Skip to main content
Instance Vault Contracts (IVCs) are ERC-4337 smart accounts that eliminate admin keys from token governance. Each IVC acts as the sole authority for its tokens, executing operations through backend automation or owner approval without exposing private keys to compromise. Built on the Account Abstraction standard, IVCs enable gasless transactions, batch operations, and programmable execution policies. Your backend signs operations off-chain and the IVC validates permissions on-chain before executing—no direct wallet interactions required for routine operations.

Introduction

IVCs deploy as upgradeable UUPS proxies through the InstanceVaultFactory. Each vault maintains isolated state with deterministic CREATE2 addresses computed from owner address and instance ID. The factory tracks all deployments globally and per-owner for discovery and verification. The vault operates through three execution paths: backend automation with pre-authorized function selectors and rate limits, owner direct execution bypassing all restrictions for emergency response, and ERC-4337 ‘UserOperations’ through the ‘EntryPoint’ for gasless sponsored transactions.

Setup and Configuration

Deploy an IVC through the factory specifying owner address, target token contract, and instance ID. Once deployed, the owner authorizes a backend signer and sets session expiry, enables specific function selectors with daily rate limits, and funds the vault with ETH for gas. The vault becomes operational immediately after configuration. Backend authorization establishes which address can sign `UserOperations’ and how long that authorization remains valid. Session expiry typically ranges from 30 to 90 days and can be renewed by the owner at any time. The owner can revoke backend access instantly for emergency response. Function selectors must be explicitly enabled before backend automation can call them. Each selector receives a daily rate limit—set to zero for unlimited calls or specify maximum calls per day. The system resets counters at midnight UTC and tracks usage automatically.

Automated Execution

Backend services create UserOperations containing the function call, sign with the authorized backend key, and submit to the EntryPoint. The IVC validates the signature matches the authorized backend signer, checks the session hasn’t expired, confirms the contract isn’t paused, verifies the function selector is enabled, and enforces daily rate limits before execution. Valid operations execute automatically with events emitted for monitoring. Failed validations revert without execution and return specific error codes. The EntryPoint handles gas payment through the associated paymaster—users never pay gas directly.

Gas Sponsorship

The InstanceVaultPaymaster sponsors gas for IVC operations. Vault owners deposit ETH to their vault-specific balance in the paymaster, set daily spending limits to prevent runaway costs, and the paymaster pays EntryPoint fees automatically for approved operations. The system reserves estimated gas cost during validation, executes the operation through the EntryPoint, refunds unused gas back to the vault balance, and tracks daily spending with automatic midnight resets. Owners withdraw unused balance anytime through the vault’s owner execution path.

Security Model

Only the IVC can execute admin functions on its tokens—no issuer-held admin keys exist. The owner maintains ultimate control through direct execution but cannot bypass the blockchain. Backend automation operates within strict boundaries set by enabled functions and rate limits. All operations emit events for transparency and monitoring. Session expiry forces periodic re-authorization. Emergency pause functionality stops all operations instantly. The vault cannot be upgraded without owner approval through the UUPS authorization check.

Deployment Parameters

function createVault(
    address owner,           // Vault owner address
    address token,           // Target token contract(s)
    uint256 instanceId       // Unique instance identifier
) external returns (address vaultAddress)
The factory computes deterministic addresses allowing you to fund vaults before deployment. Pre-compute the address, send ETH to it, then call createVault to deploy. The factory validates owner and token addresses are non-zero and confirms no vault exists for this owner-instanceId pair before deployment.

Owner Operations

All functionalities are fully automated and accessible using your API key or the issuer app. Configure backend automation: 
function authorizeBackend(address _backendSigner, uint256 _sessionDuration) external
function enableFunction(bytes4 selector, uint256 dailyLimit) external
function updateDailyLimit(bytes4 selector, uint256 newLimit) external
Emergency controls: 
function pause() external          // Stop all operations
function unpause() external        // Resume operations
function revokeBackend() external  // Remove backend access
Direct execution bypass: 
function ownerExecute(address target, uint256 value, bytes calldata data) external

Backend Integration

Generate ‘UserOperations’ off-chain with your backend services. Include the vault address as sender, encode the function call as calldata with the execute selector, set appropriate gas limits based on operation complexity, and sign with the authorized backend key. Submit `UserOperations’ to a bundler service or directly to the EntryPoint. The bundler batches multiple operations for gas efficiency and submits to the EntryPoint for validation. The IVC validates and executes automatically if all checks pass.

Monitoring and Status

Query vault configuration and operational status: 
function getVaultStatus() external view returns (
    address _owner,
    address _backendSigner,
    address _commodityToken,
    uint256 _sessionExpiry,
    bool _paused,
    uint256 _balance,
    uint256 _entryPointBalance,
    uint256 _executionNonce
)

function getFunctionConfig(bytes4 selector) external view returns (
    bool enabled,
    uint256 dailyLimit,
    uint256 remainingCalls
)

function isAutomationReady() external view returns (bool)
Track all operations through emitted events. Monitor function call counts against daily limits. Watch session expiry timestamps for renewal. Check paymaster balance regularly to ensure sufficient gas funding.

Multi-Vault Management

Organizations managing multiple token types deploy separate IVCs per token. Each vault maintains isolated permissions, rate limits, and gas budgets. The factory tracks all vaults per owner for consolidated management while preserving security isolation between tokens. Query all vaults for an owner through the factory, monitor aggregate gas spending across vaults, set unified policies through batch configuration, and maintain separate backend signers per vault or share one signer across multiple vaults depending on security requirements.