Shared Mempool is a Vulnerability. The public, permissionless UserOperation mempool is a broadcast channel for unconfirmed transactions. This creates a centralized attack surface for frontrunning, denial-of-service, and censorship that Ethereum's native mempool does not have.
account-abstraction-fixing-crypto-ux
Blog
Why ERC-4337's UserOperation Mempool is a Security Minefield
Account abstraction's alt mempool for UserOperations reintroduces systemic MEV, censorship, and spam vectors that Ethereum's base layer design deliberately eliminated. This is the hidden cost of UX.
introduction
THE VULNERABILITY
Introduction
ERC-4337's shared UserOperation mempool introduces systemic security risks that native account abstraction avoids.
Intent Paradigm is Exploitable. UserOperations express intents, not final transactions. This gap between declaration and execution enables MEV extraction and manipulation by bundlers, similar to issues seen in UniswapX and CowSwap.
Bundlers are Trusted Actors. The system's security depends on a decentralized set of bundlers behaving honestly. A malicious or compromised bundler can censor, reorder, or steal UserOperations, creating a single point of failure absent in EOA transactions.
Evidence: Pimlico's Data. Analysis from Pimlico and Stackup shows bundlers consistently reorder transactions for profit. This proves the theoretical incentive misalignment is a practical, measurable vulnerability in production.
thesis-statement
THE SECURITY DILEMMA
The Core Argument: A Regressive Architectural Trade-Off
ERC-4337's shared UserOperation mempool reintroduces systemic risks that modern blockchains have spent years eliminating.
A public mempool is a DoS vector. The global, permissionless broadcast of UserOperations before execution creates a predictable attack surface for transaction censorship and front-running, identical to the problems plaguing Ethereum's base layer.
Bundlers face extractable value wars. Competitive bundlers like Pimlico and Stackup must engage in Priority Gas Auctions (PGAs) to win profitable bundles, leaking value to Ethereum validators and increasing costs for end-users.
This architecture is a regression. It mirrors the insecure, transparent transaction flow that Flashbots and private RPCs like Alchemy were built to circumvent, now embedded at the account abstraction protocol layer.
Evidence: The Ethereum Foundation's own audit flagged mempool DoS as a critical risk, noting a single malicious UserOperation can invalidate thousands of pending ones, forcing expensive re-submission.
key-trends
ERC-4337 MEMPOOL VULNERABILITIES
The Emerging Threat Landscape
The shared UserOperation mempool, while enabling permissionless bundling, introduces systemic risks that traditional EOA wallets never faced.
01
The Unencrypted Mempool is a Public Bazaar
Every UserOp is broadcast in plaintext, creating a frontrunning free-for-all. Searchers and builders compete on speed, not just fee priority, enabling value extraction on every transaction.\n- MEV becomes UO-MEV: Searchers can sandwich, backrun, or censor any AA transaction.\n- Privacy Zero: Your entire sponsored transaction flow is visible before execution.
100%
Exposed
~500ms
Exploit Window
02
Stochastic Fee Market Failure
ERC-4337's paymaster-sponsored gas breaks the deterministic link between payer and transaction. This creates perverse incentives where bundlers prioritize spam or malicious ops that offer higher builder rewards.\n- Spam Amplification: Attackers can flood the mempool with sponsored ops at near-zero cost.\n- Censorship Vectors: Bundlers become centralized arbiters of which UserOps get included.
$0
User Gas Cost
10x
Spam Incentive
03
The Bundler as a Single Point of Trust
The protocol delegates critical security functions—signature aggregation, op ordering, state simulation—to a permissionless but centralized builder class. This recreates the miner extractable value (MEV) problem with higher complexity.\n- Simulation Hijacking: Malicious bundlers can simulate ops incorrectly to steal funds.\n- Cartel Formation: Projects like EigenLayer, AltLayer, and Stackr are building dedicated bundler networks, risking fragmentation and trusted relay models.
1
Execution Point
>60%
Market Share Risk
04
Solution: Encrypted Mempools & SUAVE
The endgame is removing the public mempool entirely. Encrypted order-flow auctions and shared sequencers like EigenLayer and Astria move competition off-chain.\n- SUAVE Chain: A specialized chain for preference expression and block building, separating execution from intent.\n- Private RPCs: Services like BloxRoute and Flashbots Protect route UserOps directly to trusted builders, bypassing public exposure.
0%
Public Exposure
Intent-Based
Paradigm
05
Solution: Reputation-Based Bundling & PBS
Mitigate rogue bundlers through staking, slashing, and proposer-builder separation (PBS). This aligns bundler incentives with network health.\n- Staked Bundler Networks: Operators like Pimlico and Stackup bond ETH to guarantee honest simulation.\n- Enshrined PBS: A future EIP could separate the roles of UserOp proposer and block builder at the protocol level.
32 ETH
Stake Required
-99%
Trust Assumption
06
Solution: Local Mempools & P2P Networks
The most radical fix is abandoning the global mempool. Wallets maintain private, peer-to-peer networks for UserOp propagation, similar to Lightning Network gossip.\n- Direct Bundler Relationships: Wallets like Safe and Rhinestone whitelist trusted builders.\n- Subnet Mempools: Layer 2s like Arbitrum and zkSync could run isolated mempools, reducing attack surface.
P2P
Topology
Local Only
Visibility
ERC-4337 USEROPERATION SECURITY
Base Layer vs. Alt Mempool: A Security Comparison
Comparing the security guarantees of using the public base layer mempool versus a private, permissioned alternative for ERC-4337 UserOperations.
| Security Feature / Vector | Public Base Layer Mempool | Private Alt Mempool (e.g., Pimlico, Stackup) | Hybrid / Bundler-Enforced |
|---|---|---|---|
Transaction Privacy (MEV Resistance) | Partial | ||
Front-running Protection | Bundler-dependent | ||
Guaranteed Inclusion (No Timeouts) | |||
DoS Attack Surface | High (Public Gossip) | Low (Permissioned Peers) | Medium |
Censorship Resistance | Bundler-dependent | ||
Maximum Extractable Value (MEV) Leakage | 100% of potential MEV | < 5% (via private RPC) | 10-50% (via searcher auctions) |
Required Trust Assumption | None (Ethereum L1) | Alt Mempool Operator | Bundler & Auction Mechanism |
Integration Complexity for dApps | Low (Standard ERC-4337) | High (Custom RPC Endpoint) | Medium (SDK configuration) |
deep-dive
THE VULNERABILITY
Anatomy of a Minefield: MEV, Censorship, Spam
ERC-4337's shared mempool for UserOperations introduces systemic risks that standard EOA transactions do not face.
The mempool is public. UserOperations broadcast to a global, permissionless mempool before bundlers process them. This exposes transaction intent, creating a front-running and sandwich attack surface similar to Uniswap's early days.
Bundlers are centralized points of failure. The current reliance on a few dominant bundlers like Pimlico and Alchemy creates a censorship vector. A malicious or compliant bundler can exclude transactions based on origin or destination.
Spam is a denial-of-service weapon. Filling the mempool with invalid UserOperations is trivial and cheap, blinding bundlers to legitimate transactions. This is a low-cost attack that cripples the network's usability.
The solution is private RPCs. Services like BloXroute and Flashbots Protect are becoming mandatory, moving UserOperations off the public mempool. This recreates the trusted relay model, centralizing power to prevent exploitation.
counter-argument
THE TRADEOFF
Steelman: "It's a Necessary Evil for UX"
The public mempool is a deliberate design compromise that enables permissionless bundler competition at the cost of exposing user intents.
The mempool is permissionless by design. ERC-4337's public UserOperation mempool exists to prevent bundler cartels, ensuring any actor can submit a bundle and collect fees. This mirrors Ethereum's base-layer philosophy but replicates its frontrunning and MEV vulnerabilities for user intents.
Privacy is the sacrificed variable. Unlike private RPCs from Alchemy or BloxRoute, the public mempool broadcasts intent details. This allows searchers and bundlers to extract value by reordering, censoring, or sandwiching operations before they land in a bundle.
The alternative is centralization. Removing the public mempool would require a whitelist of trusted bundlers, creating a single point of failure and control. Projects like Stackup and Biconomy rely on this open design for their bundler networks to function without permission.
Evidence: The Ethereum Foundation's own ERC-4337 bundler implementation, Rundler, operates on this public mempool, explicitly documenting its vulnerability to MEV extraction as a known trade-off for network resilience.
risk-analysis
ERC-4337 MEMPOOL VULNERABILITIES
Concrete Risks for Builders and Users
The shared UserOperation mempool is a critical but exposed layer, creating systemic risks that smart accounts and bundlers must actively defend against.
01
The Unencrypted Mempool is a Public Order Book
Every pending UserOp is visible to all searchers and builders, enabling frontrunning and MEV extraction on a new transaction type. This is not a theoretical risk; it's the default state.
- Sandwich attacks can target token approvals and swaps within a single UserOp.
- Time-bandit attacks allow builders to reorder bundles for maximal extractable value.
- Privacy loss exposes user intent (e.g., which NFT they're bidding on) before execution.
100%
Visibility
0ms
Latency to Searchers
02
Stochastic Fee Market Creates Unpredictable Failures
ERC-4337's paymaster-dependant gas abstraction breaks the deterministic link between the user's payment and the chain's gas price, leading to silent transaction reversion.
- Paymaster insolvency during gas spikes causes bundled transactions to fail while others succeed.
- No partial reverts: One failed UserOp can revert an entire bundle, creating griefing vectors.
- Unclear liability for users when a paymaster's relay fails, unlike EOA's direct gas payment.
~5-10%
Gas Spike Risk
100%
Bundle Revert
03
Bundler Centralization is a Systemic Single Point of Failure
The economic model currently incentivizes a handful of professional bundlers (like Stackup, Alchemy, Pimlico) to dominate, recreating the validator centralization problem at the infrastructure layer.
- Censorship risk: A major bundler can blacklist addresses or dApps.
- Liveness risk: If top 3 bundlers go offline, the network halts.
- Trust assumption: Users must rely on bundlers to correctly simulate and include their ops, a role miners/validators don't have.
>70%
Top 3 Share
1
SPOF Layer
04
Signature Aggregation is a Double-Edged Sword
While BLS aggregation reduces on-chain gas costs, it introduces off-chain complexity and new attack surfaces for the aggregators and verifiers.
- Faulty aggregation can lead to invalid bundles being proposed, wasting block space.
- Implementation bugs in novel cryptography (BLS, EIP-1271) are high-severity.
- Verifier centralization: Efficient aggregation may require trusted off-chain services, mirroring bundler centralization.
-90%
Gas Saving
High
Complexity Cost
05
The DoS-by-Simulation Attack Vector
Bundlers must simulate every UserOp before inclusion. Malicious actors can craft ops that pass simulation but fail on-chain, wasting bundler resources and creating a denial-of-service vector.
- Resource exhaustion: Simulation is computationally expensive; spamming can cripple bundler nodes.
- Free option: Attackers impose cost on bundlers with zero stake, unlike Ethereum's gas-based spam protection.
- Pools like Flashbots Protect do not exist for the UserOp mempool, leaving bundlers exposed.
10k+
Ops/Second
$0
Attacker Cost
06
Solution Path: Encrypted Mempools & Reputation Systems
The mitigation path is clear but requires coordinated upgrades and economic incentives, moving beyond the current naive broadcast model.
- Encrypted mempools (e.g., SUAVE-inspired designs) are necessary for intent privacy.
- Staked bundlers with slashing for liveness and correctness, similar to L1 validators.
- Reputation systems for paymasters and accounts to filter out spam and malicious actors pre-simulation.
EIP-?
Required Upgrade
>1 ETH
Stake Proposed
future-outlook
THE VULNERABILITY
The Path Forward: Hardening the Alt Mempool
ERC-4337's UserOperation mempool is a novel but fragile construct that introduces systemic risks absent in the standard Ethereum transaction pool.
The alt mempool is permissionless and unencrypted. Unlike the mainnet mempool, any bundler can listen for UserOperations, creating a public data lake for front-running. This exposes user intents before execution, a fundamental design flaw.
Bundlers are centralized points of failure. The current reliance on a few dominant bundlers like Stackup and Alchemy creates censorship vectors. A malicious or compromised bundler can selectively exclude transactions or extract maximal value.
Paymasters introduce new trust assumptions. Services like Biconomy and Candide that sponsor gas fees become single points of financial risk. A paymaster's insolvency or malicious revocation can brick entire dApp ecosystems.
Evidence: The Pimlico bundler dashboard shows over 70% of UserOps are handled by just three providers, demonstrating the extreme centralization risk in the current network.
takeaways
SECURITY PRIMER
TL;DR for Protocol Architects
ERC-4337's shared mempool for UserOperations introduces systemic risks that native transaction pools never faced. Here's what you must design for.
01
The Unprotected Mempool
Unlike EOA transactions, UserOperations are public, unencrypted, and linger in a shared mempool for ~30 seconds to minutes. This creates a new attack surface for frontrunning, denial-of-service, and censorship.\n- No Native Encryption: Calldata, including sensitive logic, is exposed.\n- Time-Based Attacks: Long validity windows enable complex MEV extraction.
30s+
Exposure Window
0
Native Privacy
02
Bundler-Level Censorship
The P2P mempool is optional. Bundlers like Stackup, Alchemy, and Biconomy can run private mempools, creating a permissioned relay layer. This centralizes transaction inclusion power.\n- Gatekeeper Risk: Bundlers can filter or reorder UserOps based on fee or origin.\n- Fragmented Liquidity: UserOps may not propagate across all bundlers, reducing competition.
~5
Major Bundlers
High
Centralization Risk
03
Paymaster Frontrunning & DoS
Paymasters sponsoring gas are vulnerable. An attacker can copy a victim's valid UserOp, submit it with a higher fee, and drain the paymaster's deposit. This also enables cheap Denial-of-Service by spamming to exhaust deposit.\n- Signature Replay: The attack is permissionless once a UserOp is seen.\n- Economic Attack: Targets the EntryPoint deposit, not the user.
Critical
Vulnerability
Paymaster
Target
04
Solution: Encrypted Mempools & SUAVE
The endgame is mempool privacy. Projects like EigenLayer's SUAVE and Flashbots Protect are building encrypted channels to hide UserOps until execution. This mirrors the evolution seen in CowSwap and UniswapX for intents.\n- Threshold Encryption: UserOps are encrypted until a block is proposed.\n- MEV Mitigation: Separates discovery from execution to reduce toxic flow.
Future
State
SUAVE
Key Entity
05
Solution: Aggressive Bundler Strategies
Bundlers must implement real-time risk engines. This includes simulating UserOp validity, monitoring paymaster health, and using private transaction relays to bypass public mempool exposure entirely.\n- Local Simulation: Pre-execution checks to filter malicious ops.\n- Direct Integration: Bypass public mempool via RPC endpoints.
Mandatory
For Production
Real-Time
Simulation
06
Solution: Paymaster Hardening
Paymaster logic must be paranoid. Implement strict rate-limiting, use oracles for dynamic gas pricing, and require off-chain attestations for high-value ops. Consider a whitelist model for early stages.\n- Deposit Management: Automatically replenish deposits to avoid exhaustion.\n- Crisis Shutdown: Ability to pause sponsorship via a guardian.
Rate Limits
Primary Defense
Oracle
Dependency
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall