Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update EIP-4788: post audit tweaks #7672

Merged
merged 8 commits into from
Sep 26, 2023
Merged

Conversation

lightclient
Copy link
Member

@lightclient lightclient commented Sep 8, 2023

repost from lightclient/4788asm#16

We've had a few really nice audits done on this code and things have generally been positive. There are a few pieces of feedback that I think are worth addressing before we settle on the final code though. Here is a list, ordered by priority:

  1. Verify timestamp is non-zero -- currently the implementation allows an input of zero to return a zero root. This is because the current mainnet timestamp is not perfectly divisible by our modulus. Although no proof could be authenticated against the zero root, it's still an ugly correctness edge case that I think should be addressed.
  2. Update buflen to 93600 -- this value will share 500-10001 more remainders if the slot time were to change versus the current modulus, decreasing the overall storage use of the contract (h/t @adietrichs). updated to 8191 as the number is prime and there is 100% utilization for all potential slot time values.
  3. Load calldata once -- minor nit, but in case the cost of retrieving calldata changes in the future, it would make more sense to only access it via calldatacopy a single time, instead of paying for that cost at each load. This require a bit of dup'ing and swap'ing, but still extremely manageable. As a part of this I was also able to delete the get_input macro (h/t @adietrichs).

Footnotes

  1. https://gist.github.com/lightclient/820a0d5c5861ed09c5cae5e384e9779e

@github-actions github-actions bot added c-update Modifies an existing proposal s-draft This EIP is a Draft t-core labels Sep 8, 2023
@eth-bot
Copy link
Collaborator

eth-bot commented Sep 8, 2023

✅ All reviewers have approved.

@eth-bot eth-bot changed the title 4788: post audit tweaks Update EIP-4788: post audit tweaks Sep 8, 2023
EIPS/eip-4788.md Outdated
"v": "0x1b",
"r": "0x539",
"s": "0x133700f3a77843802897db",
"hash": "0x14789a20c0508b81ab7a0287a12a3a41ca960aa18244af8e98689e37ed569f07"
"s": "0x133700018971c643803096",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do the r and s values have any particular meaning? I'm more curious as to why they s value had to change. Was it searched to find the first valid signature of any address from "zero" or is there some other meaning?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The s value is like the "nonce" for our address generator. We keep trying new s values until we get a deploy address with beac02 prefix.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it.

Is there a canonical definition of what a synthetic address is and best practices to grind out and S value?

In this particular case (r being 1337 in decimal, and s being 0x1337 left shifted 72 bytes, and then search upwards from there) it is obvious it should not have a known public key. But I think the industry would benefit from a best practice for showing a transaction is a synthetic address transaction with a know r producing a corresponding s.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this post is the pinnacle of our knowledge on the subject and it does not give any explicit instructions: https://weka.medium.com/how-to-send-ether-to-11-440-people-187e332566b7

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you talking about Nothing-up-my-sleeve numbers?

@ethereum ethereum deleted a comment from Ruyeduardo Sep 9, 2023
@djrtwo
Copy link
Contributor

djrtwo commented Sep 11, 2023

this value will share 500-1000 if slot were to change

  1. this is only if the slot time were to change to 4, 8, 16, 24, or 32. I suppose aesthetically we expect that?
  2. What is the precise value of sharing these remainders? a reduced non-zero state size for this precompile in the event that the slot time is changed? what magnitude are we talking about?

@adietrichs
Copy link
Member

adietrichs commented Sep 11, 2023

this value will share 500-1000 if slot were to change

Not sure I understand this, but I created my own gist to compare: https://gist.github.com/adietrichs/4f41090c37d292a96b08c8cdbd076d90
Active means percent of slots actively used under that slot time, Inactive counts the extra slots that were written to under 12s and are now no longer used.

For many slot times, 93600 results in a lower number of active (and total, taking into account the inactive ones) slots.
For the range of slot times up to 30s, the ones where there is a difference are: 5, 9, 10, 13, 15, 18, 20, 25, 26, 30.
For all of these 93600 is more efficient. For all others, both choices of modulus are equally efficient.

@adietrichs
Copy link
Member

adietrichs commented Sep 11, 2023

I talked with @lightclient, and out of that came the idea to maybe go the other way: I updated the gist with a third option of a modulus of 8191. Because that's a prime number, that way we are always at 100% active slots, but across a much smaller total range (picked so that at 12s slot time, it still covers ~1d). I'll open a PR for that change.

@adietrichs
Copy link
Member

adietrichs commented Sep 11, 2023

I have opened the PR: lightclient#7.
To keep conversation in one place, here a copy of the description:

HISTORY_BUFFER_LENGTH determines the overall size of the history region of the 4788 contract in storage. Both current proposed modulus, as well as the replacement proposed in the branch this PR is against, share prime factors with the current slot time (12s). This means that the usage of the history region will be sparse (only 1/12 of the storage slots in the region will be used). Furthermore, if we change the slot time in the future, this will change in somewhat arbitrary ways (depending on how many factors the new slot time and the modulus share). While this does not affect the functioning of the EIP, it does add unnecessary variance to two aspects, namely the total storage requirements and the total history depth available.

This PR changes the modulus to a prime number, so that there can never be any shared factors with the slot time. This way, 100% of the history region will be utilized, allowing for simple reasoning about total storage requirements and the total history depth, even in the case of future slot time changes. The specific value (8191 == 2**13 - 1) was chosen so that in the 12s slot time case it matches the total history depth of the original modulus as closely as possible.

Update EIP-4788: Move to Prime Modulus
EIPS/eip-4788.md Outdated Show resolved Hide resolved
EIPS/eip-4788.md Outdated Show resolved Hide resolved
@lightclient
Copy link
Member Author

New beacon root address found by @spencer-tb! Thanks!

@lightclient
Copy link
Member Author

Final beacon root address is 0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02.

Copy link
Collaborator

@eth-bot eth-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All Reviewers Have Approved; Performing Automatic Merge...

@eth-bot eth-bot merged commit 761df83 into ethereum:master Sep 26, 2023
yperbasis added a commit to erigontech/erigon that referenced this pull request Sep 26, 2023
Set BeaconRootsAddress to `0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02`
in preparation for
[dencun-devnet-9](https://notes.ethereum.org/@ethpandaops/dencun-devnet-9)
per ethereum/EIPs#7672. Hopefully this will be
the final change to BeaconRootsAddress.

Also update execution-spec-tests to
[v1.0.5](https://github.com/ethereum/execution-spec-tests/releases/tag/v1.0.5).
| `SYSTEM_ADDRESS` | `0xfffffffffffffffffffffffffffffffffffffffe` |
| `BEACON_ROOTS_ADDRESS` | `0xbEac00dDB15f3B6d645C48263dC93862413A222D` |
| `BEACON_ROOTS_ADDRESS` | `0x000F3df6D732807Ef1319fB7B8bB8522d0Beac02` |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was the address changed?

jumpi

push0
push0
revert

jumpdest
push3 0x018000
push3 0x001fff
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be push2 now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, this was a miss. However, not worth fixing, the runtime execution gascost is identical, the only difference is that the code is one byte larger than it would have needed to be.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This repeats 4x so 4 bytes wasted. Forever :)

Copy link

@namiloh namiloh Sep 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. Now there are 32 bits less left in the world.

🚻 ☮️

holiman added a commit to ethereum/go-ethereum that referenced this pull request Sep 28, 2023
This change contains the final (?) address for 4788 beacon root contract. The update to the EIP is being tracked here: ethereum/EIPs#7672

---------

Co-authored-by: Martin Holst Swende <martin@swende.se>
tyler-smith pushed a commit to blocknative/go-ethereum that referenced this pull request Oct 12, 2023
This change contains the final (?) address for 4788 beacon root contract. The update to the EIP is being tracked here: ethereum/EIPs#7672

---------

Co-authored-by: Martin Holst Swende <martin@swende.se>
tyler-smith pushed a commit to blocknative/go-ethereum that referenced this pull request Oct 16, 2023
This change contains the final (?) address for 4788 beacon root contract. The update to the EIP is being tracked here: ethereum/EIPs#7672

---------

Co-authored-by: Martin Holst Swende <martin@swende.se>
devopsbo3 pushed a commit to HorizenOfficial/go-ethereum that referenced this pull request Nov 10, 2023
This change contains the final (?) address for 4788 beacon root contract. The update to the EIP is being tracked here: ethereum/EIPs#7672

---------

Co-authored-by: Martin Holst Swende <martin@swende.se>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c-update Modifies an existing proposal s-draft This EIP is a Draft t-core
Projects
None yet
Development

Successfully merging this pull request may close these issues.