HomeEIPs
EIPsEIP-4760
EIP-4760

SELFDESTRUCT bomb

Deactivate SELFDESTRUCT by changing it to SENDALL and stage this via a stage of exponential gas cost increases.
StagnantStandards Track: Core
Created: 2022-02-03
Guillaume Ballet (@gballet), Vitalik Buterin (@vbuterin), Dankrad Feist (@dankrad)
DiscussionsOriginal linkEdit
1 min read

EIP-4760 proposes to rename the SELFDESTRUCT opcode to SENDALL and replace its functionality. The new functionality will only be to send all Ether in the account to the caller. This change is necessary because Verkle trees will make it impossible to remove all code and storage from an account in the future. The EIP also proposes to exponentially increase the gas costs of the opcode to give developers time to react and implement a version of their contract that does not rely on SELFDESTRUCT. The gas cost will double every 9 days, and SELFDESTRUCT will be converted to SENDALL at a specific block height. Applications that only use SELFDESTRUCT to retrieve funds will still work.

Video
Anyone may contribute to propose contents.
Go propose
Original

Abstract

This EIP renames the SELFDESCRUCT opcode to SENDALL, and replaces its functionality. The new functionality will be only to send all Ether in the account to the caller.

In order to give apps more warning even if their developers are completely unaware of the EIP process, this version will exponentially increase the gas costs of the opcode, so any developer has time to see this change and react by implementing a version of their contract that does not rely on SELFDESTRUCT .

Motivation

The SELFDESTRUCT opcode requires large changes to the state of an account, in particular removing all code and storage. This will not be possible in the future with Verkle trees: Each account will be stored in many different account keys, which will not be obviously connected to the root account.

This EIP implements this change. Applications that only use SELFDESTRUCT to retrieve funds will still work.

Specification

Constants

NameValueComment
OLD_SELFDESTRUCT_COST5000Current gas cost of SELFDESTRUCT opcode
HARD_FORK_BLOCKTBD(Shanghai HF block height)
DOUBLING_SLOTS2**16(Time for gas price to double, ca. 9 days)
DOUBLINGS_BEFORE_SENDALL13SELFDESTRUCT will be converted to SENDALL at HARD_FORK_BLOCK + DOUBLING_SLOTS * DOUBLINGS_BEFORE_SENDALL
  • If HARD_FORK_BLOCK <= slot < HARD_FORK_BLOCK + DOUBLING_SLOTS * DOUBLINGS_BEFORE_SENDALL
    • SELFDESTRUCT functionality remains unchanged
    • SELFDESTRUCT gas cost is now OLD_SELFDESTRUCT_COST * 2 ** ((slot - HARD_FORK_BLOCK) // DOUBLING_SLOTS)
  • For slot >= HARD_FORK_BLOCK + DOUBLING_SLOTS * DOUBLINGS_BEFORE_SENDALL
    • The cost reverts back to OLD_SELFDESTRUCT_COST
    • The SELFDESTRUCT opcode is renamed to SENDALL, and now only immediately moves all ETH in the account to the target; it no longer destroys code or storage or alters the nonce
    • All refunds related to SELFDESTRUCT are removed

Rationale

The idea behind this EIP is to disable SELFDESTRUCT in a way that gives ample warning to Dapp developers. Many developers do not watch the EIP process closely and can therefore be caught by surprise when an opcode is deactivated and does not fulfill its original purpose anymore. However, at least if the smart contract has regular use, then users will notice the price of the operation going up tremendously. The period over which this is happening (HARD_FORK_BLOCK + DOUBLING_SLOTS * DOUBLINGS_BEFORE_SENDALL) is chosen to be long enough (ca. 4 months) such that it gives developers time to react to this change and prepare their application.

Backward Compatibility

This EIP requires a hard fork, since it modifies consensus rules.

Few applications are affected by this change. The only use that breaks is where a contract is re-created at the same address using CREATE2 (after a SELFDESTRUCT). The only application that is significantly affected (and where code can be analyzed) is able to switch to a different model, and should have ample time to do so.

Security Considerations

The following applications of SELFDESTRUCT will be broken and applications that use it in this way are not safe anymore:

  1. Any use where SELFDESTRUCT is used to burn non-ETH token balances, such as ERC20, inside a contract. We do not know of any such use (since it can easily be done by sending to a burn address this seems an unlikely way to use SELFDESTRUCT)
  2. Where CREATE2 is used to redeploy a contract in the same place. There are two ways in which this can fail:
    • The destruction prevents the contract from being used outside of a certain context. For example, the contract allows anyone to withdraw funds, but SELFDESTRUCT is used at the end of an operation to prevent others from doing this. This type of operation can easily be modified to not depend on SELFDESTRUCT.
    • The SELFDESTRUCT operation is used in order to make a contract upgradable. This is not supported anymore and delegates should be used.

Copyright and related rights waived via CC0.

Further reading
Anyone may contribute to propose contents.
Go propose
Adopted by projects
Anyone may contribute to propose contents.
Go propose

Not miss a beat of EIPs' update?

Subscribe EIPs Fun to receive the latest updates of EIPs Good for Buidlers to follow up.

View all
Serve Ethereum Builders, Scale the Community.
Resources
GitHub
Supported by