Abstract

We propose a non-custodial interface for service providers to provide AA accounts.

Motivation

Problem:
The createAccount function requires an owner address to establish an account, which prevents service providers from creating accounts on behalf of their users without knowing the users’ EOA addresses. To work around this limitation, service providers use temporary EOAs to deterministically generate an ERC-4337 account for their users, assigning the temporary EOA as the initial owner. This approach, however, introduces a security vulnerability, because the temporary EOAs’ private keys are managed by the service providers. Furthermore, the service providers remain responsible for these private keys until users take ownership.

Solution:
Set a separate contract as the owner when calling createAccount, and allow the user to claim ownership at a later date via a signature provided by the service provider.

This approach has its limitations, however. To prevent the predetermined address from being claimed by an external party, most AA wallet factory contracts include the owner address when calculating the predetermined address and make sure that the owner of the AA wallet becomes the given owner address. To satisfy this constraint, service providers opt to create a new, random private key on their server and send it later when the user requests it.
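
One way to implement the solution described above, as an added example that is not code from this ERC: a contract that is passed as the owner to createAccount and later hands the account to the address named in a claim signed by the service provider. The names OwnershipClaimer, IOwnableAccount, transferOwnership and claimDigest, and the digest layout, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal account interface (assumption, not defined on this page).
interface IOwnableAccount {
    function transferOwnership(address newOwner) external;
}

// Assumed design: this contract is passed as `owner` to createAccount, so the
// account's initial owner is a contract and has no private key to safeguard.
contract OwnershipClaimer {
    // Upper bound for `s`; higher values are malleable duplicates of a signature.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable provider; // service provider's claim-signing address
    mapping(address => bool) public claimed; // account => ownership handed over

    event Claimed(address indexed account, address indexed newOwner);

    constructor(address provider_) {
        require(provider_ != address(0), "provider is zero");
        provider = provider_;
    }

    // Digest binds chain, this contract, account, new owner and expiry so a
    // signature cannot be replayed elsewhere or redirected to another owner.
    function claimDigest(address account, address newOwner, uint256 deadline)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), account, newOwner, deadline)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function claim(address account, address newOwner, uint256 deadline,
                   uint8 v, bytes32 r, bytes32 s) external {
        require(!claimed[account], "already claimed");
        require(newOwner != address(0), "owner is zero");
        require(block.timestamp <= deadline, "signature expired");
        require(uint256(s) <= HALF_N, "malleable signature");
        address signer = ecrecover(claimDigest(account, newOwner, deadline), v, r, s);
        require(signer == provider, "not signed by provider");
        claimed[account] = true; // state change before the external call
        IOwnableAccount(account).transferOwnership(newOwner);
        emit Claimed(account, newOwner);
    }
}
```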