-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create HIP: Adopt Cancun EVM SELFDESTRUCT semantics in Hedera #868
Conversation
HIP to adop the SELFDESTRUCT semantics added to the EVM as part of the Cancun fork. Signed-off-by: Danno Ferrin <danno.ferrin@swirldslabs.com>
✅ Deploy Preview for hedera-hips ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Danno Ferrin <danno.ferrin@swirldslabs.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the more intricate of the Cancun features.
Left a few questions to inform some final consideration
HIP/hip-868.md
Outdated
Hedera services may need to be changed to ensure that the transaction processing | ||
does not leave a "shadow" account number for transient self-destructs. Such | ||
transient self-destructs will also need to be tested to ensure all HTS tokens | ||
are properly swept during the sweep as well as the transient contract modes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@q: Does Ethereum have support for cases where the SELFDESTRUCT attempt fail for some reason and funds aren't swept?
We may want to support cases where the beneficiary account isn't associated with the HTS token
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. Selfdestruct always happens. The only way it doesn't stick is if the outer calling contract reverts. Then all sub-calls side effects are fully reverted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This HIP should specify what happens, then, in this case where the beneficiary account doesn't have an association to the HTS token? Allowing the sweep to happen in that case breaks our rules for tokens (and seems to allow for exploits), but if not doing it then what?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about for
Sweep (choose 1)
- Revert the overall transaction if the transfer account is not associated with the token. This stays in line with Hedera architecture since HTS tokens is an outside EVM
- Best effort to transfer tokens to transfer account. If it's not associated the transaction does fail since the HBAR is swept. I'm leaning to this option since Sweep on the EVM doesn't factor in token balances anyway
Delete (intention with fallback logic)
- transfer tokens to the transfer account noted in the selfdestruct
- If transfer account is not associated transfer tokens to the treasurer as the last option.
Wdyt?
HIP/hip-868.md
Outdated
|
||
### Hedera Services | ||
|
||
Hedera services may need to be changed to ensure that the transaction processing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: Does the EVM assign an address to the contract that did not exist prior to transaction processing or does it go unaddressed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another question is should that contract call another contract or send cryptocurrency.
What address does the EVM/Ethereum use to express the from address in that account to account interaction?
This may inform how we identify the transient contract
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You know the address of the contract during the initcode, so yes. The case it matters for 6780 would be CREATE2 initcode, where the address is a function within the EVM of the salt and initcode. We are safe not allocating a hedera address until after the full transaction completes (until the hedera account service precompile launches...)
The other case is contract creation transaction. That already has a high overhead cost to users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem is if we don't create an account then the record file will have an ambiguous contractId as the recipient of any transfers as part of the sweep.
If we can get a unique address that will never be reused then we should issue an contractId with the record files showing ContractCreate, Contract Delete child transactions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some questions.
HIP/hip-868.md
Outdated
Hedera services may need to be changed to ensure that the transaction processing | ||
does not leave a "shadow" account number for transient self-destructs. Such | ||
transient self-destructs will also need to be tested to ensure all HTS tokens | ||
are properly swept during the sweep as well as the transient contract modes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This HIP should specify what happens, then, in this case where the beneficiary account doesn't have an association to the HTS token? Allowing the sweep to happen in that case breaks our rules for tokens (and seems to allow for exploits), but if not doing it then what?
deprecated for at least a year on Ethereum Mainnet, so it is expected that such | ||
use cases have never found their way onto Hedera's Mainnet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it worth looking at mirror node data to see if in fact it has happened on mainnet? (Or confirm it hasn't, as expected.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, let's check
The substantial changes of this HIP are the removal of some functionality in | ||
some circumstances. There are no known security impacts of this removal and | ||
furthermore there are no known security mitigations that require the presence of | ||
the removed functionality. It is expected the security implications will be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"minimal to none" -> why not just "none" then?
(Although I see that EIP-6780 says something more specific anyway - does it need to be repeated here?
)
However, since Hedera places "ownership" of token balances with the account | ||
holding the balance we will need to extend the behavior of the sweep mode to | ||
also transfer all HTS tokens to the beneficiary. Notably, for a successful | ||
transaction beneficiary accounts must support the receiving of HTS tokens via | ||
association configuration. This is consistent with current self-destruct | ||
behavior and consistent with the spirit of the Ethereum change in that code and | ||
the account are no longer deleted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, if the contract holds HTS token balance the self-destruct fails with TRANSACTION_REQUIRES_ZERO_TOKEN_BALANCES
. This specification is changing the current behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In follow up seems we'll
- keep it simple and focus on EVM changes only here
- utilize pre-existing flow to govern HTS balances and transient address/account considerations
92c3ce1
to
ae09dc4
Compare
Clarify that there will be EVM non-equivalence - which already exists - for self destructs that interact with Hedera semantics in a way that is affected by the security model. Signed-off-by: David S Bakin <117694041+david-bakin-sl@users.noreply.github.com>
David's changes LGTM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
title: Support Cancun Self-Destruct Semantics in Smart Contract Services | ||
author: Danno Ferrin (@shemnon) | ||
working-group: Nana Essilfie-Conduah <@nana-ec>, Jasper Potts <@jasperpotts>, Richard Bair <@rbair23>, Stoyan Panayotov <stoyan.panayotov@limechain.tech> | ||
type: Standards Track |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We added a new header for council members to see who requested hips. Could you add the 'requested-by' header here and add whoever requested this hip?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is part of EVM equivalence and ensuring the network continues to support the latest Ethereum Hardfork features.
There's no one or few requestors. Just the network staying up to date to ensure support.
Maybe "EVM developers" in general?
Co-authored-by: Nana Essilfie-Conduah <56320167+Nana-EC@users.noreply.github.com> Signed-off-by: Danno Ferrin <danno.ferrin@shemnon.com>
…aph#868) Signed-off-by: Danno Ferrin <danno.ferrin@swirldslabs.com> Signed-off-by: David S Bakin <117694041+david-bakin-sl@users.noreply.github.com> Signed-off-by: Danno Ferrin <danno.ferrin@shemnon.com> Co-authored-by: David S Bakin <117694041+david-bakin-sl@users.noreply.github.com> Co-authored-by: Nana Essilfie-Conduah <56320167+Nana-EC@users.noreply.github.com> Co-authored-by: Michael Garber <michael.garber@swirldslabs.com> Signed-off-by: Kim Rader <kim.rader@swirldslabs.com>
Description:
HIP to adop the SELFDESTRUCT semantics added to the EVM as part of the Cancun fork.
Related issue(s):
Fixes #
Notes for reviewer:
This is one of four related HIPs covering Cancun support.
Checklist