π Production-Ready | π WebAuthn/Passkey | β‘ BLS Signatures | ποΈ ERC-4337 AA | π KMS Integration
A complete, production-ready implementation combining biometric authentication (Face ID, Touch ID, Windows Hello), BLS aggregate signatures, and ERC-4337 account abstraction. Features passwordless login, mandatory transaction verification, KMS-based key management, and gasless account deployment via Paymaster sponsorship.
π― Perfect for: Web3 developers building secure wallets, DeFi applications requiring enhanced security, and projects needing passwordless blockchain authentication with enterprise-grade key management.
# Clone the repository
git clone https://github.com/fanhousanbu/YetAnotherAA.git
cd YetAnotherAA
# Build the image
docker build -t yaaa:latest .
# Run the container
docker run -p 80:80 yaaa:latest
# Visit http://localhost and register with Face ID/Touch ID!# Clone and install dependencies
git clone https://github.com/fanhousanbu/YetAnotherAA.git
cd YetAnotherAA && npm install
# Start all services (VS Code launch configuration recommended)
npm run start:dev -w aastar # Backend API (port 3000)
npm run dev -w aastar-frontend # Frontend (port 8080)
# Visit http://localhost:8080 and start using!
# Note: BLS signing service uses remote endpoint (https://yetanotheraa-validator.onrender.com)π‘ Tip: Use VS Code's "Run and Debug" panel to launch all services with one click (
.vscode/launch.jsonconfigured)
- Passwordless Experience: Login and transactions using only biometrics (Face ID, Touch ID, Windows Hello)
- FIDO2 Compliant: Industry-standard WebAuthn implementation with mandatory user verification
- Multi-Device Support: Register passkeys across multiple devices
- Transaction Security: Every transaction requires biometric confirmation
- Multi-Node Signatures: Aggregate signatures from multiple BLS nodes efficiently
- Dynamic Gas Optimization: EIP-2537-based calculation adapts to node count
- Gossip Network: Automatic node discovery and selection via P2P network
- Quantum-Ready: BLS12-381 curve provides preparation for post-quantum security
- Multi-Version Support: Compatible with EntryPoint v0.6, v0.7, and v0.8
- Unified Architecture: User wallet acts as both creator and signer (no separate deployer)
- Gasless Deployment: Account creation sponsored by Paymaster - zero ETH required
- Dual Verification: AA signatures verify userOpHash, BLS signatures verify messagePoint
- Secure Key Management: Production wallets managed by Key Management Service
- Zero Private Key Exposure: Keys never leave the secure KMS environment
- Auto-Generated Wallets: User wallets created automatically (KMS in production, local in dev)
- No Manual Configuration: Private keys only needed for initial contract deployment
- Gasless Onboarding: Account deployment fully sponsored - users need zero ETH
- Flexible Sponsorship: Optional transaction sponsorship for improved UX
- True Web2 Experience: Users can interact with blockchain without holding gas tokens
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Frontend (Next.js) β
β WebAuthn + Biometric Interface β
ββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββ
β
ββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββ
β Backend API (NestJS) β
β β’ WebAuthn Authentication β’ KMS Integration β
β β’ Account Management β’ Transfer Orchestration β
ββββββββββ¬ββββββββββββββββββββββββ¬βββββββββββββββββββ¬ββββββββββ
β β β
ββββββββββΌβββββββββββ βββββββββββΌββββββββββ βββββΌβββββββββββ
β KMS Service β β Remote BLS Signer β β Bundler β
β β’ Key Generation β β β’ Gossip Network β β (Pimlico) β
β β’ Secure Signing β β β’ Signature Agg β β β
βββββββββββββββββββββ βββββββββββ¬ββββββββββ βββββ¬βββββββββββ
β β
ββββββββββββββββββββββββββββββββββΌβββββββββββββββββΌββββββββββββ
β Ethereum (ERC-4337) β
β EntryPoint β Factory β AAStarAccount β Validator (BLS) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Dynamic Gas Calculation
function _calculateRequiredGas(uint256 nodeCount) internal pure returns (uint256) {
// EIP-2537 pairing: 32600 * k + 37700 (k=2)
uint256 pairingBaseCost = 102900;
// G1 additions: (nodeCount - 1) * 500
uint256 g1AdditionCost = (nodeCount - 1) * 500;
// Storage reads: nodeCount * 2100
uint256 storageReadCost = nodeCount * 2100;
// EVM overhead: 50000 + (nodeCount * 1000)
uint256 evmExecutionCost = 50000 + (nodeCount * 1000);
return calculateFinalGas(totalCost); // 25% margin + limits
}BLS Signature Format (705 bytes)
[nodeIdsLength(32)][nodeIds...][blsSignature(256)][messagePoint(256)][aaSignature(65)]
Dual Verification Process
1. ECDSA: Verify userOpHash.toEthSignedMessageHash() against signer
2. BLS: Aggregate public keys from selected nodes
3. Pairing: Verify e(G, signature) = e(aggPubKey, messagePoint)
- Transaction: 0x39f8dbf5...30139f985
- Amount: 1 PNT
| Node Count | Estimated Gas | Actual Usage | Status |
|---|---|---|---|
| 1 node | 600,000 | ~520k | β |
| 3 nodes | 600,000 | ~653k | β |
| 100 nodes | 640,500 | N/A | Scaled |
-
Biometric Authentication
- FIDO2-compliant WebAuthn with mandatory user verification
- No password-only access for sensitive operations
- Multi-device passkey support
-
KMS Key Management
- Production wallets managed in secure KMS environment
- Private keys never exposed to application layer
- Automatic wallet generation on user registration
-
Unified Ownership
- User wallet = creator = signer (no third-party deployer)
- Full account control from genesis
- Simplified trust model
-
Smart Contract Security
- Dual verification (AA + BLS)
- Time locks (validAfter/validUntil)
- Nonce-based replay protection
- Owner-only critical operations
YetAnotherAA/
βββ aastar/ # Backend API (NestJS)
β βββ auth/ # WebAuthn authentication
β βββ kms/ # KMS integration
β βββ transfer/ # ERC-4337 transaction service
βββ aastar-frontend/ # Frontend (Next.js)
βββ app/ # Biometric authentication UI
Note: Smart contracts (Solidity) and BLS signing service are maintained in separate repositories:
- Validator contracts: YetAnotherAA-Validator
- BLS Signer: Remote service at https://yetanotheraa-validator.onrender.com
This project demonstrates:
- Modern Cryptography: BLS12-381 pairing-based signatures and aggregation
- Account Abstraction: ERC-4337 implementation with multiple EntryPoint versions
- Biometric Auth: Production-grade WebAuthn/Passkey integration
- Key Management: Enterprise KMS integration for secure key storage
- Gas Optimization: Dynamic calculation based on EIP-2537 standards
- System Design: Full-stack blockchain application with multiple services
# Run with environment variables
docker run -p 80:80 \
-e KMS_ENABLED=true \
-e KMS_ENDPOINT=https://kms.your-domain.com \
-e BLS_SEED_NODES=https://yetanotheraa-validator.onrender.com \
-e DATABASE_TYPE=postgres \
-e DATABASE_HOST=your-db-host \
-e DATABASE_PORT=5432 \
-e DATABASE_NAME=aastar \
-e DATABASE_USERNAME=your-user \
-e DATABASE_PASSWORD=your-password \
-e ENTRY_POINT_V7_ADDRESS=0x0000000071727De22E5E9d8BAf0edAc6f37da032 \
-e AASTAR_ACCOUNT_FACTORY_V7_ADDRESS=0xYourFactoryAddress \
-e VALIDATOR_CONTRACT_V7_ADDRESS=0xYourValidatorAddress \
-e BUNDLER_RPC_URL=https://api.pimlico.io/v2/11155111/rpc?apikey=YOUR_API_KEY \
yaaa:latest
# Or use docker-compose (recommended)
docker-compose up -dNote: The BLS signing service is hosted separately. Use
BLS_SEED_NODESto configure the endpoint.
For testing purposes only:
- AAStarValidator:
0xD9756c11686B59F7DDf39E6360230316710485af - AAStarAccountFactory (v0.6):
0xab18406D34B918A0431116755C45AC7af99DcDa6 - AAStarAccountFactory (v0.7):
0xAae813Ae38418f38701142cEab08D4F52383bF34 - EntryPoint v0.6:
0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789 - EntryPoint v0.7:
0x0000000071727De22E5E9d8BAf0edAc6f37da032
β οΈ Production: Deploy your own contracts. Private keys only needed for contract deployment - runtime wallets are KMS-managed.
Smart contracts are maintained in a separate repository. See YetAnotherAA-Validator for deployment instructions.
# Clone validator repository
git clone https://github.com/fanhousanbu/YetAnotherAA-Validator.git
cd YetAnotherAA-Validator
# Compile contracts
forge build
# Deploy validator and factory contracts (one-time)
forge script script/DeployValidator.s.sol \
--rpc-url $RPC_URL \
--private-key $DEPLOYER_PRIVATE_KEY \
--broadcast- β Docker Deployment: One-click build and run, production-ready
- β Zero Configuration: No private keys needed for operation
- β Gasless Deployment: Account creation requires zero ETH
- β Multi-Version Support: EntryPoint v0.6, v0.7, v0.8
- β KMS Integration: Production-grade key management
- β Unified Ownership: User wallet controls everything
- β Real-time Gossip: Automatic BLS node discovery
- β Full Stack: Complete monorepo with all components
- Node.js: >= 20.19.0
- npm: >= 10.0.0
- Docker: >= 20.10 (for Docker deployment)
- Foundry: Latest version (for contract development)
- HTTPS: WebAuthn requires HTTPS (or localhost)
The project includes complete Docker configuration with the following features:
- Multi-stage Build: Optimized image size
- PM2 Process Management: Auto-restart and load balancing
- Health Check: Container health monitoring
- Environment Variables: Flexible production configuration
FROM node:20.19.0-alpine
RUN npm install -g pm2 && apk add --no-cache git
COPY . .
RUN npm ci --include=dev --force
RUN npm run build -w aastar && npm run build -w aastar-frontend
CMD ["pm2-runtime", "start", "ecosystem.config.js"]Services managed by PM2:
aastar-backend- Backend API (port 3000)aastar-frontend- Next.js frontend (port 80)
External dependencies:
- BLS Signer: https://yetanotheraa-validator.onrender.com
- KMS Service: Configured via
KMS_ENDPOINT - Bundler: Configured via
BUNDLER_RPC_URL
# View all service logs
docker logs -f <container_id>
# View specific service
docker exec <container_id> pm2 logs
# Real-time monitoring
docker exec <container_id> pm2 monitMIT License - See LICENSE file for details
Issues and Pull Requests are welcome!
Status: Network: Sepolia Testnet | Security: WebAuthn + KMS Enhanced