Bundlers are systemic infrastructure. They are not just relayers; they are the decentralized sequencers for account abstraction, responsible for ordering, simulating, and submitting user operations. A logic flaw here compromises the entire user operation mempool, not a single contract.
wallet-wars-smart-accounts-vs-embedded-wallets
Blog
Why ERC-4337 Bundler Logic Demands Its Own Audit Framework
Standard smart contract audits are blind to the systemic risks posed by ERC-4337 bundlers. Their privileged role in ordering, batching, and submitting UserOperations creates a novel attack surface for MEV extraction, censorship, and front-running that demands a new security paradigm.
introduction
THE NEW ATTACK SURFACE
Introduction
ERC-4337's bundler logic introduces a unique, systemic risk vector that traditional smart contract audits fail to capture.
Audit scope is fundamentally different. Traditional audits focus on contract state transitions. Bundler audits must analyze off-chain logic, mempool economics, and MEV extraction vectors, similar to the risks seen in Flashbots and EigenLayer operator networks.
The simulation requirement is the vulnerability. Bundlers must simulate operations for validity. A malicious actor can craft an operation that simulates successfully but fails on-chain, enabling Denial-of-Service (DoS) attacks that drain bundler resources and block the network.
Evidence: The Pimlico team's bundler, a leading implementation, processes over 2 million user operations monthly. A single logic bug in its validation could stall a significant portion of the ERC-4337 ecosystem.
thesis-statement
THE STATE TRANSITION GAP
The Core Argument: Bundlers Are Not Just Infrastructure
ERC-4337 bundlers execute complex, stateful logic, creating a new attack surface that traditional infrastructure audits miss.
Bundlers execute stateful logic. Unlike a simple RPC node relaying signed transactions, a bundler validates UserOperations, simulates execution, and constructs a bundle. This deterministic validation logic is a protocol-level responsibility, not mere plumbing.
Audit scope is fundamentally different. Infrastructure audits check for uptime and API correctness. A bundler security audit must verify the correctness of its mempool rules, simulation engine, and fee logic to prevent censorship or fund loss.
Failure is systemic, not isolated. A flawed AltLayer or Stackup bundler implementation doesn't just go offline; it can cause mass transaction reverts or enable MEV extraction at the protocol level, breaking user guarantees.
Evidence: The Pimlico bundler's simulation engine had to be formally verified to prevent invariant violations that would allow invalid bundles onchain, a risk absent in standard node client audits.
key-trends
BEYOND SMART CONTRACT AUDITS
The Emerging Bundler Risk Landscape
ERC-4337 bundlers are not just relayers; they are stateful, permissionless operators whose off-chain logic creates a new attack surface.
01
The Mempool Poisoning Attack
Bundlers must parse a public mempool of UserOperations, exposing them to DoS via malformed or gas-guzzling ops. A single bad actor can cripple bundler profitability by forcing it to simulate invalid transactions.
- Risk: ~$0 cost for attacker vs. unbounded simulation gas for bundler.
- Solution: Requires robust mempool filtering and reputation scoring akin to Ethereum's txpool management.
100%
Permissionless Risk
$0
Attacker Cost
02
The Unchecked Oracle Dependency
Bundler logic for fee estimation and paymaster validation depends on external data feeds (e.g., ETH/USD price). A manipulated oracle can cause systemic underpayment or bundler insolvency.
- Risk: Centralized oracle failure propagates to the entire Account Abstraction stack.
- Solution: Audit must verify redundant oracle design and circuit-breaker logic, similar to protocols like MakerDAO or Aave.
1
Single Point
Systemic
Failure Mode
03
The MEV-Capturing Bundler
A bundler's ability to order, censor, and insert its own transactions creates inherent MEV. Without transparent rules, this leads to user value extraction and chain congestion.
- Risk: Opaque bundling turns a public good into a rent-seeking intermediary.
- Solution: Audits must scrutinize ordering logic for fairness, pushing towards credible neutrality models seen in CowSwap or Flashbots SUAVE.
>90%
Of Profits
Opaque
Order Flow
04
The Stateful Simulation Gap
Bundlers must simulate each UserOperation's validity, but their view of chain state can lag. A race condition between simulation and execution can allow invalid ops to be included, forcing the bundler to pay for reverted txns.
- Risk: Front-running and state-based attacks directly hit the bundler's wallet.
- Solution: Audit framework must test simulation logic against adversarial chain reorgs and mempool timing attacks.
12s
Reorg Window
Direct Loss
Bundler Liability
05
Paymaster Rug Pull Liability
Bundlers stake ETH to sponsor gas for paymaster transactions. If a paymaster contract is malicious or buggy, the bundler's stake can be slashed or locked. This is a smart contract risk transferred to the infrastructure layer.
- Risk: Indirect financial exposure to unaudited, third-party paymaster code.
- Solution: Requires bundlers to implement paymaster whitelisting and coverage limits, with audits verifying these safeguards.
Staked ETH
Capital at Risk
3rd Party
Code Dependency
06
The Centralizing Sequencer Dilemma
High-performance bundling favors centralized, optimized sequencers. This recreates the L2 sequencer centralization problem at the application layer, threatening censorship resistance.
- Risk: A few dominant bundlers (e.g., Stackup, Alchemy) become de facto gatekeepers.
- Solution: Audit criteria should include decentralization roadmaps and forced inclusion mechanisms, learning from Arbitrum and Optimism.
<5
Major Players
Gatekeeper Risk
Network Effect
ERC-4337 BUNDLER SECURITY
Standard Audit vs. Bundler-Specific Audit: A Gap Analysis
A direct comparison of audit scope and coverage for traditional smart contracts versus the specialized components of an ERC-4337 bundler.
| Audit Focus Area | Standard Smart Contract Audit | Bundler-Specific Audit |
|---|---|---|
UserOperation Mempool Validation | ||
Paymaster Pre-Funding & Sponsorship Logic | ||
Aggregator Signature Verification | ||
MEV Extraction & Censorship Resistance | Basic Tx Sequencing | PBS, OFAs, Builder Logic |
Gas Estimation for Arbitrary Callchains | Single Tx | Multi-op, Multi-chain |
Handling Failed UserOperations | Revert | Partial Bundle Execution, Safe Failure Modes |
Audit Artifact | Contract Source Code | Source Code + Node.js/Go Client Logic |
Avg. Critical Bug Bounty Range | $50k - $250k | $250k - $1M+ |
deep-dive
THE VULNERABILITY
Deconstructing the Bundler Attack Surface
ERC-4337's bundler logic introduces unique attack vectors that demand a dedicated security framework beyond smart contract audits.
Bundlers are execution oracles. They simulate and submit UserOperations, making subjective decisions about transaction ordering and inclusion that create MEV extraction surfaces similar to block builders on Ethereum L1.
Simulation logic is the primary attack vector. Malicious smart accounts can craft operations that pass simulation but fail execution, forcing bundlers to waste gas. This DoS vulnerability requires bundlers like those from Stackup or Alchemy to implement complex validation heuristics.
Audits must target the bundler-client interface. The P2P mempool specification and the eth_sendUserOperation RPC endpoint are new, untested layers where invalid data or spam can cripple network liveness.
Evidence: The ERC-4337 reference bundler in JavaScript was not built for production, leaving teams like Pimlico and Biconomy to develop custom, unaudited node software that handles billions in potential user funds.
protocol-spotlight
AUDIT GAP ANALYSIS
How Leading Bundlers Are (Or Aren't) Addressing This
Standard smart contract audits are insufficient for the complex, stateful logic of ERC-4337 bundlers. Here's how the ecosystem is adapting.
01
The Problem: Stateful Execution is a New Attack Surface
Bundlers manage a mempool of UserOperations, handle simulation and ordering, and execute atomic bundles. This creates unique risks like:\n- Mempool poisoning and DoS via invalid ops\n- Front-running and MEV extraction within the bundle\n- Simulation griefing causing failed transactions and wasted gas
~500ms
Simulation Window
10k+
Ops/Hour
02
Stackup's Guard: Proactive Simulation & Reputation
Stackup's bundler implements a reputation system and aggressive simulation to mitigate systemic risk. This approach:\n- Scores senders based on historical op success to filter spam\n- Pre-validates ops against a recent state to reduce on-chain failures\n- Creates a defensive mempool, shifting risk assessment off-chain
>99%
Success Rate
-90%
Revert Waste
03
Alchemy & Pimlico: The Outsourced Risk Model
Major RPC providers offer bundler APIs but treat the core node as a black-box dependency (e.g., on Reth or Geth). This outsources critical security:\n- Relies on node client integrity for simulation accuracy\n- Abstracts away mempool logic, creating audit opacity\n- Centralizes risk on a few infrastructure codebases
$10B+
Aggregate TVL
2-3
Core Clients
04
The Solution: A Bundler-Specific Audit Framework
A new framework must test the end-to-end flow, not just contracts. Critical audit vectors include:\n- Mempool isolation: Preventing op leakage between bundles\n- Simulation fidelity: Ensuring local state matches on-chain execution\n- Atomicity guarantees: Verifying all-or-nothing bundle submission
5+
New Test Vectors
10x
Complexity Increase
counter-argument
THE SURFACE ARGUMENT
The Steelman: "It's Just Code, Audit the Code"
A naive view holds that auditing the core ERC-4337 contracts is sufficient for security, ignoring the critical off-chain execution layer.
The core contracts are simple. The EntryPoint, AccountFactory, and Paymaster logic are minimal and deterministic. Auditing them, as firms like OpenZeppelin and Trail of Bits have done, provides a false sense of completeness.
The real complexity is off-chain. The bundler's mempool logic and transaction simulation are not part of the on-chain standard. This creates a trust boundary where a bundler's implementation dictates security.
Compare to a sequencer. An L2 sequencer's code is a single point of failure, just like a bundler. Auditing Arbitrum's Nitro or Optimism's Bedrock is mandatory; a bundler deserves the same scrutiny.
Evidence: The Pimlico bundler team's public audit by Spearbit focused on DoS vectors and simulation integrity, proving the bundler-specific attack surface is distinct and critical.
FREQUENTLY ASKED QUESTIONS
FAQ: Bundler Security for Builders and Auditors
Common questions about why ERC-4337 bundler logic demands its own, specialized audit framework.
Bundlers are hybrid systems requiring both smart contract and off-chain logic audits. A standard contract audit misses critical off-chain components like mempool simulation, transaction ordering, and DoS protection. Frameworks like Pimlico's userop.js and Stackup's Bundler introduce unique stateful logic that interacts with EntryPoint contracts in novel ways, creating new attack surfaces.
takeaways
BEYOND SMART CONTRACT SECURITY
TL;DR: The New Audit Mandate
ERC-4337's modular architecture introduces systemic risks that traditional smart contract audits are not designed to catch, demanding a new framework focused on the bundler's logic and its interaction with the wider ecosystem.
01
The Problem: The Bundler is a New Attack Surface
The bundler is a privileged, off-chain actor that can censor, front-run, or reorder UserOperations. Traditional audits focus on on-chain contract logic, but the bundler's mempool logic and economic incentives are a new, untested attack vector.
- Risk: Centralization of power in a few bundler implementations (e.g., Stackup, Alchemy).
- Blind Spot: MEV extraction logic and transaction ordering are opaque.
1 of 3
Critical Risk Vectors
Off-Chain
Attack Surface
02
The Solution: End-to-End State Transition Audits
Audits must simulate the full UserOperation lifecycle, from the client to the EntryPoint. This requires testing the bundler's validation logic, paymaster sponsorship checks, and aggregation rules against malicious or edge-case inputs.
- Focus: Ensure atomicity of the
validateUserOp->handleOpsflow. - Tooling Gap: Existing fuzzers like Foundry need extensions for off-chain component simulation.
100%
Flow Coverage
E2E
Test Scope
03
The Problem: Paymaster-Bundler Incentive Misalignment
Paymasters (like Biconomy, Candide) reimburse bundlers for gas, creating a trust assumption. A malicious or buggy bundler could drain a paymaster's deposit by spamming invalid ops, or a paymaster could refuse payment post-execution.
- Systemic Risk: A compromised paymaster can brick dependent accounts.
- Audit Gap: Economic security models and slashing conditions are not formally verified.
$M+
Deposit at Risk
Trust Assumption
Critical Flaw
04
The Solution: Adversarial Network Simulation
Model the bundler-paymaster-account factory network as a multi-agent game. Use agent-based simulation to stress-test for liveness failures and extractable value under adversarial conditions, similar to analyses done for Cosmos or Polkadot validators.
- Output: Quantify the minimum staking/penalty required for safety.
- Benchmark: Measure censorship resistance against a cartel of bundlers.
N-Agent
Simulation
Game Theory
Framework
05
The Problem: Mempool Privacy & Front-Running
The ERC-4337 mempool is public by default, exposing UserOperation intent. This recreates the same MEV issues seen on Uniswap and Ethereum L1, but now with more complex transactions. Bundlers become the new block builders.
- Exploit: Sandwich attacks on token approvals within a UserOperation.
- Audit Blind Spot: Privacy-preserving tech (e.g., SUAVE, Flashbots) integration is not audited.
Public
Intent Exposure
MEV Vector
Recreated
06
The Solution: Intent-Based Architecture Review
Audit the bundler's compliance with intent standards and its integration with privacy layers. Evaluate if the system's design allows for future integration with CowSwap-style solvers or Across-like relayers without breaking security guarantees.
- Criteria: Can user intent be fulfilled without leakage?
- Future-Proofing: Ensure architecture doesn't preclude encrypted mempools like Shutter Network.
Intent
Preservation
Future-Proof
Design
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall