Store last HISTORY_SERVE_WINDOW historical block hashes in the storage of a system contract as part of the block processing logic. Furthermore this EIP has no impact on BLOCKHASH resolution mechanism (and hence its range/costs etc).
EVM implicitly assumes the client has the recent block (hashes) at hand. This assumption is not future-proof given the prospect of stateless clients. Including the block hashes in the state will allow bundling these hashes in the witness provided to a stateless client. This is already possible in the MPT and will become more efficient post-Verkle.
Extending the range of blocks which BLOCKHASH can serve (BLOCKHASH_SERVE_WINDOW) would have been a semantics change. Using extending that via this contract storage would allow a soft-transition. Rollups can benefit from the longer history window through directly querying this contract.
A side benefit of this approach could be that it allows building/validating proofs related to last HISTORY_SERVE_WINDOW ancestors directly against the current state.
| Parameter | Value |
|---|---|
BLOCKHASH_SERVE_WINDOW | 256 |
HISTORY_SERVE_WINDOW | 8191 |
SYSTEM_ADDRESS | 0xfffffffffffffffffffffffffffffffffffffffe |
HISTORY_STORAGE_ADDRESS | 0x0000F90827F1C53a10cb7A02335B175320002935 |
This EIP specifies for storing last HISTORY_SERVE_WINDOW block hashes in a ring buffer storage of HISTORY_SERVE_WINDOW length. Note that HISTORY_SERVE_WINDOW > BLOCKHASH_SERVE_WINDOW (which remains unchanged).
At the start of processing any block where this EIP is active (ie. before processing any transactions), call to HISTORY_STORAGE_ADDRESS as SYSTEM_ADDRESS with the 32-byte input of block.parent.hash, a gas limit of 30_000_000, and 0 value. This will trigger the set() routine of the history contract. This is a system operation following the same convention as EIP-4788 and therefore:
HISTORY_STORAGE_ADDRESS, the call must fail silentlyNote: Alternatively clients can choose to directly write to the storage of the contract but EVM calling the contract remains preferred. Refer to the rationale for more info.
Note that, it will take HISTORY_SERVE_WINDOW blocks after the EIP's activation to completely fill up the ring buffer. The contract will only contain the parent hash of the fork block and no hashes prior to that.
The BLOCKHASH opcode semantics remains the same as before.
The history contract has two operations: get and set. The set operation is invoked only when the caller is equal to the SYSTEM_ADDRESS as per EIP-4788. Otherwise the get operation is performed.
getIt is used from the EVM for looking up block hashes.
HISTORY_SERVE_WINDOW, block.number-1], revert.setblock.parent.hash as calldata to the contract.block.number-1 % HISTORY_SERVE_WINDOW to be calldata[0:32].Exact evm assembly that can be used for the history contract:
A special synthetic address is generated by working backwards from the desired deployment transaction:
Note, the input in the transaction has a simple constructor prefixing the desired runtime code.
The sender of the transaction can be calculated as 0x3462413Af4609098e1E27A490f554f260213D685. The address of the first contract deployed from the account is rlp([sender, 0]) which equals 0x0000F90827F1C53a10cb7A02335B175320002935. This is how HISTORY_STORAGE_ADDRESS is determined. Although this style of contract creation is not tied to any specific initcode like create2 is, the synthetic address is cryptographically bound to the input data of the transaction (e.g. the initcode).
Some activation scenarios:
1, genesis hash will be written as a normal operation to slot 0.1, only genesis hash will be written at slot 0.32, block 31's hash will be written to slot 31. Every other slot will be 0.The bytecode above will be deployed à la EIP-4788. As such the account at HISTORY_STORAGE_ADDRESS will have code and a nonce of 1, and will be exempt from EIP-161 cleanup.
The system update at the beginning of the block, i.e. process_block_hash_history (or via system call to the contract with SYSTEM_ADDRESS caller), will not warm the HISTORY_STORAGE_ADDRESS account or its storage slots as per EIP-2929 rules. As such the first call to the contract will pay for warming up the account and storage slots it accesses.To clarify further any contract call to the HISTORY_STORAGE_ADDRESS will follow normal EVM execution semantics.
Since BLOCKHASH semantics doesn't change, this EIP has no impact on BLOCKHASH mechanism and costs.
Very similar ideas were proposed before. This EIP is a simplification, removing two sources of needless complexity:
However after weighing pros and cons, we decided to go with just a limited ring buffer to only serve the requisite HISTORY_SERVE_WINDOW as EIP-4788 and beacon state accumulators allow (albeit a bit more complex) proof against any ancestor since merge.
Second concern was how to best transition the BLOCKHASH resolution logic post fork by:
HISTORY_SERVE_WINDOW blocks for the entire relevant history to persistHISTORY_SERVE_WINDOW block hashes on the fork block.We choose to go with the former. It simplifies the logic greatly. It will take roughly a day to bootstrap the contract. Given that this is a new way of accessing history and no contract depends on it, it is deemed a favorable tradeoff.
Clients have generally two options for inserting the parent block hash into state:
HISTORY_STORAGE_ADDRESS and letting that handle the storing in state.The latter option is as follows:
The first option is recommended until the Verkle fork, to stay consistent with EIP-4788 and to issues for misconfigured networks where this EIP is activated but history contract hasn't been deployed. The recommendation may be reconsidered at the Verkle fork if filtering the system contract code chunks is deemed too complex.
The ring buffer data structure is sized to hold 8191 hashes. In other system contracts a prime ring buffer size is chosen in because using a prime as the modulus ensures that no value is overwritten until the entire ring buffer has been saturated and thereafter, each value will be updated once per iteration, regardless of if some slot are missing or the slot time changes. However, in this EIP the block number is the value in the modulo operation and it only ever increases by 1 each iteration. Which means we can be confident that the ring buffer will always remain saturated.
For consistency with other system contracts, we have decided to retain the buffer size of 8191. Given the current mainnet values, 8191 roots provides about a day of coverage. This also gives users plenty of time to make a transaction with a verification against a specific hash and get the transaction included on-chain.
This EIP introduces backwards incompatible changes to the block validation rule set. But neither of these changes break anything related to current user activity and experience.
Having contracts (system or otherwise) with hot update paths (branches) poses a risk of "branch" poisoning attacks where attacker could sprinkle trivial amounts of eth around these hot paths (branches). But it has been deemed that cost of attack would escalate significantly to cause any meaningful slow down of state root updates.
Copyright and related rights waived via CC0.