Why ERC-4337's Core Architecture Incentivizes Spam

Paymasters can sponsor transaction fees, decoupling user intent from payment. This creates a free transaction channel for spammers, as seen in early Ethereum testnet deployments where >90% of UserOps were spam.\n- Zero-Cost Spam: Attackers can mint infinite transactions via sponsored sessions.\n- MEV Frontrunning: Spam can be used to obfuscate profitable MEV bundles.

Bundlers are profit-maximizing actors competing in a first-price auction for inclusion. Rational bundlers must include any UserOp with sufficient fees, even spam, or lose revenue to competitors.\n- No Native Filtering: Protocol lacks a canonical spam-slashing mechanism.\n- Race to the Bottom: Economic pressure prevents coordinated spam rejection, similar to early Ethereum block builder issues.

The UserOperation mempool is a shared, unstructured broadcast layer. Unlike Ethereum's tx pool with explicit gas pricing, it lacks a robust fee market to price out spam, making it a free-to-pollute commons.\n- No Priority Fees: Spam occupies the same queue as legitimate transactions.\n- DoS Vector: Cheap to flood, expensive to validate, creating network instability for clients like Nethermind and Geth.

Solutions like Pimlico's ERC-7560 for native spam penalties or Ethereum's PBS assume altruistic or perfectly coordinated builders. In practice, fragmented bundler markets (e.g., Stackup, Alchemy) and cross-chain intent systems like UniswapX increase complexity and attack surface.\n- Coordination Failure: Real-world deployment will have hundreds of independent bundlers.\n- Cross-Chain Spam: Spam can originate from sponsored transactions on Polygon or Base, exploiting subsidized gas.

Bundlers are profit-maximizing entities, not network stewards. Their incentive is to include the highest-paying user operations first, creating a classic priority gas auction (PGA).\n- Uncapped mempool allows infinite low-fee spam to clog the queue.\n- No inherent spam penalty for submitting invalid ops, as paymasters absorb the validation gas.\n- This mirrors early Ethereum block space issues, but with weaker spam resistance.

The paymaster's validatePaymasterUserOp function is a public, gas-paid entry point. Attackers can craft operations that fail validation but still cost the paymaster gas.\n- Sustained spam can drain a paymaster's deposit, disabling all its sponsored users.\n- Forces paymasters to implement complex rate-limiting and fraud detection off-chain, centralizing trust.\n- Creates a new attack surface where competing projects can financially sabotage each other's user onboarding.

ERC-4337 has no protocol-level stake for bundlers or paymasters, unlike L1 proposers. This eliminates a key Sybil resistance mechanism.\n- Permissionless entry allows anyone to run a bundler, enabling spam syndicates to create their own.\n- Reputation systems (like those proposed by Ethereum Foundation's 4337 team) are off-chain and non-binding.\n- Contrast with SUAVE or MEV-Boost relays, which use stake and registration to filter participants.

The UserOperation mempool is transparent. Rival bundlers can snoop on profitable bundles, replicate them, and frontrun the original builder.\n- This disincentivizes complex bundle construction (like arbitrage), reducing overall network efficiency.\n- Leads to a race-to-the-bottom where only simple, spam-like bundles are safe to publish.\n- Solutions like threshold encryption (e.g., Ethereum P2P updates) are critical but add latency and complexity.

By allowing paymasters to sponsor gas in any token, ERC-4337 abstracts gas economics from users. This creates a spam subsidy.\n- Users feel zero cost, removing natural economic throttling.\n- Paymaster's gas tank becomes a centralized, attackable funding pool for network spam.\n- Similar to how LayerZero's default configuration relies on a centralized relayer, creating a bottleneck and target.

EntryPoint contract must verify each operation's signature and paymaster validity. Optimizing for low overhead (speed/cost) weakens spam defense.\n- High verification gas hurts legitimate users; low verification gas makes spam cheaper.\n- Static gas limits for validateUserOp are a blunt instrument, easy to game.\n- Contrast with zk-rollup circuits or Altlayer's optimistic verification, which move cost away from L1.

UserOperations are public in the mempool before inclusion, creating a front-running and DoS paradise. Unlike EOA transactions, there's no gas price to prioritize honest users, only a flat fee for bundlers.

• Zero-cost spam: Anyone can broadcast infinite UserOps.
• No built-in spam resistance: No equivalent to EOA's basefee * gas economic filter.
• Bundler griefing: Spam clogs the mempool, forcing bundlers to waste resources.

Bundlers must simulate every UserOp to verify its validity and pay for the on-chain gas. Spammers pay nothing for failed simulations.

• P&L asymmetry: Bundler pays for compute, spammer pays nothing.
• Resource exhaustion: A spam wave can cripple a bundler's RPC node.
• Centralization pressure: Only large, well-capitalized bundlers (like Stackup, Alchemy) can absorb this cost, harming decentralization.

Paymasters that sponsor gas create a free mint vulnerability. A spammer can craft UserOps that always fail validation but force the Paymaster's validatePaymasterUserOp to run, wasting its staked ETH.

• Stake draining: Malicious ops can systematically drain a Paymaster's deposit.
• Indiscriminate sponsorship: Paymasters struggle to filter spam without compromising UX.
• **Protocols like Uniswap and Base using sponsored transactions become prime targets.

The emerging fix is a reputation system and staking for senders. Proposals like EIP-7510 (Reputation Scoring) and Pimlico's VerifyingPaymaster prototype enforce economic accountability.

• Sender staking: Require a bond to submit UserOps, slashed for spam.
• Reputation scores: Bundlers prioritize known-good actors.
• Whitelists: Paymasters restrict sponsorship to vetted dapps or users.