EIP-9999: amend EIP-8141 mode check, fix discard + mode-1 binding, spec-consistency fixes #1
Open
soispoke wants to merge 1 commit into
…ec-consistency fixes Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This PR makes a set of small, text-provable spec fixes to eip-9999.md. It targets the patch-3 branch so the fixes flow into ethereum#11772. Design choices (dependency canonicalization, the wrapper cap model, proof placement, gas accounting, FOCIL binding) are not changed here; they are listed at the end as discussion comments.

Correctness
- assert frame.mode < 3, so DEP_VERIFY_FRAME_MODE = 3 frames are rejected and the mechanism cannot validate as written. Amended to < 4. (The one fix without which nothing validates.)
- discard_hashes as a set of hashes but tested raw dependency triples against it, so no discard ever applied (Test Case 10 could not pass). Now compares triples to a set of triples.
- deps equals the referenced transactions' dependencies; mode-1 did not, so a mode-1 wrapper could carry a valid recursive STARK over deps unrelated to its transactions. Added the same binding to mode 1.

Clarifications
- dependencies(tx)).
- AGGREGATED_VK is a protocol constant, never user-chosen, pinned by block validity rule 2 and carried unchanged through every recursion level (which is why a recursive proof's public inputs are [deps_hash, AGGREGATED_VK] while a leaf takes only data_hash); distinguished it from the per-dependency user vks in the Security note.

Editorial
- FRAMEDATASIZE is not an EIP-8141 instruction; use FRAMEPARAM(0x04, i) for length (matches this EIP's own introspection list).
- get_dependencies(block) / dependencies(block) to the defined name.

Design comments (out of scope for this PR — flagging for discussion)
These are real but change semantics or the DoS model, so they are not in this bug-fix PR:
- get_deps_hash(filtered_deps) == block_deps_hash cannot hold when a block has a duplicate (scheme, data_hash, vk) triple (the block hash counts it twice, the circuit dedups to one) or when the proof is assembled by recursive union (deps ++ inner_deps order ≠ block-tx order). Likely fix: make dependencies a canonical set (sort by the 96-byte dep_id and dedup) in both block_deps_hash and the circuit. This changes consensus semantics, so flagging rather than patching.
- MAX_LEANSTARK_DEPS_PER_WRAPPER = 1 (a Mempool-Level Limit) means a mode-1 mempool wrapper can't aggregate more than one STARK-bearing tx, contradicting "one wrapper containing all currently active transactions". A recursive proof is ~constant size, so leaf count is the wrong axis. Suggest: per-dep caps apply to mode-0 raw wrappers; mode-1 wrappers bounded by serialized size + a tx-reference count.
- MAX_SIGS_PER_TX / MAX_STARKS_PER_TX are described in Security as the primary DoS defense, but no validity rule enforces them, and MAX_DEPENDENCIES_PER_FRAME = 256 lets one frame exceed both.
- recursive_stark_gas appears to charge each dependency twice (per-frame + block-level) and bills users via base fee for the builder's work — clarify additive-vs-replacing and the payer. Separately, make the proof-size bound explicit (fixed trace width, 2**24 cycle cap) so flat gas is visibly justified. (Not proposing dynamic gas.)
- recursive_stark root + block_deps_hash and carrying the proof bytes in a separate erasure-coded object (ePBS commits the small header first, sends the body later).
- deps_hash == hash(deps of the FOCIL's txs) and verify against AGGREGATED_VK (the same hole Spelling, Grammar, Initial Structure ethereum/EIPs#3 closes for mempool wrappers); and FOCIL = [transactions, recursive_stark] intentionally exceeds EIP-7805's 8 KiB IL budget — worth one line documenting that accepted tradeoff.
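
The first design comment above, worked through as an added example (not code from this PR or from the EIP): an order- and duplicate-sensitive dependency hash diverges between block order, a deduplicated view and a recursive union, while the sort-and-dedup canonical form agrees. Assumptions: SHA-256 stands in for the spec's hash, each of scheme, data_hash and vk is 32 bytes (giving the 96-byte dep_id), and all function names are hypothetical.

```python
import hashlib

def dep_id(scheme: bytes, data_hash: bytes, vk: bytes) -> bytes:
    """Assumed encoding: three 32-byte fields concatenated into a 96-byte id."""
    for field in (scheme, data_hash, vk):
        if len(field) != 32:
            raise ValueError("each field must be 32 bytes")
    return scheme + data_hash + vk

def ordered_hash(dep_ids) -> bytes:
    """Hash the list exactly as given: order and duplicates both count."""
    h = hashlib.sha256()  # stand-in for the spec's hash (assumption)
    for d in dep_ids:
        h.update(d)
    return h.digest()

def dedup_view(dep_ids):
    """Drop repeats, keep first-seen order (assumed model of 'dedups to one')."""
    return list(dict.fromkeys(dep_ids))

def canonical_hash(dep_ids) -> bytes:
    """Suggested fix from the comment: sort by dep_id and dedup, then hash."""
    return ordered_hash(sorted(set(dep_ids)))

def word(b: int) -> bytes:
    return bytes([b]) * 32  # constructed 32-byte sample value

# Constructed sample dependencies, not taken from any real block.
A = dep_id(word(1), word(0xAA), word(0x10))
B = dep_id(word(1), word(0xBB), word(0x10))
C = dep_id(word(2), word(0xCC), word(0x20))

block_order = [B, A, B, C]       # block-tx order with B duplicated
recursive_union = [C] + [A, B]   # deps ++ inner_deps

def demo() -> dict:
    deduped = dedup_view(block_order)
    return {
        "dup_mismatch": ordered_hash(block_order) != ordered_hash(deduped),
        "order_mismatch": ordered_hash(deduped) != ordered_hash(recursive_union),
        "canonical_match": canonical_hash(block_order) == canonical_hash(recursive_union),
    }

if __name__ == "__main__":
    print(demo())
```
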