Statelessness gas cost changes EIP draft

Summary

This EIP introduces changes in the gas schedule to reflect the costs of creating a witness. It requires clients to update their database layout to match this, so as to avoid potential DoS attacks.

Motivation

The Verkle tree EIP requires fundamental changes and as a preparation, this EIP is targetting the fork coming right before the verkle tree fork, in order to incentivize Dapp developers to adopt the new storage model, and ample time to adjust to it. It also incentivizes client developers to migrate their database format ahead of the verkle fork.

Specification

Access events

We define access events as follows. When an access event takes place, the accessed data is saved to the Verkle tree (even if it was not modified). An access event is of the form(address, sub_key, leaf_key), determining what data is being accessed.

Access events for account headers

When a non-precompile address is the target of a CALL, CALLCODE, DELEGATECALL, SELFDESTRUCT, EXTCODESIZE, or EXTCODECOPY opcode, or is the target address of a contract creation whose initcode starts execution, process these access events:

(address, 0, VERSION_LEAF_KEY)
(address, 0, CODE_SIZE_LEAF_KEY)

If a call is value-bearing (ie. it transfers nonzero wei), whether or not the callee is a precompile, process these two access events:

(caller_address, 0, BALANCE_LEAF_KEY)
(callee_address, 0, BALANCE_LEAF_KEY)

When a contract is created, process these access events:

(contract_address, 0, VERSION_LEAF_KEY)
(contract_address, 0, NONCE_LEAF_KEY)
(contract_address, 0, BALANCE_LEAF_KEY)
(contract_address, 0, CODE_KECCAK_LEAF_KEY)
(contract_address, 0, CODE_SIZE_LEAF_KEY)

If the BALANCE opcode is called targeting some address, process this access event:

(address, 0, BALANCE_LEAF_KEY)

If the SELFDESTRUCT opcode is called by some caller_address targeting some target_address (regardless of whether it’s value-bearing or not), process access events of the form:

(caller_address, 0, BALANCE_LEAF_KEY)
(target_address, 0, BALANCE_LEAF_KEY)

If the EXTCODEHASH opcode is called targeting some address, process an access event of the form:

(address, 0, CODEHASH_LEAF_KEY)

Access events for storage

SLOAD and SSTORE opcodes with a given address and key process an access event of the form

(address, tree_key, sub_key)

Where tree_key and sub_key are computed as follows:

def get_storage_slot_tree_keys(storage_key: int) -> [int, int]:
    if storage_key < (CODE_OFFSET - HEADER_STORAGE_OFFSET):
        pos = HEADER_STORAGE_OFFSET + storage_key
    else:
        pos = MAIN_STORAGE_OFFSET + storage_key
    return (
        pos // 256,
        pos % 256
    ) 

Access events for code

In the conditions below, “chunk chunk_id is accessed” is understood to mean an access event of the form

(address, (chunk_id + 128) // 256, (chunk_id + 128) % 256)

• At each step of EVM execution, if and only if PC < len(code), chunk PC // CHUNK_SIZE (where PC is the current program counter) of the callee is accessed. In particular, note the following corner cases:
  • The destination of a JUMP (or positively evaluated JUMPI) is considered to be accessed, even if the destination is not a jumpdest or is inside pushdata
  • The destination of a JUMPI is not considered to be accessed if the jump conditional is false.
  • The destination of a jump is not considered to be accessed if the execution gets to the jump opcode but does not have enough gas to pay for the gas cost of executing the JUMP opcode (including chunk access cost if the JUMP is the first opcode in a not-yet-accessed chunk)
  • The destination of a jump is not considered to be accessed if it is beyond the code (destination >= len(code))
  • If code stops execution by walking past the end of the code, PC = len(code) is not considered to be accessed
• If the current step of EVM execution is a PUSH{n}, all chunks `(PC // CHUNK_SIZE) <= chunk_index <= ((PC + n) // CHUNK_SIZE)`` of the callee are accessed.
• If a nonzero-read-size CODECOPY or EXTCODECOPY read bytes x...y inclusive, all chunks (x // CHUNK_SIZE) <= chunk_index <= (min(y, code_size - 1) // CHUNK_SIZE) of the accessed contract are accessed.
  • Example 1: for a CODECOPY with start position 100, read size 50, code_size = 200, x = 100 and y = 149
  • Example 2: for a CODECOPY with start position 600, read size 0, no chunks are accessed
  • Example 3: for a CODECOPY with start position 1500, read size 2000, code_size = 3100, x = 1500 and y = 3099
• CODESIZE, EXTCODESIZE and EXTCODEHASH do NOT access any chunks.
  When a contract is created, access chunks 0 ... (len(code)+30)//31

Write Events

We define write events as follows. Note that when a write takes place, an access event also takes place (so the definition below should be a subset of the definition of access lists) A write event is of the form (address, sub_key, leaf_key), determining what data is being written to.

Write events for account headers

When a nonzero-balance-sending CALL or SELFDESTRUCT with a given sender and recipient takes place, process these write events:

(sender, 0, BALANCE_LEAF_KEY)
(recipient, 0, BALANCE_LEAF_KEY)

When a contract creation is initialized, process these write events:

(contract_address, 0, VERSION_LEAF_KEY)
(contract_address, 0, NONCE_LEAF_KEY)

Only if the value sent with the creation is nonzero, also process:

(contract_address, 0, BALANCE_LEAF_KEY)

When a contract is created, process these write events:

(contract_address, 0, VERSION_LEAF_KEY)
(contract_address, 0, NONCE_LEAF_KEY)
(contract_address, 0, BALANCE_LEAF_KEY)
(contract_address, 0, CODE_KECCAK_LEAF_KEY)
(contract_address, 0, CODE_SIZE_LEAF_KEY)

Write events for storage

SSTORE opcodes with a given address and key process a write event of the form

(address, tree_key, sub_key)

Where tree_key and sub_key are computed as follows:

def get_storage_slot_tree_keys(storage_key: int) -> [int, int]:
    if storage_key < (CODE_OFFSET - HEADER_STORAGE_OFFSET):
        pos = HEADER_STORAGE_OFFSET + storage_key
    else:
        pos = MAIN_STORAGE_OFFSET + storage_key
    return (
        pos // 256,
        pos % 256
    )

Write events for code

When a contract is created, make write events:

(
    address,
    (CODE_OFFSET + i) // VERKLE_NODE_WIDTH,
    (CODE_OFFSET + i) % VERKLE_NODE_WIDTH
)

For i in 0 ... (len(code)+30)//31.

Transactions

Access events

For a transaction, make these access events:

(tx.origin, 0, VERSION_LEAF_KEY)
(tx.origin, 0, BALANCE_LEAF_KEY)
(tx.origin, 0, NONCE_LEAF_KEY)
(tx.origin, 0, CODE_SIZE_LEAF_KEY)
(tx.origin, 0, CODE_KECCAK_LEAF_KEY)
(tx.target, 0, VERSION_LEAF_KEY)
(tx.target, 0, BALANCE_LEAF_KEY)
(tx.target, 0, NONCE_LEAF_KEY)
(tx.target, 0, CODE_SIZE_LEAF_KEY)
(tx.target, 0, CODE_KECCAK_LEAF_KEY)

Write events

(tx.origin, 0, NONCE_LEAF_KEY)

if value is non-zero:

(tx.origin, 0, BALANCE_LEAF_KEY)
(tx.target, 0, BALANCE_LEAF_KEY)

Witness gas costs

Remove the following gas costs:

• Increased gas cost of CALL if it is nonzero-value-sending
• EIP-2200 SSTORE gas costs except for the SLOAD_GAS
• 200 per byte contract code cost

Reduce gas gost:

• CREATE to 1000

When executing a transaction, maintain four sets:

• accessed_subtrees: Set[Tuple[address, int]]
• accessed_leaves: Set[Tuple[address, int, int]]
• edited_subtrees: Set[Tuple[address, int]]
• edited_leaves: Set[Tuple[address, int, int]]

When an access event of (address, sub_key, leaf_key) occurs, perform the following checks:

• If (address, sub_key) is not in accessed_subtrees, charge WITNESS_BRANCH_COST gas and add that tuple to accessed_subtrees.
• If leaf_key is not None and (address, sub_key, leaf_key) is not in accessed_leaves, charge WITNESS_CHUNK_COST gas and add it to accessed_leaves

When a write event of (address, sub_key, leaf_key) occurs, perform the following checks:

• If (address, sub_key) is not in edited_subtrees, charge SUBTREE_EDIT_COST gas and add that tuple to edited_subtrees.
• If leaf_key is not None and (address, sub_key, leaf_key) is not in edited_leaves, charge CHUNK_EDIT_COST gas and add it to edited_leaves
  • Additionally, if there was no value stored at (address, sub_key, leaf_key) (ie. the state held None at that position), charge CHUNK_FILL_COST

Note that tree keys can no longer be emptied: only the values 0...2**256-1 can be written to a tree key, and 0 is distinct from None. Once a tree key is changed from None to not-None, it can never go back to None.

Replacement for access lists

We replace EIP 2930 access lists with an SSZ structure of the form:

class AccessList(Container):
    addresses: List[AccountAccessList, ACCESS_LIST_MAX_ELEMENTS]
    
class AccountAccessList(Container):
    address: Address32
    subtrees: List[AccessSubtree, ACCESS_LIST_MAX_ELEMENTS]
    
class AccessSubtree(Container):
    subtree_key: uint256
    elements: BitVector[256]

Miscellaneous

• The SELFDESTRUCT opcode is renamed to SENDALL, and now only immediately moves all ETH in the account to the target; it no longer destroys code or storage or alters the nonce
• All refunds are removed

Rationale

Gas reform

Gas costs for reading storage and code are reformed to more closely reflect the gas costs under the new Verkle tree design. WITNESS_CHUNK_COST is set to charge 6.25 gas per byte for chunks, and WITNESS_BRANCH_COST is set to charge ~13,2 gas per byte for branches on average (assuming 144 byte branch length) and ~2.5 gas per byte in the worst case if an attacker fills the tree with keys deliberately computed to maximize proof length.

The main differences from gas costs in Berlin are:

• 200 gas charged per 31 byte chunk of code. This has been estimated to increase average gas usage by ~6-12% (see this analysis suggesting 10-20% gas usage increases at a 350 gas per chunk level).
• Cost for accessing adjacent storage slots (key1 // 256 == key2 // 256) decreases from 2100 to 200 for all slots after the first in the group,
• Cost for accessing storage slots 0…63 decreases from 2100 to 200, including the first storage slot. This is likely to significantly improve performance of many existing contracts, which use those storage slots for single persistent variables.

Gains from the latter two properties have not yet been analyzed, but are likely to significantly offset the losses from the first property. It’s likely that once compilers adapt to these rules, efficiency will increase further.

The precise specification of when access events take place, which makes up most of the complexity of the gas repricing, is necessary to clearly specify when data needs to be saved to the period 1 tree.

Implementation notes

This EIP will mean that certain operations, mostly reading and writing several elements in the same suffix tree, become cheaper. If clients retain the same database structure as they have now, this would result in a DOS vector.

So some adaptation of the database is required in order to make this work.

• In all possible futures, it is important to logically separate the commitment scheme from data storage. In particular, no traversal of the commitment scheme tree should be necessary to find any given state element
• In order to make accesses to the same stem cheap as required for this EIP, the best way is probably to store each stem in the same location in the database. Basically the 256 leaves of 32 bytes each would be stored in an 8kB BLOB. The overhead of reading/writing this BLOB is small because most of the cost of disk access is seeking and not the amount transfered.

Backward-Compatibility

This EIP requires a hard fork, since it modifies consensus rules.

The main backwards-compatibility-breaking changes is the gas costs for code chunk access making some applications less economically viable. It can be mitigated by increasing the gas limit at the same time as implementing this EIP, reducing the risk that applications will no longer work at all due to transaction gas usage rising above the block gas limit.