|Author||Alex Beregszaszi, Andrei Maiboroda, Paweł Bylica|
Table of Contents
Introduce code validation at contract creation time for EOF formatted (EIP-3540) contracts. Reject contracts which contain truncated
PUSH-data or unassigned instructions. Legacy bytecode is unaffected by this change.
Currently existing contracts require no validation of correctness and EVM implementations can decide how they handle truncated bytecode or unassinged instructions. This change aims to bring code validity into consensus, so that it becomes easier to reason about bytecode. Moreover, EVM implementations may require less paths to decide which instruction is valid in the current execution context.
If it will be desired to introduce new instructions without bumping EOF version, having unassigned instructions already deployed would mean such contracts potentially can be broken (since some of the instructions are changing their behaviour). Rejecting to deploy unassigned instructions allows introducing new instructions with or without bumping the EOF version.
Remark: We rely on the notation of initcode, code and creation as defined by EIP-3540.
This feature is introduced on the very same block EIP-3540 is enabled, therefore every EOF1-compatible bytecode MUST be validated according to these rules.
At contract creation time both initcode and code are iterated instruction-by-instruction (the same process is used to perform “JUMPDEST-analysis”). Bytecode is deemed invalid if any of these conditions is true:
- it contains opcodes which are not currently assigned to an instruction (for the sake of assigned instructions, we count
INVALID(0xfe) as assigned),
- the data portion of a
PUSHn(0x60..0x7f) instruction is beyond the end of the code section.
If initcode is invalid, the contract creation results in an exceptional abort. If code is invalid, the contract creation results in an exceptional abort.
CALLCODE (0xf2) opcode may be dropped from the
valid_opcodes list to prevent use of this instruction in future. Likewise
SELFDESTRUCT (0xff) could also be rejected. Yet we decided not to mix such changes in.
# The below are ranges as specified in the Yellow Paper. # Note: range(s, e) excludes e, hence the +1 valid_opcodes = [ *range(0x00, 0x0b + 1), *range(0x10, 0x1d + 1), 0x20, *range(0x30, 0x3f + 1), *range(0x40, 0x47 + 1), *range(0x50, 0x5b + 1), *range(0x60, 0x6f + 1), *range(0x70, 0x7f + 1), *range(0x80, 0x8f + 1), *range(0x90, 0x9f + 1), *range(0xa0, 0xa4 + 1), # Note: 0xfe is considered assigned. *range(0xf0, 0xf5 + 1), 0xfa, 0xfd, 0xfe, 0xff ] # Fails with assertion on invalid code def validate_code(code: bytes): pos = 0 while pos < len(code): # Ensure the opcode is valid opcode = code[pos] pos += 1 assert(opcode in valid_opcodes) # Skip pushdata -- over-reading will be checked on next iteration if opcode >= 0x60 and opcode <= 0x7f: pos += opcode - 0x60 + 1 # Ensure last PUSH doesn't go over code end assert(pos == len(code))
This change poses no risk to backwards compatibility, as it is introduced at the same time EIP-3540 is. The validation does not cover legacy bytecode.
The initcode validation adds additional overhead. We consider adding additional gas cost for the contract creation proportional to the length of the code section in initcode (e.g. 3 gas per byte).
This is not an issue for code in average case because the deployment cost is already 200 gas per byte. However, an attack may be constructed where long code is first validated and then contract creation fails because of insufficient gas for the deployment cost. The solution is to either charge the deployment cost before validation, or add a similar charge as initcode will have.
Copyright and related rights waived via CC0.
Please cite this document as:
Alex Beregszaszi, Andrei Maiboroda, Paweł Bylica, "EIP-3670: EOF - Code Validation [DRAFT]," Ethereum Improvement Proposals, no. 3670, June 2021. [Online serial]. Available: https://eips.ethereum.org/EIPS/eip-3670.