The First Interoperable, Composable, and Chain Abstracted Session Key Module

Rhinestone and Biconomy partner up to enable powerful onchain permissions for any smart account implementation

Product
Kurt Larsen
September 12, 2024

TL;DR

Biconomy and Rhinestone have teamed up to build the Smart Session Manager, an onchain permissions system that is fully composable and interoperable across any ERC-7579 smart account.

Session keys are not a new concept. However, Smart Sessions change the game in four specific ways:

  • Smart Sessions are interoperable across all ERC-7579 accounts. This means developers only need to build with one permission framework to ensure maximum account coverage (incl. Safe, Biconomy, ZeroDev, Etherspot, OKX, and many more).
  • Smart Sessions separate validators (the signing mechanism) and policies to increase composability and component reuse, which improves developer efficiency and costs.
  • Support for a wide range of signing mechanisms out of the box, including passkeys, multisig, and the standard ECDSA validator.
  • Chain abstracted sessions! With Smart Sessions, developers can enable a session key for multiple sessions and on multiple chains, all with a single user signature! Build a seamless omnichain dapp experience with ease.

We’ve already announced our partnership with WalletConnect to bring smart sessions to developers via AppKit (using Safe under the hood), and we’re excited to launch this killer module into production with Biconomy at the end of September.

Smart Sessions will be integrated with the ModuleSDK at the end of this week for early access and beta testing on the testnet with any ERC-7579 account.

Session Keys Defined

One of the core features of smart accounts is programmable validation. It facilitates key recovery, multisig, passkeys, and quantum resistance. However, the real game-changer is the ability to set programmable permissions. Permissions will play a pivotal role in almost all killer smart account applications: intent-based transactions, chain abstraction, DeFi automations, or general UX improvements by collapsing complex on-chain interactions into a single click. They are a linchpin component that enables such products to be self-sovereign for users.

Programmable permissions are made possible by session keys, a form of a validator module. Session keys are scoped (i.e., restricted to certain on-chain actions) and ephemeral (only valid for a pre-determined period) and authorized by the user. For example, a session key can be limited to only approve USDC transfers under a certain value to a whitelist of addresses for the next hour. They are a useful tool for making general UX improvements but can also unlock powerful new use cases that require delegating high-stakes access rights to a trusted entity.

Shortcomings of Existing Session Key Products

Session keys are not a new phenomenon. Many smart wallet providers have built and offered session keys to developers who are building with a specific account implementation. However, there have been several shortcomings with prior implementations:

  1. Account interoperability: All session key products to date have been purpose-built for a specific account implementation. For example, Biconomy’s existing Session Key Manager is only compatible with the Biconomy V2 smart account.
  2. Lack of composability: Most session key products do not separate the policy (the specified permissions) from the validator (what authorizes the permissions). The logic that defines what a session key can do is written directly into each implementation, limiting composability.
  3. Signing mechanism support: Most session key products only support an ECDSA validation scheme, leaving out multisig, passkeys, and many other signing mechanisms that could be relevant for different application use cases.

Introducing the Smart Session Manager

A highly interoperable and composable session key product that is chain abstracted!

Rhinestone and Biconomy co-developed the Smart Session Manager. It is highly customizable, compatible with ERC-7715, and works with any ERC-7579-compliant smart account.

The Smart Session Manager’s design separates policies and validators. This allows for a much more composable developer experience, where session keys can be configured by reusing existing policies and validators. The multichain features and compatibility with ERC-7579 mean application developers no longer need to write a different session key for every smart account they support and every chain supported. Below is an overview of the Smart Session Manager architecture.

A Policy is a defined permission, such as a gas limit, spending limit, or a whitelist of contract addresses. The (Stateless) Validator is a signing mechanism, such as an ECDSA validator (EOA), MPC, passkeys, etc. The Smart Session Manager stores validator IDs, which map to an IValidator contract that verifies signatures and an IPolicy contract that validates policies. Each Smart Session, created by an application and approved by the user, has a corresponding validator ID. When a transaction is triggered against a specific validator ID, the policies are looped over, and the session key signatures are verified against the signing mechanism.
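To make the architecture above concrete, here is an added illustration in Python that is not code from Rhinestone, Biconomy or the Smart Session Manager contracts. It models the session from the "Session Keys Defined" section (USDC transfers under a limit, to an allowlist, for one hour) as four reusable policies and one stateless validator, and shows the manager verifying the session key signature first and then looping over the policies. HMAC stands in for ECDSA signature verification, and the addresses, keys, and permission ID are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholders: not real addresses, not real keys.
USDC, ALICE, BOB, MALLORY = "0xUSDC-placeholder", "0xALICE", "0xBOB", "0xMALLORY"
SESSION_KEY = b"session-key-placeholder"      # key the user authorised for the app
USDC_DECIMALS = 10**6

@dataclass(frozen=True)
class Call:
    target: str      # contract the account is asked to call
    selector: str    # function being invoked
    recipient: str   # first calldata argument
    amount: int      # second calldata argument, in USDC base units
    timestamp: int   # block timestamp at validation time (chain-supplied, not signed)

class Policy:  # check() is side-effect free; commit() runs only after every policy passed
    def check(self, call: Call) -> bool:
        raise NotImplementedError
    def commit(self, call: Call) -> None:
        pass

@dataclass
class TargetPolicy(Policy):          # only this contract and function
    target: str
    selector: str
    def check(self, call: Call) -> bool:
        return call.target == self.target and call.selector == self.selector

@dataclass
class RecipientAllowlist(Policy):    # only these recipients
    allowed: frozenset[str]
    def check(self, call: Call) -> bool:
        return call.recipient in self.allowed

@dataclass
class SpendLimit(Policy):            # cumulative spend over the session's lifetime
    limit: int
    spent: int = 0
    def check(self, call: Call) -> bool:
        return self.spent + call.amount <= self.limit
    def commit(self, call: Call) -> None:
        self.spent += call.amount

@dataclass
class TimeFrame(Policy):             # ephemeral: valid until a timestamp
    valid_until: int
    def check(self, call: Call) -> bool:
        return call.timestamp <= self.valid_until

def call_digest(call: Call) -> bytes:  # what the session key signs (the timestamp is not part of it)
    return hashlib.sha256(f"{call.target}|{call.selector}|{call.recipient}|{call.amount}".encode()).digest()

@dataclass
class HmacValidator:  # stand-in for a stateless validator such as ECDSA: checks the signature, nothing else
    key: bytes
    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(hmac.new(self.key, digest, hashlib.sha256).digest(), signature)

class SmartSessionManager:
    def __init__(self) -> None:
        # permission ID -> (validator, policies); populated only with user-approved sessions
        self.sessions: dict[str, tuple[HmacValidator, list[Policy]]] = {}
    def validate(self, permission_id: str, call: Call, signature: bytes) -> bool:
        if permission_id not in self.sessions:
            return False
        validator, policies = self.sessions[permission_id]
        # Signature first: an unauthenticated call must never touch policy state.
        if not validator.verify(call_digest(call), signature):
            return False
        # Loop over the policies; a single failing policy rejects the whole call.
        if not all(policy.check(call) for policy in policies):
            return False
        for policy in policies:                  # only now record spend etc.
            policy.commit(call)
        return True

def demo() -> list[bool]:  # the session from the text: USDC transfers, limit, allowlist, one hour
    manager = SmartSessionManager()
    manager.sessions["usdc-hourly"] = (HmacValidator(SESSION_KEY), [
        TargetPolicy(USDC, "transfer"), RecipientAllowlist(frozenset({ALICE, BOB})),
        SpendLimit(100 * USDC_DECIMALS), TimeFrame(valid_until=3600)])
    def attempt(recipient: str, usdc: int, ts: int, key: bytes = SESSION_KEY) -> bool:
        call = Call(USDC, "transfer", recipient, usdc * USDC_DECIMALS, ts)
        signature = hmac.new(key, call_digest(call), hashlib.sha256).digest()
        return manager.validate("usdc-hourly", call, signature)
    return [
        attempt(ALICE, 60, ts=10),                               # within every policy -> accepted
        attempt(BOB, 60, ts=20),                                 # 60 + 60 exceeds the 100 USDC limit -> rejected
        attempt(MALLORY, 30, ts=20),                             # recipient not on the allowlist -> rejected
        attempt(ALICE, 30, ts=4000),                             # past the one-hour window -> rejected
        attempt(ALICE, 30, ts=30, key=b"unauthorised-key"),      # not signed by the session key -> rejected
        attempt(ALICE, 30, ts=30),                               # 60 + 30 fits the limit -> accepted
    ]
```

Two design points carry over to any real implementation of this pattern: the validator is consulted before any policy, so a forged signature cannot consume spend or rate-limit state, and stateful policies split `check` from `commit` so that a rejection by a later policy in the loop leaves earlier policies untouched.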

Composability emerges here because a specific Policy and Validator only need to be written once and can be reused by any developer. If a required Policy or Validator does not exist, the developer can write a bespoke contract to meet these needs. This also creates added security benefits by isolating policies from the application and allowing users to override or add stricter permissions through a trusted wallet UI.

At launch, we will cater to all the permission and policy types defined in the ERC-7715 spec, including native token, ERC-20, ERC-721, and ERC-1155 token transfers, and gas limit, spend limit, call limit, and rate limit policies. We’ll also have some extras, including the sudo permission (full delegation or “the yolo” policy) and a generalized policy that the developer can customize.

Chain Abstracted Sessions

Chain Abstraction is a loaded term. Most interpret chain abstraction as the ability to spend a given token across any chain instantly, removing the need for users to bridge or even be aware of the underlying network. However, there are many other components to abstracting away account and asset management across chains. In a prior blog post we talked about contract state sync to align module config across different chains — for example, aligning the authorization keys on an account across all chains (see Scroll's Keystore).

To completely abstract chains from the user experience, it’s important that permissions (or authorizations) can also be seamlessly propagated or replayed across multiple chains in a secure manner for the user. Smart Sessions enable this by allowing users to sign a list of sessions with a respective set of chainIDs. We believe this will be a game changer for application developers looking to automate and streamline onchain interactions across multiple chains.
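As an added illustration (not code from Rhinestone, Biconomy or the Smart Session Manager contracts), the following Python models the single-signature, multi-chain enable flow described above: the user signs one list of sessions, each tagged with the chain IDs it is valid on, and the manager deployed on each chain verifies that signature and enables only the entries that name its own chain. HMAC stands in for the wallet signature; the chain IDs, permission IDs, session contents, and the per-chain single-use guard on the signed bundle are this example's assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json

USER_KEY = b"user-key-placeholder"  # constructed stand-in for the account owner's signing key

def bundle_digest(bundle: list[dict]) -> bytes:
    # Canonical encoding, so the manager on every chain hashes exactly the bytes the user signed.
    encoded = json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).digest()

def user_sign(bundle: list[dict], key: bytes = USER_KEY) -> bytes:
    # One signature covers the whole list of (session, chainIds) entries.
    return hmac.new(key, bundle_digest(bundle), hashlib.sha256).digest()

class ChainSessionManager:
    """The session manager as deployed on a single chain (constructed model): it knows
    its own chain ID and the owner's verification key."""
    def __init__(self, chain_id: int, owner_key: bytes) -> None:
        self.chain_id = chain_id
        self.owner_key = owner_key
        self.enabled: dict[str, dict] = {}   # permission ID -> session config
        self.consumed: set[bytes] = set()    # bundle digests already used here (assumed replay guard)

    def enable_from_bundle(self, bundle: list[dict], signature: bytes) -> list[str]:
        digest = bundle_digest(bundle)
        expected = hmac.new(self.owner_key, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bundle was not signed by the account owner")
        if digest in self.consumed:
            raise PermissionError("bundle already consumed on this chain")
        self.consumed.add(digest)
        enabled: list[str] = []
        for entry in bundle:
            # Entries that do not name this chain are ignored, so the same signed bundle can be
            # submitted on every chain yet only activates sessions where the user intended.
            if self.chain_id in entry["chainIds"]:
                self.enabled[entry["permissionId"]] = entry["session"]
                enabled.append(entry["permissionId"])
        return enabled

def demo() -> dict:
    # Constructed bundle: one user signature, two sessions, three chains.
    bundle = [
        {"permissionId": "dca-weth", "chainIds": [1, 10],
         "session": {"validator": "ecdsa", "policies": ["spend-limit", "time-frame"]}},
        {"permissionId": "game-moves", "chainIds": [8453],
         "session": {"validator": "passkey", "policies": ["target", "rate-limit"]}},
    ]
    signature = user_sign(bundle)
    managers = {cid: ChainSessionManager(cid, USER_KEY) for cid in (1, 10, 8453, 42161)}
    result: dict = {cid: m.enable_from_bundle(bundle, signature) for cid, m in managers.items()}

    def rejected(manager: ChainSessionManager, b: list[dict], sig: bytes) -> bool:
        try:
            manager.enable_from_bundle(b, sig)
            return False
        except PermissionError:
            return True

    tampered = json.loads(json.dumps(bundle))
    tampered[0]["chainIds"].append(42161)   # try to extend the session to a chain the user never listed
    result["tampered_rejected"] = rejected(managers[42161], tampered, signature)
    result["replay_rejected"] = rejected(managers[1], bundle, signature)
    return result
```

The security property to check in any implementation of this flow is that the chain ID set is inside what the user signed: extending the list after signing invalidates the signature, and a chain whose ID is absent enables nothing even though the signature over the bundle is valid there.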

Creating Powerful Onchain Automation

Session keys unlock an array of compelling user experiences and products. For example, they allow application developers to remove pesky transaction popups from the wallet, removing the need for the user to continually switch contexts between the app and the wallet during a session. Session keys can also unlock more powerful products. For example, Argent recently announced the Argent Card, which allows users to plug a MasterCard debit card directly into an existing account. When an offchain transaction is initiated, a session key is used to draw funds from the user’s account onchain.

Session keys will bring about a large array of asynchronous signing and automations on the user’s behalf, unlocking new onchain products that previously could only be delivered by centralized third parties. For example, DeFi products will be able to offer features that previously could only be offered by centralized exchanges.

One powerful use case that Biconomy will be looking to support through the Biconomy DAN is onchain AI agents, such as a self-custodial portfolio management product (a robo advisor) or a more complex agent that can undertake undefined tasks to achieve a specifically defined outcome.

Rhinestone Automations

Many DeFi automations, such as auto rebalancing, auto liquidation, TWAPs, stop loss, take profit, DCA, etc., require a session key, in some cases an executor module, and an offchain relay service that can monitor pre-defined events and fire a trigger when certain conditions are met. For example, a DCA module would use a simple cron job trigger with a session key. The introduction of executor modules can allow for pre-determined logic with unknown future variables to be automated — e.g., an auto-save feature that is dependent on the amount of tokens received at the time of the automation.

For this reason, we built Rhinestone Automations, an offchain service that monitors events (e.g., time or onchain events) and triggers executions under pre-determined conditions. Session keys allow users to authorize these automations without giving up custody of their account or custodying funds in a purpose-built contract separate from the smart account.

Rhinestone Automations is currently in private beta. Please reach out if you’re interested in testing.

WalletConnect AppKit Integration

The WalletConnect AppKit SDK lets developers quickly and easily integrate Smart Sessions into dapps. By leveraging AppKit, developers can provide users with a significantly improved experience by allowing them to grant permissions for transactions to occur even when they are not actively present on the dapp. This unlocks a wealth of new use cases and fosters a more seamless “set it and forget it” experience for users.

AppKit provides a standardized, easy-to-use interface that works seamlessly with any ERC-7715 compatible wallet. This eliminates the need for developers to write custom code for each wallet integration, saving time and effort.

In addition to providing a powerful SDK for any dapp developer, support for Smart Sessions will soon be available in AppKit Universal Wallet. This means that all of our Smart Wallet users will be able to benefit from the enhanced capabilities and flexibility offered by these new features. Powered by the Smart Session Manager and the ModuleSDK, our Universal Wallet will provide an intuitive experience for users to grant permissions and manage their Smart Sessions.

See it in action with our On-Chain TicTacToe where the user doesn’t need to approve every move and DCA App that will execute transactions in the background.

Biconomy DAN

Biconomy DAN enables secure session key management and offchain permissions via an MPC network. The key material for these authorizations is decentralized to a key management network that leverages Silence Laboratories’ MPC technology and Ethereum’s economic security via EigenLayer node operators. When an agent recommends a batch of transactions on behalf of a user, each node individually validates these requests against the scoped permissions. Only once a threshold number of nodes verify that the transaction request is within the set permissions does DAN generate the required signature.

Biconomy DAN can be used with the Smart Session Manager to manage the session key material securely, or permissions can be programmed offchain. The advantage of onchain permissions is that they are trust-minimized. The advantage of programming the permissions offchain is cost-effectiveness (minimizing gas fees) while placing higher trust in the node operators. Biconomy DAN will be flexible enough to allow for a combination. An example where combining onchain and offchain permissions could be effective is where developers set high-security policies onchain (such as a spending limit) and less security-critical policies offchain for cost-benefits. Check out the Biconomy DAN product page for more information.

Why Biconomy Partnered up with Rhinestone

Module Development Expertise

Rhinestone’s bread and butter are modular smart accounts. Before ERC-7579, we built modules for all the major modular accounts, which gave us a unique perspective on what works well and what doesn’t. We’ve been heavily involved in multiple implementations of ERC-7579 accounts and thus have an intricate understanding of the spec and module landscape. Finally, we wrote the handbook (ModuleKit) on building and testing modules against any smart account.

We were proud to contribute to the Smart Session Manager as a core open source good for the growing ERC-7579 ecosystem.

Distribution

Smart Sessions is a powerful smart account module that should be accessible to any developer building with account abstraction. To achieve this, Rhinestone will distribute the Smart Session Manager to any developer building products native to smart accounts via the ModuleSDK. This will provide a platform for Biconomy DAN as any developer building with the Smart Session Manager can easily integrate and use this complementary service.

Rhinestone will act as an interoperability and security layer. Through ERC-7579, we achieve out-of-the-box interoperability across Biconomy’s Nexus account (coming soon), ZeroDev’s Kernel V3, and several smart wallets (e.g., OKX and Trust Wallet) with many more inbound. For accounts that are not ERC-7579 compliant, Rhinestone provides a translation mechanism in the form of ERC-7579 adapters. For example, the Smart Session Manager module will be available to developers building with Safe via the Safe7579 Adapter.

User Security

In an earlier blog post, we discussed the importance of the Module Registry in securing an open and permissionless ecosystem of apps built natively for smart accounts. In Q3 2024, the Smart Session Manager module will undergo a security review with a trusted auditor, and a security attestation will be made on the Module Registry.

The Module Registry will play two important roles: 1) create a scalable mechanism for verifying the security of smart account modules onchain, and 2) enable ongoing security checks whenever a module is used. Through the Module Registry, Biconomy can set a high-security bar for any developer building with the Smart Session Manager and the DAN from the outset.

Rhinestone and Biconomy will be partnering with Spearbit to perform the audit and attestation of the Smart Session Manager. We’re excited to onboard Spearbit as a Module Registry auditor in preparation for the modular marketplace built on these security foundations.

Conclusion

Smart Sessions are a powerful primitive for delegating permissions to third parties. The Smart Session Manager allows for composable permissions that are interoperable with any account implementation that is ERC-7579 compliant. Biconomy DAN helps solve key management while providing an offchain alternative to session keys when gas fees are an important consideration.

If you want to build novel products requiring users to delegate sensitive authorizations, we’d love to hear from you!
