feat: add depth-based worst-case attack benchmarks for execute mode

[CPerezz]

This commit introduces a comprehensive worst-case attack benchmark suite that exploits Patricia Merkle Trie computational complexity through:

• Pre-mined CREATE2 addresses with configurable prefix sharing depth
• Deep storage slots with configurable trie depth
• Attack orchestrator contract for efficient batch attacks
• Execute mode support with pre-allocation pattern

Key changes:

• Add test_worst_case_attack_execute.py for execute mode testing
• Include AttackOrchestrator.sol for batch attack execution
• Add depth_9.sol and depth_10.sol contracts with deep storage
• Include pre-mined address data files (s9_acc3/4/5.json)
• Dynamic deep slot extraction based on storage_depth parameter
• Pre-allocation of all contracts and funds in pre-state
• Single-block attack transaction pattern for execute mode

The test deploys contracts at addresses with shared prefixes to maximize trie traversal overhead, then uses an orchestrator to efficiently attack deep storage slots, creating worst-case computational scenarios for benchmarking Ethereum client performance.

[LouisTsai-Csie]

I think this is why the current execute remote flow is failing. From my understanding of the implementation, here we intend to fund 1 wei to aux_address. However, pre.fund_eoa() does not work this way, it creates a new EOA instead of funding an existing account.

I experimented with manually injecting the account, but this only works in fill mode:

pre[aux_address] = Account(address=aux_address, balance=1)

The correct solution might be to create funding transactions instead:

funding_tx = Transaction(
    to=aux_address,
    value=1,  # 1 wei to create the account in the trie
    gas_limit=21_000,
    sender=deployer_eoa,
)
funding_txs.append(funding_tx)

[CPerezz]

This sends 15k txs (as in execute mode even if we split them in blocks, they're all sent at the same time).
Thus, killink any RPC endpoint you have even locally.

For 1000 contracts this all works. But for 15k (the goal fo this tests) it just kills Anvil, Geth etc...

Unsure how to proceed..

[LouisTsai-Csie]

We need some rate limit that wait until the first 1000 transactions are complete before proceeding the next 1000 transactions in execute remote. Thanks for sharing these number, i will try with 750 at first

[jochem-brouwer]

Can also deploy more contracts in a single tx by creating a contract which calls multiple times in 0x4e59b44847b379578588920ca78fbf26c0b4956c (CREATE2 factory). As calldata we give the starting salt, and for each call into CREATE2 it increases the salt. Alternatively can also not put that in calldata and just store the current salt in storage. Only call into the CREATE2 factory if there is enough gas left. Depending on the size of the contract which we are deploying (this one does not look super big) we will get at least 3x less txs but possibly even more.

[CPerezz]

I need to do all this crap such that I can get some values from inside the contract (cause I can't call RPCs directly through the tooling).

[marioevz]

Can't we rather store metadata with the solidity source code? RPC calls will not work because filled tests, when consumed by the client test executors don't even spawn an RPC node.

[jochem-brouwer]

The depth contracts look alike: the difference is the storage written to in the constructor and the target storage slot. We can encode these as constructor arguments (so there is then also no need for depth_9.sol and depth_10.sol, the storage keys to write to and attack are then in a metadata list, which are thus the values provided currently in those files)

[CPerezz]

This is (I assume) useless? As basically it just doesn't propagate blocks as I would expect it to. Neither it waits between blocks to not send all the txs at once.

[marioevz]

Is this to counter the RPC crashing when sending 15k transactions at once? I think we need a proper fix in the execute command machinery to handle extreme cases like this (perhaps setting a max-txs-per-request and split this line into multiple ones?)

[CPerezz]

We can get rid of this and just have the bytecode file.

[CPerezz]

ping @danceratopz @LouisTsai-Csie

Notice that I can simply take a turn and avoid deploying anything here. (Just the orchestator).

Thus, on this way, I can just send a single tx. And that would be the whole test. But, this would make this test only runnable on bloatnet. (Which is fine).

[marioevz]

Left some comments with improvement suggestions. I'm still not completely sold on the need for compiling solidity, and that's because it's a pain to maintain and make the tests forward compatible.

[marioevz]

This is automatically calculated by fill/execute, no need to add this.

Suggested change

	max_fee_per_gas=10_000_000_000, # 10 gwei
	max_priority_fee_per_gas=1_000_000_000, # 1 gwei

[marioevz]

Suggested change

	32000 # CREATE2 base cost
	gas_costs.G_TRANSACTION_CREATE # CREATE2 base cost

[marioevz]

This should be a failure. If we modify parametrization and add a bunch of invalid tests for which json files do not exist we will not notice as they will only show up as skipped tests.

[marioevz]

These files have a known format, we need to use Pydantic to load these into the proper types:

class ContractInFile(base_model):
    salt: int
    contract_address: Address
    auxiliary_accounts: List[Address]

class ContractsFile(base_model):
    deployer: Address
    init_code_hash: Hash
    target_depth: int
    num_contracts: int
    total_time: float
    contracts: List[ContractInFile]

Or something like that, then you can do ContractsFile.model_validate_json to load the file's contents.

[marioevz]

Suggested change

	auxiliary_accounts = contract_data.get("auxiliary_accounts", [])
	auxiliary_accounts = contract_data.auxiliary_accounts

After we update the loaded files to use Pydantic.

[marioevz]

This function should be a pytest fixture instead, which allows pytest to not have to reload the entire file each time for every test.

[marioevz]

Use compute_create_address.

[marioevz]

Suggested change

	import rlp
	from eth_utils import keccak
	# Nonce = 0 since orchestrator is deployed first
	nonce_for_orchestrator = 0
	deployer_bytes = bytes.fromhex(str(deployer_address)[2:])
	orchestrator_address_bytes = keccak(rlp.encode([deployer_bytes, nonce_for_orchestrator]))[12:]
	orchestrator_address = Address("0x" + orchestrator_address_bytes.hex())
	orchestrator_address = orchestrator_deploy_tx.created_contract

[marioevz]

Is this to counter the RPC crashing when sending 15k transactions at once? I think we need a proper fix in the execute command machinery to handle extreme cases like this (perhaps setting a max-txs-per-request and split this line into multiple ones?)

[marioevz]

Can't we rather store metadata with the solidity source code? RPC calls will not work because filled tests, when consumed by the client test executors don't even spawn an RPC node.

[jochem-brouwer]

Some comments.

Regarding the need to compile solidity, for these kind of setups it certainly lowers the time spent on creating these contracts, because without solidity we have to write everything by hand. That would however be super optimized code (in most cases). For this one, ERC20 contracts with some extra logic have to be created, and it would be rather impossible to create such contract by hand without a compiler.

However, I'm not sure why the code here needs to be an ERC20 contract. If the attack here is a trie-depth based attack then we could also do with minimal code, right? This would write the storage in the constructor and at runtime it would run the attack (writing the value to the target storage slot).

These mined storage keys/account keys, how did you retrieve those? 😄 👍

[jochem-brouwer]

There are constants stored in this for loop which do not need to be there. You can move these constant mstores before the loop (to init the constant parts of memory once)

[jochem-brouwer]

For clarity I would not use hex here, but rather ints, so it is easier to check if these constants are correct.

[jochem-brouwer]

Masking is not necessary. If you CALL something then the EVM will mask it (so hide the topmost 12 bytes)

[jochem-brouwer]

I think this should be somewhat more explicit: the deployed contracts will write to the storage there, but in such way that with a minimal set of key/values we get a certain trie depth (storage slots all share some prefix).

As a side-note, this is a good way to test the impact of "depth" but it does not test the impact of the actual contract (if it would actually have the depth if we would consider the MPT balanced - here it is completely the opposite and super unbalanced in one direction 😆 ). So if a client reads from a flat database (can directly load storage key without having to traverse the trie first), then if we read a storage key the more keys which "share" some prefix might have impact on the read speed (so the difference between the unbalanced/balanced tree on the state). This is obviously dependent on the database backend used and the db config.

[jochem-brouwer]

FYI, this is also keccak256("attack(uint256)")[:4] 😄 👍

[jochem-brouwer]

Isn't this part of the json already? .contract_address field? Or was that deployed on a different address (so not the 0x4e59b44847b379578588920ca78fbf26c0b4956c)?

[jochem-brouwer]

Can also deploy more contracts in a single tx by creating a contract which calls multiple times in 0x4e59b44847b379578588920ca78fbf26c0b4956c (CREATE2 factory). As calldata we give the starting salt, and for each call into CREATE2 it increases the salt. Alternatively can also not put that in calldata and just store the current salt in storage. Only call into the CREATE2 factory if there is enough gas left. Depending on the size of the contract which we are deploying (this one does not look super big) we will get at least 3x less txs but possibly even more.

[jochem-brouwer]

Can deploy using Nick's method to be sure the deterministic address is equal 😉

[jochem-brouwer]

The depth contracts look alike: the difference is the storage written to in the constructor and the target storage slot. We can encode these as constructor arguments (so there is then also no need for depth_9.sol and depth_10.sol, the storage keys to write to and attack are then in a metadata list, which are thus the values provided currently in those files)

[jochem-brouwer]

Shouldn't this be attack_value?

[jsign]

Does the address miner also put as a constraint that the preimages have this "nibble by nibble" overlap for the required depth?

Mostly asking because what matters for this to be deep branches is that the hashes of the storage slot numbers satisfy this, not the storage numbers themselves (i.e. the storage slots are hashed to define which is the storage trie address).

(Maybe I'm missing something else from the whole PR setup!)

Edit: or maybe the code that generates this contract is putting the hashes instead of the preimages?

[LouisTsai-Csie]

Close as PR #1976 done