@zkasm/zkevm-rom 0.0.1-security → 6.0.1

package/main/load-tx-rlp-utils.zkasm

@@ -0,0 +1,72 @@
+;@info: Add 'data' bytes to batchHashData. batchHashData = H_keccak( transactions )
+;@in: D: length of the hash
+addBatchHashData:
+        $ => HASHPOS                    :MLOAD(batchHashPos)
+        $ => E                          :MLOAD(batchHashDataId)
+        A                               :HASHK(E)
+        HASHPOS                         :MSTORE(batchHashPos)
+        C => HASHPOS
+        $ => E                          :MLOAD(lastHashKIdUsed), RETURN
+
+;; get D bytes from transaction bytes
+;@in D: number of bytes to get
+;@in C: current data parsed pointer
+;@out A: D bytes from batch data at offset C
+getTxBytes:
+        $ => A                          :MLOAD(batchL2DataLength)
+        $ => B                          :MLOAD(batchL2DataParsed)
+        A - B - C - D                   :JMPN(invalidTxRLP)
+        ${getTxs(p,D)} => A
+        $${p = p + D}
+                                        :RETURN
+
+;; Add bytes to generate ethereum signed message
+;; - legacy transaction: signedMessage = H_keccak(rlp(nonce, gasprice, gaslimit, to, value, data, chainId, 0, 0))
+;; - pre EIP-155: signedMessage = H_keccak(rlp(nonce, gasprice, gaslimit, to, value, data))
+addHashTx:
+        $ => A                          :MLOAD(txRLPLength)
+        A - HASHPOS - D                 :JMPN(invalidTxRLP)
+addHashTxBegin:
+        $ => A                          :MLOAD(batchL2DataLength)
+        $ => B                          :MLOAD(batchL2DataParsed)
+        A - B - C - D                   :JMPN(invalidTxRLP)
+        ${getTxs(p,D)} => A
+        $${p = p + D}
+        A                               :HASHK(E)
+        C + D => C                      :RETURN
+
+
+;; Check short value is over 127. Error RLP: single byte < 0x80 are not prefixed
+checkShortRLP:
+        D - 1                           :JMPNZ(skipCheckShort)
+        A - %MIN_VALUE_SHORT            :JMPN(invalidTxRLP)
+
+skipCheckShort:
+                                        :RETURN
+
+;; Check long list/value is over 55 bytes long. Error RLP: encoded list too short
+checkLongRLP:
+        A - %MIN_BYTES_LONG             :JMPN(invalidTxRLP)
+                                        :RETURN
+
+;; Check short value is over 127. Error RLP: single byte < 0x80 are not prefixed
+checkShortDataRLP:
+        $ => B                          :MLOAD(txCalldataLen)
+        B - 1                           :JMPNZ(skipCheckShortData)
+        A - %MIN_VALUE_SHORT            :JMPN(invalidTxRLP)
+
+skipCheckShortData:
+                                        :RETURN
+
+;; Check non-negative integer RLP representation has no leading zeros and it is encoded in its shortest form
+VAR GLOBAL tmpVarAcheckNonLeadingZeros
+VAR GLOBAL tmpVarZkPCcheckNonLeadingZeros
+checkNonLeadingZeros:
+        RR                              :MSTORE(tmpVarZkPCcheckNonLeadingZeros)
+        A                               :MSTORE(tmpVarAcheckNonLeadingZeros)
+        ; set value to B and get its
+        A => B                          :CALL(getLenBytes) ; in: [B: number] out: [A: byte length of B]
+        ; check (bytes length - encoded length) are not equal
+        D - A                           :JMPNZ(invalidTxRLP)
+        $ => RR                         :MLOAD(tmpVarZkPCcheckNonLeadingZeros)
+        $ => A                          :MLOAD(tmpVarAcheckNonLeadingZeros), RETURN

package/main/load-tx-rlp.zkasm

@@ -0,0 +1,431 @@
+INCLUDE "load-tx-rlp-utils.zkasm"
+INCLUDE "load-change-l2-block.zkasm"
+INCLUDE "l2-tx-hash.zkasm"
+
+; Blocks RLP parsing
+;       A - Initialization
+;       B - Read and check RLP fields. Fill 'batchHashData' and Ethereum signed transaction bytes
+;       C - Read signature. Fill 'batchHashData' bytes
+;       D - Finish RLP parsing
+;       E - Handler error RLP fields
+
+;;;;;;;;;;;;;;;;;;
+;; A - Initialization
+;;     - Data to parse
+;;         - legacy transaction: [rlp(nonce, gasprice, gaslimit, to, value, data, chainId, 0, 0)|r|s|v|effectivePercentage]
+;;         - pre EIP-155 transaction (https://eips.ethereum.org/EIPS/eip-155): [rlp(nonce, gasprice, gaslimit, to, value, data)|r|s|v|effectivePercentage]
+;;         - internal transaction changeL2Block: [txType, deltaTimestamp, indexL1InfoTree]
+;;      - Signed Ethereum transaction
+;;         - legacy transaction: H_keccak(rlp(nonce, gasprice, gaslimit, to, value, data, chainId, 0, 0))
+;;         - pre EIP-155 transaction: H_keccak(rlp(nonce, gasprice, gaslimit, to, value, data))
+;;     - RLP encoding information: https://ethereum.org/en/developers/docs/data-structures-and-encoding/rlp
+;;     - Entire batch is discarded (no transaction is processed) if any error is found
+;;;;;;;;;;;;;;;;;;
+
+loadTx_rlp:
+        ; check one keccak is available to begin processing the RLP
+        $ => D                                          :MLOAD(cntKeccakPreProcess)
+        %MAX_CNT_KECCAK_F - CNT_KECCAK_F - 1 - D        :JMPN(outOfCountersKeccak)
+
+        ; Pointer to next RLP bytes to read
+        0 => C
+        ; Check it is a change L2 block transaction
+        %TX_TYPE_NUM_BYTES => D
+        ; batchL2DataLength is not zero (at least 1 byte), checked at main
+        ${getTxs(p,D)} => A
+        $${p = p + D}
+        C + D => C                      :CALL(addBatchHashData)
+        A - %CHANGE_L2_BLOCK_TX_TYPE    :JMPZ(decodeChangeL2BlockTx)
+checkFirstTxType:
+        ; First transaction must be a change L2 block transaction if it is NOT a forced batch
+        $                               :MLOAD(pendingTxs), JMPNZ(loadTx_rlp_continue)
+        ; If it is not forced and it is not a change L2 block transaction, we discard the entire batch
+        $                               :MLOAD(isForced), JMPZ(invalidNotFirstTxChangeL2Block)
+
+loadTx_rlp_continue:
+        ; We get a new hashId
+        $ => E                          :MLOAD(nextHashPId)
+        E                               :MSTORE(l2TxHashPointer)
+        E + 1                           :MSTORE(nextHashPId)
+        $ => E                          :MLOAD(lastHashKIdUsed)
+        E + 1 => E                      :MSTORE(lastHashKIdUsed)
+;;;;;;;;;;;;;;;;;;
+;; B - Read and check RLP fields. Fill 'batchHashData' and Ethereum signed transaction bytes
+;;;;;;;;;;;;;;;;;;
+
+;; Read RLP list length
+        ; Add first byte to tx hash and batch hash
+        ; A new hash with position 0 is started
+        0 => HASHPOS
+        A                               :HASHK(E)
+        A - 0xc1                        :JMPN(invalidTxRLP)
+        A - 0xf8                        :JMPN(shortList)
+        ; do not allow lists over 2**24 bytes length
+        ; Transaction could not have more than 120.000 due to smart contract limitation (keccaks counters)
+        ; meaning that the RLP encoding is wrong
+        A - 0xfb                        :JMPN(longList, invalidTxRLP)
+
+longList:
+        A - 0xf7 => D                   :CALL(addHashTxBegin)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkLongRLP)
+                                        :CALL(checkNonLeadingZeros)
+                                        :JMP(endList)
+shortList:
+        A - 0xc0 => A
+
+endList:
+        A + C => B                      :MSTORE(txRLPLength)
+        ; Check enough keccak zk counters to digest tx hash
+        ; We don't check poseidon counters spent for l2 tx hash computing because the number of poseidon counters available is x100 the number of keccak available
+        ; so while rlp parsing, keccaks will always be the bottleneck
+        B + 1                           :MSTORE(arithA)
+        136                             :MSTORE(arithB), CALL(divARITH); in: [arithA, arithB] out: [arithRes1: arithA/arithB, arithRes2: arithA%arithB]
+        $ => B                          :MLOAD(arithRes1)
+        $ => D                          :MLOAD(cntKeccakPreProcess)
+        %MAX_CNT_KECCAK_F - CNT_KECCAK_F - B - D - 1    :JMPN(outOfCountersKeccak)
+                                        :CALL (initL2HashTx)
+
+;; Read RLP 'nonce'
+        ; 64 bits max
+nonceREAD:
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(endNonce)
+        A - 0x81                        :JMPN(nonce0)
+        A - 0x89                        :JMPN(shortNonce, invalidTxRLP)
+
+nonce0:
+        0 => A                          :MSTORE(lengthNonce), JMP(endNonce)
+
+shortNonce:
+        A - 0x80 => D
+        D                               :MSTORE(lengthNonce),CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkShortRLP)
+                                        :CALL(checkNonLeadingZeros)
+
+endNonce:
+        8 => D
+        A                               :MSTORE(txNonce), CALL(addL2HashTx)
+
+;; Read RLP 'gas price'
+        ; 256 bits max
+gasPriceREAD:
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(endGasPrice)
+        A - 0x81                        :JMPN(gasPrice0)
+        A - 0xa1                        :JMPN(shortGasPrice, invalidTxRLP)
+
+gasPrice0:
+        0 => A                          :JMP(endGasPrice)
+
+shortGasPrice:
+        A - 0x80 => D                   :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkShortRLP)
+                                        :CALL(checkNonLeadingZeros)
+
+endGasPrice:
+        32 => D
+        A                               :MSTORE(txGasPriceRLP), CALL(addL2HashTx)
+
+
+;; Read RLP 'gas limit'
+        ; 64 bits max
+gasLimitREAD:
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(endGasLimit)
+        A - 0x81                        :JMPN(gasLimit0)
+        A - 0x89                        :JMPN(shortGasLimit, invalidTxRLP)
+
+gasLimit0:
+        0 => A                          :JMP(endGasLimit)
+
+shortGasLimit:
+        A - 0x80 => D                   :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkShortRLP)
+                                        :CALL(checkNonLeadingZeros)
+
+endGasLimit:
+        8 => D
+        A                               :MSTORE(txGasLimit), CALL(addL2HashTx)
+
+;; Read RLP 'to'
+        ; 160 bits or empty
+toREAD:
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(invalidTxRLP)
+        A - 0x81                        :JMPN(noTo)
+        A - 0x94                        :JMPN(invalidTxRLP)
+        A - 0x95                        :JMPN(shortTo, invalidTxRLP)
+
+noTo:
+        1                               :MSTORE(isCreateContract), CALL(addL2HashTx_isDeploy)
+                                        :JMP(endTo)
+
+shortTo:
+        A - 0x80 => D                   :CALL(addHashTx)
+                                        :CALL(addL2HashTx_isNotDeploy)
+                                        :CALL(addL2HashTx)
+                                        :CALL(addBatchHashData)
+        A                               :MSTORE(txDestAddr)
+        A                               :MSTORE(storageAddr)
+
+endTo:
+
+;; Read RLP 'value'
+        ; 256 bits max
+valueREAD:
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(endValue)
+        A - 0x81                        :JMPN(value0)
+        A - 0xa1                        :JMPN(shortValue, invalidTxRLP)
+
+value0:
+        0 => A                          :JMP(endValue)
+
+shortValue:
+        A - 0x80 => D                   :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkShortRLP)
+                                        :CALL(checkNonLeadingZeros)
+
+endValue:
+        32 => D
+        A                               :MSTORE(txValue), CALL(addL2HashTx)
+
+;; Read RLP 'data'
+        ; should not be a list
+dataREAD:
+        ; Set calldata offset and CTX
+        $ => D                          :MLOAD(globalCalldataMemoryOffset)
+        %CALLDATA_RESERVED_CTX          :MSTORE(calldataCTX)
+        D * 32                          :MSTORE(calldataOffset)
+        $ => D                          :MLOAD(batchHashPos)
+        D                               :MSTORE(dataStarts)
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(veryShortData)
+        A - 0x81                        :JMPN(zeroBytesData)
+        A - 0xb8                        :JMPN(shortData)
+        ; do not allow string over 2**24 bytes length
+        ; Transaction could not have more than 120.000 due to smart contract limitation (keccaks counters)
+        ; meaning that the RLP encoding is wrong
+        A - 0xbb                        :JMPN(longData, invalidTxRLP)
+
+veryShortData:
+        1                               :MSTORE(txCalldataLen), CALL(addL2HashTx_dataLength)
+                                        :CALL(addL2HashTx)
+        31 => D                         :CALL(SHLarith) ; in: [A: value, D: #bytes to left shift] out: [A: shifted result]
+        ; Store current CTX
+        CTX => B
+        ; Store calldata to calldata CTX's memory
+        %CALLDATA_RESERVED_CTX => CTX
+        $ => E                          :MLOAD(globalCalldataMemoryOffset)
+        A                               :MSTORE(MEM:E)
+        E + 1                           :MSTORE(globalCalldataMemoryOffset)
+        $ => E                          :MLOAD(lastHashKIdUsed)
+         ; Restore current CTX
+        B => CTX                        :JMP(endData)
+
+shortData:
+        $ => D                          :MLOAD(batchHashPos)
+        D                               :MSTORE(dataStarts)
+        A - 0x80 => B                   :MSTORE(txCalldataLen), CALL(addL2HashTx_dataLength)
+                                        :JMP(readData)
+
+longData:
+        A - 0xb7 => D                   :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkLongRLP)
+                                        :CALL(checkNonLeadingZeros)
+        $ => D                          :MLOAD(batchHashPos)
+        D                               :MSTORE(dataStarts)
+        A => B                          :MSTORE(txCalldataLen), CALL(addL2HashTx_dataLength)
+
+readData:
+        32 => D
+        B - D                           :JMPN(readDataFinal)
+        B - D                           :MSTORE(txDataRead), CALL(addHashTx)
+        $ => E                          :MLOAD(globalCalldataMemoryOffset), CALL(addL2HashTx)
+        ; Store current CTX
+        CTX => B
+        ; Store calldata to calldata CTX's memory
+        %CALLDATA_RESERVED_CTX => CTX
+        A                               :MSTORE(MEM:E)
+        ; Restore current CTX
+        B => CTX
+        E + 1                           :MSTORE(globalCalldataMemoryOffset), CALL(addBatchHashByteByByte) ; in: [A: bytes to add, D: bytes length] out: [E: lastHashKIdUsed, A: shifted bytes to add]
+        $ => B                          :MLOAD(txDataRead), JMP(readData)
+
+readDataFinal:
+        B - 1                           :JMPN(endData)
+        B => D                          :CALL(addHashTx)
+                                        :CALL(addL2HashTx)
+        32 - D => D                     :CALL(SHLarith); in: [A: value, D: #bytes to left shift] out: [A: shifted result]
+        $ => E                          :MLOAD(globalCalldataMemoryOffset)
+        ; Store current CTX
+        CTX => B
+        ; Store calldata to calldata CTX's memory
+        %CALLDATA_RESERVED_CTX => CTX
+        A                               :MSTORE(MEM:E)
+        ; Restore current CTX
+        B => CTX
+        E + 1                           :MSTORE(globalCalldataMemoryOffset)
+        32 - D => D                     :CALL(addBatchHashByteByByte); in: [A: bytes to add, D: bytes length] out: [E: lastHashKIdUsed, A: shifted bytes to add]
+                                        :CALL(checkShortDataRLP)
+                                        :JMP(endData)
+
+zeroBytesData:
+                                        :CALL(addL2HashTx_dataLength)
+
+endData:
+        ; Check all bytes read to detect pre EIP-155 tx, if bytes read are the same as txLength, we reached the end, so it's a pre EIP-155 tx
+        ; txRLPLength and C is at most 120.000 bytes, no need to use a binary for comparison
+        $ => B                          :MLOAD(txRLPLength)
+        C - B                           :JMPZ(setPreEIP155Flag)
+
+;; Read RLP 'chainId'
+        ; 64 bits max
+chainREAD:
+        1 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        A - 0x80                        :JMPN(endChainId)
+        A - 0x81                        :JMPN(chainId0)
+        A - 0x89                        :JMPN(shortChainId, invalidTxRLP)
+
+chainId0:
+        0 => A                          :JMP(endChainId)
+
+
+shortChainId:
+        A - 0x80 => D                   :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+                                        :CALL(checkShortRLP)
+                                        :CALL(checkNonLeadingZeros)
+
+endChainId:
+        8 => D
+        A                               :MSTORE(txChainId), CALL(addL2HashTx)
+
+;; Read RLP last two values (0, 0)
+        2 => D                          :CALL(addHashTx)
+                                        :CALL(addBatchHashData)
+        ; We compare the last two bytes of the RLP with 0x8080, no need to use a binary
+        A - 0x8080                      :JMPZ(sizeVerification, invalidTxRLP)
+
+setPreEIP155Flag:
+        1                               :MSTORE(isPreEIP155)
+;; size verification
+        ; checks RLP length read at the RLP header with bytes read during RLP parsing
+sizeVerification:
+        ; txRLPLength and C is at most 120.000 bytes, no need to use a binary for comparison
+        $ => B                          :MLOAD(txRLPLength)
+        C - B                           :JMPZ(sizeVerificationSuccess, invalidTxRLP)
+sizeVerificationSuccess:
+        HASHPOS                         :HASHKLEN(E)
+
+;;;;;;;;;;;;;;;;;;
+;; C - Read signature. Fill 'batchHashData' bytes
+;;;;;;;;;;;;;;;;;;
+
+;; read ecdsa 'r'
+rREADTx:
+        32 => D                         :CALL(getTxBytes)
+        A                               :MSTORE(txR)
+        C + D => C                      :CALL(addBatchHashData)
+
+;; read ecdsa 's'
+sREADTx:
+        32 => D                         :CALL(getTxBytes)
+        A                               :MSTORE(txS)
+        C + D => C                      :CALL(addBatchHashData)
+
+;; read ecdsa 'v'
+vREADTx:
+        1 => D                          :CALL(getTxBytes)
+        A                               :MSTORE(txV)
+        C + D => C                      :CALL(addBatchHashData)
+
+;; read effective percentage
+effectivePercentageTx:
+        1 => D                          :CALL(getTxBytes)
+        A                               :MSTORE(effectivePercentageRLP)
+        C + D => C                      :CALL(addBatchHashData)
+
+;;;;;;;;;
+;; D - Finish RLP parsing
+;;;;;;;;;
+finishLoadRLP:
+;; update bytes parsed
+        $ => A                          :MLOAD(batchL2DataParsed)
+        A + C                           :MSTORE(batchL2DataParsed)
+;; increase number of transaction to process
+        $ => A                          :MLOAD(pendingTxs)
+        A + 1                           :MSTORE(pendingTxs)
+;; compute signature
+        $ => A                          :HASHKDIGEST(E)
+        A                               :MSTORE(txHash)
+
+;; Compute L2txHash
+;; Get source address from tx signature
+        $ => B                          :MLOAD(txR)
+        $ => C                          :MLOAD(txS)
+        $ => D                          :MLOAD(txV), CALL(ecrecover_tx)
+checkAndSaveFrom:
+        ; warning: we need to insert one transition step between label `checkAndSafeFrom` and `MSTORE(txSrcAddr)` to allow unsigned transactions from executor
+        20 => D
+        ; save ecrecover error code
+        B                                       :MSTORE(ecrecoverErrorCode)
+        ; save 'from' to l2TxHash
+        A                                       :MSTORE(txSrcAddr), CALL(addL2HashTx)
+        ; save 'txType' to l2TxHash
+                                                :CALL(addL2HashTx_txType)
+        ; close l2 tx hash
+                                                :CALL(closeL2TxHash)
+                                                :JMP(txLoopRLP)
+
+;;;;;;;;;
+;; E - Handler error RLP fields
+;;;;;;;;;
+invalidTxRLP:
+        $${eventLog(onError, invalidRLP)}                       :JMP(appendTxsInit)
+
+invalidDecodeChangeL2Block:
+        $${eventLog(onError, invalidDecodeChangeL2Block)}       :JMP(appendTxsInit)
+
+invalidNotFirstTxChangeL2Block:
+        $${eventLog(onError, invalidNotFirstTxChangeL2Block)}   :JMP(appendTxsInit)
+
+appendTxsInit:
+;; Append all missing 'batchL2Data' to 'batchDataHash' bytes
+        $ => B                          :MLOAD(batchL2DataLength)
+        $ => C                          :MLOAD(batchHashPos)
+        $${p = C}
+        $ => HASHPOS                    :MLOAD(batchHashPos)
+        $ => E                          :MLOAD(batchHashDataId)
+
+appendTxs:
+        B - C - 32                      :JMPN(finalAppendTxs)
+        32 => D
+        ${getTxs(p,D)} => A
+        $${p = p + D}
+        A                               :HASHK(E)
+        C + D => C                      :JMP(appendTxs)
+
+finalAppendTxs:
+        B - C => D
+        D - 1                           :JMPN(endAppendTxs)
+        ${getTxs(p,D)} => A
+        $${p = p + D}
+        A                               :HASHK(E)
+        C + D => C
+
+endAppendTxs:
+        HASHPOS                         :MSTORE(batchHashPos),JMP(finalizeBatch)