Skip to content

Commit

Permalink
use two ring buffers to avoid collision attacks
Browse files Browse the repository at this point in the history
  • Loading branch information
ralexstokes committed Jun 13, 2023
1 parent 20d7767 commit 50315b6
Showing 1 changed file with 44 additions and 16 deletions.
60 changes: 44 additions & 16 deletions EIPS/eip-4788.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ restaking constructions, smart contract bridges, MEV mitigations and more.
|--- |--- |---
| `FORK_TIMESTAMP` | TBD |
| `HISTORY_STORAGE_ADDRESS` | `Bytes20(0xB)` |
| `G_beacon_root` | 2100 | gas
| `G_beacon_root` | 4200 | gas
| `HISTORICAL_ROOTS_LENGTH` | 98304 |

### Background
Expand All @@ -53,47 +53,65 @@ Validity is guaranteed from the consensus layer, much like how withdrawals are h
At the start of processing any execution block where `block.timestamp >= FORK_TIMESTAMP` (i.e. before processing any transactions),
write the parent beacon root provided in the block header into the storage of the contract at `HISTORY_STORAGE_ADDRESS`.

The timestamp (a 64-bit unsigned integer value) of the header is used as a key into the contract's storage.
To map the timestamp to the correct key, the timestamp as a number is reduced modulo `HISTORICAL_ROOTS_LENGTH` and
this resulting 64-bit unsigned integer should be encoded as 32 bytes in big-endian format when writing to the storage.
In order to bound the storage used by this precompile, two ring buffers are used: one to track the latest root at a given index and another to track
the latest timestamp at a given index.

The 32 bytes of the `parent_beacon_block_root` (as provided) are the
value to write in the contract's storage.
To derive the index `root_index` into the root ring buffer, the timestamp (a 64-bit unsigned integer value) is reduced modulo `HISTORICAL_ROOTS_LENGTH`.
To derive the index `timestamp_index` into the timestamp ring buffer, add `HISTORICAL_ROOTS_LENGTH` to the index into the root ring buffer.
Both resulting 64-bit unsigned integers should be encoded as 32 bytes in big-endian format when writing to the storage.

The 32 bytes of the `parent_beacon_block_root` (as provided) are the value to write behind the `root_index`.
The timestamp from the header, encoded as 32 bytes in big-endian format, is the value to write behind the `timestamp_index`.

In Python pseudocode:

```python
timestamp_reduced = block_header.timestamp % HISTORICAL_ROOTS_LENGTH
key = to_uint256_be(timestamp_reduced)
timestamp_extended = timestamp_reduced + HISTORICAL_ROOTS_LENGTH
root_index = to_uint256_be(timestamp_reduced)
timestamp_index = to_uint256_be(timestamp_extended)

parent_beacon_block_root = block_header.parent_beacon_block_root
timestamp_as_uint256 = to_uint256_be(block_header.timestamp)

sstore(HISTORY_STORAGE_ADDRESS, key, parent_beacon_block_root)
sstore(HISTORY_STORAGE_ADDRESS, root_index, parent_beacon_block_root)
sstore(HISTORY_STORAGE_ADDRESS, timestamp_index, timestamp_as_uint256)
```

#### New stateful precompile

Beginning at the execution timestamp `FORK_TIMESTAMP`, a "stateful" precompile is deployed at `HISTORY_STORAGE_ADDRESS`.

Callers of the precompile should provide the `timestamp` they are querying encoded as 32 bytes in big-endian format.
This `timestamp` is reduced in the same way to point to a unique storage location into the ring buffer from any given block.

Alongside the existing gas for calling the precompile, there is an additional gas cost of `G_beacon_root` cost to reflect the implicit `SLOAD` from
the precompile's state.
Given this input, the precompile reduces the `timestamp` in the same way during the write routines and first checks if
the `timestamp` at the ring buffer index matches the one supplied by the caller.

The parent beacon block root for the given timestamp is returned as 32 bytes in the caller's provided return buffer.
If the `timestamp` **does NOT** match, the client **MUST** return the "zero" word -- the 32-byte value where each byte is `0x00`.

If the `timestamp` **does** match, the client **MUST** read the root ring buffer and return the 32-byte value there in the caller's return buffer.

In pseudocode:

```python
timestamp = evm.calldata[:32]
timestamp_reduced = to_uint64_be(timestamp) % HISTORICAL_ROOTS_LENGTH
key = to_uint32_be(timestamp_reduced)
root = sload(HISTORY_STORAGE_ADDRESS, key)
evm.returndata[:32].set(root)
timestamp_extended = timetsamp_reduced + HISTORICAL_ROOTS_LENGTH
timestamp_index = to_uint256_be(timestamp_extended)

recorded_timestamp = sload(HISTORY_STORAGE_ADDRESS, timestamp_index)
if recorded_timestamp != timestamp:
evm.returndata[:32].set(0x0000000000000000000000000000000000000000000000000000000000000000)
else:
root_index = to_uint256_be(timestamp_reduced)
root = sload(HISTORY_STORAGE_ADDRESS, root_index)
evm.returndata[:32].set(root)
```

If there is no timestamp stored at the given root, the opcode follows the existing EVM semantics of `SLOAD` returning `0`.
Alongside the existing gas for calling the precompile, there is an additional gas cost of `G_beacon_root` cost to reflect the two (2) implicit `SLOAD`s from
the precompile's state.

If there is no root stored at the given timestamp, the opcode follows the existing EVM semantics of `SLOAD` returning `0`.

## Rationale

Expand All @@ -115,6 +133,16 @@ be nonfavorable conditions.
Use of block root over state root does mean proofs will require a few additional nodes but this cost is negligible (and could be amortized across all consumers,
e.g. with a singleton state root contract that caches the proof per slot).

### Why two ring buffers?

The first ring buffer only tracks `HISTORICAL_ROOTS_LENGTH` worth of roots and so for all possible timestamp values would consume a constant amount of storage.
However, this design opens the precompile to an attack where a skipped slot that has the same value modulo the ring buffer length would return an old root value,
rather than the most recent one.

To nullify this attack, this EIP keeps track of the pair of data `(parent_beacon_block_root, timestamp)` for each index into the
ring buffer and verifies the timestamp matches the one originally used to write the root data when being read. Given the fixed size of storage slots (only 32 bytes), the requirement
to store a pair of values necessitates two ring buffers, rather than just one.

## Backwards Compatibility

No issues.
Expand Down

0 comments on commit 50315b6

Please sign in to comment.