BEP-228: Implement EIP-3541: Prevent deploying contracts starting with 0xEF #228
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Mister-EA
requested review from
MatusKysel,
vnermolaev,
emailtovamos,
brilliant-lx,
bnb-tw and
bnb-alexlucaci
Mister-EA
changed the title
brilliant-lx
approved these changes
May 25, 2023
This was referenced Jun 15, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BEP: 228 Title: Prevent deploying contracts starting with 0xEF Status: Pre-Draft Type: Standards Created: 2023-04-17BEP-228: Prevent deploying contracts starting with 0xEF.
1. Summary
Disallow new code starting with the
0xEFbyte to be deployed. Code already existing in the account trie starting with0xEFbyte is not affected semantically by this change.This BEP essentially enables Ethereum's EIP-3541. The code has been already ported from go-ethereum. What remains is for this BEP to be enabled in a BSC hard fork.
2. Motivation
Contracts conforming to the EVM Object Format (EOF) are going to be validated at deploy time. In order to guarantee that every EOF-formatted contract in the state is valid, we need to prevent already deployed (and not validated) contracts from being recognized as such format. This will be achieved by choosing a byte sequence for the magic that doesn't exist in any of the already deployed contracts. To prevent the growth of the search space and to limit the analysis to the contracts existing before this fork, we disallow the starting byte of the format (the first byte of the magic).
Should the EVM Object Format proposal not be deployed in the future, the magic can be used by other features depending on versioning. In the case versioning becomes obsolete, it is simple to roll this back by allowing contracts starting with the
0xEFbyte to be deployed again.3. Specification
After
block.number == HF_BLOCKnew contract creation (via create transaction,CREATEorCREATE2instructions) results in an exceptional abort if the code's first byte is0xEF.3.1 Remarks
The initcode is the code executed in the context of the create transaction,
CREATE, orCREATE2instructions. The initcode returns code (via theRETURNinstruction), which is inserted into the account. See section 7 ("Contract Creation") in the Yellow Paper for more information.The opcode
0xEFis currently an undefined instruction, therefore: It pops no stack items and pushes no stack items, and it causes an exceptional abort when executed. This means initcode or already deployed code starting with this instruction will continue to abort execution.The exceptional abort due to code starting with
0xEFbehaves exactly the same as any other exceptional abort that can occur during initcode execution, i.e. in case of abort all gas provided to aCREATE*or create transaction is consumed.4. Rationale
The
0xEFbyte was chosen because it resembles Executable Format.Contracts using unassigned opcodes are generally understood to be at risk of changing semantics. Hence using the unassigned
0xEFshould have lesser effects, than choosing an assigned opcode, such as0xFD(REVERT),0xFE(INVALID), or0xFF(SELFDESTRUCT). Arguably while such contracts may not be very useful, they are still using valid opcodes.Analysis in May 2021, on
18084433contracts in state, showed that there are 0 existing contracts starting with the0xEFbyte, as opposed to 1, 4, and 12 starting with0xFD,0xFE, and0xFF, respectively.5. Test Cases
Each test case below may be executed in 3 different contexts:
CREATE, with account code:0x6000356000523660006000f0151560165760006000fd5b(Yul code:mstore(0, calldataload(0)) if iszero(create(0, 0, calldatasize())) { revert(0, 0) }),CREATE2, with account code:0x60003560005260003660006000f5151560185760006000fd5b(Yul code:mstore(0, calldataload(0)) if iszero(create2(0, 0, calldatasize(), 0)) { revert(0, 0) })ef0x60ef60005360016000f3ef000x60ef60005360026000f3ef00000x60ef60005360036000f3ef00...000x60ef60005360206000f3fe0x60fe60005360016000f36. Backwards Compatibility
This is a breaking change given new code starting with the
0xEFbyte will not be deployable, and contract creation will result in a failure. However, given bytecode is executed starting at its first byte, code deployed with0xEFas the first byte is not executable anyway.While this means no currently executable contract is affected, it does rejects deployment of new data contracts starting with the
0xEFbyte.7. Security Considerations
The authors are not aware of any security or DoS risks posed by this change.
8. License
Copyright and related rights waived via CC0.