-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gas limits for calls #117
Comments
Limiting the ref_time seems do-able via an approximation, we could benchmark a bunch contracts and approximate a ref_time X EVM gas factor. This solves the problem of too much arbitrary code execution in sub-calls, most importantly transfers. However, it doesn't solve the DOS vector as malicious contracts can potentially still use up a lot of gas via proof_size. So with either solution, we'd have an API for calls with EVM gas instead of our traditional weights. The pallet does then take care of translating the supplied gas stipend into sensible weight limits, either via a fixed factor (1.), via a relative approach (2.) or somehow else. The pallet should do it because if it is a compile time constant we can never change it (in case we have to bump it). |
Also note that zkSync is passing gas as-is to the eravm. I don't see anything in the docs how eravm gas relates to evm gas, however are hardly exactly equivalent to the EVM, but it seems fine for them too? Related issue is to cap nested stack frames at 63/64. |
We discussed the following:
|
Tasks:
|
We decided to not go with the The reason why they want to prevent contracts reaching this limit is to avoid so called stack depth attacks. Only contracts not checking the return values of sub calls would be vulnerable. i.e contracts lacking basic error handling. Those would be vulnerable to many more other vulnerabilities since they treat a fallible operation as infallible. The conclusion is that we leave the limits as is: Sub calls can exactly the resources their callee assigns to them. As of right now this is always all resources with the exception (to be implemented as part of this issue) of our heuristic for detecting balance transfers. Eventually we will add a pre-compile that allows fine grained resource control over sub calls (out of scope for this issue). |
Gas does not correspond to
ref_time
exactly as semantically equivalent code can exhibit totally different gas usage on EVM vs. ref_time usage on PVM.Right now we ignore it, making all calls unconstrained. But those gas limits are a security feature (DOS and re-entrancy).
Without gas limits in place, we essentially force people to not use existing libraries and write their contracts such that any calls or transfers are made at the end of the execution or when 1/64 of the available gas is enough to complete after the call or transfer.
Possible solutions:
ref_time
limit with respect to our ref_time block limit (the portion that's allocated for contracts).Drawback is that the compiler (i.e. the user) needs to know the absolute(Solved if the pallet takes care of this). However we can implement it in the pallet to reflect that. Also note that on Ethereum, for transfers a gas stipend ofref_time
limit of the target blockchain. It also largely disconnects the semantic meaning of the value should the block limits in either chain change2300
is hard-coded in the compiler, so realistically they can never make any change breaking this.Note: By default, when no explicit gas limit is specified, solc compiles down to supplying what the
gas()
opcode returns.The text was updated successfully, but these errors were encountered: