EIP-2330: EXTSLOAD and ABI for lower gas cost and off-chain apps

Hey Renan but also @deluca-mike, I think there is a misunderstanding here about how Ethereum state actually works.

The “public” or “private” field markers are only architectural decorators inside Solidity, but in Ethereum all storage is always readable. Please have a look at the documentation and examples of the RPC call getStorageAt: JSON-RPC API | ethereum.org

So in your example, price and isSold can be fetched using:

price in the first 0x0 position of the contract:

curl -X POST --data '{"jsonrpc":"2.0", "method": "eth_getStorageAt", "params": ["0x295a70b2de5e3953354a6a8344e616ed314d7251", "0x0000000000000000000000000000000000000000000000000000000000000000", "latest"], "id": 1}' localhost:8545
{"jsonrpc":"2.0","id":1,"result":"0x0000000000000000000000000000000000000000000000000000000000000064"}

isSold in the second 0x1 position of the contract:

curl -X POST --data '{"jsonrpc":"2.0", "method": "eth_getStorageAt", "params": ["0x295a70b2de5e3953354a6a8344e616ed314d7251", "0x0000000000000000000000000000000000000000000000000000000000000001", "latest"], "id": 1}' localhost:8545
{"jsonrpc":"2.0","id":1,"result":"0x0000000000000000000000000000000000000000000000000000000000000000"}

So in fact the keyword private is a false friend, as many developers confuse this with meaning it’s not readable from the outside - when in fact anyone can read it using RPC calls - it is just inside Solidity where it’s impossible to access. This is a restriction in Solidity that you don’t have when writing e.g. a Python script using RPC calls from the outside. This EIP-2330 is proposing the addition of EXTSLOAD so that this inequality is fixed and you get the same powers inside Solidity that you have from the outside already.

Cheers!

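The two storage reads from the post above as a Python script, added here as an example that is not part of the original post. It builds the same eth_getStorageAt requests and decodes the 32-byte words; the helper names, the replayed responses and the slot layout (price in slot 0, isSold in slot 1) are assumptions taken from the post's example.

```python
import json
import urllib.request

CONTRACT = "0x295a70b2de5e3953354a6a8344e616ed314d7251"  # address used in the post

def storage_request(address, slot, block="latest", req_id=1):
    """Build the eth_getStorageAt payload; the slot index is a 32-byte hex word."""
    return {"jsonrpc": "2.0", "method": "eth_getStorageAt",
            "params": [address, "0x" + format(slot, "064x"), block], "id": req_id}

def http_transport(payload, url="http://localhost:8545"):
    """Send one JSON-RPC request to a node (endpoint as in the post's curl calls)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def replay_transport(payload):
    """Offline stand-in (constructed): replays the two responses quoted in the post."""
    canned = {0: "0x" + "0" * 62 + "64", 1: "0x" + "0" * 64}
    slot = int(payload["params"][1], 16)
    return {"jsonrpc": "2.0", "id": payload["id"], "result": canned[slot]}

def read_word(address, slot, transport):
    """Return the raw 32-byte storage word at `slot` as an int."""
    reply = transport(storage_request(address, slot))
    if "error" in reply:
        raise RuntimeError(reply["error"])
    word = bytes.fromhex(reply["result"][2:].rjust(64, "0"))
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    return int.from_bytes(word, "big")

# Assumed layout from the post: uint price in slot 0, bool isSold in slot 1.
LAYOUT = {"price": (0, int), "isSold": (1, bool)}

def read_state(address, transport=replay_transport):
    """Decode every variable in LAYOUT, regardless of its Solidity visibility."""
    return {name: cast(read_word(address, slot, transport))
            for name, (slot, cast) in LAYOUT.items()}

if __name__ == "__main__":
    print(read_state(CONTRACT))  # pass http_transport to query a real node
```

The visibility keyword never appears in the request: the node returns the slot contents for any address and index, which is why a private variable should not hold data that must stay secret.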

I think that Renan suggested that making isSold private could prevent attacks during EVM execution. However, this might not be effective. Even if isSold is set to private, it’s possible to manipulate the process. An attacker could record the initial price() call and modify the response.

Example of Buyer contract:

contract Buyer {
  bool invoked = false;
  uint price1 = 100;
  uint price2 = 0;

  function price() public returns (uint) {
    if (invoked == false) {
      invoked = true;
      return price1; 
    }
    
    return price2;
  }
}

P.S. The addition of this opcode in the EVM sounds interesting. It would enable practical on-chain checks of transaction execution.

Hey Neburo, this would fail because the buyer.price function is marked as external, so the Shop contract would make a staticcall and would revert if it tried to store something in storage.

Hey @dominic, really sorry for the long time,

internal/private are indeed misleading words for state variables in smart contracts.

But as @neburo said, my concern is reading the state of a contract during EVM execution