WhitelistPaymaster
Author: Lendefi Team
Sponsors gas for ERC-4337 UserOperations that target whitelisted contracts. Inherits from BasePaymaster (which provides Ownable and EntryPoint integration).
Overview
The WhitelistPaymaster is a permissioned gas sponsor for the Owl Smart Wallet system. It validates that a UserOperation's target contract is on the whitelist before agreeing to pay gas fees. This enables controlled gas sponsorship for AI agents interacting with approved protocols (e.g., DeFi lending, token swaps).
Key Features:
Whitelist-based target validation for execute() and executeBatch() calls
Optional wallet registry enforcement to ensure only valid wallets receive sponsorship
Gas tracking metrics for monitoring and analytics
Batch whitelist management for operational efficiency
Security Model:
Only the owner can modify the whitelist and registry settings
Critical: only the first-level call target (the address the wallet itself will call) is validated; the calldata that target receives is not inspected. Do NOT whitelist contracts with arbitrary forwarding capabilities (multicall routers, generic proxies, anything that calls an address supplied in its input): a whitelisted forwarder lets a UserOperation reach any contract while still receiving sponsorship.
Agentic Context: AI agents submit UserOperations via the bundler relay. If the target contract (e.g., Morpho, Uniswap) is whitelisted, the paymaster sponsors gas, enabling gasless autonomous operation.
State Variables
whitelistedContracts
Mapping of approved target contracts that can receive sponsored transactions.
walletRegistry
Optional registry/factory contract used to validate that userOp.sender is a legitimate wallet.
enforceWalletRegistry
If true, requires userOp.sender to be validated against walletRegistry before sponsoring.
totalSponsoredTransactions
Counter of all sponsored transactions (for analytics).
totalGasSponsored
Cumulative gas cost sponsored (in wei).
EXECUTE_SELECTOR
Function selector for SmartWallet.execute(address,uint256,bytes).
EXECUTE_BATCH_SELECTOR
Function selector for SmartWallet.executeBatch((address,uint256,bytes)[]).
Functions
Constructor
Initializes the paymaster with the ERC-4337 EntryPoint and owner address.
_entryPoint
IEntryPoint
ERC-4337 EntryPoint contract
_owner
address
Owner address (receives admin privileges)
Admin Functions
setWhitelistedContract
Add or remove a contract from the whitelist.
Access Control: onlyOwner
Security Warning: Only whitelist contracts you trust as direct call targets. Do NOT whitelist generic forwarding contracts (multicall, proxies, routers), as they enable attackers to bypass target validation.
contractAddress
address
Contract address to whitelist/unwhitelist
whitelisted
bool
true to whitelist, false to remove
Emits: ContractWhitelisted
setWhitelistedContractsBatch
Batch whitelist multiple contracts in a single transaction.
Access Control: onlyOwner
contractAddresses
address[]
Array of contract addresses
whitelisted
bool
true to whitelist all, false to remove all
Emits: ContractWhitelisted (once per address)
setWalletRegistry
Set the wallet registry/factory contract used to validate userOp.sender.
Set to address(0) to disable registry validation (also disables enforcement automatically).
Access Control: onlyOwner
newRegistry
address
Registry contract address (or address(0) to disable)
Emits: WalletRegistryUpdated
setEnforceWalletRegistry
Enable or disable wallet registry enforcement.
When enabled, walletRegistry must be set and all userOp.sender addresses must pass registry validation.
Access Control: onlyOwner
enforced
bool
true to enable enforcement, false to disable
Emits: WalletRegistryEnforcementUpdated
View Functions
isWhitelisted
Check if a contract address is whitelisted.
contractAddress
address
Address to check
Returns:
bool
true if whitelisted, false otherwise
Internal Functions
_validatePaymasterUserOp
Internal validation logic called by EntryPoint.
Validates the UserOperation before agreeing to sponsor gas. Checks, in order:
userOp.sender is a valid wallet (only if registry enforcement is enabled)
Function selector is execute or executeBatch, and the calldata is long enough to hold the target
Target contract (extracted from calldata) is whitelisted
Returns:
context
bytes
ABI-encoded (address user, address target) for _postOp
validationData
uint256
0 for valid with no time bounds; per ERC-4337 a non-zero value either signals failure or packs a validUntil/validAfter window
Reverts:
InvalidWallet(wallet) if registry enforcement is enabled and the wallet is not valid
WalletRegistryNotSet() if enforcement is enabled but the registry is address(0)
InvalidUserOperation() if the calldata is too short or the selector is invalid
TargetNotWhitelisted(target) if the target is not whitelisted
_postOp
Internal post-operation hook called by EntryPoint.
Tracks gas usage metrics and emits TransactionSponsored event.
context
bytes
ABI-encoded (address user, address target) from validation
actualGasCost
uint256
Actual gas cost in wei
Emits: TransactionSponsored
Events
ContractWhitelisted
Emitted when a contract is added to or removed from the whitelist.
contractAddress
address
Contract address being whitelisted/unwhitelisted
whitelisted
bool
true if whitelisted, false if removed
TransactionSponsored
Emitted when a transaction is successfully sponsored.
user
address
Wallet address whose transaction was sponsored
target
address
Target contract of the sponsored call
actualGasCost
uint256
Gas cost in wei
WalletRegistryUpdated
Emitted when the wallet registry address is changed.
oldRegistry
address
Previous registry address
newRegistry
address
New registry address
WalletRegistryEnforcementUpdated
Emitted when wallet registry enforcement is enabled or disabled.
enforced
bool
true if enforcement enabled, false if disabled
Errors
TargetNotWhitelisted
Thrown when the target contract is not whitelisted.
InvalidUserOperation
Thrown when the UserOperation has invalid calldata or function selector.
ZeroAddress
Thrown when a zero address is provided where not allowed.
InvalidWallet
Thrown when wallet registry enforcement is enabled and the wallet is not valid.
WalletRegistryNotSet
Thrown when wallet registry enforcement is enabled but walletRegistry is address(0).
Integration Guide
For AI Agent Developers:
When submitting UserOperations via the bundler relay, ensure:
The target contract is whitelisted (check via isWhitelisted())
The wallet is valid (if registry enforcement is enabled)
The function is execute() or executeBatch()
For Protocol Integrators:
To enable gas sponsorship for your protocol:
Request whitelist approval from the paymaster owner
Ensure your contract does not forward arbitrary calls
Test with a UserOperation before production use
For Auditors:
Critical validation points:
_validatePaymasterUserOp extracts the target from calldata at fixed offsets
Only first-level targets are validated (nested calls are not checked)
Registry enforcement is optional but recommended for production
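The validation path described under _validatePaymasterUserOp and the pre-flight checks in this guide, as an added Python example that is not part of this page or of the Owl Smart Wallet code base. It derives both selectors from their signatures with a pure-Python Keccak-256, ABI-encodes execute()/executeBatch() calldata the way an agent's bundler client would, reads the first-level target(s) back at the same fixed offsets the paymaster uses, applies the page's checks and revert conditions, and ends with the forwarder case from the Security Model. Everything not on the page is an assumption: the addresses are constructed placeholders, the 0xdeadbeef selector stands for a hypothetical forward(address,...) function on a whitelisted forwarder, and validating every Call of a batch while returning the first as the context target is one reading of the page's singular "target".

```python
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_M = (1 << 64) - 1
_rol = lambda v, n: ((v << n) | (v >> (64 - n))) & _M          # 64-bit rotate left

def keccak256(msg: bytes) -> bytes:
    """Keccak-256 (0x01 padding, not SHA3's 0x06) so the selectors are derived, not copied in."""
    padded = bytearray(msg) + b"\x01" + b"\x00" * ((-len(msg) - 1) % 136)
    padded[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), 136):                     # absorb one 136-byte block, then permute
        for i in range(17):
            a[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        for rc in _RC:                                          # 24 rounds of Keccak-f[1600]: theta, rho+pi, chi, iota
            c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
            d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
            a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
            b = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):
                    b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
            a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & _M & b[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
            a[0][0] ^= rc
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

EXECUTE_SELECTOR = keccak256(b"execute(address,uint256,bytes)")[:4]                 # 0xb61d27f6
EXECUTE_BATCH_SELECTOR = keccak256(b"executeBatch((address,uint256,bytes)[])")[:4]
_word = lambda n: n.to_bytes(32, "big")
_addr_word = lambda a: bytes.fromhex(a[2:]).rjust(32, b"\x00")
_bytes_arg = lambda d: _word(len(d)) + d + b"\x00" * (-len(d) % 32)   # length word + right-padded payload

def encode_execute(target: str, value: int, data: bytes) -> bytes:
    """ABI-encode SmartWallet.execute(target, value, data): three head words, then the bytes tail."""
    return EXECUTE_SELECTOR + _addr_word(target) + _word(value) + _word(0x60) + _bytes_arg(data)

def encode_execute_batch(calls) -> bytes:
    """ABI-encode executeBatch(Call[]): each Call is a dynamic tuple, so the array carries per-element offsets."""
    tuples = [_addr_word(t) + _word(v) + _word(0x60) + _bytes_arg(d) for t, v, d in calls]
    heads, off = [], 32 * len(tuples)
    for tup in tuples:
        heads.append(_word(off))
        off += len(tup)
    return EXECUTE_BATCH_SELECTOR + _word(0x20) + _word(len(tuples)) + b"".join(heads) + b"".join(tuples)

class InvalidUserOperation(Exception): pass
class TargetNotWhitelisted(Exception): pass
class InvalidWallet(Exception): pass
class WalletRegistryNotSet(Exception): pass

def _uint_at(cd: bytes, off: int) -> int:
    if off + 32 > len(cd): raise InvalidUserOperation("calldata too short")
    return int.from_bytes(cd[off:off + 32], "big")

def _addr_at(cd: bytes, off: int) -> str:
    v = _uint_at(cd, off)
    if v >> 160: raise InvalidUserOperation("non-canonical address word")   # dirty upper 12 bytes: reject, don't truncate
    return "0x" + v.to_bytes(20, "big").hex()

def first_level_targets(calldata: bytes) -> list:
    """The only addresses the paymaster can see; what those contracts do with their own `data` is invisible here."""
    sel = calldata[:4]
    if sel == EXECUTE_SELECTOR:
        return [_addr_at(calldata, 4)]                          # first static argument sits right after the selector
    if sel == EXECUTE_BATCH_SELECTOR:
        base = 4 + _uint_at(calldata, 4)                        # head word: offset of Call[] (normally 0x20)
        n, body = _uint_at(calldata, base), base + 32
        if n > len(calldata) // 32: raise InvalidUserOperation("batch length exceeds calldata")
        return [_addr_at(calldata, body + _uint_at(calldata, body + 32 * i)) for i in range(n)]
    raise InvalidUserOperation("selector is not execute() or executeBatch()")

class WhitelistPaymasterModel:
    """Applies the checks the page lists for _validatePaymasterUserOp. Validating every Call of a batch
    and returning the first one as the context target are assumptions; the page does not say which."""
    def __init__(self, whitelist, wallet_registry=None, enforce_registry=False):
        self.whitelist = {a.lower() for a in whitelist}
        self.wallet_registry = None if wallet_registry is None else {a.lower() for a in wallet_registry}
        self.enforce = enforce_registry

    def validate(self, sender: str, calldata: bytes):
        if self.enforce:
            if self.wallet_registry is None: raise WalletRegistryNotSet()
            if sender.lower() not in self.wallet_registry: raise InvalidWallet(sender)
        targets = first_level_targets(calldata)
        for t in targets:
            if t not in self.whitelist: raise TargetNotWhitelisted(t)
        return sender.lower(), targets[0]                       # context (user, target) handed to _postOp

WALLET, LENDING, SWAP, FORWARDER, HIDDEN = ("0x" + h * 20 for h in ("11", "22", "33", "44", "55"))  # constructed

def sponsored_despite_hidden_target(model: WhitelistPaymasterModel, forwarder: str, hidden: str) -> bool:
    """The Security Model warning in action: a whitelisted forwarder is sponsored although the payload it
    will relay names a non-whitelisted contract. 0xdeadbeef is a hypothetical forward(address,...) selector."""
    payload = b"\xde\xad\xbe\xef" + _addr_word(hidden)
    _, seen = model.validate(WALLET, encode_execute(forwarder, 0, payload))
    return seen == forwarder.lower() and hidden.lower() not in model.whitelist
```

Run `WhitelistPaymasterModel([...]).validate(sender, calldata)` on a UserOperation's callData before handing it to the bundler: it raises the same named conditions the contract reverts with, so a rejected operation never costs a bundler round-trip. `sponsored_despite_hidden_target` returns True, which is the whole point of the warning: the model, like the contract per this page, sees only FORWARDER and never HIDDEN. The selectors are computed from their signatures rather than pasted in, so comparing EXECUTE_SELECTOR against the deployed contract's constant is a quick check that the signature spelling matches.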