ADI Chain

We express our gratitude to the ADI Chain team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

GaslessPaymaster implements an ERC-4337 (account abstraction) paymaster that sponsors gas fees on behalf of users, enabling gasless transactions.

The system users should acknowledge all the risks summed up in the risks section of the report

{Finding_Table?columns=title,severity,status&setting.filter.type=Vulnerability}

Documentation quality

• Functional requirements are provided.

• • Project overview is detailed

  • Main flows are described

  • Includes system architecture

• Technical description is complete.

• • Run instructions are provided.

  • NatSpec is sufficient.

  • Technical specification is provided.

Code quality

• The development environment is configured.

Test coverage

Code coverage of the project is 87.16% (branch coverage).

• Deployment and basic user interactions are covered with tests.

GaslessPaymaster implements an ERC-4337 (account abstraction) paymaster that sponsors gas fees on behalf of users, enabling gasless transactions. It integrates with the eth-infinitism/account-abstraction v0.7 EntryPoint singleton — the protocol-level contract that orchestrates UserOperation validation, execution, and gas accounting. The paymaster holds an ETH deposit at the EntryPoint, which is debited to cover gas costs for sponsored operations and refunded for unused gas after execution.The contract provides two independent authorization paths for gas sponsorship:

1. Whitelist path — An admin-configured per-address allowlist with optional fee-per-gas caps, gas-volume caps, time windows, and transaction count limits. A global maxCostPerOperation bound applies across both paths. Whitelisted senders require no signature; the paymaster sponsors any operation from an active whitelisted address that satisfies the configured constraints.

2. Signature path — An off-chain verifier (holding VERIFIER_ROLE) signs a commitment hash over a subset of UserOperation fields and fee caps. The on-chain contract recovers the signer, verifies the role, enforces fee caps embedded in the paymasterAndData, and marks the signature as used to prevent replay.

The contract inherits BasePaymaster (which provides EntryPoint integration, deposit/stake management, and Ownable access control), OpenZeppelin's AccessControl (for role-based administration), and Pausable (for emergency stops). This dual inheritance creates two independent authority systems governing different aspects of the contract.

Files in scope

• GaslessPaymaster.sol — ERC-4337 paymaster supporting dual-path gas sponsorship (whitelist and verifier signature). Validates UserOperations during the EntryPoint's validation phase, returns context for post-execution processing, and emits events in _postOp. Manages whitelist configurations, transaction counters, and signature replay tracking.

Privileged Roles

• VERIFIER_ROLE - only allowed signer in _validatePaymasterUserOp unless the caller is whitelisted.

• DEFAULT_ADMIN_ROLE - can pause the contracts, setup whitelisted addresses, revoke signatures.

• owner - ability to withdraw deposit, as well as add/unlock/withdraw stake from the EntryPoint. Gated by pause state via _checkOwner override; fund management is blocked while the contract is paused.

• entryPoint - only allowed caller of validatePaymasterUserOp and postOp.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope