immutable · naveen-imtb · Nov 25, 2025 · Nov 25, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,5 @@ scripts/*_output*.json
 .env.devnet
 .env.testnet
 .env.mainnet
+
+lib/
diff --git a/hardhat.config.ts b/hardhat.config.ts
@@ -16,16 +16,19 @@ loadAndValidateEnvironment();
 
 const config: HardhatUserConfig = {
   solidity: {
-    compilers: [{ version: '0.8.17' }],
-    settings: {
-      optimizer: {
-        enabled: true,
-        runs: 999999,
-        details: {
-          yul: true
+    compilers: [{
+      version: '0.8.17',
+      settings: {
+        viaIR: true,
+        optimizer: {
+          enabled: true,
+          runs: 999999,
+          details: {
+            yul: true
+          }
         }
       }
-    }
+    }]
   },
   paths: {
     root: 'src',

diff --git a/scripts/deploy.ts b/scripts/deploy.ts
@@ -52,14 +52,14 @@ async function main(): Promise<EnvironmentInfo> {
   // 4. Deploy startup wallet impl (PNR)
   const startupWalletImpl = await deployContractViaCREATE2(env, wallets, 'StartupWalletImpl', [walletImplLocator.address]);
 
-  // --- Step 4: Deployed using CREATE2 Factory.
-  // 5. Deploy main module dynamic auth (CFC)
-  const mainModuleDynamicAuth = await deployContractViaCREATE2(env, wallets, 'MainModuleDynamicAuth', [factory.address, startupWalletImpl.address]);
-
-  // --- Step 5: Deployed using Passport Nonce Reserver.
-  // 6. Deploy immutable signer (PNR)
+  // --- Step 4: Deployed using Passport Nonce Reserver.
+  // 5. Deploy immutable signer (PNR)
   const immutableSigner = await deployContractViaCREATE2(env, wallets, 'ImmutableSigner', [signerRootAdminPubKey, signerAdminPubKey, signerAddress]);
 
+  // --- Step 5: Deployed using CREATE2 Factory.
+  // 6. Deploy main module dynamic auth (CFC)
+  const mainModuleDynamicAuth = await deployContractViaCREATE2(env, wallets, 'MainModuleDynamicAuth', [factory.address, startupWalletImpl.address, immutableSigner.address]);
+
   // --- Step 6: Deployed using alternate wallet (?)
   // Fund the implementation changer
   // WARNING: If the deployment fails at this step, DO NOT RERUN without commenting out the code a prior which deploys the contracts.

diff --git a/scripts/step4.ts b/scripts/step4.ts
@@ -13,10 +13,12 @@ async function step4(): Promise<EnvironmentInfo> {
   const { network } = env;
   const factoryAddress = '0x8Fa5088dF65855E0DaF87FA6591659893b24871d';
   const startupWalletImplAddress = '0x8FD900677aabcbB368e0a27566cCd0C7435F1926';
+  const immutableSignerAddress = '0xcff469E561D9dCe5B1185CD2AC1Fa961F8fbDe61';
 
   console.log(`[${network}] Starting deployment...`);
   console.log(`[${network}] Factory address ${factoryAddress}`);
   console.log(`[${network}] StartupWalletImpl address ${startupWalletImplAddress}`);
+  console.log(`[${network}] ImmutableSigner address ${immutableSignerAddress}`);
 
   await waitForInput();
 
@@ -25,7 +27,7 @@ async function step4(): Promise<EnvironmentInfo> {
 
   // --- Step 4: Deployed using CREATE2 Factory.
   // Deploy main module dynamic auth (CFC)
-  const mainModuleDynamicAuth = await deployContractViaCREATE2(env, wallets, 'MainModuleDynamicAuth', [factoryAddress, startupWalletImplAddress]);
+  const mainModuleDynamicAuth = await deployContractViaCREATE2(env, wallets, 'MainModuleDynamicAuth', [factoryAddress, startupWalletImplAddress, immutableSignerAddress]);
 
   fs.writeFileSync('step4.json', JSON.stringify({
     factoryAddress: factoryAddress,

diff --git a/src/contracts/mocks/MainModuleMockV1.sol b/src/contracts/mocks/MainModuleMockV1.sol
@@ -6,7 +6,7 @@ import "../modules/MainModuleDynamicAuth.sol";
 
 contract MainModuleMockV1 is MainModuleDynamicAuth {
     // solhint-disable-next-line no-empty-blocks
-    constructor(address _factory, address _startup) MainModuleDynamicAuth(_factory, _startup) {}
+    constructor(address _factory, address _startupWalletImpl, address _immutableSignerContract) MainModuleDynamicAuth(_factory, _startupWalletImpl, _immutableSignerContract) {}
 
 
-}
+}
diff --git a/src/contracts/mocks/MainModuleMockV2.sol b/src/contracts/mocks/MainModuleMockV2.sol
@@ -6,7 +6,7 @@ import "../modules/MainModuleDynamicAuth.sol";
 
 contract MainModuleMockV2 is MainModuleDynamicAuth {
     // solhint-disable-next-line no-empty-blocks
-    constructor(address _factory, address _startup) MainModuleDynamicAuth(_factory, _startup) {}
+    constructor(address _factory, address _startupWalletImpl, address _immutableSignerContract) MainModuleDynamicAuth(_factory, _startupWalletImpl, _immutableSignerContract) {}
 
     function version() external pure override returns (uint256) {
         return 2;

diff --git a/src/contracts/mocks/MainModuleMockV3.sol b/src/contracts/mocks/MainModuleMockV3.sol
@@ -6,7 +6,7 @@ import "../modules/MainModuleDynamicAuth.sol";
 
 contract MainModuleMockV3 is MainModuleDynamicAuth {
     // solhint-disable-next-line no-empty-blocks
-    constructor(address _factory, address _startup) MainModuleDynamicAuth(_factory, _startup) {}
+    constructor(address _factory, address _startupWalletImpl, address _immutableSignerContract) MainModuleDynamicAuth(_factory, _startupWalletImpl, _immutableSignerContract) {}
 
     function version() external pure override returns (uint256) {
         return 3;

diff --git a/src/contracts/modules/MainModuleDynamicAuth.sol b/src/contracts/modules/MainModuleDynamicAuth.sol
@@ -24,7 +24,7 @@ contract MainModuleDynamicAuth is
 {
 
   // solhint-disable-next-line no-empty-blocks
-  constructor(address _factory, address _startup) ModuleAuthDynamic (_factory, _startup) { }
+  constructor(address _factory, address _startupWalletImpl, address _immutableSignerContract) ModuleAuthDynamic (_factory, _startupWalletImpl, _immutableSignerContract) { }
 
 
   /**

diff --git a/src/contracts/modules/commons/ModuleAuth.sol b/src/contracts/modules/commons/ModuleAuth.sol
@@ -13,9 +13,9 @@ import "./ModuleERC165.sol";
 abstract contract ModuleAuth is IModuleAuth, ModuleERC165, SignatureValidator, IERC1271Wallet {
   using LibBytes for bytes;
 
-  uint256 private constant FLAG_SIGNATURE = 0;
-  uint256 private constant FLAG_ADDRESS = 1;
-  uint256 private constant FLAG_DYNAMIC_SIGNATURE = 2;
+  uint256 internal constant FLAG_SIGNATURE = 0;
+  uint256 internal constant FLAG_ADDRESS = 1;
+  uint256 internal constant FLAG_DYNAMIC_SIGNATURE = 2;
 
   bytes4 private constant SELECTOR_ERC1271_BYTES_BYTES = 0x20c13b0b;
   bytes4 private constant SELECTOR_ERC1271_BYTES32_BYTES = 0x1626ba7e;
@@ -49,7 +49,7 @@ abstract contract ModuleAuth is IModuleAuth, ModuleERC165, SignatureValidator, I
     bytes32 _hash,
     bytes memory _signature
   )
-    internal override returns (bool)
+    internal virtual override returns (bool)
   {
     (bool verified, bool needsUpdate, bytes32 imageHash) = _signatureValidationWithUpdateCheck(_hash, _signature);
     if (needsUpdate) {
@@ -74,7 +74,7 @@ abstract contract ModuleAuth is IModuleAuth, ModuleERC165, SignatureValidator, I
     bytes32 _hash,
     bytes memory _signature
   )
-    internal view returns (bool, bool, bytes32)
+    internal view virtual returns (bool, bool, bytes32)
   {
     (
       uint16 threshold,  // required threshold signature

diff --git a/src/contracts/modules/commons/ModuleAuthDynamic.sol b/src/contracts/modules/commons/ModuleAuthDynamic.sol
@@ -4,19 +4,155 @@ pragma solidity 0.8.17;
 
 import "./ModuleAuthUpgradable.sol";
 import "./ImageHashKey.sol";
+import "./ModuleStorage.sol";
+import "./NonceKey.sol";
 import "../../Wallet.sol";
 
+import "../../utils/LibBytes.sol";
 
 abstract contract ModuleAuthDynamic is ModuleAuthUpgradable {
+  using LibBytes for bytes;
+
   bytes32 public immutable INIT_CODE_HASH;
   address public immutable FACTORY;
+  address public immutable IMMUTABLE_SIGNER_CONTRACT;
 
-  constructor(address _factory, address _startupWalletImpl) {
+constructor(address _factory, address _startupWalletImpl, address _immutableSignerContract) {
     // Build init code hash of the deployed wallets using that module
     bytes32 initCodeHash = keccak256(abi.encodePacked(Wallet.creationCode, uint256(uint160(_startupWalletImpl))));
 
     INIT_CODE_HASH = initCodeHash;
     FACTORY = _factory;
+    IMMUTABLE_SIGNER_CONTRACT = _immutableSignerContract;
+  }
+
+  /**
+   * @notice Verify if signer is default wallet owner
+   * @param _hash       Hashed signed message
+   * @param _signature  Array of signatures with signers ordered
+   *                    like the the keys in the multisig configs
+   *
+   * @dev The signature must be solidity packed and contain the total number of owners,
+   *      the threshold, the weight and either the address or a signature for each owner.
+   *
+   *      Each weight & (address or signature) pair is prefixed by a flag that signals if such pair
+   *      contains an address or a signature. The aggregated weight of the signatures must surpass the threshold.
+   *
+   *      Flag types:
+   *        0x00 - Signature
+   *        0x01 - Address
+   *
+   *      E.g:
+   *      abi.encodePacked(
+   *        uint16 threshold,
+   *        uint8 01,  uint8 weight_1, address signer_1,
+   *        uint8 00, uint8 weight_2, bytes signature_2,
+   *        ...
+   *        uint8 01,  uint8 weight_5, address signer_5
+   *      )
+   */
+  function _signatureValidation(
+    bytes32 _hash,
+    bytes memory _signature
+  )
+    internal virtual override returns (bool)
+  {
+    (bool verified, bool needsUpdate, bytes32 imageHash) = _signatureValidationWithUpdateCheck(_hash, _signature);
+    if (needsUpdate) {
+      updateImageHashInternal(imageHash);
+    }
+    return verified;
+  }
+
+  /**
+   * @notice Verify signature and determine if image hash needs updating
+   * @param _hash       Hashed signed message
+   * @param _signature  Packed signature data containing threshold, flags, weights, and addresses/signatures
+   * @return verified   True if the signature is valid and weight threshold is met
+   * @return needsUpdate True if the image hash needs to be stored (first transaction)
+   * @return imageHash  The computed image hash from the signature
+   *
+   * @dev This function parses the signature, recovers/reads signer addresses, and validates them.
+   *      For defensive validation, each extracted address is compared against IMMUTABLE_SIGNER_CONTRACT.
+   *      If a match is found, it is recorded.
+   *      
+   *      Special case: If this is the first transaction (nonce == 0) and the immutable signer contract
+   *      is one of the signers, the signature is automatically validated and approved without checking
+   *      the stored image hash. This allows the immutable signer to bootstrap the wallet on first use.
+   */
+  function _signatureValidationWithUpdateCheck(
+    bytes32 _hash,
+    bytes memory _signature
+  )
+    internal view override returns (bool, bool, bytes32)
+  {
+    (
+      uint16 threshold,  // required threshold signature
+      uint256 rindex     // read index
+    ) = _signature.readFirstUint16();
+
+    // Start image hash generation
+    bytes32 imageHash = bytes32(uint256(threshold));
+
+    // Acumulated weight of signatures
+    uint256 totalWeight;
+
+    // Track if immutable signer contract is one of the signers
+    bool immutableSignerContractFound = false;
+
+    // Iterate until the image is completed
+    while (rindex < _signature.length) {
+      // Read next item type and addrWeight
+      uint256 flag; uint256 addrWeight; address addr;
+      (flag, addrWeight, rindex) = _signature.readUint8Uint8(rindex);
+
+      if (flag == FLAG_ADDRESS) {
+        // Read plain address
+        (addr, rindex) = _signature.readAddress(rindex);
+      } else if (flag == FLAG_SIGNATURE) {
+        // Read single signature and recover signer
+        bytes memory signature;
+        (signature, rindex) = _signature.readBytes66(rindex);
+        addr = recoverSigner(_hash, signature);
+
+        // Acumulate total weight of the signature
+        totalWeight += addrWeight;
+      } else if (flag == FLAG_DYNAMIC_SIGNATURE) {
+        // Read signer
+        (addr, rindex) = _signature.readAddress(rindex);
+
+        // Read signature size
+        uint256 size;
+        (size, rindex) = _signature.readUint16(rindex);
+
+        // Read dynamic size signature
+        bytes memory signature;
+        (signature, rindex) = _signature.readBytes(rindex, size);
+        require(isValidSignature(_hash, addr, signature), "ModuleAuthDynamic#_signatureValidation: INVALID_SIGNATURE");
+
+        // Acumulate total weight of the signature
+        totalWeight += addrWeight;
+      } else {
+        revert("ModuleAuthDynamic#_signatureValidation INVALID_FLAG");
+      }
+
+      // Defensive check: compare extracted address with target address
+      if (IMMUTABLE_SIGNER_CONTRACT != address(0) && addr == IMMUTABLE_SIGNER_CONTRACT) {
+        immutableSignerContractFound = true;
+      }
+
+      // Write weight and address to image
+      imageHash = keccak256(abi.encode(imageHash, addrWeight, addr));
+    }
+
+    // Check if this is the first transaction (nonce == 0) and immutable signer contract is one of the signers
+    uint256 currentNonce = uint256(ModuleStorage.readBytes32Map(NonceKey.NONCE_KEY, bytes32(uint256(0))));
+    if (currentNonce == 0 && immutableSignerContractFound) {
+      return (true, true, imageHash);
+    }
+
+    (bool verified, bool needsUpdate) = _isValidImage(imageHash);
+    return ((totalWeight >= threshold && verified), needsUpdate, imageHash);
   }
 
   /**
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,7 +24,7 @@ contract MainModuleDynamicAuth is @@
     {
       // solhint-disable-next-line no-empty-blocks
-      constructor(address _factory, address _startup) ModuleAuthDynamic (_factory, _startup) { }
+      constructor(address _factory, address _startupWalletImpl, address _immutableSignerContract) ModuleAuthDynamic (_factory, _startupWalletImpl, _immutableSignerContract) { }
       /**
@@ Expand Down @@