From 22bd1e592b4fe90a0bb201f3bfbca530bf5a62ed Mon Sep 17 00:00:00 2001 From: Alex Stokes Date: Tue, 13 Jun 2023 13:42:03 -0600 Subject: [PATCH] use two ring buffers to avoid collision attacks --- EIPS/eip-4788.md | 58 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 16 deletions(-) diff --git a/EIPS/eip-4788.md b/EIPS/eip-4788.md index 1cc70b1f04be9..edaf77de97f95 100644 --- a/EIPS/eip-4788.md +++ b/EIPS/eip-4788.md @@ -29,7 +29,7 @@ restaking constructions, smart contract bridges, MEV mitigations and more. |--- |--- |--- | `FORK_TIMESTAMP` | TBD | | `HISTORY_STORAGE_ADDRESS` | `Bytes20(0xB)` | -| `G_beacon_root` | 2100 | gas +| `G_beacon_root` | 4200 | gas | `HISTORICAL_ROOTS_LENGTH` | 98304 | ### Background @@ -53,22 +53,29 @@ Validity is guaranteed from the consensus layer, much like how withdrawals are h At the start of processing any execution block where `block.timestamp >= FORK_TIMESTAMP` (i.e. before processing any transactions), write the parent beacon root provided in the block header into the storage of the contract at `HISTORY_STORAGE_ADDRESS`. -The timestamp (a 64-bit unsigned integer value) of the header is used as a key into the contract's storage. -To map the timestamp to the correct key, the timestamp as a number is reduced modulo `HISTORICAL_ROOTS_LENGTH` and -this resulting 64-bit unsigned integer should be encoded as 32 bytes in big-endian format when writing to the storage. +In order to bound the storage used by this precompile, two ring buffers are used: one to track the latest root at a given index and another to track +the latest timestamp at a given index. -The 32 bytes of the `parent_beacon_block_root` (as provided) are the -value to write in the contract's storage. +To derive the index `root_index` into the root ring buffer, the timestamp (a 64-bit unsigned integer value) is reduced modulo `HISTORICAL_ROOTS_LENGTH`. +To derive the index `timestamp_index` into the timestamp ring buffer, add `HISTORICAL_ROOTS_LENGTH` to the index into the root ring buffer. +Both resulting 64-bit unsigned integers should be encoded as 32 bytes in big-endian format when writing to the storage. + +The 32 bytes of the `parent_beacon_block_root` (as provided) are the value to write behind the `root_index`. +The timestamp from the header, encoded as 32 bytes in big-endian format, is the value to write behind the `timestamp_index`. In Python pseudocode: ```python timestamp_reduced = block_header.timestamp % HISTORICAL_ROOTS_LENGTH -key = to_uint256_be(timestamp_reduced) +timestamp_extended = timestamp_reduced + HISTORICAL_ROOTS_LENGTH +root_index = to_uint256_be(timestamp_reduced) +timestamp_index = to_uint256_be(timestamp_extended) parent_beacon_block_root = block_header.parent_beacon_block_root +timestamp_as_uint256 = to_uint256_be(block_header.timestamp) -sstore(HISTORY_STORAGE_ADDRESS, key, parent_beacon_block_root) +sstore(HISTORY_STORAGE_ADDRESS, root_index, parent_beacon_block_root) +sstore(HISTORY_STORAGE_ADDRESS, timestamp_index, timestamp_as_uint256) ``` #### New stateful precompile @@ -76,24 +83,33 @@ sstore(HISTORY_STORAGE_ADDRESS, key, parent_beacon_block_root) Beginning at the execution timestamp `FORK_TIMESTAMP`, a "stateful" precompile is deployed at `HISTORY_STORAGE_ADDRESS`. Callers of the precompile should provide the `timestamp` they are querying encoded as 32 bytes in big-endian format. -This `timestamp` is reduced in the same way to point to a unique storage location into the ring buffer from any given block. -Alongside the existing gas for calling the precompile, there is an additional gas cost of `G_beacon_root` cost to reflect the implicit `SLOAD` from -the precompile's state. +Given this input, the precompile reduces the `timestamp` in the same way during the write routine and first checks if +the `timestamp` recorded in the ring buffer matches the one supplied by the caller. -The parent beacon block root for the given timestamp is returned as 32 bytes in the caller's provided return buffer. +If the `timestamp` **does NOT** match, the client **MUST** return the "zero" word -- the 32-byte value where each byte is `0x00`. + +If the `timestamp` **does** match, the client **MUST** read the root from the contract storage and return those 32 bytes in the caller's return buffer. In pseudocode: ```python timestamp = evm.calldata[:32] timestamp_reduced = to_uint64_be(timestamp) % HISTORICAL_ROOTS_LENGTH -key = to_uint32_be(timestamp_reduced) -root = sload(HISTORY_STORAGE_ADDRESS, key) -evm.returndata[:32].set(root) +timestamp_extended = timestamp_reduced + HISTORICAL_ROOTS_LENGTH +timestamp_index = to_uint256_be(timestamp_extended) + +recorded_timestamp = sload(HISTORY_STORAGE_ADDRESS, timestamp_index) +if recorded_timestamp != timestamp: + evm.returndata[:32].set(0x0000000000000000000000000000000000000000000000000000000000000000) +else: + root_index = to_uint256_be(timestamp_reduced) + root = sload(HISTORY_STORAGE_ADDRESS, root_index) + evm.returndata[:32].set(root) ``` -If there is no timestamp stored at the given root, the opcode follows the existing EVM semantics of `SLOAD` returning `0`. +Alongside the existing gas for calling the precompile, there is an additional gas cost of `G_beacon_root` to reflect the two (2) implicit `SLOAD`s from +the precompile's state. ## Rationale @@ -115,6 +131,16 @@ be nonfavorable conditions. Use of block root over state root does mean proofs will require a few additional nodes but this cost is negligible (and could be amortized across all consumers, e.g. with a singleton state root contract that caches the proof per slot). +### Why two ring buffers? + +The first ring buffer only tracks `HISTORICAL_ROOTS_LENGTH` worth of roots and so for all possible timestamp values would consume a constant amount of storage. +However, this design opens the precompile to an attack where a skipped slot that has the same value modulo the ring buffer length would return an old root value, +rather than the most recent one. + +To nullify this attack, this EIP keeps track of the pair of data `(parent_beacon_block_root, timestamp)` for each index into the +ring buffer and verifies the timestamp matches the one originally used to write the root data when being read. Given the fixed size of storage slots (only 32 bytes), the requirement +to store a pair of values necessitates two ring buffers, rather than just one. + ## Backwards Compatibility No issues.