Skip to content

feat: add depth-based worst-case attack benchmarks for execute mode#1936

Closed
CPerezz wants to merge 1 commit intoethereum:forks/osakafrom
CPerezz:feat/depth-bench-without-deploys
Closed

feat: add depth-based worst-case attack benchmarks for execute mode#1936
CPerezz wants to merge 1 commit intoethereum:forks/osakafrom
CPerezz:feat/depth-bench-without-deploys

Conversation

@CPerezz
Copy link
Copy Markdown
Contributor

@CPerezz CPerezz commented Dec 17, 2025

Summary

This PR adds comprehensive benchmarks for testing worst-case depth attacks on Ethereum state and account tries in execute mode.

Description

These benchmarks test the worst-case scenario for Ethereum clients when dealing with extremely deep state and account tries. The attack exploits the computational complexity of Patricia Merkle Trie operations through:

  1. Pre-deployed contracts with deep storage tries that maximize trie traversal costs
  2. CREATE2-based addressing for deterministic contract addresses across test runs
  3. Optimized batched attacks using an AttackOrchestrator contract that can execute up to 2,510 attacks per transaction
  4. Account trie depth increased by funding auxiliary accounts that make the path deeper

The test measures the performance impact of state root recomputation and IO when modifying deep storage slots across thousands of contracts, simulating the maximum theoretical load on the state trie.

Setup Instructions

For complete deployment setup and instructions, see: https://gist.github.com/CPerezz/44d521c0f9e6adf7d84187a4f2c11978

Key Changes

  • Added test_worst_depth_stateroot_recomp test with configurable storage/account depth parameters
  • Added AttackOrchestrator.sol contract for efficient batched attacks
  • Optimized gas forwarding from 50,000 to 3,650 gas per attack (8.3x throughput improvement)
  • Added comprehensive documentation for the attack scenario and workflow

Performance Improvements

  • Before: 303 attacks per transaction (with 50,000 gas forwarding)
  • After: 2,510 attacks per transaction (with optimized 3,650 gas forwarding)
  • Improvement: 8.3x throughput increase

This allows testing much larger attack surfaces within the same gas constraints.

Test Parameters

The test supports multiple depth configurations:

  • Storage depths: 9, 10
  • Account depths: 3, 4, 5, 6
  • Fixed 1,000 or 15,000 contracts (configurable via NUM_CONTRACTS)

@CPerezz
feat: add worst-case depth attack benchmarks for Ethereum state tries
f2998c2 
This PR introduces comprehensive benchmarks to test Ethereum clients under
worst-case scenarios involving extremely deep state and account tries.

The attack scenario:
- Pre-deployed contracts with deep storage tries (depth=9) maximizing traversal costs
- CREATE2-based deterministic addressing for reproducible benchmarks
- AttackOrchestrator contract that batches up to 2,510 attacks per transaction
- Tests measure state root recomputation impact when modifying deep slots

Key components:
- depth_9.sol, depth_10.sol: Contracts with deep storage tries
- s9_acc3.json: Pre-computed CREATE2 addresses and auxiliary accounts (15k contracts)
- AttackOrchestrator.sol: Optimized attack coordinator (3,650 gas per attack)
- deep_branch_testing.py: EEST test harness for pre-deployed contracts
- README.md: Complete documentation and setup instructions

Performance optimizations:
- Reduced gas forwarding from 50k to 3,650 per attack (8.3x throughput increase)
- MAX_ATTACKS_PER_TX increased from 303 to 2,510
- Precise EVM opcode cost analysis with safety margins
- Read init_code_hash directly from JSON instead of recompiling

Deployment setup and instructions available at:
https://gist.github.com/CPerezz/44d521c0f9e6adf7d84187a4f2c11978

This benchmark helps identify performance bottlenecks in state trie handling
and validates client implementations under extreme depth conditions.
@CPerezz CPerezz mentioned this pull request Dec 17, 2025
Closed
3 tasks
@SamWilsn
Copy link
Copy Markdown
Contributor

SamWilsn commented Dec 17, 2025

You beat me to updating the base branch of this pull request! Closing this one in favour of #1937

@SamWilsn SamWilsn closed this Dec 17, 2025
@CPerezz
Copy link
Copy Markdown
Contributor Author

CPerezz commented Dec 17, 2025

@SamWilsn the plan was to not close this for now. And wait until the discussion settles on something with @marioevz and @LouisTsai-Csie

Notice these 2 PRs do the same in different ways. And from the Gaslightning call yesterday, it's not yet clear which will be the chosen path to follow.

Carsons-Eels pushed a commit to Carsons-Eels/execution-specs that referenced this pull request Jan 6, 2026
@marioevz
fix(plugins): Don't copy test list during collection (ethereum#1936)
34a4914 
safer implementation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CPerezz @SamWilsn