# Spearbits PR diff [TOC] All pull-requests from tag `audit.1` to last tag `v0.7.0.0-rc.4` All pull-requests from tag `v0.7.0.0-rc.4` to last tag `v0.8.0.0-fork.2` ## New repository https://github.com/0xPolygonHermez/zkevm-rom-internal has been created to add all the fixes that are being found by the internal/external audits It is a mirror of the `zkevm-rom` repository. >Request access if needed to `krlosmata` in telegram group ## Summary what's Changed * update version package by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/218 * update tmpvars & expAD counters by @laisolizq in https://github.com/0xPolygonHermez/zkevm-rom/pull/212 * Fix jmpn by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/214 * read entire bytecode program at once by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/219 * remove obsolete TODO comment by @zkronos73 in https://github.com/0xPolygonHermez/zkevm-rom/pull/222 * Fix computeGasSendCall by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/221 * fix FNEC_DIV_TWO constant and update test by @zkronos73 in https://github.com/0xPolygonHermez/zkevm-rom/pull/225 * Feature/counter tests by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/223 * RLP checks & clean code by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/224 * Audit jan fixes by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/226 * Feature/counters and comments by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/227 * Boundaries check fixes by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/228 * update dependencies by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/229 * reduce steps max limit by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/231 * Feature/check 256bits by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/233 * add metadata file by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/234 * fix zk-counters checks with :LT by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/235 * Feature/fix sendall by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/236 * Feature/remove debug handles by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/237 * remove duplicate stack overflow by @krlosMata in https://github.com/0xPolygonHermez/zkevm-rom/pull/240 * Remove opbasefee by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/241 * Optimize opPush and SHL by @ignasirv in https://github.com/0xPolygonHermez/zkevm-rom/pull/242 **Full Changelog**: https://github.com/0xPolygonHermez/zkevm-rom/compare/audit.1...v0.7.0.0-rc.4 **Continue full changelog**: https://github.com/0xPolygonHermez/zkevm-rom/compare/v0.7.0.0-rc.4...v0.8.0.0-fork.2 ## Pull-Request details Sorted as in previous section | PR link | Solves | Brief explanation | New Code | |:------------------------------------------------------------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:--------:| | [218](https://github.com/0xPolygonHermez/zkevm-rom/pull/218) | x | update last versions package | NO | | [212](https://github.com/0xPolygonHermez/zkevm-rom/pull/212) | [35](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/35)<br>[10](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/10) | split `tmpVars` for each functionality + check counters `expAD` function before loop | NO | | [214](https://github.com/0xPolygonHermez/zkevm-rom/pull/214) | x | fix `JMPN` at decoding RLP | YES | | [219](https://github.com/0xPolygonHermez/zkevm-rom/pull/219) | x | Load contract bytecode in one single instruction instead of loading byte per byte | YES | | [222](https://github.com/0xPolygonHermez/zkevm-rom/pull/222) | [45](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/45) | Remove TODO comments | NO | | [221](https://github.com/0xPolygonHermez/zkevm-rom/pull/221) | [42](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/42)<br>[17](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/17) | Fix all unsafe computations. Fix less 32 bits computations. | NO | | [225](https://github.com/0xPolygonHermez/zkevm-rom/pull/225) | x | fix FNEC_DIV_TWO constant in `ecrecover` | YES | | [223](https://github.com/0xPolygonHermez/zkevm-rom/pull/223) | [43](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/43)<br>[8](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/8) | zk-counters at lowest level function | YES | | [224](https://github.com/0xPolygonHermez/zkevm-rom/pull/224) | [18](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/18) | RLP non-canonical checks | YES | | [226](https://github.com/0xPolygonHermez/zkevm-rom/pull/226) | [7](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/7)<br>[9](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/9)<br>[10](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/10)<br>[15](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/15) | several optimitzations from audit commnets. Fix jump out of bounds | NO | | [227](https://github.com/0xPolygonHermez/zkevm-rom/pull/227) | [43](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/43)<br>[8](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/8) | Safe band 5% on zk-counters | YES | | [228](https://github.com/0xPolygonHermez/zkevm-rom/pull/228) | [21](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/21)<br>[34](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/34) | Fix reading out-of-bounds. Optimitzation `opPUSHB`. Fix `offsetUtils`. Fix `touched` | NO | | [229](https://github.com/0xPolygonHermez/zkevm-rom/pull/229) | x | Update versions | NO | | [231](https://github.com/0xPolygonHermez/zkevm-rom/pull/231) | x | Reduce zk-counters steps by 5% | YES | | [233](https://github.com/0xPolygonHermez/zkevm-rom/pull/233) | x | Fix operation with register > 32 bits | YES | | [234](https://github.com/0xPolygonHermez/zkevm-rom/pull/234) | x | add metadata.txt file | NO | | [235](https://github.com/0xPolygonHermez/zkevm-rom/pull/235) | x | Fix negative numbers in `:LT` | YES | | [236](https://github.com/0xPolygonHermez/zkevm-rom/pull/236) | [36](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/36) | Fix SENDALL to itself | NO | | [237](https://github.com/0xPolygonHermez/zkevm-rom/pull/237) | x | Remove handlers for debug purposes | NO | | [240](https://github.com/0xPolygonHermez/zkevm-rom/pull/240) | [11](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/11) | Remove duplicate stack overflow check | NO | | [241](https://github.com/0xPolygonHermez/zkevm-rom/pull/241) | [33](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/33) | Remove `opBASEFEE` opcode | NO | | [242](https://github.com/0xPolygonHermez/zkevm-rom/pull/242) | [41](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/41)<br>[26](https://github.com/spearbit-audits/review-polygon-zkevm-dec/issues/26)<br>[12](https://github.com/spearbit-audits/review-polygon-zkevm-jan/issues/12) | Optimitzations audit: push, SHL, MSTOREX, `opMSTORE` & `opCALLDATALOAD` | YES | | [246](https://github.com/0xPolygonHermez/zkevm-rom/pull/246) | x | Add `forkID` parameter | YES | | [247](https://github.com/0xPolygonHermez/zkevm-rom/pull/247) | x | revert on not-supported precompiled, add check zk-counter `PADDING_PG_LIMIT` & assert 32 bit range for certain free-input | YES | | [248](https://github.com/0xPolygonHermez/zkevm-rom/pull/248) | x | Fix CTX = 0 when calling `identity` precompiled directly | YES | | [251](https://github.com/0xPolygonHermez/zkevm-rom/pull/251) | x | Update constant Global Exit Root L2 address | YES | | [257](https://github.com/0xPolygonHermez/zkevm-rom/pull/257/files) | x | add update storage logs | NO | | [252](https://github.com/0xPolygonHermez/zkevm-rom/pull/252) | x | Fix adding bytes to compute BatchHashData & remove MAXMEM register | YES | | [263](https://github.com/0xPolygonHermez/zkevm-rom/pull/263) | x | Fix `MLOADX` util function, check overflow at intrinsic balance, correct typos, fix txCount with 64 bits computations, fix RLP long list (llength < 3 bytes), fix txNonce & fix `opBLOCKCHASH` | YES | | [2](https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/2) |x | add control RLP leading zeros, comment chainID to be 32 bits at maximum & add missing binary zk-counter check |YES | ## Extended PR explanation ### 219 - new feature added - In previous version, smart contract bytecode was added byte by byte into the poseidon hash, then we performed the hash and compare it against the state-tree - In the new version, loads the smart contract bytecode hash from the state-tree and directly creates a poseidon table with state-tree resulting hash and external bytecode. Bytecode and hash must match otherwise proof will fail ### 223 - zk-counters has been refactor - notice that new approach zk-counters are checked at lowest level functions - tooling and unitary tests has been added in order to always check zk-counters. Hence, we can notice if counters changes ### 224 - add checks for non-canonical RLP decoding - single byte values(0-127) encoded as short string - short string encoded as long string - short list encoded as long list - `gasLimit` to be max 64 bits ### 248 - fixes directly call to precompiled identity which could couse to go to `handleGas` with a incorrect `CTX` and thus add random amount od ether in a leaf ### 263 - Several fixes found in internal audit has been done in this PR - limit 3 bytes for RLP long list which could lead to perform `ARITH` state machine which values over 32 bits and stop the prover - control overflow when checking intrinsic balance. This could cause to mint Ether in an account for free - using `JMPN` (limited by 32 bits) on `txNonce` & `txCount` - fix `opBLOCKCHASH` where stack input was not controlled properly and could cause stopping the prover - fix `MSTOREX` utils to handle correctly situation when `offset + lengthBuytesToWrite > 32` which leads to stopping te prover (this was triggered in public testnet) ## Internal audit issues and fixes - Kanban with all issues found: https://github.com/orgs/0xPolygonHermez/projects/4/views/1 > Ask `krlosmata` if you do not have access - PRs that solves all the issues in the kanban: https://github.com/0xPolygonHermez/zkevm-rom-internal/pulls - some of them imply small changes and they are group in one PR - issues are mapped to PR in their comments - PR contains the issues solved - this [PR](https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/7) contains all fixes ### Large code changes - The following issues are the ones that implied more code change. Hence, it is need a double check on the fix: - https://github.com/0xPolygonHermez/internal-audit/issues/20 - https://github.com/0xPolygonHermez/internal-audit/issues/21 - https://github.com/0xPolygonHermez/internal-audit/issues/3 - https://github.com/0xPolygonHermez/internal-audit/issues/15 - https://github.com/0xPolygonHermez/internal-audit/issues/26 - https://github.com/0xPolygonHermez/internal-audit/issues/22 - https://github.com/0xPolygonHermez/internal-audit/issues/23 - The rest of the issues are straightforward changes, still it would be good also to double check them ### PR list - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/2 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/5 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/6 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/8 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/3 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/10 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/9 - https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/12 - last to fix return data when identity pre-compiled is called directly > all PRs are being accumlated in https://github.com/0xPolygonHermez/zkevm-rom-internal/pull/11