EIP-2937: SET_INDESTRUCTIBLE opcode


Metadata
Status: StagnantStandards Track: CoreCreated: 2020-09-04
Authors
Vitalik Buterin (@vbuterin)

Simple Summary


Add a SET_INDESTRUCTIBLE (0xA8) opcode that prevents the contract from calling SELFDESTRUCT (0xFF).

Abstract


Motivation


The intended use case would be for contracts to make their first byte of code be the SET_INDESTRUCTIBLE opcode if they wish to serve as libraries that guarantee to users that their code will exist unmodified forever. This is useful in account abstraction as well as other contexts.

Unlike EIPs that disable the SELFDESTRUCT opcode entirely, this EIP does not modify behavior of any existing contracts.

Specification


Add a transaction-wide global variable globals.indestructible: Set[Address] (i.e. a variable that operates the same way as the selfdestructs set), initialized to the empty set.

Add a SET_INDESTRUCTIBLE opcode at 0xA8, with gas cost G_base, that adds the current callee to the globals.indestructible set. If in the current execution context the callee is in globals.indestructible, the SELFDESTRUCT opcode throws an exception.

Rationale


Alternative proposals to this include:

  • Simply banning SELFDESTRUCT outright. This would be ideal, but has larger backwards compatibility issues.
  • Using a local variable instead of a global variable. This is problematic because it would be broken by DELEGATECALL.

Backwards Compatibility


TBD

Security Considerations


This breaks forward compatibility with some forms of state rent, which would simply delete contracts that get too old without paying some maintenance fee. However, this is not the case with all state size control schemes; for example this is not an issue if we use ReGenesis.

If SELFDESTRUCT is ever removed in the future, this EIP would simply become a no-op.

Copyright


Copyright and related rights waived via CC0.