Create HIP: Adopt Cancun EVM SELFDESTRUCT semantics in Hedera #868
Conversation
HIP to adop the SELFDESTRUCT semantics added to the EVM as part of the Cancun fork. Signed-off-by: Danno Ferrin <danno.ferrin@swirldslabs.com>
✅ Deploy Preview for hedera-hips ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
shemnon
changed the title
Signed-off-by: Danno Ferrin <danno.ferrin@swirldslabs.com>
mgarbs
requested review from
rbair23,
nickpoorman,
jasperpotts,
Nana-EC,
lukelee-sl and
david-bakin-sl
HIP/hip-868.md
Outdated
| Hedera services may need to be changed to ensure that the transaction processing | ||
| does not leave a "shadow" account number for transient self-destructs. Such | ||
| transient self-destructs will also need to be tested to ensure all HTS tokens | ||
| are properly swept during the sweep as well as the transient contract modes. |
There was a problem hiding this comment.
@q: Does Ethereum have support for cases where the SELFDESTRUCT attempt fail for some reason and funds aren't swept?
We may want to support cases where the beneficiary account isn't associated with the HTS token
There was a problem hiding this comment.
No. Selfdestruct always happens. The only way it doesn't stick is if the outer calling contract reverts. Then all sub-calls side effects are fully reverted.
There was a problem hiding this comment.
This HIP should specify what happens, then, in this case where the beneficiary account doesn't have an association to the HTS token? Allowing the sweep to happen in that case breaks our rules for tokens (and seems to allow for exploits), but if not doing it then what?
There was a problem hiding this comment.
What about for
Sweep (choose 1)
- Revert the overall transaction if the transfer account is not associated with the token. This stays in line with Hedera architecture since HTS tokens is an outside EVM
- Best effort to transfer tokens to transfer account. If it's not associated the transaction does fail since the HBAR is swept. I'm leaning to this option since Sweep on the EVM doesn't factor in token balances anyway
Delete (intention with fallback logic)
- transfer tokens to the transfer account noted in the selfdestruct
- If transfer account is not associated transfer tokens to the treasurer as the last option.
Wdyt?
HIP/hip-868.md
Outdated
|
|
||
| ### Hedera Services | ||
|
|
||
| Hedera services may need to be changed to ensure that the transaction processing |
There was a problem hiding this comment.
Q: Does the EVM assign an address to the contract that did not exist prior to transaction processing or does it go unaddressed?
There was a problem hiding this comment.
Another question is should that contract call another contract or send cryptocurrency.
What address does the EVM/Ethereum use to express the from address in that account to account interaction?
This may inform how we identify the transient contract
There was a problem hiding this comment.
You know the address of the contract during the initcode, so yes. The case it matters for 6780 would be CREATE2 initcode, where the address is a function within the EVM of the salt and initcode. We are safe not allocating a hedera address until after the full transaction completes (until the hedera account service precompile launches...)
The other case is contract creation transaction. That already has a high overhead cost to users.
There was a problem hiding this comment.
The problem is if we don't create an account then the record file will have an ambiguous contractId as the recipient of any transfers as part of the sweep.
If we can get a unique address that will never be reused then we should issue an contractId with the record files showing ContractCreate, Contract Delete child transactions
HIP/hip-868.md
Outdated
| Hedera services may need to be changed to ensure that the transaction processing | ||
| does not leave a "shadow" account number for transient self-destructs. Such | ||
| transient self-destructs will also need to be tested to ensure all HTS tokens | ||
| are properly swept during the sweep as well as the transient contract modes. |
There was a problem hiding this comment.
This HIP should specify what happens, then, in this case where the beneficiary account doesn't have an association to the HTS token? Allowing the sweep to happen in that case breaks our rules for tokens (and seems to allow for exploits), but if not doing it then what?
| deprecated for at least a year on Ethereum Mainnet, so it is expected that such | ||
| use cases have never found their way onto Hedera's Mainnet. |
There was a problem hiding this comment.
Is it worth looking at mirror node data to see if in fact it has happened on mainnet? (Or confirm it hasn't, as expected.)
| The substantial changes of this HIP are the removal of some functionality in | ||
| some circumstances. There are no known security impacts of this removal and | ||
| furthermore there are no known security mitigations that require the presence of | ||
| the removed functionality. It is expected the security implications will be |
There was a problem hiding this comment.
"minimal to none" -> why not just "none" then?
(Although I see that EIP-6780 says something more specific anyway - does it need to be repeated here?
)
| However, since Hedera places "ownership" of token balances with the account | ||
| holding the balance we will need to extend the behavior of the sweep mode to | ||
| also transfer all HTS tokens to the beneficiary. Notably, for a successful | ||
| transaction beneficiary accounts must support the receiving of HTS tokens via | ||
| association configuration. This is consistent with current self-destruct | ||
| behavior and consistent with the spirit of the Ethereum change in that code and | ||
| the account are no longer deleted. |
There was a problem hiding this comment.
Currently, if the contract holds HTS token balance the self-destruct fails with TRANSACTION_REQUIRES_ZERO_TOKEN_BALANCES. This specification is changing the current behavior.
david-bakin-sl
force-pushed
the
cancun-selfdestruct-changes
branch
from
92c3ce1
to
ae09dc4
Compare
Clarify that there will be EVM non-equivalence - which already exists - for self destructs that interact with Hedera semantics in a way that is affected by the security model. Signed-off-by: David S Bakin <117694041+david-bakin-sl@users.noreply.github.com>
|
David's changes LGTM |
| title: Support Cancun Self-Destruct Semantics in Smart Contract Services | ||
| author: Danno Ferrin (@shemnon) | ||
| working-group: Nana Essilfie-Conduah <@nana-ec>, Jasper Potts <@jasperpotts>, Richard Bair <@rbair23>, Stoyan Panayotov <stoyan.panayotov@limechain.tech> | ||
| type: Standards Track |
There was a problem hiding this comment.
We added a new header for council members to see who requested hips. Could you add the 'requested-by' header here and add whoever requested this hip?
There was a problem hiding this comment.
This is part of EVM equivalence and ensuring the network continues to support the latest Ethereum Hardfork features.
There's no one or few requestors. Just the network staying up to date to ensure support.
Maybe "EVM developers" in general?
Co-authored-by: Nana Essilfie-Conduah <56320167+Nana-EC@users.noreply.github.com> Signed-off-by: Danno Ferrin <danno.ferrin@shemnon.com>
…aph#868) Signed-off-by: Danno Ferrin <danno.ferrin@swirldslabs.com> Signed-off-by: David S Bakin <117694041+david-bakin-sl@users.noreply.github.com> Signed-off-by: Danno Ferrin <danno.ferrin@shemnon.com> Co-authored-by: David S Bakin <117694041+david-bakin-sl@users.noreply.github.com> Co-authored-by: Nana Essilfie-Conduah <56320167+Nana-EC@users.noreply.github.com> Co-authored-by: Michael Garber <michael.garber@swirldslabs.com> Signed-off-by: Kim Rader <kim.rader@swirldslabs.com>
Description:
HIP to adop the SELFDESTRUCT semantics added to the EVM as part of the Cancun fork.
Related issue(s):
Fixes #
Notes for reviewer:
This is one of four related HIPs covering Cancun support.
Checklist