Note

The author of this document now favors this alternative proposal to achieve the same goal:

https://notes.ethereum.org/@vbuterin/witness_gas_cost_2

Simple Summary

Add a gas cost charge for accessing each individual “chunk” (contiguous 31-byte segment) of code, to bound the maximum witness size of a block.

Motivation

There is a strong desire to allow stateless verification of blocks. A client should be able to verify the correctness of any individual block without any extra information except for a small file that any state-holding node can generate, called a witness, that contains the portion of the state accessed by the block along with proofs of correctness.

Stateless verification has important benefits including allowing clients to run in low-disk-space environments, enabling semi-light-client setups where clients trust blocks by default but stand ready to verify any specific block in the case of an alarm, and sharding setups where clients jump between shards frequently and cannot keep up with the state of all shards. However, stateless verification is not practical at present because a worst-case block accesses a very large amount of state and the witness size would be prohibitively large.

A large part of these issues either already has been resolved or is expected to be soon resolved. EIP 2929 increased the cost of random state access to ~1900-2600 gas, reducing the maximum amount of state that can be accessed. A move to Verkle trees will decrease the witness size to a mere ~200 bytes per account or storage slot access. These two steps together limit witness data from storage or account accesses to ~1.5 MB in a 15M gas block (with the exception of possible tree attacks that could increase the worst case to ~3 MB).

But there is one major remaining hole: contract code. A contract’s code can contain up to 24000 bytes, and so a 2600 gas CALL can add ~24200 bytes to the witness size. This implies a worst-case witness size of over 100 MB. The solution is to move away from storing code as a single monolithic hash, and instead break it up into chunks that can be proven separately; this can be done simultaneously with a move to a Verkle tree. However, to actually bound witness size, we also need to add a gas rule that accounts for these costs. This EIP proposes an EIP-2929-like “accessed code chunks” list.

Specification

Parameters

Constant Value
CHUNK_SIZE 31
CHUNK_ACCESS_COST 350
ACCESS_LIST_CHUNK_ACCESS_COST 330

Changes

When executing a transaction, maintain a set accessed_code_chunks: Set[Tuple[Address, int]]. When a chunk of code not in the set is accessed, charge CHUNK_ACCESS_COST gas, and add that chunk to the set.

Only chunks 0 ... (code_size - 1) // CHUNK_SIZE can be accessed or charged for (for accounts with empty code, that’s the empty set); attempts to access code chunks beyond this range are not charged for or added to the accessed_code_chunks set.

We determine when a “chunk of code is accessed” as follows:

We extend EIP 2930 by changing the access list format to allow address records in the access list to have either length 2 (as in EIP 2930) or length 3. If they have length 3, the three items are as follows:

  1. The address (as in EIP 2930)
  2. A list of storage keys (as in EIP 2930)
  3. A list of chunk indices, where each index is a uint16 in little-endian format (ie. a 2-byte integer, with an appended zero even if n < 256)

Charge ACCESS_LIST_CHUNK_ACCESS_COST for each chunk in the access list, and add those chunks to accessed_code_chunks.

Rationale

In the current proposed Verkle tree specification, all “account header” fields and code are stored in a single depth-2 subtree of the state trie. The data overhead for accessing all of this tree is ~400 bytes (~150 bytes for the Merkle branch for the subtree, plus 48 bytes for the sub-root commitment and 48 bytes for each of the four sub-tree commitments).

The base gas cost of calling an account is 2600 gas. For a contract call to require the full 400-byte witness, it must access all four code sub-trees and incur the per-chunk cost at least once. This pushes the total witness size to 400 + 34 * 4 = 536 (a chunk is 32 bytes + 2 bytes for the chunk index), with a total gas cost of 2600 + 350 * 4 = 4000; hence, the witness gas cost is ~7.5 gas per byte. Additional chunk accesses add 350 gas for 34 bytes, or ~10.3 gas per byte. This is within the same neighborhood as the gas cost to witness data ratio of other state accesses.

Chunk size in this EIP is set to 31 bytes to allow one byte to be prepended to the chunk saved in the Verkle tree to represent the number of bytes at the start of the chunk that are pushdata.

Backwards Compatibility

This EIP will increase the cost of calling some contracts significantly. The access list extension ensures that this does not break backwards compatibility, much like the original introduction of EIP 2930 ensured that EIP 2929 does not break backwards compatibility.

[Empirical analysis TBD]

Security Considerations

[TBD]

Copyright and related rights waived via CC0.

Last changed by  
vbuterin
5349

Read more

Verkle tree integration

Simple Summary Introduce a new Verkle state tree alongside the existing hexary Patricia tree. After the hard fork, the Verkle tree stores all edits to state and a copy of all accessed state, and the hexary Patricia tree can no longer be modified. This is a first step in a multi-phase transition to Ethereum exclusively relying on Verkle trees to store execution state. Motivation Verkle trees solve the key problem standing in the way of Ethereum being stateless-client-friendly: witness sizes. A witness accessing an account in today's hexary Patricia tree is, in the average case, close to 3 kB, and in the worst case it may be three times larger. Assuming a worst case of 6000 accesses per block (15m gas / 2500 gas per access), this corresponds to a witness size of ~18 MB, which is too large to safely broadcast through a p2p network within a 12-second slot. Verkle trees reduce witness sizes to ~200 bytes per account in the average case, allowing stateless client witnesses to be acceptably small. Specification Verkle tree definition We define a Verkle tree here by providing the function to compute the root commitment given a set of 32-byte keys and 32-byte values. Algorithms for updating and inserting values are up to the implementer; the only requirement is that the root commitment after the update must continue to match the value computed from this specification. We will then define an embedding that provides the 32-byte key at which any particular piece of state information (account headers, code, storage) should be stored.

Nov 24, 2022
Paths toward single-slot finality

Special thanks to Justin Drake, Dankrad Feist, Alex Obadia, Hasu, Anders Elowsson and miscellaneous hackmd anons for feedback and review of various versions of this post. Today, Ethereum blocks take 64-95 slots (~15 minutes) to finalize. This was justified as picking a compromise position on the decentralization / finality time / overhead tradeoff curve: 15 minutes is not too long and it's comparable to existing exchanges' confirmation times, it allows users to run nodes on regular computers, even with the large number of validators arising from a deposit size of 32 ETH (as opposed to the earlier value of 1500 ETH). However, there are a lot of good arguments for decreasing the finality time to a single slot. This is a state-of-research post reviewing the roadmap for how to do so. How and why Ethereum staking works today Ethereum's LMD GHOST + Casper FFG consensus is a compromise between the two major styles of consensus popular in proof of stake blockchains: Chain-based consensus, where one message (the block) is produced during each slot (a pre-determined interval of time, eg. 12 seconds in Ethereum). Chain-based consensus maximizes the number of participants and minimizes chain load, but easily forks and does not have any notion of finality. Traditional BFT consensus, where each validator makes two messages ("attestations") per slot in addition to one validator making a block, and one slot's block gets irreversibly "finalized" before the next slot begins. Traditional BFT consensus minimizes time to finality, but at the cost of high chain load and only supporting a small number of participants.

Oct 20, 2022
The road to account abstraction

Account abstraction allows us to use smart contract logic to specify not just the effects of the transaction, but also the fee payment and validation logic. This allows many important security benefits, such as multisig and smart recovery wallets, being able to change keys without changing wallets, and quantum-safety. Many approaches to account abstraction have been proposed and implemented to various degrees, see: EIP-86, EIP-2938, and this doc from two years ago. Today, development on EIPs is stalled due to a desire to focus on the merge and sharding, but an alternative that does not require any consensus changes has seen great progress: ERC-4337. ERC-4337 attempts to do the same thing that EIP-2938 does, but through extra-protocol means. Users are expected to send off-chain messages called user operations, which get collected and packaged in bulk into a single transaction by either the block proposer or a builder producing bundles for block proposers. The proposer or builder is responsible for filtering the operations to ensure that they only accept operations that pay fees. There is a separate mempool for user operations, and nodes connected to this mempool do ERC-4337-specific validations to ensure that a user operation is guaranteed to pay fees before forwarding it. ERC-4337 can do a lot as a purely voluntary ERC. However, there are a few key areas where it is weaker than a truly in-protocol solution: Existing users cannot upgrade without moving all their assets and activity to a new account Extra gas overhead (~42k for a basic UserOperation compared to ~21k for a basic transaction)

Oct 1, 2022
Proposals to adjust memory gas costs

Currently, we limit the memory consumption of the EVM in two ways: a quadratic memory expansion cost and a de-facto call stack depth limit enforced with the EIP-150 "63/64 rule". These mechanisms are reasonably effective at their desired goal, but are both needlessly complicated and inefficient, punishing regular users too much and DoS attackers too little. This post proposes some alternative designs that better meet the key goal of limiting EVM memory usage. How does memory gas pricing work today? Quadratic memory expansion cost Extending memory in a callframe to $L$ chunks (so, $L * 32$ bytes) requires paying $\lfloor \frac{L^2}{512} \rfloor + 3L$ gas. This is charged in real time. For example, if memory is currently 16 chunks long, and a MSTORE op fills bytes 682...713, then memory is extended to 23 chunks, and $(\lfloor \frac{23^2}{512} \rfloor + 3 * 23) - (\lfloor \frac{16^2}{512} \rfloor + 3 * 16) =$ $(1 + 69) - (0 + 48) = 22$ extra memory expansion gas is charged. See implementation here. Note that this is on a per-call-frame basis: if a call makes a child call, memory in the child call is initialized as empty and pricing for it starts from zero.

Jul 30, 2022
Read more from vbuterin
Published on HackMD