Subaccount Design using ISigner Interface #232
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
🤖 Bytecode changes detected! Version has been automatically bumped and EIP-712 domain versions have been updated. |
gakonst
reviewed
Jul 7, 2025
Comment on lines
+100
to
+112
| // This should fail because subAccount is not approved on the main account to use themainKey yet. | ||
| assertEq( | ||
| oc.execute(false, abi.encode(subAccountIntent)), | ||
| bytes4(keccak256("VerificationError()")) | ||
| ); | ||
|
|
||
| // Verify no transfer happened | ||
| assertEq(subAccount.eoa.balance, 1 ether); | ||
| assertEq(mainAccount.eoa.balance, 9 ether); | ||
|
|
||
| // Now approve the subAccount to use the main account's key | ||
| vm.prank(mainAccount.eoa); | ||
| mainAccount.d.setSubAccountApproval(mainKey.keyHash, subAccount.eoa, true); |
Contributor
There was a problem hiding this comment.
Why is this necessary for security? I understand that you have it as a protective guardrail, but if I'm signing something with my main account key, why would I also need to auth the sub-account?
Collaborator
Author
There was a problem hiding this comment.
Yeah you're right, since the main account key is already signing the digest, they don't need to also explicitly approve the subaccount to verify using their key.
One nice property of having this explicit subaccount auth though, is that you can iterate over a list of all subaccounts onchain. This might be useful to do balance aggregation in UIs.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
The core philosophy of the design is that the main account is the "control panel" or "admin keychain" of all subaccounts. This means that each subaccount should ideally have only 1 super admin key, which is an external key pointing to the main account.
This allows us to do key rotations and fund management easily on subaccounts, while retaining the security properties that the subaccount will not be able to use the main account's "msg.sender" to sign arbitrary data.
This is a flexible and minimal design, that allows you to do both JIT pull flows and separate balance subaccounts.
Supported SubAccount Types
Separate balance subaccounts are nicer, because they allow a lot of flexibility for the DApp, there are a lot of usecases like AI agentic execution, which might require arbitrary function selectors and calldata. It is not feasible to tightly scope the session keys for such use cases.
In general, we believe that balance aggregation and display is fundamentally an offchain UI problem. Users are already used to balance separation designs in tradFi like the separation between Current Account/Saving Account/Investment Account.
In crypto, users are already okay with depositing to hyperliquid and polymarket.
The JIT pull flow might be the wrong feature to optimize for, as the problems that we face with enforcing spending limits for all tokens, still exist in the JIT pull flow. In any case, this subaccount design is flexible enough to also allow the JIT puill flow.
Flow
Tests