|
2 | 2 | eip: 3540
|
3 | 3 | title: EOF - EVM Object Format v1
|
4 | 4 | description: EOF is an extensible and versioned container format for EVM bytecode with a once-off validation at deploy time.
|
5 |
| -author: Alex Beregszaszi (@axic), Paweł Bylica (@chfast), Andrei Maiboroda (@gumb0) |
| 5 | +author: Alex Beregszaszi (@axic), Paweł Bylica (@chfast), Andrei Maiboroda (@gumb0), Hubert Ritzdorf (@ritzdorf) |
6 | 6 | discussions-to: https://ethereum-magicians.org/t/evm-object-format-eof/5727
|
7 | 7 | status: Review
|
8 | 8 | type: Standards Track
|
@@ -164,6 +164,7 @@ For clarity, the *container* refers to the complete account code, while *code* r
|
164 | 164 | 4. `CODECOPY`/`CODESIZE`/`EXTCODECOPY`/`EXTCODESIZE`/`EXTCODEHASH` keeps operating on the entire *container*.
|
165 | 165 | 5. The input to `CREATE`/`CREATE2` is still the entire *container*.
|
166 | 166 | 6. The size limit for deployed code as specified in [EIP-170](./eip-170.md) and for initcode as specified in [EIP-3860](./eip-3860.md) is applied to the entire *container* size, not to the *code* size. This also means if initcode validation fails, it is still charged the EIP-3860 `initcode_cost`.
|
| 167 | +7. When an EOF1 contract performs a `DELEGATECALL` the target contract has to be EOF1. If it is not EOF1 (e.g. it is EOF0 or EOF2), the `DELEGATECALL` exceptionally halts. Hence, (among other things) all the gas passed to the `DELEGATECALL` is consumed and 0 is pushed onto the stack. As it is not valid EOF1, `DELEGATECALL` to an empty container also fails. |
167 | 168 |
|
168 | 169 | (*Remark:* Due to [EIP-4750](./eip-4750.md), `JUMP` and `JUMPI` are disabled and therefore are not discussed in relation to EOF.)
|
169 | 170 |
|
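Review bot: In the added item 7, "the `DELEGATECALL` exceptionally halts" conflicts with "0 is pushed onto the stack" later in the same item. If the instruction itself halted exceptionally, the calling frame would abort and nothing would be pushed. The rest of the item suggests the intent is that the call fails and the caller continues, so I would say that directly, for example "the call fails: all gas passed to it is consumed and 0 is pushed onto the stack". The last sentence should also say whether "empty container" covers accounts with no code at all, since those are not containers, and "EOF0" is used here without a definition in the surrounding text.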
@@ -250,6 +251,10 @@ It is possible in the future that this data will be accessible with data-specifi
|
250 | 251 |
|
251 | 252 | The value for `PC` is specified to start at 0 and to be within the active *code* section. We considered keeping `PC` to operate on the whole *container* and be consistent with `CODECOPY`/`EXTCODECOPY` but in the end decided otherwise. This also feels more natural and easier to implement in EVM: the new EOF EVM should only care about traversing *code* and accessing other parts of the *container* only on special occasions (e.g. in `CODECOPY` instruction).
|
252 | 253 |
|
| 254 | +### EOF1 contracts can only `DELEGATECALL` EOF1 contracts |
| 255 | + |
| 256 | +Currently contracts can selfdestruct in three different ways (directly through `SELFDESTRUCT`, indirectly through `CALLCODE` and indirectly through `DELEGATECALL`). EIP 3670 disables the first two possibilities, however the third possibility remains. Allowing EOF1 contracts to only `DELEGATECALL` other EOF1 contracts allows the following strong statement: EOF1 contract can never be destructed. Attacks based on `SELFDESTRUCT` completely disappear for EOF1 contracts. These include destructed library contracts (e.g. Parity Multisig). |
| 257 | + |
253 | 258 | ## Backwards Compatibility
|
254 | 259 |
|
255 | 260 | This is a breaking change given that any code starting with `0xEF` was not deployable before (and resulted in exceptional abort if executed), but now some subset of such codes can be deployed and executed successfully.
|
|
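Review bot: The statement "EOF1 contract can never be destructed" in the new rationale section holds only because EIP-3670 disables `SELFDESTRUCT` and `CALLCODE`, yet that dependency appears only in passing as "EIP 3670". Please state it as a precondition of the guarantee and link it as `[EIP-3670](./eip-3670.md)`, matching the other EIP references in this file. The restriction also prevents EOF1 contracts from delegating to existing non-EOF1 libraries, and the Backwards Compatibility section directly below is not updated to mention that. Minor: "EOF1 contract can never" is missing an article.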