Adds a new mechanism to allow validators to trigger withdrawals and exits from their execution layer (0x01) withdrawal credentials.
These new execution layer exit messages are appended to the execution layer block and then processed by the consensus layer.
Validators have two keys -- an active key and a withdrawal credential. The active key takes the form of a BLS key, whereas the withdrawal credential can either be a BLS key (0x00) or an execution layer address (0x01). The active key is "hot", actively signing and performing validator duties, whereas the withdrawal credential can remain "cold", only performing limited operations in relation to withdrawing and ownership of the staked ETH. Due to this security relationship, the withdrawal credential ultimately is the key that owns the staked ETH and any rewards.
As currently specified, only the active key can initiate a validator exit. This means that in any non-standard custody relationship (i.e., the active key is a separate entity from the withdrawal credentials), the ultimate owner of the funds -- the possessor of the withdrawal credentials -- cannot independently choose to exit and begin the withdrawal process. This leads to either trust issues (e.g. ETH can be "held hostage" by the active key owner) or insufficient work-arounds such as pre-signed exits. Additionally, in the event that active keys are lost, a user should still be able to recover their funds by using their cold withdrawal credentials.
To ensure that the withdrawal credentials (owned by both EOAs and smart contracts) can trustlessly control the destiny of the staked ETH, this specification enables exits triggerable by 0x01 withdrawal credentials.
Note, 0x00 withdrawal credentials can be changed into 0x01 withdrawal credentials with a one-time signed message. Thus any functionality enabled for 0x01 credentials is defacto enabled for 0x00 credentials.
| Name | Value | Comment |
|---|---|---|
WITHDRAWAL_REQUEST_PREDEPLOY_ADDRESS | 0x00000961Ef480Eb55e80D19ad83579A64c007002 | Where to call and store relevant details about exit / partial withdrawal mechanism |
WITHDRAWAL_REQUEST_TYPE | 0x01 | The EIP-7685 type prefix for withdrawal request |
SYSTEM_ADDRESS | 0xfffffffffffffffffffffffffffffffffffffffe | Address used to invoke system operation on contract |
EXCESS_WITHDRAWAL_REQUESTS_STORAGE_SLOT | 0 | |
WITHDRAWAL_REQUEST_COUNT_STORAGE_SLOT | 1 | |
WITHDRAWAL_REQUEST_QUEUE_HEAD_STORAGE_SLOT | 2 | Pointer to head of the withdrawal request message queue |
WITHDRAWAL_REQUEST_QUEUE_TAIL_STORAGE_SLOT | 3 | Pointer to the tail of the withdrawal request message queue |
WITHDRAWAL_REQUEST_QUEUE_STORAGE_OFFSET | 4 | The start memory slot of the in-state withdrawal request message queue |
MAX_WITHDRAWAL_REQUESTS_PER_BLOCK | 16 | Maximum number of withdrawal requests that can be dequeued into a block |
TARGET_WITHDRAWAL_REQUESTS_PER_BLOCK | 2 | |
MIN_WITHDRAWAL_REQUEST_FEE | 1 | |
WITHDRAWAL_REQUEST_FEE_UPDATE_FRACTION | 17 | |
EXCESS_INHIBITOR | 2**256-1 | Excess value used to compute the fee before the first system call |
FORK_BLOCK -- the first block in a blockchain after this EIP has been activated.The new withdrawal request operation is an EIP-7685 request
with type 0x01 and consists of the following fields:
source_address: Bytes20validator_pubkey: Bytes48amount: uint64The EIP-7685 encoding of a withdrawal request is computed as follows.
Note that amount is returned by the contract little-endian, and must be encoded as such.
The contract has three different code paths, which can be summarized at a high level as follows:
56 byte input, the validator's public
key concatenated with a big-endian uint64 amount value.If call data input to the contract is exactly 56 bytes, perform the following:
check_fee())increment_count())insert_withdrawal_request_into_queue())Specifically, the functionality is defined in pseudocode as the function add_withdrawal_request():
The following pseudocode can compute the cost of an individual withdrawal request, given a certain number of excess withdrawal requests.
When the input to the contract is length zero, interpret this as a get request for the current fee, i.e. the contract returns the result of get_fee().
At the end of processing any execution block starting from the FORK_BLOCK (i.e. after processing all transactions and after performing the block body withdrawal requests validations), call WITHDRAWAL_REQUEST_PREDEPLOY_ADDRESS as SYSTEM_ADDRESS with no calldata. The invocation triggers the following:
dequeue_withdrawal_requests())update_excess_withdrawal_requests())reset_withdrawal_requests_count())Each withdrawal request must appear in the EIP-7685 requests list in the exact order returned by dequeue_withdrawal_requests().
Additionally, the system call and the processing of that block must conform to the following:
30_000_000.WITHDRAWAL_REQUEST_PREDEPLOY_ADDRESS, the corresponding block MUST be marked invalid.The functionality triggered by the system call is defined in pseudocode as the function read_withdrawal_requests():
The withdrawal requests contract is deployed like any other smart contract. A special synthetic address is generated by working backwards from the desired deployment transaction:
Sketch of spec:
ExecutionLayerWithdrawalRequestExecutionPayload as an SSZ List bound by length MAX_WITHDRAWAL_REQUESTS_PER_BLOCKprocess_voluntary_exit but can fail validations (e.g. validator is already exited) without the block failing (similar to deposit coming from EL)process_operations for each ExecutionLayerWithdrawalRequest found in the ExecutionPayloadvalidator_pubkey fieldMultiple validators can utilize the same execution layer withdrawal credential, thus the validator_pubkey field is utilized to disambiguate which validator is being exited.
Note, validator_index also disambiguates validators.
The problem is that smart contracts of some staking pools are not aware of the indices, because the index becomes known only after the validator has been created on the beacon chain, while the pubkey is available in advance.
The contract maintains an in-state queue of withdrawal request messages to be dequeued each block into the block and thus into the execution layer.
The number of withdrawal requests that can be passed into the consensus layer are bound by MAX_WITHDRAWAL_REQUESTS_PER_BLOCK to bound the load both on the block size as well as on the consensus layer processing. 16 has been chosen for MAX_WITHDRAWAL_REQUESTS_PER_BLOCK to be in line with the bounds of similar operations on the beacon chain -- e.g. VoluntaryExit and Deposit.
Although there is a maximum number of withdrawal requests that can be passed to the consensus layer each block, the execution layer gas limit can provide for far more calls to the withdrawal request predeploy contract at each block. The queue then allows for these calls to successfully be made while still maintaining a system rate limit.
The alternative design considered was to have calls to the contract fail after MAX_WITHDRAWAL_REQUESTS_PER_BLOCK successful calls were made within the context of a single block. This would eliminate the need for the message queue, but would come at the cost of a bad UX of contract call failures in times of high exiting. The complexity to mitigate this bad UX is relatively low and is currently favored.
Transactions are naturally rate-limited in the execution layer via the gas limit, but an adversary willing to pay market-rate gas fees (and potentially utilize builder markets to pay for front-of-block transaction inclusion) can fill up the exit operation limits for relatively cheap, thus griefing honest validators that want to make a withdrawal request.
There are two general approaches to combat this griefing -- (a) only allow validators to send such messages and with a limit per time period or (b) utilize an economic method to make such griefing increasingly costly.
Method (a) (not used in this EIP) would require EIP-4788 (the BEACON_ROOT opcode) against which to prove withdrawal credentials in relation to validator pubkeys as well as a data-structure to track requests per-unit-time (e.g. 4 months) to ensure that a validator cannot grief the mechanism by submitting many requests. The downsides of this method are that it requires another cross-layer EIP and that it is of higher cross-layer complexity (e.g. care that might need to be taken in future upgrades if, for example, the shape of the merkle tree of BEACON_ROOT changes, then the contract and proof structure might need to be updated).
Method (b) has been utilized in this EIP to eliminate additional EIP requirements and to reduce cross-layer complexity to allow for correctness of this EIP (now and in the future) to be easier to analyze. The EIP-1559-style mechanism with a dynamically adjusting fee mechanism allows for users to pay MIN_WITHDRAWAL_REQUEST_FEE for withdrawal requests in the normal case (fewer than 2 per block on average), but scales the fee up exponentially in response to high usage (i.e. potential abuse).
TARGET_WITHDRAWAL_REQUESTS_PER_BLOCK configuration valueTARGET_WITHDRAWAL_REQUESTS_PER_BLOCK has been selected as 2 such that the growth of the partial withdrawal queue in the beacon state is negligible under extreme scenarios of the exit churn congestion.
The fee update rule is intended to approximate the formula fee = MIN_WITHDRAWAL_REQUEST_FEE * e**(excess / WITHDRAWAL_REQUEST_FEE_UPDATE_FRACTION), where excess is the total "extra" amount of withdrawal requests that the chain has processed relative to the "targeted" number (TARGET_WITHDRAWAL_REQUESTS_PER_BLOCK per block).
Like EIP-1559, it’s a self-correcting formula: as the excess goes higher, the fee increases exponentially, reducing usage and eventually forcing the excess back down.
The block-by-block behavior is roughly as follows. If block N processes X requests, then at the end of block N excess increases by X - TARGET_WITHDRAWAL_REQUESTS_PER_BLOCK, and so the fee in block N+1 increases by a factor of e**((X - TARGET_WITHDRAWAL_REQUESTS_PER_BLOCK) / WITHDRAWAL_REQUEST_FEE_UPDATE_FRACTION). Hence, it has a similar effect to the existing EIP-1559, but is more "stable" in the sense that it responds in the same way to the same total withdrawal requests regardless of how they are distributed over time.
The parameter WITHDRAWAL_REQUEST_FEE_UPDATE_FRACTION controls the maximum downwards rate of change of the blob gas price. It is chosen to target a maximum downwards change rate of e(TARGET_WITHDRAWAL_REQUESTS_PER_BLOCK / WITHDRAWAL_REQUEST_FEE_UPDATE_FRACTION) ≈ 1.125 per block.
More detailed analysis of the fee mechanism is available here.
Withdrawal requests are placed into the actual body of the beacon block.
There is a strong design requirement that the consensus layer and execution layer can execute independently of each other. This means, in this case, that the consensus layer cannot rely upon a synchronous call to the execution layer to get the required withdrawal requests for the current block. Instead, the requests must be embedded in the beacon block such that if the execution layer is offline, the consensus layer still has the requisite data to fully execute the consensus portion of the state transition function.
Verifying secp256k1 signatures from the consensus layer via Engine API is one of the alternatives to the proposed requests mechanism which engineering complexity is much lower.
However, this approach would limit usage of withdrawal requests to a large extent by making it impossible for smart contracts owning validator withdrawal credentials to benefit from this functionality.
This EIP introduces backwards incompatible changes to the block structure and block validation rule set. But neither of these changes break anything related to current user activity and experience.
There might be existing custody relationships and/or products that rely upon the assumption that the withdrawal credentials cannot trigger a withdrawal request. We are currently confident that the additional withdrawal credentials feature does not impact the security of existing validators because:
In the event that existing validators/custodians rely on this, then the validators can be exited and restaked utilizing 0x01 withdrawal credentials pointing to a smart contract that simulates this behaviour.
Calls to the system contract require a fee payment defined by the current contract state. Overpaid fees are not returned to the caller. It is not generally possible to compute the exact required fee amount ahead of time. When adding a withdrawal request from a contract, the contract can perform a read operation to check for the current fee and then pay exactly the required amount. Here is an example in Solidity:
Note: the system contract uses the EVM CALLER operation (Solidity: msg.sender) as the target address for withdrawals, i.e. the address that calls the system contract must match the 0x01 withdrawal credential recorded in the beacon state.
Note: the above code reverts if the fee is too high, the fee can change significantly between creation of a withdrawal request transaction and its inclusion into a block, thus, this check is very important to avoid overpayments.
Using an EOA to request withdrawals will always result in overpayment of fees. There is no way for an EOA to use a wrapper contract to request a withdrawal. And even if a way existed, the gas cost of returning the overage would likely be higher than the overage itself. If requesting withdrawals to an EOA through the system contract is desired, we recommend that users perform transaction simulations to estimate a reasonable fee amount to send.
Although the likelihood of a failed system call to WITHDRAWAL_REQUEST_PREDEPLOY_ADDRESS is extremely low, the behavior in such cases is well-defined: the block is marked as invalid. However, if the failure results from processing a transaction within the block, the public mempool may still retain the transaction even after the block is invalidated. This can result in the offending transaction being included again, potentially causing one or more subsequent slots to go without valid blocks. To mitigate this, we recommend that the block producer implementation shuffle their transaction set to increase the chances of producing a valid block, without the offending transaction(s). The block producer implementation and/or the mempool should be aware of system call failure scenarios to enable this behavior.
This EIP should not have been activated if there is no code present at WITHDRAWAL_REQUEST_PREDEPLOY_ADDRESS (i.e., if the chain is not "ready"). Doing so would cause the first and all subsequent blocks after FORK_BLOCK to be marked invalid.
If this situation occurs on a live chain, the following are two potential recovery strategies:
FORK_BLOCK activation point by updating the consensual fork timestamp or block number in the client implementation(s), then deploy the contract before the fork activates.Copyright and related rights waived via CC0.