The validateSessionUserOp function repeatedly decodes _sessionKeyData using hardcoded offsets, which makes the code error-prone. This redundant decoding complicates the code structure and increases the probability of mistakes when making changes or updates.
function validateSessionUserOp(
    UserOperation calldata _op,
    bytes32 _userOpHash,
    bytes calldata _sessionKeyData,
    bytes calldata _sessionKeySignature
) external view returns (bool) {
    address sessionKey = address(bytes20(_sessionKeyData[0:20]));
    // 20:40 is token address
    address recipient = address(bytes20(_sessionKeyData[40:60]));
    uint256 maxAmount = abi.decode(_sessionKeyData[60:92], (uint256));
    {
        address token = address(bytes20(_sessionKeyData[20:40]));
        // we expect _op.callData to be `SmartAccount.executeCall(to, value, calldata)` calldata
        (address tokenAddr, uint256 callValue, ) = abi.decode(
            _op.callData[4:], // skip selector
            (address, uint256, bytes)
        );
        ...
    }
    ...
We recommend using the abi.decode function to avoid these problems.
(address sessionKey, address token, address recipient, uint256 maxAmount) = abi.decode(_sessionKeyData, (address, address, address, uint256));
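The recommended abi.decode call reads four 32-byte words (128 bytes), whereas the slices in the snippet read a 92-byte packed layout, so whatever produces _sessionKeyData has to switch to abi.encode at the same time. The library below is an added example, not the audited project's code; it keeps the decoding in one place for either layout. The library, struct and function names are hypothetical, and the packed layout is inferred from the offsets in the snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example: hypothetical helper, not part of the audited code base.
library SessionKeyDataLib {
    struct SessionKeyParams {
        address sessionKey;
        address token;
        address recipient;
        uint256 maxAmount;
    }

    // Packed layout read by the sliced version: 20 + 20 + 20 + 32 bytes.
    uint256 internal constant PACKED_LENGTH = 92;
    // abi.encode layout: four 32-byte words.
    uint256 internal constant ABI_LENGTH = 128;

    /// Decodes data produced with
    /// abi.encode(sessionKey, token, recipient, maxAmount).
    function decodeAbi(bytes calldata data)
        internal
        pure
        returns (SessionKeyParams memory p)
    {
        // Reject packed (92-byte) or otherwise malformed input up front.
        require(data.length == ABI_LENGTH, "bad session data length");
        (p.sessionKey, p.token, p.recipient, p.maxAmount) =
            abi.decode(data, (address, address, address, uint256));
    }

    /// Decodes data produced with abi.encodePacked(...) if the encoding
    /// cannot be changed; every offset lives in this one function.
    function decodePacked(bytes calldata data)
        internal
        pure
        returns (SessionKeyParams memory p)
    {
        require(data.length == PACKED_LENGTH, "bad session data length");
        p.sessionKey = address(bytes20(data[0:20]));
        p.token = address(bytes20(data[20:40]));
        p.recipient = address(bytes20(data[40:60]));
        p.maxAmount = uint256(bytes32(data[60:92]));
    }
}
```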