ERC-5005: Zodiac Modular Accounts

Abstract

This EIP standardizes interfaces for composable and interoperable tooling for programmable Ethereum accounts. These interfaces separate contract accounts ("avatars") from their authentication and execution logic ("guards" and "modules"). Avatars implement the IAvatar interface, and guards implement the IGuard interface. Modules may take any form.

Motivation

Currently, most programmable accounts (like DAO tools and frameworks) are built as monolithic systems where the authorization and execution logic are coupled, either within the same contract or in a tightly integrated system of contracts. This needlessly inhibits the flexibility of these tools and encourages platform lock-in via high switching costs.

By using the this EIP standard to separate concerns (decoupling authentication and execution logic), users are able to:

1. Enable flexible, module-based control of programmable accounts
2. Easily switch between tools and frameworks without unnecessary overhead.
3. Enable multiple control mechanism in parallel.
4. Enable cross-chain / cross-layer governance.
5. Progressively decentralize their governance as their project and community matures.

Specification

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

This EIP consists of four key concepts:

• Avatars are programmable Ethereum accounts. Avatars are the address that holds balances, owns systems, executes transaction, is referenced externally, and ultimately represents your DAO. Avatars MUST implement the IAvatar interface.
• Modules are contracts enabled by an avatar that implement some execution logic.
• Modifiers are contracts that sit between modules and avatars to modify the module's behavior. For example, they might enforce a delay on all functions a module attempts to execute or limit the scope of transactions that can be initiated by the module. Modifiers MUST implement the IAvatar interface.
• Guards are contracts that MAY be enabled on modules or modifiers and implement pre- or post-checks on each transaction executed by those modules or modifiers. This allows avatars to do things like limit the scope of addresses and functions that a module or modifier can call or ensure a certain state is never changed by a module or modifier. Guards MUST expose the IGuard interface. Modules, modifiers, and avatars that wish to be guardable MUST inherit Guardable, MUST call checkTransaction() before triggering execution on their target, and MUST call checkAfterExecution() after execution is complete.

Rationale

The interface defined in this standard is designed to be mostly compatible with most popular programmable accounts in use right now, to minimize the need for changes to existing tooling.

Backwards Compatibility

No backward compatibility issues are introduced by this standard.

Security Considerations

There are some considerations that module developers and users should take into account:

1. Modules have absolute control: Modules have absolute control over any avatar on which they are enabled, so any module implementation should be treated as security critical and users should be vary cautious about enabling new modules. ONLY ENABLE MODULES THAT YOU TRUST WITH THE FULL VALUE OF THE AVATAR.
2. Race conditions: A given avatar may have any number of modules enabled, each with unilateral control over the safe. In such cases, there may be race conditions between different modules and/or other control mechanisms.
3. Don't brick your avatar: There are no safeguards to stop you adding or removing modules. If you remove all of the modules that let you control an avatar, the avatar will cease to function and all funds will be stuck.

Copyright

Copyright and related rights waived via CC0.