How EOAs work
The why, how, and what of Accounts in Web3
Blockchain networks use cryptographic addressing for accounts. For most of us, these are referred to as private keys, public addresses, wallets, vaults, or more broadly, accounts. Most blockchain networks have two classes of addresses, both of which are considered "1st class citizens" by the network: Smart Contract Addresses, and Externally-Owned Accounts, or EOAs. For the sake of this document, "accounts" are identities, addresses, storage, and more.
Smart contracts are self-executing programs that are native to the web3 network. They can be used to create (mint) cryptocurrencies, NFTs, and other web3-based assets. Unlike EOAs, smart contracts do not have private keys associated with them. They are stored on the network and can be identified by a unique cryptographic address, provided by the network.
For the rest of us, the human users, there are Externally-Owned Accounts, or EOAs.
"External" in this sense is "external to the network", an account that requires an off-chain private key to demonstrate ownership, rather than programmatic code like smart contracts. This cryptographic addressing, also referred to as asymmetric or public-key cryptography, is the basis for self-sovereignty in Web3. It's also how most smart contracts, decentralized applications, and protocols expect input from human users.
Externally-Owned Account = Accounts for humans, and maybe a few off-chain machines.
Let's expand on a few key characteristics of EOAs:
In asymmetric cryptography, a private key and a public key form a keypair. The private key is kept secret by the user and is used to sign transactions and messages, while the public key is used to verify the authenticity of these transactions and messages.
The public key can be derived from the private key through a mathematical process, but it is not possible to recreate the private key from the public key. This is known as the principle of "asymmetry" and is what makes public-key cryptography possible.
Colloquially, the math is "one-way only", or works like a trap door. Thus, you can safely share your public key, and not worry about risking your private key.
Unlike Web1 and Web2, where all users, websites, and services are provided with addresses (e.g. IP Addresses), Web3 EOAs are created and wholly controlled by end-users. In its most basic form, this is total control of how an individual identifies to the network. This also means the end-user assumes full responsibility for securely storing and safely using their account.
It's important to note that EOAs are not "registered" on a network when created, nor do they require any interaction with the network to be created. They can be created offline, and off-chain. They are so significantly random that it's statistically impossible to ever create the same keypair twice. When using an EOA, the end user mathematically demonstrates they have the private key for the corresponding address. If the math checks out, the network accepts the transaction, message, or signature as valid.
EOAs are not wallets. "Wallets" typically refer to software and/or hardware that serve two main purposes: storing private keys, and safely using private keys.
Wallets also serve as the interface for users to interact with the web3 network. When a user wants to make a transaction or interact with the network, they use their wallet to form the correct transaction or message, and the wallet will broadcast it through a JSON RPC service. If a user does not have a wallet, they would need to run their own node connected to the network to broadcast their transactions.
Wallets are typical for end-users, but EOAs can also be stored as plain text, in encrypted files called "keystore files", as seed phrases, or in specialized hardware security modules (HSMs).
General interaction of a web3 account
In other words, a private key is used to create a public key, which in turn is shortened to create a public address.
This private-public keypair is referred to as your Externally-Owned Account, or EOA. EOAs, in turn, are typically managed and utilized by wallets.
Wallets use the private key to form signatures, which authorize either transactions or messages.
The signed transaction or message is then broadcast to the network by the wallet.
These signed transactions or messages are verified by the network against the public address. They can transfer assets on the network directly, or interact with smart contract addresses.
The programs located at smart contract addresses can be just about anything, from ERC-20 tokens and DeFi protocols, to NFTs and decentralized identity protocols. This is the web3 most people are familiar with.
Most smart contract applications (or decentralized applications aka dApps) expect human input to come from EOAs.
The same properties that make public-key cryptography safe and desirable for Web3, and provide the non-custodial self-sovereignty that Web3 advocates for, also result in a critical single point of failure.
If an end-user loses, shares, compromises, misplaces, or otherwise does some unpredictable thing with their private key, no one can help them. Basically, if they are human, and therefore make mistakes, losing their account is more likely a matter of when, not if.
This risk, responsibility, and requirement is ultimately the single greatest barrier to entry for mainstream users in Web3: "If I [insert negative action] my private key, I'm [insert negative state of being], no one can help me, and it's my fault."
The same reason "Not your keys, not your crypto" is true holds for "Lose your keys, lose your crypto".
If you're thinking, "but wait, I'm only human!", INTU gets it. Spoiler: Our dEOAs are all the goodness of EOAs, plus some added benefits, with none of the "one private key away from ruin".
An end-user's typical experience in Web3 looks like:
- Creating a random keypair on a local device, typically, but not necessarily, with wallet software
- Providing wallet software sufficient rights to manage and utilize the private key
- Using wallet software as an interface to Web3, broadcasting signed transactions or messages on behalf of the end user
- Using signed messages and transactions to interact with Web3 networks
- Losing private keys is a critical, unrecoverable failure