{"id":18150,"date":"2026-03-10T14:48:06","date_gmt":"2026-03-10T14:48:06","guid":{"rendered":"https:\/\/cryptoted.net\/index.php\/2026\/03\/10\/dodging-a-bullet-ethereum-state-problems\/"},"modified":"2026-03-10T14:48:06","modified_gmt":"2026-03-10T14:48:06","slug":"dodging-a-bullet-ethereum-state-problems","status":"publish","type":"post","link":"https:\/\/cryptoted.net\/index.php\/2026\/03\/10\/dodging-a-bullet-ethereum-state-problems\/","title":{"rendered":"Dodging a bullet: Ethereum State Problems"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"\">\n<p class=\"chakra-text css-gi02ar\">With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"state\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"state permalink\" href=\"#state\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>State<\/h2>\n<p class=\"chakra-text css-gi02ar\">Let&#8217;s begin with some background on Ethereum and State.<\/p>\n<p class=\"chakra-text css-gi02ar\">The Ethereum state consists of a patricia-merkle trie, a prefix-tree. 
This post won&#8217;t go into it in too much detail; suffice it to say that as the state grows, the branches in this tree become more dense. Each added account is another leaf. Between the root of the tree and the leaf itself, there are a number of &#8220;intermediate&#8221; nodes.<\/p>\n<p class=\"chakra-text css-gi02ar\">In order to look up a given account, or &#8220;leaf&#8221; in this huge tree, somewhere on the order of 6-9 hashes need to be resolved, from the root, via intermediate nodes, to finally resolve the last hash which leads to the data that we were looking for.<\/p>\n<p class=\"chakra-text css-gi02ar\">In plain terms: whenever a trie lookup is performed to find an account, 8-9 resolve operations are performed. Each resolve operation is one database lookup, and each database lookup may be any number of actual disk operations. The number of disk operations is difficult to estimate, but since the trie keys are cryptographic hashes (collision resistant), the keys are &#8220;random&#8221;, hitting the exact worst case for any database.<\/p>\n<p class=\"chakra-text css-gi02ar\">As Ethereum has grown, it has been necessary to increase the gas prices for operations which access the trie. This was performed in <span class=\"chakra-text css-ons8vw\">Tangerine Whistle<\/span> at block <span class=\"chakra-text css-ons8vw\">2,463,000<\/span> in October 2016, which included <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-150\">EIP 150<\/a>. EIP 150 aggressively raised certain gas costs and introduced a whole slew of changes to protect against DoS attacks, in the wake of the so-called &#8220;Shanghai attacks&#8221;.<\/p>\n<p class=\"chakra-text css-gi02ar\">Another such raise was performed in the <span class=\"chakra-text css-ons8vw\">Istanbul<\/span> upgrade, at block <span class=\"chakra-text css-ons8vw\">9,069,000<\/span> in December 2019. 
In this upgrade, <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-1884\">EIP 1884<\/a> was activated.<\/p>\n<p class=\"chakra-text css-gi02ar\">EIP-1884 introduced the following changes:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\"><span class=\"chakra-text css-ons8vw\">SLOAD<\/span> went from <span class=\"chakra-text css-ons8vw\">200<\/span> to <span class=\"chakra-text css-ons8vw\">800<\/span> gas,<\/li>\n<li class=\"css-0\"><span class=\"chakra-text css-ons8vw\">BALANCE<\/span> went from <span class=\"chakra-text css-ons8vw\">400<\/span> to <span class=\"chakra-text css-ons8vw\">700<\/span> gas (and a cheaper <span class=\"chakra-text css-ons8vw\">SELFBALANCE<\/span> was added),<\/li>\n<li class=\"css-0\"><span class=\"chakra-text css-ons8vw\">EXTCODEHASH<\/span> went from <span class=\"chakra-text css-ons8vw\">400<\/span> to <span class=\"chakra-text css-ons8vw\">700<\/span> gas.<\/li>\n<\/ul>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"the-problems\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"the problems permalink\" href=\"#the-problems\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>The problem(s)<\/h2>\n<p 
class=\"chakra-text css-gi02ar\">In March 2019, Martin Swende was doing some <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/holiman\/vmstats\">measurements<\/a> of EVM opcode performance. That investigation later led to the creation of EIP-1884. A few months prior to EIP-1884 going live, the paper <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/arxiv.org\/abs\/1909.07220\">Broken Metre<\/a> was published (September 2019).<\/p>\n<p class=\"chakra-text css-gi02ar\">Two Ethereum security researchers &#8212; Hubert Ritzdorf and Matthias Egli &#8212; teamed up with one of the authors behind the paper, Daniel Perez, and &#8216;weaponized&#8217; an exploit which they submitted to the Ethereum bug bounty. This was on October 4, 2019.<\/p>\n<p class=\"chakra-text css-gi02ar\">We recommend reading the <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/hackmd.io\/@iwck0wkoSzauVnsYI0h7JA\/SkyFmk4_r\">submission<\/a> in full; it&#8217;s a well-written report.<\/p>\n<p class=\"chakra-text css-gi02ar\">On a channel dedicated to cross-client security, developers from Geth, Parity and Aleth were informed about the submission that same day.<\/p>\n<p class=\"chakra-text css-gi02ar\">The essence of the exploit is to trigger random trie lookups. 
A very simple variant would be:<\/p>\n<div class=\"chakra-stack css-1jx0in4\">\n<pre><code class=\"language-bash\">\tjumpdest     ; jump label, start of loop\n\tgas          ; get a 'random' value on the stack\n\textcodesize  ; trigger trie lookup\n\tpop          ; ignore the extcodesize result\n\tpush1 0x00   ; jump label dest\n\tjump         ; jump back to start\n<\/code><\/pre>\n<\/div>\n<p class=\"chakra-text css-gi02ar\">In their report, the researchers executed this payload against nodes synced up to mainnet, via <span class=\"chakra-text css-ons8vw\">eth_call<\/span>, and these were their numbers when 
executed with <span class=\"chakra-text css-ons8vw\">10M<\/span> gas:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\"><span class=\"chakra-text css-ons8vw\">10M<\/span> gas exploit using <span class=\"chakra-text css-ons8vw\">EXTCODEHASH<\/span> (at 400 gas)\n<\/li>\n<li class=\"css-0\"><span class=\"chakra-text css-ons8vw\">10M<\/span> gas exploit using <span class=\"chakra-text css-ons8vw\">EXTCODESIZE<\/span> (at 700 gas)\n<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">As is plainly obvious, the changes in EIP 1884 were definitely making an impact in reducing the effects of the attack, but it was nowhere near sufficient.<\/p>\n<p class=\"chakra-text css-gi02ar\">This was right before Devcon in Osaka. During Devcon, knowledge of the problem was shared among the mainnet client developers. We also met up with Hubert and Matthias, as well as Greg Markou (from Chainsafe &#8212; who were working on ETC). ETC developers had also received the report.<\/p>\n<p class=\"chakra-text css-gi02ar\">As 2019 was drawing to a close, we knew that we had larger problems than we had previously anticipated, where malicious transactions could lead to blocktimes in the minute-range. 
To further add to the woes: the dev community were already not happy about EIP-1884, which had made certain contract-flows break, and users and miners alike were sorely itching for raised block gas limits.<\/p>\n<p class=\"chakra-text css-gi02ar\">Furthermore, a mere two months later, in December 2019, Parity Ethereum <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/www.parity.io\/parity-ethereum-openethereum-dao\/\">announced<\/a> their departure from the scene, and OpenEthereum took over maintenance of the codebase.<\/p>\n<p class=\"chakra-text css-gi02ar\">A new client coordination channel was created, where Geth, Nethermind, OpenEthereum and Besu developers continued to coordinate.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"the-solutions\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"the solutions permalink\" href=\"#the-solutions\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>The solution(s)<\/h2>\n<p class=\"chakra-text css-gi02ar\">We realised that we would have to take a two-pronged approach to handle these problems. 
One approach would be to work on the Ethereum protocol, and somehow solve this problem at the protocol layer; preferably without breaking contracts, and preferably without penalizing &#8216;good&#8217; behaviour, yet still managing to prevent attacks.<\/p>\n<p class=\"chakra-text css-gi02ar\">The second approach would be through software engineering, by changing the data models and structures within the clients.<\/p>\n<h3 class=\"chakra-heading group css-xuzltg\" id=\"protocol-work\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"protocol work permalink\" href=\"#protocol-work\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Protocol work<\/h3>\n<p class=\"chakra-text css-gi02ar\">The first iteration of how to handle these types of attacks is <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/gist.github.com\/holiman\/aafd9a46f6849deb380004178d44c434\">here<\/a>. In February 2020, it was officially launched as <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-2583\">EIP 2583<\/a>. 
The idea behind it is to simply add a penalty every time a trie lookup causes a miss.<\/p>\n<p class=\"chakra-text css-gi02ar\">However, Peter found a work-around for this idea &#8212; the &#8216;shielded relay&#8217; attack &#8211; which places an upper bound (around ~800) on how large such a penalty can effectively be.<\/p>\n<p class=\"chakra-text css-gi02ar\">The issue with <em class=\"chakra-text css-0\">penalties for misses<\/em> is that the lookup needs to happen first, to determine that a penalty must be applied. But if there is not enough gas left for the penalty, an unpaid consumption has been performed. Even though that does result in a throw, these state reads can be wrapped into nested calls; allowing the outer caller to continue repeating the attack without paying the (full) penalty.<\/p>\n<p class=\"chakra-text css-gi02ar\">Because of that, the EIP was abandoned, while we were searching for a better alternative.<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Alexey Akhunov explored the idea of <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/ethresear.ch\/t\/oil-adding-a-second-fuel-source-to-the-evm-pre-eip\/7394\">Oil<\/a> &#8212; a secondary source of &#8220;gas&#8221;, but which was intrinsically different from <span class=\"chakra-text css-ons8vw\">gas<\/span>, in that it would be invisible to the execution layer, and could cause transaction-global reverts.<\/li>\n<li class=\"css-0\">Martin wrote up a similar proposal, about <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/gist.github.com\/holiman\/8a3c31e459ee1bff04256bc214ea7f14\">Karma<\/a>, in May 2020.<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">While iterating on these various schemes, Vitalik Buterin proposed to just increase the gas costs, and maintain access lists. 
In August 2020, Martin and Vitalik started iterating on what was to become <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-2929\">EIP-2929<\/a> and its companion-eip, <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-2930\">EIP-2930<\/a>.<\/p>\n<p class=\"chakra-text css-gi02ar\">EIP-2929 effectively solved a lot of the former issues.<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">As opposed to EIP-1884, which unconditionally raised costs, it instead raised costs only for things not already accessed. This leads to a mere <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/holiman\/eip2929-stats\/blob\/main\/README.md#summary\">sub-percent increase<\/a> in net costs.<\/li>\n<li class=\"css-0\">Also, along with EIP-2930, it does not break any contract flows,<\/li>\n<li class=\"css-0\">And it can be further tuned with raised gascosts (without breaking things).<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">On the 15th of April 2021, they both went live with the <span class=\"chakra-text css-ons8vw\">Berlin<\/span> upgrade.<\/p>\n<h3 class=\"chakra-heading group css-xuzltg\" id=\"development-work\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"development work permalink\" href=\"#development-work\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path 
d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Development work<\/h3>\n<p class=\"chakra-text css-gi02ar\">Peter&#8217;s attempt to solve this matter was <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/ethereum\/go-ethereum\/pull\/20152\">dynamic state snapshots<\/a>, in October 2019.<\/p>\n<p class=\"chakra-text css-gi02ar\">A snapshot is a secondary data structure for storing the Ethereum state in a flat format, which can be built fully online, during the live operation of a Geth node. The benefit of the snapshot is that it acts as an acceleration structure for state accesses:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Instead of doing <span class=\"chakra-text css-ons8vw\">O(log N)<\/span> disk reads (<span class=\"chakra-text css-ons8vw\">x<\/span> LevelDB overhead) to access an account \/ storage slot, the snapshot can provide direct, <span class=\"chakra-text css-ons8vw\">O(1)<\/span> access time (<span class=\"chakra-text css-ons8vw\">x<\/span> LevelDB overhead).<\/li>\n<li class=\"css-0\">The snapshot supports account and storage iteration at <span class=\"chakra-text css-ons8vw\">O(1)<\/span> complexity per entry, which enables remote nodes to retrieve sequential state data significantly cheaper than before.<\/li>\n<li class=\"css-0\">The presence of the snapshot also enables more exotic use cases such as offline-pruning the state trie, or migrating to other data formats.<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">The downside of the snapshot is that the raw account and storage data is essentially duplicated. 
In the case of mainnet, this means an extra <span class=\"chakra-text css-ons8vw\">25GB<\/span> of SSD space used.<\/p>\n<p class=\"chakra-text css-gi02ar\">The dynamic snapshot idea had already been started in mid-2019, aiming primarily to be an enabler for <span class=\"chakra-text css-ons8vw\">snap<\/span> sync. At the time, there were a number of &#8220;big projects&#8221; that the geth team was working on.<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Offline state pruning<\/li>\n<li class=\"css-0\">Dynamic snapshots + snap sync<\/li>\n<li class=\"css-0\">LES state distribution via sharded state<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">However, it was decided to fully prioritize snapshots, postponing the other projects for now. These laid the groundwork for what was later to become the <span class=\"chakra-text css-ons8vw\">snap\/1<\/span> sync <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/ethereum\/devp2p\/blob\/master\/caps\/snap.md\">algorithm<\/a>. It was merged in March 2020.<\/p>\n<p class=\"chakra-text css-gi02ar\">With the &#8220;dynamic snapshot&#8221; functionality released into the wild, we had a bit of breathing room. If the Ethereum network were hit with an attack, it would be painful, yes, but it would at least be possible to inform users about enabling the snapshot. 
The whole snapshot generation would take a lot of time, and there was no way to sync the snapshots yet, but the network could at least continue to operate.<\/p>\n<h3 class=\"chakra-heading group css-xuzltg\" id=\"tying-up-the-threads\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"tying up the threads permalink\" href=\"#tying-up-the-threads\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Tying up the threads<\/h3>\n<p class=\"chakra-text css-gi02ar\">In March-April 2021, the <span class=\"chakra-text css-ons8vw\">snap\/1<\/span> protocol was rolled out in geth, making it possible to sync using the new snapshot-based algorithm. 
While still not the default sync mode, it is one (important) step towards making the snapshots not only useful as an attack-protection, but also as a major improvement for users.<\/p>\n<p class=\"chakra-text css-gi02ar\">On the protocol side, the <span class=\"chakra-text css-ons8vw\">Berlin<\/span> upgrade occurred April 2021.<\/p>\n<p class=\"chakra-text css-gi02ar\">Some benchmarks made on our AWS monitoring environment are below:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Pre-berlin, no snapshots, <span class=\"chakra-text css-ons8vw\">25M<\/span> gas: <span class=\"chakra-text css-ons8vw\">14.3s<\/span><\/li>\n<li class=\"css-0\">Pre-berlin, with snapshots, <span class=\"chakra-text css-ons8vw\">25M<\/span> gas: <span class=\"chakra-text css-ons8vw\">1.5s<\/span><\/li>\n<li class=\"css-0\">Post-berlin, no snapshots, <span class=\"chakra-text css-ons8vw\">25M<\/span> gas: <span class=\"chakra-text css-ons8vw\">~3.1s<\/span><\/li>\n<li class=\"css-0\">Post-berlin, with snapshots, <span class=\"chakra-text css-ons8vw\">25M<\/span> gas: <span class=\"chakra-text css-ons8vw\">~0.3s<\/span><\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">The (rough) numbers indicate that <span class=\"chakra-text css-ons8vw\">Berlin<\/span> reduced the efficiency of the attack by <span class=\"chakra-text css-ons8vw\">5x<\/span>, and snapshot reduces it by <span class=\"chakra-text css-ons8vw\">10x<\/span>, totalling to a <span class=\"chakra-text css-ons8vw\">50x<\/span> reduction of impact.<\/p>\n<p class=\"chakra-text css-gi02ar\">We estimate that currently, on Mainnet (15M gas), it would be possible to create blocks that would take <span class=\"chakra-text css-ons8vw\">2.5-3s<\/span> to execute on a <span class=\"chakra-text css-ons8vw\">geth<\/span> node <em class=\"chakra-text css-0\">without<\/em> snapshots. 
This number will continue to deteriorate (for non-snapshot nodes), as the state grows.<\/p>\n<p class=\"chakra-text css-gi02ar\">If refunds are used to increase the effective gas usage within a block, this can be further exacerbated by a factor of (max) <span class=\"chakra-text css-ons8vw\">2x<\/span> . With <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-1559\">EIP 1559<\/a>, the block gas limit will have a higher elasticity, and allow a further <span class=\"chakra-text css-ons8vw\">2x<\/span> (the <span class=\"chakra-text css-ons8vw\">ELASTICITY_MULTIPLIER<\/span>) in temporary bursts.<\/p>\n<p class=\"chakra-text css-gi02ar\">As for the feasibility of executing this attack; the cost for an attacker of buying a full block would be on the order of a few ether (<span class=\"chakra-text css-ons8vw\">15M<\/span> gas at <span class=\"chakra-text css-ons8vw\">100Gwei<\/span> is <span class=\"chakra-text css-ons8vw\">1.5<\/span> ether).<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"why-disclose-now\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"why disclose now permalink\" href=\"#why-disclose-now\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path 
d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Why disclose now<\/h2>\n<p class=\"chakra-text css-gi02ar\">This threat has been an &#8220;open secret&#8221; for a long time &#8212; it has actually been publicly disclosed by mistake at least once, and it has been referenced in ACD calls several times without explicit details.<\/p>\n<p class=\"chakra-text css-gi02ar\">Since the Berlin upgrade is now behind us, and since geth nodes by default are using snapshots, we estimate that the threat is low enough that transparency trumps, and it&#8217;s time to make a full disclosure about the works behind the scenes.<\/p>\n<p class=\"chakra-text css-gi02ar\">It&#8217;s important that the community is given a chance to understand the reasoning behind changes that negatively affect the user experience, such as raising gas costs and limiting refunds.<\/p>\n<hr aria-orientation=\"horizontal\" class=\"chakra-divider css-1e6gg7n\"\/>\n<p class=\"chakra-text css-gi02ar\">This post was written by Martin Holst Swende and Peter Szilagyi 2021-04-23.<br \/>\nIt was shared with other Ethereum-based projects on 2021-04-26, and publicly disclosed on 2021-05-18.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/blog.ethereum.org\/en\/2021\/05\/18\/eth-state-problems\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork. State Let&#8217;s begin with some background on Ethereum and State. The Ethereum state consists of a patricia-merkle trie, a prefix-tree. 
This post won&#8217;t go into it [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[24],"tags":[],"kronos_expire_date":[],"class_list":["post-18150","post","type-post","status-publish","format-standard","hentry","category-ethereum"],"_links":{"self":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/comments?post=18150"}],"version-history":[{"count":0,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18150\/revisions"}],"wp:attachment":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media?parent=18150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/categories?post=18150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/tags?post=18150"},{"taxonomy":"kronos_expire_date","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/kronos_expire_date?post=18150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}