Add EIP: Builder Execution Requests #11760
Open
wemeetagain wants to merge 12 commits into
Draft EIP for a builder-specific deposit predeploy that verifies BLS proof-of-possession signatures on chain via the EIP-2537 precompiles, serving the EIP-7732 builder population. A separate top_up entrypoint adds unverified stake to an already-registered builder.
Replace event-log delivery with the EIP-7685 request mechanism used by EIP-7002 (withdrawals) and EIP-7251 (consolidations): two single-type predeploys sharing a RequestQueue base, drained by a SYSTEM_ADDRESS end-of-block system call and committed via the block requests_hash.
- BuilderDepositContract (request type 0x03): deposit() verifies the BLS proof-of-possession, then appends a record to its queue; no logs.
- BuilderTopUpContract (request type 0x04): unverified top_up() appends a record to its queue.
- No request fee: the staked value is the anti-spam gate.
BLS verification and the prior audit fixes (domain separation, sign-bit binding, precompile gas caps) are unchanged. Dequeued records carry no signature, since the consensus layer trusts the execution-layer check. Tests rewritten for the queue / system-read model (14 passing). Adds requires 7685; request-type bytes and predeploy addresses are placeholders.
…fixes
Request fee (like EIP-7002/7251): RequestQueue gains an excess/count fee market with fake_exponential; deposit/top_up require msg.value >= stake + fee. No EXCESS_INHIBITOR (predeploys install with empty storage, so excess starts at the minimum fee).
Unsigned amount: the BLS proof-of-possession now commits only to the 2-field message (pubkey, withdrawal_credentials); amount_gwei is an explicit, unsigned parameter. Signing the amount added no security (the unverified top_up already adds unsigned stake) and would otherwise force a signed value derived from a fee unknown at signing time. The distinct 2-field message also reinforces cross-context replay protection.
Round-2 audit fixes:
- Queue storage is now a head/tail ring over a mapping that resets both pointers to 0 when emptied (EIP-7002 dequeue behavior), bounding storage to peak in-flight depth instead of leaking a slot per request forever.
- fallback requires empty calldata, so only the system read-out / fee getter reach it.
- Spec: a 0x03 record for an already-registered pubkey MUST be treated as a top-up (credit stake, never change withdrawal credentials), making the replayable deposit signature harmless.
- Fixed stale entrypoint signatures in the contract header comment.
Tests: 20 passing (17 without EIP-2537), incl. fee dynamics, queue reset, and fallback-calldata regressions. Vectors regenerated for the 2-field signing message.
Add the SSZ container definitions BuilderDepositRequest (pubkey, withdrawal_credentials, amount) and BuilderTopUpRequest (pubkey, amount) to the spec, matching the EIP-7002/7251 style and tying the 88/56-byte record serialization to what the contract appends; note the absence of a signature/index field versus the EIP-6110 DepositRequest. Reduce the "Consensus-layer processing of records" rules to normative statements that reference the new objects by name; the replayability rationale lives in Security Considerations.
Add BuilderWithdrawalContract (request type 0x05, EIP-7002-style) for builder partial withdrawals and full exits, and broaden the draft to the full builder lifecycle (renamed to "Builder Execution Requests").
Switch from fork-time installation to a presigned deployment transaction plus an EXCESS_INHIBITOR that blocks requests until the first end-of-block system call, matching EIP-7002/7251. Updates the spec, the RequestQueue reference contract, and the tests.
The builder deposit contract no longer verifies BLS; it carries the signature for the consensus layer to verify, bounded by the per-block cap. Top-up folds into the deposit request (0x03, register-or-credit) and the withdrawal/exit contract becomes exit-only (0x04), authorized by execution_address. Adds a normative "Changes to EIP-7732" section (remove the process_deposit_request and process_voluntary_exit builder branches; keep onboard_builders_from_pending_deposits for genesis). Updates the spec, contracts, and tests; deletes the BLS machinery and py_ecc fixtures.
…t precondition (review 2) Resolves the second adversarial review of the redesigned EIP. Builder deposits reuse DOMAIN_DEPOSIT (document the benign cross-class signature interchange instead of asserting a non-existent domain separation); give the exact process_deposit_request inert-return for a 0x03-prefix deposit plus a post-fork deposit-routing transition window so in-flight pre-fork deposits are not stranded; align the exit predicate to gloas is_active_builder and document consumed-not-retried; correct the PoP message to the 3-field DepositMessage; name the EIP-7804 0x03 collision; add Spam/state-growth and Locked-funds security notes. Spec-only; contracts and tests unchanged.
…ition window (review 3) Resolves the third adversarial review of the redesigned EIP. Require a builder first deposit to carry a 0x03-prefixed withdrawal_credentials (a consensus-layer check mirroring process_deposit_request), so a registered builder always has a well-formed execution_address and validator and builder deposits no longer cross-register; the cross-class Security note is rewritten accordingly and now records that DOMAIN_DEPOSIT is chain- and fork-agnostic. Drop the post-fork deposit-routing transition window in favour of a single deterministic cutover: the genesis snapshot onboards pending builder deposits, and from the fork onward every 0x03-credentialed validator-contract deposit is dropped (a late straggler is re-onboarded via the builder deposit contract). Document the exited-builder top-up (credited stake is non-reactivatable and sweeps to the execution_address) and the custodial-split exit standoff (a bidding operator can hold the pending balance non-zero and block the execution_address holder from exiting). Spec-only; contracts and tests unchanged.
abcoathup
reviewed
Jun 4, 2026
The commit ff4ff86 (as a parent of fe4d5ef) contains errors.
A new EIP that gives EIP-7732 (ePBS) builders their own
execution-layer request contracts on the EIP-7685 request bus, rather than routing
builder onboarding and exit through the validator flows. Two predeploys:

- `0x03`: `deposit(pubkey, withdrawal_credentials, amount, signature)` → `pubkey ++ wc ++ amount ++ signature` (184 B)
- `0x04`: `exit(pubkey)` → `source_address ++ pubkey` (68 B)

Both are thin queues over a shared `RequestQueue` (EIP-1559-style fee, `EXCESS_INHIBITOR`, end-of-block
`SYSTEM_ADDRESS` drain), modeled on the EIP-7002/7251 request bus. Neither performs on-chain cryptography or emits logs. Addresses, request-type bytes, and runtime
code are placeholders pending allocation and audit.
Rationale
route by type instead of inspecting withdrawal-credential prefixes, keying the validator
and builder registries independently — which also lets a single public key be both a
validator and a builder (a restriction this EIP removes).
possession is verified by the consensus layer (as in EIP-7732). Delivering deposits
through a request bus capped at
`MAX_REQUESTS_PER_BLOCK` per block, plus the EIP-1559 fee on top of the 1-ETH stake, bounds the per-block verification work and the spam economics.
the builder's
`execution_address`, mirroring EIP-7002's rationale for `0x01` credentials.
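The two record layouts listed in the description above, parsed and length-checked as an added example (not code from the PR or the EIP). Field widths are inferred from the stated 184 B and 68 B totals (48-byte pubkey, 32-byte credentials, 8-byte amount, 96-byte signature, 20-byte address); the little-endian amount, the Gwei unit, and all function and class names are assumptions.

```python
import struct
from dataclasses import dataclass

# Layouts from the PR description; field widths are inferred from the stated
# totals, and the little-endian amount is an assumption (as in EIP-7002).
DEPOSIT_FMT = "<48s32sQ96s"   # pubkey ++ wc ++ amount ++ signature
EXIT_FMT = "<20s48s"          # source_address ++ pubkey
DEPOSIT_LEN = struct.calcsize(DEPOSIT_FMT)  # 184
EXIT_LEN = struct.calcsize(EXIT_FMT)        # 68
BUILDER_PREFIX = 0x03

@dataclass(frozen=True)
class BuilderDeposit:
    pubkey: bytes
    withdrawal_credentials: bytes
    amount_gwei: int
    signature: bytes

    def has_builder_credentials(self) -> bool:
        # Per the commit history on this page, a builder first deposit must
        # carry 0x03-prefixed withdrawal_credentials.
        return self.withdrawal_credentials[0] == BUILDER_PREFIX

@dataclass(frozen=True)
class BuilderExit:
    source_address: bytes
    pubkey: bytes

def _records(data: bytes, fmt: str):
    size = struct.calcsize(fmt)
    if len(data) % size:
        # Reject a truncated or padded payload instead of guessing boundaries.
        raise ValueError(f"payload of {len(data)} bytes is not a multiple of {size}")
    return struct.iter_unpack(fmt, data)

def parse_deposits(data: bytes) -> list[BuilderDeposit]:
    return [BuilderDeposit(*fields) for fields in _records(data, DEPOSIT_FMT)]

def parse_exits(data: bytes) -> list[BuilderExit]:
    return [BuilderExit(*fields) for fields in _records(data, EXIT_FMT)]

def sample_deposit(prefix: int, amount_gwei: int) -> bytes:
    # Constructed record: filler key and signature bytes, not real BLS values.
    wc = bytes([prefix]) + bytes(11) + b"\xaa" * 20
    return b"\x11" * 48 + wc + amount_gwei.to_bytes(8, "little") + b"\x22" * 96

if __name__ == "__main__":
    payload = sample_deposit(0x03, 10**9) + sample_deposit(0x01, 2 * 10**9)
    for d in parse_deposits(payload):
        print(d.amount_gwei, d.has_builder_credentials())
```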