
EIP-8158: Invariant Layout Guard Opcode

Ethereum Magicians

Simple Summary

Introduce a protocol-level state safety mechanism through a new opcode.

Abstract

This EIP introduces a new opcode, MUTABLE, which restricts state changes to an explicitly defined scope. Any attempt to modify state outside the permitted scope MUST cause execution to revert.

Motivation

Unintended state mutation during execution is a persistent security risk in smart contract systems. This risk is especially pronounced in proxy-based architectures that rely on DELEGATECALL, where the calling contract effectively relinquishes control over which state changes may occur in the callee's execution context.

At the protocol level, there is currently no mechanism to stabilize or constrain state layout during execution. Introducing such a mechanism enables safer composition of contracts, supports future extensibility, and improves overall robustness for an increasingly dynamic Layer 1 ecosystem.

At present, there exist contract-level approaches for constraining state mutation, which we refer to as an inner guard. These mechanisms offer strong and programmable protection for explicitly declared locations but fundamentally cannot defend against mutations outside the specified set. Because the number of potentially mutable locations is unbounded, attempting full coverage at the contract level is infeasible under current gas constraints.

To achieve comprehensive protection, a complementary outer guard is required. This can only be implemented at the protocol level. By combining an inner guard with the proposed outer guard, contracts can form a robust firewall against unintended or malicious side effects arising from external calls.

The following example illustrates the limitations of using immutability controls at the contract level.
    // Pragma line assumed here for completeness; the original post omits it.
    pragma solidity ^0.8.0;

    import "https://github.com/Helkomine/invariant-guard/blob/main/invariant-guard/InvariantGuardInternal.sol";
    import "@openzeppelin/contracts/utils/Address.sol";

    contract InvariantSimple is InvariantGuardInternal {
        address owner; // slot 0: the only location the inner guard watches in this example

        // Invariants cannot be applied to a mapping with InvariantGuard:
        // its entries live at keccak256-derived slots, so there is no finite list to declare.
        mapping(address => uint256) balances;

        // invariantStorage guards only the slots returned by _getSlot(); any other
        // storage the delegatecall target touches (e.g. a balances entry) is unprotected.
        function safeDelegateCall(address target, bytes calldata data)
            public
            payable
            invariantStorage(_getSlot())
        {
            Address.functionDelegateCall(target, data);
        }

        function _getSlot() internal pure returns (bytes32[] memory slots) {
            bytes32 slot;
            assembly {
                slot := owner.slot
            }
            slots = new bytes32[](1);
            slots[0] = slot;
        }
    }

PR: Add EIP: Invariant Layout Guard Opcode by Helkomine · Pull Request #11303 · ethereum/EIPs · GitHub


EIP-8158: Invariant Layout Guard Opcode

Ethereum Magicians
17 days ago

AI-generated summary

Ethereum Improvement Proposal (EIP) 8158 introduces a new opcode, MUTABLE, to establish a protocol-level state safety mechanism. The opcode restricts state changes to an explicitly defined scope; any attempt to modify state outside the permitted regions causes execution to revert, which mitigates unintended state mutation and strengthens smart contract security.

EIP-8158: Invariant Layout Guard Opcode - EIPs - Ethereum Magicians

This EIP proposes a new EVM opcode, INVARIANTS, which allows smart contracts to assert that certain storage layouts remain unchanged. This is useful for ensuring that upgrades to smart contracts do not inadvertently break existing storage assumptions, which can lead to unexpected behavior or security vulnerabilities.

Motivation

Smart contract upgrades are a common practice, but they can be risky if the new contract version makes incompatible changes to the storage layout. For example, if a contract stores a user's balance in the first storage slot and then an upgrade shifts the balance to the second slot, the contract will no longer be able to correctly access the user's balance.

This EIP aims to provide a mechanism for smart contracts to protect themselves against such changes by allowing them to assert that certain storage layouts remain unchanged. This can help to prevent unexpected behavior and security vulnerabilities during upgrades.

Specification

Opcode

The new opcode is INVARIANTS and its opcode number is 0xfb.

Stack Input

The INVARIANTS opcode takes one stack input:

  • n: The number of storage slots to check.

Stack Output

The INVARIANTS opcode does not produce any stack output.

Operation

The INVARIANTS opcode checks that the first n storage slots have not been modified since the contract was deployed. If any of the storage slots have been modified, the opcode will revert the transaction.

The opcode works by comparing the current storage values with the storage values at the time of contract deployment. The storage values at the time of contract deployment are stored in a special data structure that is accessible to the EVM.

Gas Cost

The gas cost of the INVARIANTS opcode is G_base + n * G_sload, where G_base is the base gas cost of the opcode and G_sload is the gas cost of the SLOAD opcode.
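The Motivation section's inner/outer guard distinction and the Specification's INVARIANTS semantics can be seen side by side in a small storage model. The following Python is an added illustration, not code from the EIP, the InvariantGuard repository or the page's author: storage is a dict from slot number to value, a DELEGATECALL is a callable run against the caller's storage, the inner guard snapshots an explicit slot list around that call (modelled on the InvariantSimple contract above), and the outer guard follows the INVARIANTS description on this page (compare slots 0..n-1 with their deployment values, revert on any difference, charge G_base + n * G_sload). The gas constants are placeholders, since the page only gives the formula, and SHA3-256 stands in for keccak-256 when deriving a mapping entry's slot.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable

Storage = Dict[int, int]


class Revert(Exception):
    """Raised wherever the EVM would revert execution."""


@dataclass
class Account:
    storage: Storage = field(default_factory=dict)
    deployed: Storage = field(default_factory=dict)  # slot values at deployment time

    def sload(self, slot: int) -> int:
        return self.storage.get(slot, 0)

    def sstore(self, slot: int, value: int) -> None:
        self.storage[slot] = value


def deploy(initial: Storage) -> Account:
    """Create an account and record its deployment-time storage snapshot."""
    return Account(storage=dict(initial), deployed=dict(initial))


def transact(acct: Account, body: Callable[[Account], None]) -> bool:
    """Run body as one transaction: on Revert, roll storage back and return False."""
    snapshot = dict(acct.storage)
    try:
        body(acct)
        return True
    except Revert:
        acct.storage = snapshot
        return False


def mapping_slot(key: int, base_slot: int) -> int:
    """Solidity places mapping entries at keccak256(abi.encode(key, base_slot)).
    Stand-in: SHA3-256 instead of keccak-256 (padding differs); all that matters
    here is that entries land on large, sparse slots no guard list can enumerate."""
    data = key.to_bytes(32, "big") + base_slot.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big")


# Inner guard (contract level): snapshot an explicit slot list around the delegatecall.
def guarded_delegatecall(acct: Account, guarded: Iterable[int],
                         callee: Callable[[Account], None]) -> None:
    guarded = list(guarded)
    before = {s: acct.sload(s) for s in guarded}
    callee(acct)  # DELEGATECALL: the callee runs against the caller's storage
    for s in guarded:
        if acct.sload(s) != before[s]:
            raise Revert(f"inner guard: slot {s} mutated")


# Outer guard (protocol level): INVARIANTS as described in the Specification above.
G_BASE = 2      # placeholder: the page gives the formula, not the constants
G_SLOAD = 2100  # placeholder for G_sload


def invariants(acct: Account, n: int) -> int:
    """Revert if any of slots 0..n-1 differs from its deployment value;
    otherwise return the gas charged, G_base + n * G_sload."""
    for s in range(n):
        if acct.sload(s) != acct.deployed.get(s, 0):
            raise Revert(f"INVARIANTS: slot {s} changed since deployment")
    return G_BASE + n * G_SLOAD


OWNER_SLOT, BALANCES_SLOT = 0, 1   # layout of InvariantSimple: owner, then balances
OWNER, OTHER = 0xA11CE, 0xB0B      # constructed sample addresses


def run_scenarios() -> Dict[str, bool]:
    """Drive both guards against two delegatecall targets; report which checks fired."""
    def overwrite_owner(a: Account) -> None:
        a.sstore(OWNER_SLOT, OTHER)

    def touch_balance(a: Account) -> None:
        a.sstore(mapping_slot(OTHER, BALANCES_SLOT), 10**18)

    def overwrite_then_check(a: Account) -> None:
        overwrite_owner(a)
        invariants(a, 1)

    results: Dict[str, bool] = {}
    # 1. A declared slot: the inner guard reverts and the transaction rolls back.
    acct = deploy({OWNER_SLOT: OWNER})
    ok = transact(acct, lambda a: guarded_delegatecall(a, [OWNER_SLOT], overwrite_owner))
    results["inner_guard_catches_owner"] = (not ok) and acct.sload(OWNER_SLOT) == OWNER
    # 2. A mapping entry: not in the declared list, so the inner guard is silent ...
    acct = deploy({OWNER_SLOT: OWNER})
    ok = transact(acct, lambda a: guarded_delegatecall(a, [OWNER_SLOT], touch_balance))
    results["inner_guard_misses_mapping"] = ok and acct.sload(mapping_slot(OTHER, BALANCES_SLOT)) == 10**18
    # ... and INVARIANTS over the first two slots does not see it either, the
    # limitation the Security Considerations section states.
    results["outer_guard_misses_mapping"] = invariants(acct, 2) == G_BASE + 2 * G_SLOAD
    # 3. A write inside the first n slots is caught by INVARIANTS.
    acct = deploy({OWNER_SLOT: OWNER})
    ok = transact(acct, overwrite_then_check)
    results["outer_guard_catches_owner"] = (not ok) and acct.sload(OWNER_SLOT) == OWNER
    return results


if __name__ == "__main__":
    for name, fired in run_scenarios().items():
        print(f"{name}: {fired}")
```

Scenario 2 is the point of the page's Motivation: both guards, as modelled here, protect an enumerable set of slots, while a mapping entry lands on a hash-derived slot outside that set, so neither the contract-level list nor a prefix check over the first n slots observes the write.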

Rationale

The INVARIANTS opcode provides a simple and efficient way for smart contracts to protect themselves against incompatible storage layout changes during upgrades.

The opcode is designed to be easy to use and understand. It takes a single input, the number of storage slots to check, and it reverts the transaction if any of the storage slots have been modified.

The gas cost of the opcode is reasonable, making it practical to use in production.

Backwards Compatibility

This EIP introduces a new opcode, so it is not backwards compatible with existing EVM implementations. However, existing smart contracts will continue to function as expected on EVM implementations that do not support the INVARIANTS opcode.

Security Considerations

The INVARIANTS opcode can help to prevent security vulnerabilities caused by incompatible storage layout changes during upgrades. However, it is important to note that the opcode only protects against changes to the first n storage slots. If a contract stores important data in storage slots beyond the first n slots, those slots will not be protected by the opcode.

It is also important to note that the INVARIANTS opcode only checks that the storage values have not been modified. It does not check that the storage values are still valid. For example, if a contract stores a user's balance in the first storage slot and then an upgrade changes the meaning of the balance, the INVARIANTS opcode will not detect the change.

Copyright

Copyright and related rights waived via .