Introduce code validation at contract creation time for EOF formatted (EIP-3540) contracts. Reject contracts which contain truncated
PUSH-data or undefined instructions. Legacy bytecode (code which is not EOF formatted) is unaffected by this change.
Currently existing contracts require no validation of correctness and EVM implementations can decide how they handle truncated bytecode or undefined instructions. This change aims to bring code validity into consensus, so that it becomes easier to reason about bytecode. Moreover, EVM implementations may require less paths to decide which instruction is valid in the current execution context.
If it will be desired to introduce new instructions without bumping EOF version, having undefined instructions already deployed would mean such contracts potentially can be broken (since some of the instructions are changing their behaviour). Rejecting to deploy undefined instructions allows introducing new instructions with or without bumping the EOF version.
Remark: We rely on the notation of initcode, code and creation as defined by EIP-3540.
This feature is introduced on the very same block EIP-3540 is enabled, therefore every EOF1-compatible bytecode MUST be validated according to these rules.
At contract creation time both initcode and code are iterated instruction-by-instruction (the same process is used to perform "JUMPDEST-analysis"). Bytecode is deemed invalid if any of these conditions is true:
- it contains opcodes which are not currently assigned to an instruction (for the sake of assigned instructions, we count
INVALID(0xfe) as assigned),
- the data portion of a
PUSHn(0x60..0x7f) instruction is beyond the end of the code section.
If initcode is invalid, the contract creation results in an exceptional abort. If code is invalid, the contract creation results in an exceptional abort.
CALLCODE (0xf2) opcode may be dropped from the
valid_opcodes list to prevent use of this instruction in future. Likewise
SELFDESTRUCT (0xff) could also be rejected. Yet we decided not to mix such changes in.
# Reference Implementation
# The below are ranges as specified in the Yellow Paper. # Note: range(s, e) excludes e, hence the +1 valid_opcodes = [ *range(0x00, 0x0b + 1), *range(0x10, 0x1d + 1), 0x20, *range(0x30, 0x3f + 1), *range(0x40, 0x47 + 1), *range(0x50, 0x5b + 1), *range(0x60, 0x6f + 1), *range(0x70, 0x7f + 1), *range(0x80, 0x8f + 1), *range(0x90, 0x9f + 1), *range(0xa0, 0xa4 + 1), # Note: 0xfe is considered assigned. *range(0xf0, 0xf5 + 1), 0xfa, 0xfd, 0xfe, 0xff ] # Fails with assertion on invalid code def validate_code(code: bytes): pos = 0 while pos < len(code): # Ensure the opcode is valid opcode = code[pos] pos += 1 assert(opcode in valid_opcodes) # Skip pushdata if opcode >= 0x60 and opcode <= 0x7f: pos += opcode - 0x60 + 1 # Ensure last PUSH doesn't go over code end assert(pos == len(code))
# Test Cases
# Contract creation
Each case should be tested for creation transaction,
- Invalid initcode
- Valid initcode returning invalid code
- Valid initcode returning valid code
# Valid codes
- EOF code containing
- EOF code with a code section ending with
PUSHinstruction followed by correct number of bytes of data
- EOF code with data section containing bytes that are undefined instructions
- Legacy code containing undefined instruction
- Legacy code ending with incomplete PUSH instruction
# Invalid codes
- EOF code containing undefined instruction
- EOF code ending with incomplete
- This can include
PUSHinstruction unreachable by execution, e.g. after
- This can include
# Backwards Compatibility
This change poses no risk to backwards compatibility, as it is introduced at the same time EIP-3540 is. The validation does not cover legacy bytecode (code which is not EOF formatted).
# Security Considerations
The initcode validation adds additional overhead. We consider adding additional gas cost for the contract creation proportional to the length of the code section in initcode (e.g. 3 gas per byte).
This is not an issue for code in average case because the deployment cost is already 200 gas per byte. However, an attack may be constructed where long code is first validated and then contract creation fails because of insufficient gas for the deployment cost. The solution is to either charge the deployment cost before validation, or add a similar charge as initcode will have.
Copyright and related rights waived via CC0 (opens new window).