In the evolving landscape of decentralized finance (DeFi) and self-custody, wallet infrastructure is undergoing a radical transformation. Special attention should be given to Account Abstraction. It addresses the limitations of user experience and the complexities of traditional Externally Owned Accounts (EOA) wallets, offering greater flexibility and smarter wallet management.
Different networks implement Account Abstraction in different ways. Starknet, for example, has it natively integrated at the protocol level. Ethereum, by contrast, does not yet provide native support, but relies on a clever workaround, the ERC-4337 standard, which delivers Account Abstraction functionality without requiring changes to the Ethereum protocol.
Account Abstraction (ERC-4337) transforms wallets into programmable smart contracts, unlocking advanced functionality such as spending limits, multi-signature verification, session keys, and customizable recovery mechanisms. This programmability paves the way for smarter and more user-friendly self-custody solutions. At the same time, it introduces new layers of complexity, particularly in ensuring security and reliability.
In this article, EVEDEX collaborates with HashEx to examine one of the most critical and practical implementations of ERC-4337 standard (AA): two-factor authentication (2FA) and account recovery. Unlike traditional approaches, such as email codes or push notifications, 2FA in the context of ERC-4337 (AA) relies on programmable custom logic embedded directly into smart contracts. We will outline the underlying architecture, compare it with hybrid and embedded wallet models, and provide real-world insights from developers at the forefront of smart account design.
1. From Key Pairs to Smart Accounts: The Power (and Risk) of Abstraction
Account Abstraction changes the paradigm of how wallets operate. Instead of relying on a single private key to authorize transactions, AA allows wallets to be implemented as smart contracts. This opens the door to powerful capabilities (custom logic, signature policies, and modular security) previously unattainable in traditional Externally Owned Accounts (EOAs).
Still, many AA wallets today adopt a hybrid approach: they embed wallets within dApps or rely on a backend provider to verify 2FA or enable recovery. While this enhances onboarding and usability, it creates a dangerous trade-off.
“A wallet with embedded AA logic but a centralized backend is still a single point of failure,” notes Vlad Komissarov, CTO of EVEDEX. “True decentralization demands that critical functions, especially recovery and multi-factor auth, happen entirely on-chain.”
HashEx, one of the leading smart contract auditing and infrastructure firms, has highlighted these concerns in its internal security reviews. According to Gleb Zykov, CTO of HashEx, hybrid wallets often fall short in protecting against backend downtime, regulatory overreach, or the simple disappearance of the provider.
That’s why EVEDEX, in collaboration with HashEx, is pioneering a modular validator-based architecture that leverages ERC-4337 (AA) not just for convenience, but for trustless security.
“The EVEDEX stack was designed with long-term resilience in mind,” says Thomas Kralow, Chairman of EVEDEX. “User funds remain fully secured on-chain. Our smart contracts ensure that even if the exchange goes offline, users can interact directly with the EVENTUM blockchain to withdraw their assets. With AA-enabled wallets, access to funds stays entirely independent of the platform.”
2. Implementing Truly Decentralized 2FA and Recovery with Modular Validators
At the heart of this next-generation wallet architecture are validator modules, pluggable components that govern how transactions are validated inside an AA-based wallet. By leveraging standards like ERC-7579, users and developers can compose secure and flexible validation logic without hardcoding sensitive flows.
The two key modules EVEDEX and HashEx engineers propose are:
OwnableValidator – Enables multi-signature setups. For example, in a 2-of-2 configuration, a transaction must be signed by both the user and a secondary key (such as a hardware wallet or trusted dApp-based signer). This ensures on-chain 2FA: even if one key is compromised, the funds remain protected.
TimelockValidator – Introduces a programmable time delay for sensitive operations. For instance, a recovery transaction initiated by a backup key is not executed immediately. Instead, it enters a time-locked queue, during which the original owner can cancel it if it’s malicious.
This dual-validator model provides both resilience and usability. Users do not need to register on external platforms, trust custodians, or maintain active session monitoring. Everything happens on-chain, under their control.
“We designed our validator setup so that no single party, not even us, could act unilaterally over a user’s funds,” explains Vlad Komissarov, CTO of EVEDEX. “Security shouldn’t be a trade-off against convenience, both must scale together.”
The dual-validator model even accommodates economic incentives. For example, a backend monitoring service may be rewarded for identifying and canceling unauthorized timelock transactions. Importantly, such a service has no custody or control over user funds, it only signals suspicious activity, keeping the system trustless.
HashEx’s audit team contributed directly to testing this validator logic under adversarial conditions, verifying not only the cryptographic soundness but also the real-world assumptions about how attackers behave.
3. Use Cases, UX Benefits, and Final Outlook
The modular validator framework unlocks a new category of secure-by-design wallet use cases. Whether it’s institutional accounts requiring multiple approvals or retail users seeking non-custodial 2FA, AA wallets built on these standards support both of these extremes, without central points of failure.
For EVEDEX, ERC-4337 (AA) brings practical features and new possibilities:
– Derivatives traders with large positions can enable time-delayed withdrawals, adding a safeguard against unauthorized or impulsive fund transfers.– Proprietary trading firms and syndicates can require multi-signature approvals for moving funds, strengthening internal governance and risk control.– Retail users concerned about loss of access can set up social recovery mechanisms, which remain fully non-custodial and verifiable on-chain.
By integrating ERC-4337 (AA) features into its Layer 3 architecture, EVEDEX is not just building a trading platform, it’s building a resilient user environment, where security scales with user activity.
“For us, modular validation is not an abstract standard, it’s how we protect people in the real world,” notes Thomas Kralow, Chairman of EVEDEX. “We’re bridging the gap between DeFi ideals and institutional-grade usability.”
4. Risks of ERC-4337 (АА)
DoS exposure. The increased complexity of ERC-4337 verification logic marginally elevates the risk of denial-of-service (DoS) attacks. At EVEDEX, we address this risk through independent smart contract audits, ongoing penetration testing, and the upcoming launch of a public bug bounty program to support vulnerability disclosure.
Gas overhead. ERC-4337 transactions consume more gas due to the additional security and account checks made possible by account abstraction. At EVEDEX, AA is applied to deposits, while trading operations on the exchange do not involve AA-powered transactions. This way, the extra cost is limited to on-chain deposits, where its impact is negligible relative to the transaction size.
Transaction flow limits. ERC-4337 doesn’t allow multiple pending transactions, which can be restrictive in some cases. At EVEDEX, account abstraction is applied to deposits, but not to the trading operations themselves, so this limitation does not affect users.
5. Summary
This collaboration with HashEx has been pivotal. Their security team conducted adversarial modeling, exploring edge cases such as race conditions in validator modules, and verified compliance with emerging AA-related standards. Having passed these rigorous security reviews, the next step for EVEDEX is to open-source its validator implementations and facilitate community-driven improvements.
Education, SDKs, documentation, and integration guides will be available for both developers and wallet providers. Ultimately, decentralized 2FA and account recovery will become the new default, and EVEDEX aims to be at the forefront of that transformation.
Written by:
Vlad Komissarov, CTO of EVEDEX
Gleb Zykov, CTO at HashEx Blockchain Security.
