Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Geth Out-of-Order EIP Application Denial-of-Service - 1383

iosiro, posted 1 year ago
  • The Ethereum Virtual Machine (EVM) has EIPs for various large or VM-breaking changes. At a specific point these changes are applied to the VM and stay in effect until some later change replaces them.
  • When creating a new version of the EVM, the EIPs to apply are selected based on the block number. These changes are typically gas-pricing and opcode changes. However, the merge upgrade can be enabled even with older EIPs disabled. This desync between what the code assumes and what is actually enabled is the root cause of the bug.
  • EIP-2929 has a wrapper function that adjusts the gas calculation. First, oldCalculator() is called to get the raw gas price. If the account is cold (it hasn't been accessed in the transaction yet), a 2500 extra fee is added. Theoretically, the gas + coldCost operation could overflow, resulting in far less gas than necessary being charged.
  • The gasCall() function calculates the cost of allocating the requested amount of memory, with a maximum of 128GB. Several other gas operations are calculated in this area as well, one of which is checked for overflow.
  • So the goal is to get gas + coldCost to overflow without tripping the overflow check in the function above it. If that is possible, the returned gas is tiny, and far more resources get consumed than were paid for.
  • What's the actual consequence? Making this call 5 times uses an absurd amount of RAM, which crashes the node. It only takes an eth_call to an exposed RPC node to trigger this, with a very precise gas value supplied to a CALL instruction via the stack.
  • This affected mainnet RPC providers like Infura, Alchemy, QuickNode, Flashbots and more. For whatever reason, the Ethereum Foundation felt it was out of scope, because its bug bounty excludes RPC execution bugs. Overall, an interesting post on breaking Ethereum RPC nodes. I hope to see more from this author in the future!
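As an added illustration (not code from the iosiro post or from go-ethereum), here is a constructed Go model of the pattern the summary describes: an inner gas step that is overflow-checked, a wrapper that adds the cold-access surcharge without a check, and the hardened wrapper that checks every addition on the path. The function names, the memory-gas parameter and the input values are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// Constructed model of the gas-calculation shape described above, not
// go-ethereum's code; 2500 is the cold-access surcharge the summary quotes.
const coldAccountAccessCost uint64 = 2500

var errGasUintOverflow = errors.New("gas uint64 overflow")

// checkedAdd is a carry-checked uint64 addition (math/bits, standard library).
func checkedAdd(a, b uint64) (uint64, error) {
	sum, carry := bits.Add64(a, b, 0)
	if carry != 0 {
		return 0, errGasUintOverflow
	}
	return sum, nil
}

// unsafeColdWrapper shows the flaw pattern: the inner step (requested gas plus
// memory-expansion cost, standing in for oldCalculator) is overflow-checked,
// but the wrapper adds the cold surcharge unchecked, so a near-max value wraps.
func unsafeColdWrapper(requestedGas, memoryGas uint64, cold bool) (uint64, error) {
	gas, err := checkedAdd(requestedGas, memoryGas)
	if err != nil || !cold {
		return gas, err
	}
	return gas + coldAccountAccessCost, nil // unchecked uint64 addition
}

// safeColdWrapper is the hardened form: every addition on the path is checked,
// so an overflow surfaces as an error instead of as an absurdly cheap call.
func safeColdWrapper(requestedGas, memoryGas uint64, cold bool) (uint64, error) {
	gas, err := checkedAdd(requestedGas, memoryGas)
	if err != nil || !cold {
		return gas, err
	}
	return checkedAdd(gas, coldAccountAccessCost)
}

func main() {
	// Constructed input: passes the inner check, wraps in the unchecked wrapper.
	fmt.Println(unsafeColdWrapper(^uint64(0)-1000, 0, true)) // 1499 <nil>
	fmt.Println(safeColdWrapper(^uint64(0)-1000, 0, true))   // 0 gas uint64 overflow
}
```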