Spending limit

The Spending Limit feature is implemented through the DailyERC20SpendingLimitHook contract. This hook allows users to set and manage daily spending limits for both ETH and ERC20 tokens, providing enhanced security by preventing excessive spending within a 24-hour period.

Overview

The spending limit mechanism operates on a daily reset cycle (UTC timezone) and includes a time-lock system for limit modifications. This ensures both flexibility in managing funds and security against unauthorized changes.

Implementation Details

Step 1: Installation and Configuration

Users install the Spending Limit Hook in their wallet by providing initial configuration data:

TokenLimit
    address token
    uint256 spendingLimit

Example initialization:

address[] memory tokens = new address[](2);
tokens[0] = ETH_TOKEN_ADDRESS;  // Special address for ETH
tokens[1] = USDC_ADDRESS;       // USDC token address

uint256[] memory limits = new uint256[](2);
limits[0] = 1 ether;           // 1 ETH daily limit
limits[1] = 1000 * 10**6;      // 1000 USDC daily limit

bytes memory initData = abi.encode(tokens, limits);

Step 2: Daily Operations

The hook automatically manages spending limits through several mechanisms:

  1. Limit Validation: Each transaction is validated against the daily limit

  2. Spending Tracking: Accumulates spending amounts throughout the day

  3. Automatic Reset: Limits reset at UTC midnight (00:00 UTC)

  4. Multi-token Support: Separate tracking for ETH and each ERC20 token

Step 3: Limit Modifications

Changes to spending limits follow a time-locked process:

  1. Initiate Change: Call initiateSetLimit(token, newLimit) to start the process

  2. Waiting Period: 24-hour time-lock period begins

  3. Apply/Cancel:

    • After the time-lock has elapsed, apply the new limit with applySetLimit(token)

    • Cancel the change with cancelSetLimit(token); this can be done at any time
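
A simplified model of the daily tracking in Step 2 and the time-locked change in Step 3, added here as an illustration; it is not the DailyERC20SpendingLimitHook source. The contract name, storage layout, `checkAndRecord` and the `onlyWallet` check are assumptions; only the `initiateSetLimit`, `applySetLimit` and `cancelSetLimit` names come from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the behaviour described above. NOT the DailyERC20SpendingLimitHook source:
/// storage layout, access control and error strings are assumptions made for illustration.
contract DailyLimitModel {
    uint256 public constant TIMELOCK = 1 days;

    struct Limit   { uint256 limit; uint256 spent; uint256 day; }
    struct Pending { uint256 newLimit; uint256 readyAt; }

    address public immutable wallet;             // assumption: the deploying wallet owns its limits
    mapping(address => Limit) public limits;     // token => current limit and today's usage
    mapping(address => Pending) public pending;  // token => queued limit change

    constructor(address[] memory tokens, uint256[] memory dailyLimits) {
        require(tokens.length == dailyLimits.length, "length mismatch");
        wallet = msg.sender;
        for (uint256 i = 0; i < tokens.length; i++) limits[tokens[i]].limit = dailyLimits[i];
    }

    modifier onlyWallet() { require(msg.sender == wallet, "not wallet"); _; }

    /// Called before a transfer is allowed; reverts if today's total would exceed the limit.
    function checkAndRecord(address token, uint256 amount) external onlyWallet {
        Limit storage l = limits[token];
        uint256 today = block.timestamp / 1 days; // Unix time is UTC, so this rolls over at 00:00 UTC
        if (l.day != today) { l.day = today; l.spent = 0; } // automatic reset
        if (l.limit == 0) return;                            // zero limit = unlimited
        require(l.spent + amount <= l.limit, "daily limit exceeded");
        l.spent += amount;
    }

    function initiateSetLimit(address token, uint256 newLimit) external onlyWallet {
        pending[token] = Pending(newLimit, block.timestamp + TIMELOCK); // starts the 24-hour wait
    }

    function applySetLimit(address token) external onlyWallet {
        Pending memory p = pending[token];
        require(p.readyAt != 0, "nothing pending");
        require(block.timestamp >= p.readyAt, "time-lock active");
        limits[token].limit = p.newLimit;
        delete pending[token];
    }

    function cancelSetLimit(address token) external onlyWallet {
        delete pending[token]; // allowed at any time, before or after the time-lock elapses
    }
}
```

In this model the window is the UTC calendar day rather than a rolling 24 hours, so spending on either side of 00:00 UTC is counted against two separate daily totals. Size limits with that boundary in mind.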

Technical Flow

Security Considerations

  1. Time-lock Protection

    • All limit increases require a 24-hour waiting period

    • Changes can be cancelled during the waiting period

    • Prevents immediate limit modifications by attackers

  2. Token Isolation

    • Each token has its own independent limit

    • ETH and ERC20 tokens are tracked separately

    • Zero limits indicate unlimited spending

Usage Guidelines

  1. Initial Setup

    bytes[] memory hooks = new bytes[](1);
    uint8 capabilityFlags = 2; // preUserOpValidationHook only
    hooks[0] = abi.encodePacked(
        address(dailyLimitHook), 
        initData, 
        capabilityFlags
    );

  2. Limit Management

    • Set appropriate limits based on usage patterns

    • Consider time-lock period when planning limit changes

    • Monitor daily spending through provided queries

Common Operations

  • Query current limit: getCurrentLimit(token)

  • View pending changes: getPendingLimit(token)

  • Initiate limit change: initiateSetLimit(token, newLimit)

  • Apply pending change: applySetLimit(token)

  • Cancel pending change: cancelSetLimit(token)
