Contract accounts aren’t just better, they’re also cheaper.
Background…
The future of Ethereum is contract accounts on rollups.
Together, contract accounts (also known as “account abstraction”) and rollups represent a fundamental upgrade & enable real-world use of the chain:
- Fast, cheap transactions.
- Secure accounts built on best-practice cryptography.
- Better recovery, including easy-to-use passkey backups. No seed phrase.
EOAs and L1 are settlement infrastructure. The future is 4337 on L2. The problem, so far, was that 4337 on L2 was expensive.
Making 4337-on-L2 efficient
The main cost on L2 is calldata. 4337 can use a lot of that. For example, see Ansgar’s breakdown of what Vitalik later called the “infamous 1600-byte transfer”: a 4337 bundle containing a single Daimo USDC transfer.
We fix this using bundle compression.
The BundleBulker contract is simple and permissionless. Any bundler can register their own IInflator
to compress bundles however they want. A good default is the PerOpInflator, which concatenates individually compressed ops. Each bundler (Pimlico, ThirdWeb, Alchemy, etc) can deploy their own PerOpInflator instance, with the beneficiary (op fee recipient) set accordingly. PerOpInflator is similarly permissionless: any app can register their own IOpInflator
with arbitrary, app-specific userop compression.
For an example, check out DaimoOpInflator. What it is doing, specifically?
- Packing. The Solidity ABI encoding was designed for L1, where computation is expensive, not for L2, where computation is effectively free and calldata is expensive. A single boolean argument takes 32 bytes… structs are encoded in a luxuriously expansive way.
- Templating. Parts of the op that don’t change are templated in. In our case,
callGasLimit
,verificationGasLimit
, and the WebAuthn (passkey) JSON envelope. - Stateful compression. We replace the 40 byte (from address, to address) with a ~10 byte (from name, to name) using our existing onchain name registry. We could further optimize by using an index instead of a name.
The important thing is that this setup is permissionless. Any app can write their own inflator and start using it.
Results
Results so far, using a simple ERC20 token transfer as our benchmark.
Bytes per transfer | Just the op | 1-op bundle | 10-op bundle |
EOA transaction · example | 179 | 179 | 179 |
Naive 4337 · example | 1408 | 1623 | 1429 |
Bundle compression · example | 127 | 343 | 149 |
Below: a 4337 bundle containing a single USDC transfer, before and after compression. In both cases, I’ve highlighted the op. The rest is the bundle fixed overhead.
The highlighted op is smaller than an EOA ERC-20 transfer.
Each bundle will contain many of these, amortizing the fixed overhead & making contract wallets more efficient than legacy wallets.
Questions
- What about rollup compression?
- Why use 4337 at all, if we’re calling into another contract that sits in front of the EntryPoint?
- Standard ops. Userop explorer, ops identified by ophash, everything inter-”op”-erable. If you use bespoke AA, you get no observability or devtools. Note that a userop explorer will show the uncompressed op, —it’ll just have a lower preVerificationGas = lower cost.
- Censorship resistance. Bundler down or not serving you? Your wallet can send the uncompressed op to the standard 4337 mempool, paying a few cents more fee for guaranteed inclusion.
- Security. Stick with the battle-tested EntryPoint contract. See below.
- What if there’s a vulnerability in my inflator?
- Doesn’t state diff fix this?
- How do I add this?
Bundle compression is complementary to rollup compression. Both are useful.
Rollups compress calldata before settling to L1, but this is limited on its own. Stateful compression is hard to achieve. Bundle compression is at the app layer and lets you do application-specific templating and stateful lookups.
Together, this lets us approach the goal state of very compact transactions.
Three reasons.
The inflator contract is, unavoidably, not beautiful to look at. You’re writing a byte-packed encoding, plus templating and lookups.
The great news is that the inflator contract has no security responsibilities. This is because your wallet still signs over the uncompressed op. The EntryPoint contract and your 4337 wallet’s validateUserOp function work exactly as before. If there’s any issue in the inflator contract, it can only cause liveness problems (reverted, invalid ops), not security errors. It’s neatly compartmentalized as an optional optimization.
In fact, this separation of responsibilities makes your wallet more secure. The gross bit-packing goes in one place—the security-critical validation logic goes in another, which can written in entirely idiomatic Solidity.
State diffs are an elegant theoretical optimization for zkrollups: just prove that you have a block of valid transactions resulting in a given diff. The transactions themselves, and their calldata, are not posted! For a transfer, the diff is just (-10 for alice, +10 for bob). No compression needed.
We’re unlikely to see this in a production, real, stage2 rollup. A state-diff-only permissionless rollup is a scary construct. It raises the spectre of undiagnosable hacks, both of the rollup itself and applications on top. Say a block shows up that drains a defi protocol. You might never learn what the bug was! The transaction was never published, only the final state diff (minus $500m for contract 0x…, plus $500m for bob) and a proof that some valid set of transactions produced this diff. Similarly for proving-system bugs.
TLDR; production rollups will post calldata for the forseeable future.
Instructions coming once we have bundler support. In the meantime, our production implementation is open source.