Try   HackMD

Impact Analysis of Neutering SELFDESTRUCT - Dev Update #1

SELFDESTRUCT is an opcode that a contract can use to delete itself, meaning both code and storage are deleted from the state tree, and all ETH in the contract are sent to a specified address. It turns out that SELFDESTRUCT causes several complexities. Among other things, allowing contracts to selfdestruct causes complexities when switching to Verkle trees, and the current proposal for Verkle tries requires neutering the opcode. This means that the opcode is renamed to SENDALL, and the only thing it does is to send the contract balance to the specified address.

Goal of the project

Neutering SELFDESTRUCT is a backward-incompatible change. The goal of this project is to analyze all existing uses of SELFDESTRUCT to evaluate the potential effects of this change.

What have been done

First, I downloaded the contract code of all contracts deployed on the Mainnet from the Public BigQuery Ethereum dataset. This dataset was created using Ethereum ETL. I then created a PostgreSQL database where I inserted this data. I will use this database to store metadata about the contracts, as I go along. Currently, I have added the following metadata:

  • has_selfdestruct Does the code have the SELFDESTRUCT opcode?
  • selfdestruct_recipients The potential recipients of the contract balance, extracted by static analysis (see below).
  • has_callcode Does the code have the CALLCODE opcode? This is relevant, because a contract can also selfdestruct by using CALLCODE to another contract that uses SELFDESTRUCT.
  • has_delegatecall Does the code have the DELEGATECALL opcode? Same as for CALLCODE.
  • call_addresses The potential addresses that can be called by CALLCODE or DELEGATECALL, extracted by static analysis (see below).

Static analysis of contract code

In order to perform static analysis on contract code, I have implemented a very primitive EVM interpreter in Haskell. This interpreter performs symbolic execution of EVM code. The interpreter is able to enumerate all possible inputs of a given opcode, which is used to find all possible recipients of the contract balance, and all possible addresses called by CALLCODE or DELEGATECALL. The plan is to release the source code as part of the final analysis.

Some numbers

There are a total of 43,621,454 deployed contracts on Ethereum Mainnet (as of June 12, 2021). The contracts have 398,220 distinct contract codes. Among the distinct codes, there are

  • 20,565 (~5%) codes having the SELFDESTRUCT opcode,
  • 32,032 (~8%) codes that do not have SELFDESTRUCT, but has either CALLCODE or DELEGATECALL, and
  • 345,623 (~87%) codes that do not have any of the three opcodes and are therefore indestructable.

There will be more numbers to come in the upcoming updates.

What remains to be done

Please let me know if you think I should add anything to this list.

  • Find out which of the contracts having CALLCODE or DELEGATECALL can be proven indestructable. We can prove this recursively if

    1. The contract does not contain SELFDESTRUCT and
    2. All possible contracts that can be called by the contract can be determined by static analysis, and
    3. All possible contracts that can be called, are proven to be indestructable

  • Obtain the Solidity code of all selfdestructable contracts that are available from etherscan.io.

  • Identify which contracts are metamorphic, meaning that they are able to selfdestruct and be redeployed at the same address. Metamorphic contracts will no longer be possible after neutering SELFDESTRUCT, so this will be an important part of the analysis. If a contract is metamorphic, the contract must have been either

    1. deployed using CREATE2 or
    2. deployed by a metamorphic contract

    In order to analyze this, I need to obtain information about how each contract was deployed. Check if Ethereum ETL can be used for this.

  • Obtain indicators for the popularity of the destructable contracts, such as balance, number of transactions interacting with the contract etc.

  • Improve the EVM analyzer such that it can tell under which conditions the contract may selfdestruct. For instance, if the CALLER must be equal to a specific address, etc.

  • Are there any cases where EXTCODECOPY, EXTCODEHASH or EXTCODESIZE are used to query the code of destructable contracts? For what reasons? Do any of the use cases depend on the selfdestructable contract to be able to selfdestruct?

  • Publish the code on github. All of the analysis should be replicable.

Last changed by 
Albus Dompeldorius
2
1554

Read more

Albus Dompeldorius CDAP - Dev Update #7

This is the seventh update for my work in the CDAP. What I have done since last update I have been working on Springrollup. First, I managed to implement two circuits. One for adding pending transactions, and one for processing pending transactions. Then I realized that the rollup could be simplified a lot; instead of having pending transactions, we could simply require that the operator sends witnesses to all senders in a rollup block, who then confirm their transactions, before the operator publishes the block. Only transactions whose senders have confirmed, are processed. With this new mechanism, there is no longer any need for maintaining pending transactions. Another challange I faced was that I learned that circuits are very strict about the sizes of their inputs. This means that for instance the number of transactions in a block must be hard-coded in the circuit. One solution to allow dynamically adjusted block sizes is to create several circuits for different sizes and allowing the operator to pick one circuit each time they want to publish a block. However, this challenge is even more difficult in our case, since not only is the number of transactions variable, but also the number of senders. One solution for this is to have two circuits that are processed after one another. The first circuit processes all balance updates, and the second circuit processes all senders (checks their signature, and checks that their account index is part of the calldata). The first circuit could compute a hash of all senders (along with the new state root), which is fed as an input to the second circuit. What I will do next

Nov 9, 2021
Albus Dompeldorius CDAP - Dev Update #6

This is the sixth update for my work in the CDAP. What I have done since last update Springrollup specification Since my last update, I have finally figured out how to do deposits/withdrawals in my zk-rollup (called Springrollup), and I have posted the first description of it on ethresear.ch. I realized that because of the differences between my design and regular zk-rollups, deposits and withdrawals were more complicated in comparison with a regular zk-rollups, but I found a way to do it. I figured out that it was much easier to do withdrawals and deposits if we represented each rollup account's balance as a sum of two balances: one balance which keeps track of the amount deposited on L1 to the account minus the amount withdrawn on L1 from the account, and another balance which keeps track of the amount received to the account minus the amount sent by L2 transfers from the account.

Oct 26, 2021
Springrollup: A zk-rollup that allows a sender to batch an unlimited number of transfers with only 6 bytes of calldata per batch

(The newest version of this document can always be found on hackmd or GitHub) We introduce Springrollup: a Layer 2 solution which has the same security assumptions as existing zk-rollups, but uses much less on-chain data. In this rollup, a sender can batch an arbitrary number of transfers to other accounts while only having to post their address as calldata, which is 6 bytes if we want to support up to 2^48 ~ 300 trillion accounts. As a by-product we also achieve increased privacy, since less user data is posted on-chain. General framework We start by introducing the general framework that we will use to describe the rollup. The rollup state is divided in two parts: On-chain available state: State with on-chain data availability. All changes to this state must be provided as calldata by the operator.

Oct 20, 2021
Albus Dompeldorius CDAP - Dev Update #5

This is the fifth update for my work in the CDAP. What I have done since last update Since my last update, I have been working on my zk-rollup concept, which allows for greatly reduced calldata usage while still preserving the same security of zk-rollups. The document is now expanded with more details about deposits, withdrawals, calldata estimates and examples. Anyone familiar with how zk-rollups work should now hopefully be able to grasp the main idea in my proposal. The reason I haven't posted to ethresear.ch yet, is that I want to implement an optimization first. (see below) What I will do next I am currently working on an optimization which would allow even less calldata usage. The current proposal uses 8 bytes of calldata for a batch of up to 65536 transfers from the same sender, but with the extra optimization this will be reduced to 6 bytes for a batch of an unlimited amount of transfers from the same sender. Once this is done, I will post the proposal on ethresear.ch to get some feedback on the proposal. I will reach out to zk-people to try to collaborate on an implementation.

Oct 12, 2021
Read more from Albus Dompeldorius
Published on HackMD