# Statelessness gas cost changes EIP draft ## Summary This EIP introduces changes in the gas schedule to reflect the costs of creating a witness. It requires clients to update their database layout to match this, so as to avoid potential DoS attacks. ## Motivation The [Verkle tree EIP](https://notes.ethereum.org/5HDhQXstTaKtVqVbS7S9yw) requires fundamental changes and as a preparation, this EIP is targetting the fork coming right before the verkle tree fork, in order to incentivize Dapp developers to adopt the new storage model, and ample time to adjust to it. It also incentivizes client developers to migrate their database format ahead of the verkle fork. ## Specification ### Access events We define access events as follows. When an access event takes place, the accessed data is saved to the Verkle tree (even if it was not modified). An access event is of the form`(address, sub_key, leaf_key)`, determining what data is being accessed. #### Access events for account headers When a non-precompile address is the target of a `CALL`, `CALLCODE`, `DELEGATECALL`, `SELFDESTRUCT`, `EXTCODESIZE`, or `EXTCODECOPY` opcode, or is the target address of a contract creation whose initcode starts execution, process these access events: ``` (address, 0, VERSION_LEAF_KEY) (address, 0, CODE_SIZE_LEAF_KEY) ``` If a call is value-bearing (ie. it transfers nonzero wei), whether or not the callee is a precompile, process these two access events: ``` (caller_address, 0, BALANCE_LEAF_KEY) (callee_address, 0, BALANCE_LEAF_KEY) ``` When a contract is created, process these access events: ``` (contract_address, 0, VERSION_LEAF_KEY) (contract_address, 0, NONCE_LEAF_KEY) (contract_address, 0, BALANCE_LEAF_KEY) (contract_address, 0, CODE_KECCAK_LEAF_KEY) (contract_address, 0, CODE_SIZE_LEAF_KEY) ``` If the `BALANCE` opcode is called targeting some address, process this access event: ``` (address, 0, BALANCE_LEAF_KEY) ``` If the `SELFDESTRUCT` opcode is called by some caller_address targeting some target_address (regardless of whether it’s value-bearing or not), process access events of the form: ``` (caller_address, 0, BALANCE_LEAF_KEY) (target_address, 0, BALANCE_LEAF_KEY) ``` If the `EXTCODEHASH` opcode is called targeting some address, process an access event of the form: ``` (address, 0, CODEHASH_LEAF_KEY) ``` #### Access events for storage `SLOAD` and `SSTORE` opcodes with a given address and key process an access event of the form ``` (address, tree_key, sub_key) ``` Where tree_key and sub_key are computed as follows: ```python def get_storage_slot_tree_keys(storage_key: int) -> [int, int]: if storage_key < (CODE_OFFSET - HEADER_STORAGE_OFFSET): pos = HEADER_STORAGE_OFFSET + storage_key else: pos = MAIN_STORAGE_OFFSET + storage_key return ( pos // 256, pos % 256 ) ``` #### Access events for code In the conditions below, “chunk chunk_id is accessed” is understood to mean an access event of the form ``` (address, (chunk_id + 128) // 256, (chunk_id + 128) % 256) ``` * At each step of EVM execution, if and only if PC < len(code), chunk PC // CHUNK_SIZE (where PC is the current program counter) of the callee is accessed. In particular, note the following corner cases: * The destination of a `JUMP` (or positively evaluated JUMPI) is considered to be accessed, even if the destination is not a jumpdest or is inside pushdata * The destination of a `JUMPI` is not considered to be accessed if the jump conditional is false. * The destination of a jump is not considered to be accessed if the execution gets to the jump opcode but does not have enough gas to pay for the gas cost of executing the `JUMP` opcode (including chunk access cost if the `JUMP` is the first opcode in a not-yet-accessed chunk) * The destination of a jump is not considered to be accessed if it is beyond the code (`destination >= len(code)`) * If code stops execution by walking past the end of the code, `PC = len(code)` is not considered to be accessed * If the current step of EVM execution is a `PUSH{n}`, all chunks `(PC // CHUNK_SIZE) <= chunk_index <= ((PC + n) // CHUNK_SIZE)`` of the callee are accessed. * If a nonzero-read-size `CODECOPY` or `EXTCODECOPY` read bytes `x...y` inclusive, all chunks ``(x // CHUNK_SIZE) <= chunk_index <= (min(y, code_size - 1) // CHUNK_SIZE)`` of the accessed contract are accessed. * Example 1: for a `CODECOPY` with start position 100, read size 50, `code_size = 200`, `x = 100` and `y = 149` * Example 2: for a `CODECOPY` with start position 600, read size 0, no chunks are accessed * Example 3: for a `CODECOPY` with start position 1500, read size 2000, `code_size = 3100`, `x = 1500` and `y = 3099` * `CODESIZE`, `EXTCODESIZE` and `EXTCODEHASH` do NOT access any chunks. When a contract is created, access chunks `0 ... (len(code)+30)//31` ### Write Events We define **write events** as follows. Note that when a write takes place, an access event also takes place (so the definition below should be a subset of the definition of access lists) A write event is of the form `(address, sub_key, leaf_key)`, determining what data is being written to. #### Write events for account headers When a nonzero-balance-sending CALL or SELFDESTRUCT with a given sender and recipient takes place, process these write events: ``` (sender, 0, BALANCE_LEAF_KEY) (recipient, 0, BALANCE_LEAF_KEY) ``` When a contract creation is initialized, process these write events: ``` (contract_address, 0, VERSION_LEAF_KEY) (contract_address, 0, NONCE_LEAF_KEY) ``` Only if the value sent with the creation is nonzero, also process: ``` (contract_address, 0, BALANCE_LEAF_KEY) ``` When a contract is created, process these write events: ``` (contract_address, 0, VERSION_LEAF_KEY) (contract_address, 0, NONCE_LEAF_KEY) (contract_address, 0, BALANCE_LEAF_KEY) (contract_address, 0, CODE_KECCAK_LEAF_KEY) (contract_address, 0, CODE_SIZE_LEAF_KEY) ``` #### Write events for storage SSTORE opcodes with a given `address` and `key` process a write event of the form ``` (address, tree_key, sub_key) ``` Where `tree_key` and `sub_key` are computed as follows: ```python def get_storage_slot_tree_keys(storage_key: int) -> [int, int]: if storage_key < (CODE_OFFSET - HEADER_STORAGE_OFFSET): pos = HEADER_STORAGE_OFFSET + storage_key else: pos = MAIN_STORAGE_OFFSET + storage_key return ( pos // 256, pos % 256 ) ``` #### Write events for code When a contract is created, make write events: ```python ( address, (CODE_OFFSET + i) // VERKLE_NODE_WIDTH, (CODE_OFFSET + i) % VERKLE_NODE_WIDTH ) ``` For `i` in `0 ... (len(code)+30)//31`. ### Transactions #### Access events For a transaction, make these access events: ``` (tx.origin, 0, VERSION_LEAF_KEY) (tx.origin, 0, BALANCE_LEAF_KEY) (tx.origin, 0, NONCE_LEAF_KEY) (tx.origin, 0, CODE_SIZE_LEAF_KEY) (tx.origin, 0, CODE_KECCAK_LEAF_KEY) (tx.target, 0, VERSION_LEAF_KEY) (tx.target, 0, BALANCE_LEAF_KEY) (tx.target, 0, NONCE_LEAF_KEY) (tx.target, 0, CODE_SIZE_LEAF_KEY) (tx.target, 0, CODE_KECCAK_LEAF_KEY) ``` #### Write events ``` (tx.origin, 0, NONCE_LEAF_KEY) ``` if `value` is non-zero: ``` (tx.origin, 0, BALANCE_LEAF_KEY) (tx.target, 0, BALANCE_LEAF_KEY) ``` ### Witness gas costs Remove the following gas costs: * Increased gas cost of `CALL` if it is nonzero-value-sending * EIP-2200 `SSTORE` gas costs except for the `SLOAD_GAS` * 200 per byte contract code cost Reduce gas gost: * `CREATE` to 1000 |Constant |Value| |-|-| |WITNESS_BRANCH_COST |1900| |WITNESS_CHUNK_COST |200| |SUBTREE_EDIT_COST |3000| |CHUNK_EDIT_COST |500| |CHUNK_FILL_COST |6200| When executing a transaction, maintain four sets: * `accessed_subtrees: Set[Tuple[address, int]]` * `accessed_leaves: Set[Tuple[address, int, int]]` * `edited_subtrees`: `Set[Tuple[address, int]]` * `edited_leaves`: `Set[Tuple[address, int, int]]` When an **access** event of `(address, sub_key, leaf_key)` occurs, perform the following checks: * If ``(address, sub_key)`` is not in accessed_subtrees, charge WITNESS_BRANCH_COST gas and add that tuple to accessed_subtrees. * If `leaf_key` is not `None` and ``(address, sub_key, leaf_key)`` is not in `accessed_leaves`, charge `WITNESS_CHUNK_COST` gas and add it to `accessed_leaves` When a **write** event of `(address, sub_key, leaf_key)` occurs, perform the following checks: * If (address, sub_key) is not in edited_subtrees, charge `SUBTREE_EDIT_COST` gas and add that tuple to edited_subtrees. * If leaf_key is not None and `(address, sub_key, leaf_key)` is not in `edited_leaves`, charge `CHUNK_EDIT_COST` gas and add it to `edited_leaves` * Additionally, if there was no value stored at `(address, sub_key, leaf_key)` (ie. the state held None at that position), charge `CHUNK_FILL_COST` Note that tree keys can no longer be emptied: only the values `0...2**256-1` can be written to a tree key, and 0 is distinct from None. Once a tree key is changed from `None` to not-`None`, it can never go back to `None`. ### Replacement for access lists We replace EIP 2930 access lists with an SSZ structure of the form: ```python class AccessList(Container): addresses: List[AccountAccessList, ACCESS_LIST_MAX_ELEMENTS] class AccountAccessList(Container): address: Address32 subtrees: List[AccessSubtree, ACCESS_LIST_MAX_ELEMENTS] class AccessSubtree(Container): subtree_key: uint256 elements: BitVector[256] ``` ### Miscellaneous * The `SELFDESTRUCT` opcode is renamed to `SENDALL`, and now only immediately moves all ETH in the account to the target; it no longer destroys code or storage or alters the nonce * All refunds are removed ## Rationale ### Gas reform Gas costs for reading storage and code are reformed to more closely reflect the gas costs under the new Verkle tree design. `WITNESS_CHUNK_COST` is set to charge 6.25 gas per byte for chunks, and `WITNESS_BRANCH_COST` is set to charge ~13,2 gas per byte for branches on average (assuming 144 byte branch length) and ~2.5 gas per byte in the worst case if an attacker fills the tree with keys deliberately computed to maximize proof length. The main differences from gas costs in Berlin are: * 200 gas charged per 31 byte chunk of code. This has been estimated to increase average gas usage by ~6-12% (see [this analysis](https://notes.ethereum.org/@ipsilon/code-chunk-cost-analysis) suggesting 10-20% gas usage increases at a 350 gas per chunk level). * Cost for accessing adjacent storage slots (`key1 // 256 == key2 // 256`) decreases from 2100 to 200 for all slots after the first in the group, * Cost for accessing storage slots 0…63 decreases from 2100 to 200, including the first storage slot. This is likely to significantly improve performance of many existing contracts, which use those storage slots for single persistent variables. Gains from the latter two properties have not yet been analyzed, but are likely to significantly offset the losses from the first property. It’s likely that once compilers adapt to these rules, efficiency will increase further. The precise specification of when access events take place, which makes up most of the complexity of the gas repricing, is necessary to clearly specify when data needs to be saved to the period 1 tree. ## Implementation notes This EIP will mean that certain operations, mostly reading and writing several elements in the same suffix tree, become cheaper. If clients retain the same database structure as they have now, this would result in a DOS vector. So some adaptation of the database is required in order to make this work. * In all possible futures, it is important to logically separate the commitment scheme from data storage. In particular, no traversal of the commitment scheme tree should be necessary to find any given state element * In order to make accesses to the same stem cheap as required for this EIP, the best way is probably to store each stem in the same location in the database. Basically the 256 leaves of 32 bytes each would be stored in an 8kB BLOB. The overhead of reading/writing this BLOB is small because most of the cost of disk access is seeking and not the amount transfered. ## Backward-Compatibility This EIP requires a hard fork, since it modifies consensus rules. The main backwards-compatibility-breaking changes is the gas costs for code chunk access making some applications less economically viable. It can be mitigated by increasing the gas limit at the same time as implementing this EIP, reducing the risk that applications will no longer work at all due to transaction gas usage rising above the block gas limit.