Benchmark precompiles Curve25519* and Sha3FIPS* (Fix audit 2505 S2-57)#1736
Merged
RomarQ
reviewed
Aug 14, 2025
RomarQ
approved these changes
Aug 14, 2025
Collaborator
@sorpaas, do you also agree with the changes? If yes, we could try to merge it this week, it completes the fixes for the findings reported in the audit. @librelois There is still a lint issue.
sorpaas
approved these changes
Aug 22, 2025
Member
sorpaas
left a comment
Still missing a few clippy fixes!
dnjscksdn98
pushed a commit
to bifrost-platform/bifrost-frontier
that referenced
this pull request
Sep 15, 2025
polkadot-evm#1736)
* impl benchmarks for Curve25519 precompiles
* impl benchmarks for sha3fips precompiles
* editor config
* taplo
* fix rust tests
* rustfmt
* clippy warnings
* for some reason pallet calls macro generate useless conversion
* revert rust toolchain changes
* Revert "for some reason pallet calls macro generate useless conversion"
  This reverts commit 46d438a.
* Revert "clippy warnings"
  This reverts commit 8236e80.
* remove commented deps
* Provide sane default values for precompiles WeightInfo
* rustfmt
* fix clippy warnings
* fix more clippy warnings
dnjscksdn98
added a commit
to bifrost-platform/bifrost-frontier
that referenced
this pull request
Sep 15, 2025
* Add DecodeWithMemTracking where it's missing (polkadot-evm#1740) * SRLabs: initialize fuzzing harness (polkadot-evm#1677) * SRLabs: initialize fuzzer * update license * fmt * fmt * lint * auth list * clippy * allow uppercase acronyms * clippy * clippy * Update precompile_set.rs (polkadot-evm#1697) * Bump RUST 1.88.0 (polkadot-evm#1741) * bump rust-1.88.0 * fix clippy * Benchmark precompiles Curve25519* and Sha3FIPS* (Fix audit 2505 S2-57) (polkadot-evm#1736) * impl benchmarks for Curve25519 precompiles * impl benchmarks for sha3fips precompiles * editor config * taplo * fix rust tests * rustfmt * clippy warnings * for some reason pallet calls macro generate useless conversion * revert rust toolchain changes * Revert "for some reason pallet calls macro generate useless conversion" This reverts commit 46d438a. * Revert "clippy warnings" This reverts commit 8236e80. * remove commented deps * Provide sane default values for precompiles WeightInfo * rustfmt * fix clippy warnings * fix more clippy warnings * FIx: eip-7702 gas estimation fail with non-empty authorization list (polkadot-evm#1747) * test: ✅ add failing test for gas estimation of EIP-7702 transactions * fix: estimate: auth list should be send unchecked to the runtime The runtime api expect type `Vec<AuthorizationListItem>`, the client should pass the authorization list without any pre-conversion --------- Co-authored-by: Manuel Mauro <manuel.mauro@protonmail.com> * build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (polkadot-evm#1750) Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.19 to 0.3.20. - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20) --- updated-dependencies: - dependency-name: tracing-subscriber dependency-version: 0.3.20 dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump polkavm-derive from 0.25.0 to 0.28.0 (polkadot-evm#1749) Bumps [polkavm-derive](https://github.com/koute/polkavm) from 0.25.0 to 0.28.0. - [Commits](paritytech/polkavm@v0.25.0...v0.28.0) --- updated-dependencies: - dependency-name: polkavm-derive dependency-version: 0.28.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump actions/upload-pages-artifact from 3 to 4 (polkadot-evm#1748) Bumps [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-pages-artifact/releases) - [Commits](actions/upload-pages-artifact@v3...v4) --- updated-dependencies: - dependency-name: actions/upload-pages-artifact dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump brace-expansion in /ts-tests (polkadot-evm#1746) Bumps and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together. 
Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `brace-expansion` from 2.0.1 to 2.0.2 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect - dependency-name: brace-expansion dependency-version: 2.0.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump cipher-base from 1.0.4 to 1.0.6 in /ts-tests (polkadot-evm#1745) Bumps [cipher-base](https://github.com/crypto-browserify/cipher-base) from 1.0.4 to 1.0.6. - [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md) - [Commits](browserify/cipher-base@v1.0.4...v1.0.6) --- updated-dependencies: - dependency-name: cipher-base dependency-version: 1.0.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump tempfile from 3.20.0 to 3.21.0 (polkadot-evm#1743) Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.20.0 to 3.21.0. - [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md) - [Commits](https://github.com/Stebalien/tempfile/commits) --- updated-dependencies: - dependency-name: tempfile dependency-version: 3.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump serde_json from 1.0.142 to 1.0.143 (polkadot-evm#1742) Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.142 to 1.0.143. - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@v1.0.142...v1.0.143) --- updated-dependencies: - dependency-name: serde_json dependency-version: 1.0.143 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump slab from 0.4.10 to 0.4.11 (polkadot-evm#1739) Bumps [slab](https://github.com/tokio-rs/slab) from 0.4.10 to 0.4.11. - [Release notes](https://github.com/tokio-rs/slab/releases) - [Changelog](https://github.com/tokio-rs/slab/blob/master/CHANGELOG.md) - [Commits](tokio-rs/slab@v0.4.10...v0.4.11) --- updated-dependencies: - dependency-name: slab dependency-version: 0.4.11 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump pbkdf2 from 3.1.2 to 3.1.3 in /ts-tests (polkadot-evm#1696) Bumps [pbkdf2](https://github.com/crypto-browserify/pbkdf2) from 3.1.2 to 3.1.3. - [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md) - [Commits](browserify/pbkdf2@v3.1.2...v3.1.3) --- updated-dependencies: - dependency-name: pbkdf2 dependency-version: 3.1.3 dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump ark-std from 0.4.0 to 0.5.0 (polkadot-evm#1685) Bumps [ark-std](https://github.com/arkworks-rs/std) from 0.4.0 to 0.5.0. - [Changelog](https://github.com/arkworks-rs/std/blob/master/CHANGELOG.md) - [Commits](arkworks-rs/std@v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: ark-std dependency-version: 0.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump sha.js from 2.4.11 to 2.4.12 in /ts-tests (polkadot-evm#1744) Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.11 to 2.4.12. - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.11...v2.4.12) --- updated-dependencies: - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add bifrost related packages * hotfix: resolve evm version mismatches for ethapi's (#2) * fix: try to resolve debug trace parsing error * fix: update debug dependencies * fix: update evm crates * Refactor: use workspace dependencies (#3) * refactor: use workspace dependencies * update substrate deps * update Cargo.lock * deps: release v1.3.0 * use stable rust * remove TxPool RPC (moonbeam-foundation/moonbeam#3218) * chore: pull stable2503 * chore: update to bifrost-polkadot-stable2506 * update Cargo * update Cargo * remove txpool crates --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tarek Mohamed Abdalla <tarekkma@gmail.com> Co-authored-by: Aarnav <aarnavbos@gmail.com> Co-authored-by: leopardracer <136604165+leopardracer@users.noreply.github.com> Co-authored-by: zjb0807 <zjb0807@qq.com> Co-authored-by: Éloïs <c@elo.tf> Co-authored-by: Manuel Mauro <manuel.mauro@protonmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: alstjd0921 <kwonarseus@gmail.com>
l0r1s
pushed a commit
to opentensor/frontier
that referenced
this pull request
Jan 5, 2026
polkadot-evm#1736)
* impl benchmarks for Curve25519 precompiles
* impl benchmarks for sha3fips precompiles
* editor config
* taplo
* fix rust tests
* rustfmt
* clippy warnings
* for some reason pallet calls macro generate useless conversion
* revert rust toolchain changes
* Revert "for some reason pallet calls macro generate useless conversion"
  This reverts commit 46d438a.
* Revert "clippy warnings"
  This reverts commit 8236e80.
* remove commented deps
* Provide sane default values for precompiles WeightInfo
* rustfmt
* fix clippy warnings
* fix more clippy warnings
SRLabs audited the frontier codebase in May 2025: https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf
Several issues mentioned in the audit are not fixed; this PR aims to fix the issue S2-57: "Various underpriced precompiles can lead to DoS attack".

Background
Both Curve25519Add and Sha3FIPS512 precompiles implement the LinearCostPrecompile, which means that their gas usage is dependent on the input data size, a factor rounded up to the nearest number of words – as stated in the Ethereum yellow paper [19] for SHA2-256 and RIPEMD-160.

Issue description
The gas cost for the Curve25519Add precompile is under-priced relative to its compute, specifically when compared to the Sha3FIPS512 precompile. Both use the same gas calculation constants, but Curve25519Add requires significantly more computation.

Risk
Attackers can craft transactions calling the underpriced precompile, consuming substantial node resources (CPU time) while paying relatively little gas, potentially leading to availability and denial-of-service issues which slows down block processing.

Mitigation
This PR creates FRAME benchmarks for the Curve25519* and Sha3FIPS* precompiles, allowing downstream projects to estimate the actual CPU time according to their hardware requirements.
It also adds the relevant precompiles to the Frontier template to demonstrate how to implement them with benchmarks.
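
The pricing check behind S2-57, as an added example that is not code from this PR or from Frontier: it computes the word-rounded linear gas charge and compares it with the gas a benchmarked execution time would imply. The 60/12 constants are the yellow paper's SHA2-256 values, used here as the shared constants; `WEIGHT_PER_GAS`, both timings and all function names are constructed for illustration.

```rust
// Added example. BASE/WORD, WEIGHT_PER_GAS and both timings are constructed
// sample values, not figures from the PR or the audit.
const BASE: u64 = 60; // yellow-paper SHA2-256 base cost
const WORD: u64 = 12; // yellow-paper SHA2-256 cost per 32-byte word
const WEIGHT_PER_GAS: u64 = 25_000; // hypothetical ps of ref_time per gas

/// Linear pricing: base + word * ceil(len / 32), overflow-checked.
fn linear_cost(len: u64, base: u64, word: u64) -> Option<u64> {
    let words = len.checked_add(31)? / 32;
    base.checked_add(word.checked_mul(words)?)
}

/// Gas implied by a benchmarked execution time (picoseconds), rounded up.
fn gas_from_ref_time(ref_time_ps: u64, weight_per_gas: u64) -> Option<u64> {
    if weight_per_gas == 0 {
        return None;
    }
    Some(ref_time_ps / weight_per_gas + u64::from(ref_time_ps % weight_per_gas != 0))
}

/// Charged gas versus benchmark-implied gas for one call.
#[derive(Debug, PartialEq)]
struct Pricing {
    charged: u64,
    implied: u64,
}

impl Pricing {
    fn underpriced(&self) -> bool {
        self.implied > self.charged
    }
    /// Implied gas as a percentage of charged gas (None if nothing is charged).
    fn ratio_percent(&self) -> Option<u64> {
        self.implied.checked_mul(100)?.checked_div(self.charged)
    }
}

fn compare(len: u64, ref_time_ps: u64) -> Option<Pricing> {
    Some(Pricing {
        charged: linear_cost(len, BASE, WORD)?,
        implied: gas_from_ref_time(ref_time_ps, WEIGHT_PER_GAS)?,
    })
}

fn main() {
    // Same 64-byte input and same constants; only the measured time differs.
    for (name, ps) in [("hash-like", 1_500_000u64), ("curve-like", 30_000_000u64)] {
        let p = compare(64, ps).expect("no overflow");
        println!("{name}: {p:?} underpriced={} ratio={:?}%", p.underpriced(), p.ratio_percent());
    }
}
```

With real benchmark output in place of the sample timings, a ratio well above 100% marks a precompile whose linear constants need raising.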