zkevm-rom 0.0.1-security → 6.0.1

package/main/precompiled/pre-ecPairing.zkasm

@@ -0,0 +1,72 @@
+/**
+ * @link [https://www.evm.codes/precompiled#0x08?fork=berlin]
+ * @zk-counters
+ *  - dynamic steps: 200000 * nInputs + 175000
+ *  - dynamic arith: 15000 * nInputs + 17500
+ *  - dynamic binary: 4100 * nInputs + 750
+ * @process-precompiled
+ *  - stack input: [x1, y1, x2, y2, ..., xk, yk]
+ *  - stack output: [success]
+ * @note For implementation details, see: https://hackmd.io/kcEJAWISQ56eE6YpBnurgw?view
+ */
+
+funcEcPairing:
+    ; Move balances if value > 0 just before executing the contract CALL
+    $ => B                              :MLOAD(txValue)
+    0 => A
+    zkPC+2 => RR
+    $                                   :LT, JMPC(moveBalances)
+
+    GAS - %ECPAIRING_GAS => GAS         :JMPN(outOfGas) ; gas static = 45000
+
+    1 => C
+    $ => B                              :MLOAD(txCalldataLen),JMPZ(continueInput0)
+    B                                   :MSTORE(arithA)
+    192                                 :MSTORE(arithB), CALL(divARITH); in: [arithA, arithB] out: [arithRes1: arithA/arithB, arithRes2: arithA%arithB]
+    $ => A                              :MLOAD(arithRes2), JMPNZ(preEndFail)
+    $ => A                              :MLOAD(arithRes1)
+    A                                   :MSTORE(ecPairing_ninputs)
+
+    GAS - 34000*A => GAS                :JMPN(outOfGas) ; gas = 34000 * inputsLength
+
+    %MAX_CNT_BINARY - CNT_BINARY - 750 - 4100*A     :JMPN(outOfCountersBinary)
+    %MAX_CNT_ARITH - CNT_ARITH - 17500 - 15000*A    :JMPN(outOfCountersArith)
+    %MAX_CNT_STEPS - STEP - 175000 - 200000*A       :JMPN(outOfCountersStep)
+
+    -32                                 :MSTORE(readXFromCalldataOffset),CALL(ecPairing)
+    B                                   :JMPNZ(preEndFail)
+    $ => C                              :MLOAD(ecPairing_result)
+
+continueInput0:
+
+    ; write ecAdd data into memory
+    0 => E
+    C                                   :MSTORE(bytesToStore), CALL(MSTORE32); in: [bytesToStore, E: offset] out: [E: new offset]
+
+    ; prepare return data
+    0                                   :MSTORE(retDataOffset)
+    32                                  :MSTORE(retDataLength)
+    $ => A                              :MLOAD(originCTX), JMPZ(handleGas)
+    ; set retDataCTX
+    $ => B                              :MLOAD(currentCTX)
+    A => CTX
+    B                                   :MSTORE(retDataCTX)
+    B => CTX
+
+    ; write result ecpairing into previous context memory
+    $ => C                              :MLOAD(retCallLength)
+    $ => E                              :MLOAD(retCallOffset)
+
+    ; ecpairing result is in bytesToStore
+    C - 32                              :JMPN(continueECPAIRING)
+    32 => C
+
+continueECPAIRING:
+    $ => CTX                            :MLOAD(originCTX), CALL(MSTOREX)  ; in: [bytesToStore, E: offset, C: length] out: [E: new offset]
+                                        :JMP(endECPAIRING)
+
+preEndECPAIRING:
+    $ => CTX                            :MLOAD(originCTX)
+
+endECPAIRING:
+    CTX                                 :MSTORE(currentCTX), JMP(preEnd)

package/main/precompiled/pre-ecrecover.zkasm

@@ -0,0 +1,71 @@
+/**
+ * @link [https://www.evm.codes/precompiled#0x01?fork=berlin]
+ * @zk-counters
+ *  - dynamic steps:
+ *  - dynamic arith:
+ *  - dynamic binary:
+ * @process-precompiled
+ *  - stack input: [hash, v, r, s]
+ *  - stack output: [publicAddress]
+ */
+funcECRECOVER:
+    ; Move balances if value > 0 just before executing the contract CALL
+    $ => B                              :MLOAD(txValue)
+    0 => A
+    zkPC+2 => RR
+    $                                   :LT, JMPC(moveBalances)
+
+    GAS - %ECRECOVER_GAS => GAS         :JMPN(outOfGas) ; gas static = 3000
+    ; read data stored in calldata
+    ; read hash [32 bytes]
+    32                                  :MSTORE(readXFromCalldataLength)
+    0 => E                              :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A                              :MLOAD(readXFromCalldataResult)
+    ; read v [32 bytes]
+    E + 32 => E                         :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => D                              :MLOAD(readXFromCalldataResult)
+    ; read r [32 bytes]
+    E + 32 => E                         :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => B                              :MLOAD(readXFromCalldataResult)
+    ; read s [32 bytes]
+    E + 32 => E                         :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => C                              :MLOAD(readXFromCalldataResult),CALL(ecrecover_precompiled) ; in: [A: hash, B: r, C: s, D: v], out: [A: result_ecrecover, B: result_code]
+    B                                   :JMPNZ(endECRECOVERFail)
+
+    ; write ecrecover data into memory
+    0 => E
+    A                                   :MSTORE(bytesToStore), CALL(MSTORE32); in: [bytesToStore, E: offset] out: [E: new offset]
+
+    ; prepare return data
+    0                                   :MSTORE(retDataOffset)
+    32                                  :MSTORE(retDataLength)
+    $ => A                              :MLOAD(originCTX), JMPZ(handleGas)
+    ; set retDataCTX
+    $ => B                              :MLOAD(currentCTX)
+    A => CTX
+    B                                   :MSTORE(retDataCTX)
+    B => CTX
+
+    ; write result ecrecover into previous context memory
+    $ => C                              :MLOAD(retCallLength), JMPZ(preEndECRECOVER)
+    $ => E                              :MLOAD(retCallOffset)
+
+    ; ecrecover result is in bytesToStore
+    C - 32                              :JMPN(continueEcrecover)
+    32 => C
+
+continueEcrecover:
+    $ => CTX                            :MLOAD(originCTX), CALL(MSTOREX)  ; in: [bytesToStore, E: offset, C: length] out: [E: new offset]
+                                        :JMP(endECRECOVER)
+
+endECRECOVERFail:
+    $ => A                              :MLOAD(originCTX), JMPZ(handleGas)
+    A => CTX
+    0                                   :MSTORE(retDataCTX)
+    CTX                                 :MSTORE(currentCTX), JMP(preEnd)
+
+preEndECRECOVER:
+    $ => CTX                            :MLOAD(originCTX)
+
+endECRECOVER:
+    CTX                                 :MSTORE(currentCTX), JMP(preEnd)

package/main/precompiled/pre-modexp.zkasm

@@ -0,0 +1,367 @@
+/**
+ * @link [https://www.evm.codes/precompiled#0x05?fork=berlin]
+ * @zk-counters
+ *  - dynamic steps:
+ *  - dynamic arith:
+ *  - dynamic binary:
+ * @process-precompiled
+ *  - stack input: [x1, y1, x2, y2]
+ *  - stack output: [x, y]
+ * @note We work with unbounded and unsigned integers represented in (little-endian) chunks of 256 bits.
+ * @note After a few discussions, we decided to set the maximum input length of the base, modulus and exponent to 32.
+ *       See [https://github.com/0xPolygonHermez/zkevm-rom-internal/issues/43] for more details.
+ */
+INCLUDE "../modexp/constants.zkasm"
+
+INCLUDE "../modexp/modexp.zkasm"
+INCLUDE "../modexp/modexp_utils.zkasm"
+
+INCLUDE "../modexp/array_lib/utils/array_trim.zkasm"
+INCLUDE "../modexp/array_lib/utils/array_compare.zkasm"
+
+INCLUDE "../modexp/array_lib/array_add_AGTB.zkasm"
+INCLUDE "../modexp/array_lib/array_add_short.zkasm"
+INCLUDE "../modexp/array_lib/array_mul_long.zkasm"
+INCLUDE "../modexp/array_lib/array_mul_short.zkasm"
+INCLUDE "../modexp/array_lib/array_mul.zkasm"
+INCLUDE "../modexp/array_lib/array_square.zkasm"
+INCLUDE "../modexp/array_lib/array_div_short.zkasm"
+INCLUDE "../modexp/array_lib/array_div_long.zkasm"
+INCLUDE "../modexp/array_lib/array_div.zkasm"
+
+VAR GLOBAL multiplication_complexity
+
+VAR GLOBAL modexp_Bsize
+VAR GLOBAL modexp_Esize
+VAR GLOBAL modexp_Msize
+VAR GLOBAL modexp_Mend
+VAR GLOBAL modexp_offset
+VAR GLOBAL modexp_returnIndex
+VAR GLOBAL modexp_returnFirstIndex
+VAR GLOBAL modexp_returnIndexRem
+VAR GLOBAL expLenBits
+VAR GLOBAL retCopyLen
+
+funcModexp:
+
+    %MAX_CNT_BINARY - CNT_BINARY - 20   :JMPN(outOfCountersBinary)
+    %MAX_CNT_ARITH - CNT_ARITH - 2      :JMPN(outOfCountersArith)
+    %MAX_CNT_STEPS - STEP - 400         :JMPN(outOfCountersStep)
+
+    ; Move balances if value > 0 just before executing the contract CALL
+    $ => B                              :MLOAD(txValue)
+    0 => A
+    zkPC + 2 => RR
+    $                                   :LT, JMPC(moveBalances)
+
+    ; read data stored in calldata
+    ; Bsize [32 bytes], Esize [32 bytes], Msize [32 bytes]
+    ; Bsize [32 bytes]
+    32                                  :MSTORE(readXFromCalldataLength)
+    0 => E                              :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A                              :MLOAD(readXFromCalldataResult)
+    A                                   :MSTORE(modexp_Bsize) ;Bsize = base size
+    ; Esize [32 bytes]
+    E + 32 => E                         :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A                              :MLOAD(readXFromCalldataResult)
+    A                                   :MSTORE(modexp_Esize) ;Esize = exp size
+    ; Msize [32 bytes]
+    E + 32 => E                         :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A                              :MLOAD(readXFromCalldataResult)
+    A                                   :MSTORE(modexp_Msize) ;Msize = mod size
+    ; store offset modexp num values
+    E + 32 => E
+    E                                   :MSTORE(modexp_offset)
+    ; get exp offset = 96 bytes (Bsize | Esize | Msize) + Bsize
+    $ => A                              :MLOAD(modexp_Bsize)
+    96 => B
+    $ => A                              :ADD
+    $ => B                              :MLOAD(txCalldataLen)
+    ; expLenBits = bit length of first 32 bytes of exp
+    0                                   :MSTORE(expLenBits)
+    ; if 96 + Bsize (exp offset) < txCalldataLen --> setExpBits, else --> expLenBits = 0
+    $                                   :LT, JMPC(setExpBits, setMaxLen)
+
+setExpBits:
+    ; E exp offset
+    A => E
+    $ => A,C                            :MLOAD(modexp_Esize)
+    33 => B
+    ; A, C = Esize
+    ; if Esize <= 32 --> setExpBitsContinue
+    $ => B                              :LT, JMPC(setExpBitsContinue)
+    32 => C
+
+setExpBitsContinue:
+    ; read a length of bytes (C) from exp offset (E)
+    C                                   :MSTORE(readXFromCalldataLength)
+    E                                   :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A                              :MLOAD(readXFromCalldataResult)
+    ; A = first 32 bytes of exp
+    32 - C => D                         :CALL(SHRarith)
+    A => B                              :CALL(getLenBits); A bits length first 32 bytes
+    ; A = bit length of first 32 bytes of exp
+    A                                   :JMPZ(setMaxLen)
+    A - 1                               :MSTORE(expLenBits)
+
+setMaxLen:
+    ; set B with max length (max(Blen, Mlen))
+    $ => B                              :MLOAD(modexp_Msize)
+    $ => A                              :MLOAD(modexp_Bsize)
+    $                                   :LT, JMPC(calculateGas)
+    A => B
+
+; B: max_length = max(Blen, Mlen)
+calculateGas:
+
+    %MAX_CNT_BINARY - CNT_BINARY - 10   :JMPN(outOfCountersBinary)
+    %MAX_CNT_ARITH - CNT_ARITH - 2      :JMPN(outOfCountersArith)
+    %MAX_CNT_STEPS - STEP - 120         :JMPN(outOfCountersStep)
+
+    B                                   :MSTORE(arithA)
+    7                                   :MSTORE(arithB), CALL(addARITH)
+    ; check arith overflow
+    $                                   :MLOAD(addArithOverflow), JMPNZ(outOfGas)
+    $ => B                              :MLOAD(arithRes1)
+    B                                   :MSTORE(arithA)
+    8                                   :MSTORE(arithB), CALL(divARITH)
+    ; B: words = (max_length + 7) / 8
+    $ => B                              :MLOAD(arithRes1)
+    %MAX_GAS_WORD_MODEXP => A
+    $                                   :LT, JMPC(outOfGas)
+    ; A: multiplication_complexity = words**2
+    B                                   :MSTORE(arithA)
+    B                                   :MSTORE(arithB), CALL(mulARITH)
+    $ => A                              :MLOAD(arithRes1)
+    A                                   :MSTORE(multiplication_complexity), JMPZ(dynamicGas)
+
+    $ => A                              :MLOAD(modexp_Esize)
+    33 => B
+    ; if Esize <= 32 --> modexp_expLT32
+    $ => B                              :LT, JMPC(modexp_expLT32)
+    ;elif Esize > 32: iteration_count = (8 * (Esize - 32)) + ((exponent & (2**256 - 1)).bit_length() - 1)
+    A                                   :MSTORE(arithA)
+    32                                  :MSTORE(arithB), CALL(subARITH)
+    $ => A                              :MLOAD(arithRes1)
+    A                                   :MSTORE(arithA)
+    8                                   :MSTORE(arithB), CALL(mulARITH)
+    ; check arith overflow
+    $                                   :MLOAD(mulArithOverflowFlag), JMPNZ(outOfGas)
+    ; A = 8 * (Esize - 32)
+    $ => A                              :MLOAD(arithRes1)
+    $ => B                              :MLOAD(expLenBits)
+    ; iteration_count = (8 * (Esize - 32)) + ((exponent & (2**256 - 1)).bit_length() - 1)
+    A                                   :MSTORE(arithA)
+    B                                   :MSTORE(arithB), CALL(addARITH)
+    ; check arith overflow
+    $                                   :MLOAD(addArithOverflow), JMPNZ(outOfGas)
+    $ => E                              :MLOAD(arithRes1), JMP(finalGas)
+    ; E = iteration_count
+
+modexp_expLT32:
+    $ => E                              :MLOAD(expLenBits)
+
+finalGas:
+    E => B
+    %MAX_GAS_IT_MODEXP => A
+    $                                   :LT, JMPC(outOfGas)
+    1 => A
+    $                                   :LT, JMPC(dynamicGas)
+    1 => E
+
+dynamicGas:
+
+    %MAX_CNT_BINARY - CNT_BINARY - 9   :JMPN(outOfCountersBinary)
+    %MAX_CNT_ARITH - CNT_ARITH - 3     :JMPN(outOfCountersArith)
+    %MAX_CNT_STEPS - STEP - 55         :JMPN(outOfCountersStep)
+
+    ; E = calculate_iteration_count = max(iteration_count, 1)
+    $ => A                              :MLOAD(multiplication_complexity)
+    A                                   :MSTORE(arithA)
+    E                                   :MSTORE(arithB), CALL(mulARITH)
+    ; check arith overflow
+    $                                   :MLOAD(mulArithOverflowFlag), JMPNZ(outOfGas)
+    ; A = multiplication_complexity * iteration_count
+    $ => A                              :MLOAD(arithRes1)
+    A                                   :MSTORE(arithA)
+    3                                   :MSTORE(arithB), CALL(divARITH)
+    ; A = multiplication_complexity * iteration_count / 3
+    $ => A                              :MLOAD(arithRes1)
+    %TX_GAS_LIMIT => B
+    $                                   :LT, JMPNC(outOfGas)
+    200 => B
+    $                                   :LT, JMPC(lastChecks)
+    A => B
+
+lastChecks:
+    B                                   :MSTORE(preGAS)
+    ; B = max(200, multiplication_complexity * iteration_count / 3)
+    GAS - B => GAS                      :JMPN(outOfGas)
+    ; check first modulo size and base size to match ethereum specification
+    0 => A
+    $ => B                              :MLOAD(modexp_Msize)
+    $                                   :EQ, JMPC(save0outMod0)  ; if Msize = 0 --> save0outMod0
+    ; Msize > 0 from here
+    $ => B                              :MLOAD(modexp_Bsize)
+    $                                   :EQ, JMPC(save0out)      ; if Bsize = 0 --> save0out
+    ; Bsize > 0 from here
+
+    ; Check maximum length allowed in the zkEVM reagrding the modExp
+    ; If parameters (length > %MAX_SIZE_MODEXP) --> zkEVM does a revert returning all the gas consumed
+    %MAX_SIZE_MODEXP => A
+    $ => B                              :MLOAD(modexp_Bsize)
+    $                                   :LT, JMPC(preFailModExpLength) ; if Bsize > MAX_SIZE_MODEXP --> preFailModExpLength
+    $ => B                              :MLOAD(modexp_Esize)
+    $                                   :LT, JMPC(preFailModExpLength) ; if Esize > MAX_SIZE_MODEXP --> preFailModExpLength
+    $ => B                              :MLOAD(modexp_Msize)
+    $                                   :LT, JMPC(preFailModExpLength) ; if Msize > MAX_SIZE_MODEXP --> preFailModExpLength
+    ; get base value
+    $ => E                              :MLOAD(modexp_offset) ; This is used in modexp_getBase, modexp_getExp and modexp_getMod
+    $ => C                              :MLOAD(modexp_Bsize)
+                                        :CALL(modexp_getBase)
+    ; get exp value
+    $ => C                              :MLOAD(modexp_Esize)
+                                        :CALL(modexp_getExp)
+    ; get mod value
+    $ => C                              :MLOAD(modexp_Msize)
+                                        :CALL(modexp_getMod)
+    1 => B
+    ; if mod == 0 --> return 0
+    $ => A                              :MLOAD(modexp_Mlen), JMPZ(save0out)
+    ; if Mlen != 1 --> checkExpLen
+    $                                   :EQ, JMPNC(checkExpLen)
+    ; if Mlen == 1 && mod == 1 --> return 0
+    $ => A                              :MLOAD(modexp_M)
+    $                                   :EQ, JMPC(save0out)
+
+checkExpLen:
+    ; if exp == 0 --> return 1
+    $ => A                              :MLOAD(modexp_Elen), JMPZ(save1out)
+
+checkBaseLen:
+    ; if base == 0 --> return 0
+    $ => A                              :MLOAD(modexp_Blen), JMPZ(save0out)
+    ; if Blen != 1 --> callMODEXP
+    $                                   :EQ, JMPNC(callMODEXP)
+    ; if Blen == 1 && base == 1 --> return 1
+    $ => A                              :MLOAD(modexp_B)
+    $                                   :EQ, JMPC(save1out)
+
+callMODEXP:
+                                        :CALL(modexp)
+                                        :JMP(finalMODEXP)
+
+save1out:
+    1                                   :MSTORE(modexp_out), JMP(finalMODEXP)
+
+save0out:
+    $ => B                              :MLOAD(modexp_Msize)
+    %MAX_SIZE_MODEXP => A
+    $                                   :LT,JMPC(preFailModExpLength)
+    0                                   :MSTORE(modexp_out), JMP(finalMODEXP)
+
+save0outMod0:
+    0                                   :MSTORE(modexp_out), JMP(preEndMODEXP)
+
+finalMODEXP:
+    %MAX_CNT_STEPS - STEP - 100         :JMPN(outOfCountersStep)
+
+    ; Get lower between retCallLength and modexp_Msize
+    $ => A                              :MLOAD(modexp_Msize)
+    $ => B                              :MLOAD(retCallLength)
+    A - B                               :JMPN(finalMODEXPreturn)
+    B => A
+
+finalMODEXPreturn:
+    ; write data into memory
+    A                                   :MSTORE(retCopyLen)
+    0 => B
+    $ => C                              :MLOAD(modexp_Msize)
+    C                                   :MSTORE(arithA)
+    32                                  :MSTORE(arithB), CALL(divARITH)
+    $ => E                              :MLOAD(arithRes1)
+    E                                   :MSTORE(modexp_returnFirstIndex)
+    $ => A                              :MLOAD(arithRes2)
+    A                                   :MSTORE(modexp_returnIndexRem), JMPZ(memoryLoop)
+    ; if Msize % 32 > 0, copy last bytes, else --> memoryLoop
+    A => C
+    $ => A                              :MLOAD(modexp_out+E)
+    32 - C => D                         :CALL(SHLarith)
+    A                                   :MSTORE(bytesToStore)
+    B => E
+                                        :CALL(MSTOREX) ; in: [bytesToStore, E: offset, C: length] out: [E: new offset]
+    E => B
+    $ => A                              :MLOAD(modexp_Msize)
+    A - C => C                          :JMPZ(modexpReturn)
+    $ => E                              :MLOAD(modexp_returnFirstIndex)
+
+memoryLoop:
+
+    %MAX_CNT_BINARY - CNT_BINARY - 2    :JMPN(outOfCountersBinary)
+    %MAX_CNT_STEPS - STEP - 50          :JMPN(outOfCountersStep)
+
+    E - 1 => E                          :MSTORE(modexp_returnIndex)
+    $ => A                              :MLOAD(modexp_out+E)
+    A                                   :MSTORE(bytesToStore)
+    B => E
+                                        :CALL(MSTORE32) ; in: [bytesToStore, E: offset] out: [E: new offset]
+    E => B
+    $ => E                              :MLOAD(modexp_returnIndex)
+    C - 32 => C                         :JMPNZ(memoryLoop)
+
+modexpReturn:
+    %MAX_CNT_STEPS - STEP - 100         :JMPN(outOfCountersStep)
+
+    ; prepare return data
+    0                                   :MSTORE(retDataOffset)
+    $ => C                              :MLOAD(modexp_Msize)
+    C                                   :MSTORE(retDataLength)
+    $ => B                              :MLOAD(retCallOffset)
+    $ => A                              :MLOAD(originCTX), JMPZ(handleGas)
+    ; set retDataCTX
+    $ => E                              :MLOAD(currentCTX)
+    A => CTX
+    E                                   :MSTORE(retDataCTX)
+
+    $ => C                              :MLOAD(retCopyLen)
+    $ => E                              :MLOAD(modexp_returnFirstIndex)
+    $ => A                              :MLOAD(modexp_returnIndexRem), JMPZ(returnLoop)
+    A => C
+    $ => A                              :MLOAD(modexp_out+E)
+    32 - C => D                         :CALL(SHLarith)
+    A                                   :MSTORE(bytesToStore)
+    B => E
+                                        :CALL(MSTOREX) ; in: [bytesToStore, E: offset, C: length] out: [E: new offset]
+    E => B
+    $ => A                              :MLOAD(retCopyLen)
+    A - C => C                          :JMPZ(endMODEXP)
+    $ => E                              :MLOAD(modexp_returnFirstIndex)
+
+returnLoop:
+    %MAX_CNT_BINARY - CNT_BINARY - 2    :JMPN(outOfCountersBinary)
+    %MAX_CNT_STEPS - STEP - 50          :JMPN(outOfCountersStep)
+
+    E - 1 => E                          :MSTORE(modexp_returnIndex)
+    C - 32                              :JMPN(returnLoopFinal)
+    $ => A                              :MLOAD(modexp_out+E)
+    A                                   :MSTORE(bytesToStore)
+    B => E
+                                        :CALL(MSTORE32) ; in: [bytesToStore, E: offset] out: [E: new offset]
+    E => B
+    $ => E                              :MLOAD(modexp_returnIndex)
+    C - 32 => C                         :JMPZ(endMODEXP, returnLoop)
+
+returnLoopFinal:
+    $ => A                              :MLOAD(modexp_out+E)
+    32 - C => D                         :CALL(SHLarith)
+    A                                   :MSTORE(bytesToStore)
+    B => E
+                                        :CALL(MSTOREX) ; in: [bytesToStore, E: offset, C: length] out: [E: new offset]
+                                        :JMP(endMODEXP)
+
+preEndMODEXP:
+    $ => A                              :MLOAD(originCTX), JMPZ(handleGas)
+    A => CTX
+
+endMODEXP:
+    CTX                                 :MSTORE(currentCTX), JMP(preEnd)

package/main/precompiled/pre-sha2-256.zkasm

@@ -0,0 +1,125 @@
+/**
+ * @link [https://www.evm.codes/precompiled#0x02?fork=berlin]
+ * @zk-counters
+ *  - dynamic steps:
+ *  - dynamic binary:
+ * @process-precompiled
+ *  - stack input: [data]
+ *  - stack output: [hash]
+ */
+VAR GLOBAL sha256DataOffset
+VAR GLOBAL sha256DataId
+VAR GLOBAL sha256Hash
+VAR GLOBAL tmpZkSHA256
+
+funcSHA256:
+    %MAX_CNT_STEPS - STEP - 100         :JMPN(outOfCountersStep)
+    %MAX_CNT_BINARY - CNT_BINARY - 1    :JMPN(outOfCountersBinary)
+
+    ; Move balances if value > 0 just before executing the contract CALL
+    $ => B          :MLOAD(txValue)
+    0 => A
+    zkPC+2 => RR
+    $               :LT, JMPC(moveBalances)
+
+    ; GAS - staticGas
+    GAS - %SHA2_256_GAS => GAS :JMPN(outOfGas)
+
+    $ => C          :MLOAD(txCalldataLen)
+
+    ;words => A  === (C+31)/32 => A
+    C + 31 => A
+    A               :MSTORE(arithA)
+    32              :MSTORE(arithB), CALL(divARITH); in: [arithA, arithB] out: [arithRes1: arithA/arithB, arithRes2: arithA%arithB]
+    $ => A          :MLOAD(arithRes1)
+
+    ; GAS - dynamicGas
+    GAS - %SHA2_256_WORD_GAS*A => GAS   :JMPN(outOfGas)
+
+    ; Compute necessary sha256 counters to finish the full hash
+    ; Divide the total data length + 1 by 64 to obtain the sha256 counter increment
+    ; 64 is the value used by the prover to increment sha256 counters
+    C + 1                            :MSTORE(arithA)
+    64                               :MSTORE(arithB), CALL(divARITH); in: [arithA, arithB] out: [arithRes1: arithA/arithB, arithRes2: arithA%arithB]
+    $ => A                           :MLOAD(arithRes1)
+
+    ; check enough sha256 counters left
+    %MAX_CNT_SHA256_F - CNT_SHA256_F - A    :JMPN(outOfCountersSha256)
+
+    ; prepare retData
+    0               :MSTORE(retDataOffset)
+    32              :MSTORE(retDataLength)
+    32              :MSTORE(readXFromCalldataLength)
+    0 => HASHPOS
+                    :CALL(SHA256data)
+    ; get & update sha256Data ID
+    $ => E          :MLOAD(sha256DataId)
+    E + 1           :MSTORE(sha256DataId)
+
+    ; copy sha256 to memory (hash 32 bytes)
+    0 => E
+    A               :MSTORE(bytesToStore), CALL(MSTORE32); in: [bytesToStore, E: offset] out: [E: new offset]
+
+SHA256dataReturn:
+    ; handle CTX
+    $ => A          :MLOAD(originCTX), JMPZ(handleGas)
+    ; set retDataCTX
+    $ => B          :MLOAD(currentCTX)
+    A => CTX
+    B               :MSTORE(retDataCTX)
+    B => CTX
+    ; copy sha256 to retData (hash 32 bytes)
+    $ => C          :MLOAD(retCallLength)
+    $ => E          :MLOAD(retCallOffset)
+    $ => CTX        :MLOAD(originCTX)
+    C - 32          :JMPN(continueSHA256dataReturn)
+    32 => C
+
+continueSHA256dataReturn:
+    $ => A          :MLOAD(sha256Hash)
+    ; MSTORE memory origin CTX
+    A               :MSTORE(bytesToStore), CALL(MSTOREX) ; in: [bytesToStore, E: offset, C: length] out: [E: new offset]
+    ; set currentCTX
+    CTX             :MSTORE(currentCTX), JMP(preEnd)
+
+SHA256data:
+    RR              :MSTORE(tmpZkSHA256)
+    0 => E          :MSTORE(sha256DataOffset)
+
+SHA256dataLoop:
+    %MAX_CNT_STEPS - STEP - 50         :JMPN(outOfCountersStep)
+
+    ; Copy from calldata to hashS
+    C               :JMPZ(computeSHA256)
+    C - 32          :JMPN(SHA256dataFinal)
+    $ => E          :MLOAD(sha256DataOffset)
+    E               :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A          :MLOAD(readXFromCalldataResult)
+    E + 32 => E     :MSTORE(sha256DataOffset)
+
+    $ => E          :MLOAD(sha256DataId)
+    32 => D
+    A               :HASHS(E)
+    C - 32 => C     :JMP(SHA256dataLoop)
+
+SHA256dataFinal:
+    %MAX_CNT_STEPS - STEP - 300         :JMPN(outOfCountersStep)
+
+    $ => E          :MLOAD(sha256DataOffset)
+    C               :MSTORE(readXFromCalldataLength)
+    E               :MSTORE(readXFromCalldataOffset), CALL(readFromCalldataOffset); in: [readXFromCalldataOffset: offset value, readXFromCalldataLength: length value], out: [readXFromCalldataResult: result value]
+    $ => A          :MLOAD(readXFromCalldataResult)
+    32 - C => D     :CALL(SHRarith)
+    $ => E          :MLOAD(sha256DataId)
+    C => D
+    A               :HASHS(E)
+
+computeSHA256:
+    %MAX_CNT_STEPS - STEP - 20              :JMPN(outOfCountersStep)
+
+    $ => E          :MLOAD(sha256DataId)
+    HASHPOS         :HASHSLEN(E)
+    $ => A          :HASHSDIGEST(E)
+    A               :MSTORE(sha256Hash)
+    $ => RR         :MLOAD(tmpZkSHA256)
+                    :RETURN

package/main/precompiled/revert-precompiled.zkasm

@@ -0,0 +1,25 @@
+revertPrecompiled:
+    %MAX_CNT_STEPS - STEP - 100         :JMPN(outOfCountersStep)
+
+    ; load initSR to revert all state changes
+    ; revert touched accounts
+    $ => SR         :MLOAD(initSR), CALL(revertTouched)
+    $${eventLog(onError, revert)}
+                    :CALL(revertBlockInfoTree)
+    ; check if it is the first context
+    $ => A          :MLOAD(originCTX), JMPZ(handleGasFromError) ; first context
+    A => CTX        :MSTORE(currentCTX)
+
+    ; clear retDataCTX, no return data in revert precompiled
+    0               :MSTORE(retDataCTX)
+
+    ; return gas not used to previous context
+    $ => B          :MLOAD(gasCTX)
+    GAS + B => GAS
+
+    ; restore SP and PC
+    $ => SP         :MLOAD(lastSP)
+    $ => PC         :MLOAD(lastPC)
+
+    ; write 0 in previous context stack
+    0               :MSTORE(SP++), JMP(readCode)