ERC-6909

ERC-6909 allows a single smart account to natively manage multiple token types—including ERC-20, ERC-721, and ERC-1155—through a single contract interface. This eliminates the need for separate approval transactions for each token standard, streamlining asset management for wallets and dApps.

• Single Interface: One execute function can handle transfers, approvals, and interactions across all supported token types.
• Reduced Complexity: Developers interact with one modular account contract instead of multiple individual token contracts.

The standard enables atomic batch operations, where multiple token actions across different standards can be bundled into a single transaction. This significantly reduces gas costs and improves the user experience for complex DeFi interactions.

• Atomic Execution: Bundle a token swap (ERC-20), an NFT purchase (ERC-721), and a staking deposit in one tx.
• Cost Savings: Minimizes overhead from multiple transaction signatures and separate contract calls.

By centralizing token logic, ERC-6909 improves security for smart contract wallets and account abstraction (ERC-4337) implementations. It allows for more sophisticated security policies and recovery mechanisms at the account level.

• Centralized Policy Control: Set spending limits, whitelists, and transaction rules that apply to all tokens held by the account.
• Simplified Auditing: Security reviews focus on one core modular account instead of fragmented token interactions.

The standard provides a predictable interface for decentralized applications and wallet providers to interact with any token held by a modular account, fostering greater ecosystem interoperability.

• Developer Simplicity: dApps can build generic token interaction features without checking for multiple standards.
• Wallet Integration: Wallets can display and manage a user's entire portfolio from a single source, improving UX.

ERC-6909 acts as a foundational layer for building modular smart contract systems. It enables the creation of plugins and modules that can safely manage a wide array of assets, powering advanced DeFi and gaming applications.

• Plugin Architecture: Developers can create specialized modules for lending, trading, or governance that work seamlessly with all token types.
• Future-Proofing: New token standards can be integrated by adding support to the modular account's interface.

ERC-6909 defines a modular account as a smart contract wallet that can manage multiple, isolated token modules. Unlike ERC-20 where tokens are held in a wallet, ERC-6909 tokens are bound to a specific module within the account. This enables:

• Composability: Different dApps can deploy their own token modules to the same user account without conflict.
• Gas Efficiency: Batch operations across modules reduce transaction costs.
• Permissioning: Granular control over which modules can transfer which tokens.

This standard is ideal for blockchain gaming and dApps requiring temporary, application-specific assets. A game can issue an ERC-6909 module that holds in-game currency and items, which are only accessible via a session key signed by the user. This creates a secure sandbox:

• Player assets are isolated from the main wallet.
• The session key can be revoked, preventing theft of primary funds.
• Enables seamless, gas-less transactions during a gameplay session.

An ERC-6909 system has two core contracts:

• Token Module: A contract that implements the token logic (minting, burning, transferring) for a specific use case. It stores balances scoped to a parent modular account.
• Modular Account Registry: A global registry that maps modular account addresses to their installed modules. This allows any external contract to discover which tokens an account holds by querying its registered modules.

ERC-6909 solves different problems than existing standards:

• vs. ERC-20: ERC-20 tokens are global, fungible contracts. ERC-6909 tokens are instance-specific to a module within an account, enabling account-scoped semantics.
• vs. ERC-1155: ERC-1155 is for batch transfers of multiple token types from a single contract. ERC-6909 is for managing token instances across multiple module contracts within a single account. It's an account structure standard, not a token contract standard.

For Developers: Simplifies building dApps that require custom token economics without deploying a full ERC-20. Enables gas sponsorship models where the dApp pays for module-specific transactions.

For Users: Improves security through asset isolation. Reduces wallet clutter by consolidating application-specific tokens into a single smart account. Enables smoother UX with session-based interactions.

The security of the entire system hinges on the correctness of the permission validator contract. A flawed validator can grant unintended privileges. Key checks include:

• Ensuring the validator correctly interprets permissionId, caller, and target data.
• Validating that the validator cannot be upgraded to a malicious contract without proper access controls.
• Auditing for reentrancy risks within custom validation logic.

ERC-6909 defines that the zero address (address(0)) represents the default permission for any (caller, target) pair not explicitly set. Misconfiguring this default is a critical risk:

• An overly permissive default (e.g., PERMIT_ANY) can lead to unauthorized access.
• A denial-of-service default (e.g., PERMIT_NONE) can brick expected functionality.
• The setPermission function must be protected to prevent attackers from setting a malicious global default.

The standard uses function selectors for target addresses. This introduces the risk of selector clashing:

• Two different function signatures can produce the same 4-byte selector (a collision).
• A permission set for a benign function could unintentionally apply to a malicious function with the same selector on a different contract.
• Developers must audit permission sets against known clashing selectors and consider using target as (address, bytes4) with extra caution.

Modular accounts often involve upgradeable components. Key considerations include:

• Storage collisions: A new plugin or validator must not corrupt the permission storage layout, which is a mapping(bytes32 => uint256).
• Permission persistence: During upgrades, ensure critical permissions are not inadvertently cleared or altered.
• Initialization attacks: The contract must be protected against re-initialization, a common vulnerability in upgradeable patterns.

Transactions that modify permissions (setPermission, setPermissionValidator) are susceptible to front-running attacks:

• An attacker monitoring the mempool could see a permission grant and front-run it with a malicious call.
• Time-delayed or multi-step permission changes should be designed to avoid dangerous intermediate states.
• Consider using commit-reveal schemes or batched operations for sensitive permission updates.

ERC-6909 must safely interact with other account abstraction standards like ERC-4337 (EntryPoint) and ERC-7579 (Modular Accounts). Security audits must verify:

• That the permission check is invoked at the correct point in the validation flow (e.g., in the validateUserOp function).
• There is no conflict between ERC-6909 permissions and native SELFDESTRUCT or DELEGATECALL opcode permissions.
• That fallback handlers and execution layers respect the defined permission boundaries.

A Validation Module is a core component in a modular account (like an ERC-6909 account) responsible for verifying transaction signatures and permissions. It decouples the signature scheme from the account logic, allowing for flexible authentication:

• Multi-signature schemes (e.g., 2-of-3 signers)
• Social recovery setups
• Passkey or biometric signers
• Session keys for gaming ERC-6909 accounts execute transactions only after validation by an installed module.

Execution Functions (often implemented as hooks) are the logic units that perform actions within a modular account. In the ERC-6909 model, after a transaction is validated, specific execution logic is triggered. These can be:

• Native executions like token transfers or contract calls.
• Hook executions that run before or after a main action (e.g., logging, fee payment).
• Fallback handlers for arbitrary calls. This separation allows developers to compose complex transaction flows from reusable, secure modules.

A Smart Contract Wallet is a blockchain account whose logic is defined by a smart contract, not a private key. ERC-6909 modular accounts are a specific, advanced type of smart contract wallet. Key advantages over Externally Owned Accounts (EOAs) include:

• Programmable security (recovery, spending limits).
• Batch transactions (multiple actions in one call).
• Gas abstraction (paying fees in ERC-20 tokens).
• Upgradability through module management.