SIMD-0431: Loader V3: Minimum Extend Program Size#431
SIMD-0431: Loader V3: Minimum Extend Program Size#431deanmlittle wants to merge 18 commits intosolana-foundation:mainfrom
Conversation
|
Hello deanmlittle! Welcome to the SIMD process. By opening this PR you are affirming that your SIMD has been thoroughly discussed and vetted in the SIMD discussion section. The SIMD PR section should only be used to submit a final technical specification for review. If your design / idea still needs discussion, please close this PR and create a new discussion here. This PR requires the following approvals before it can be merged:
Once all requirements are met, you can merge this PR by commenting |
deanmlittle
changed the title
|
Lgtm |
|
@0xRigel requesting your review as this pertains to multisig wallets like Squads. I know we discussed at breakpoint but worth double checking you don't foresee any issues. I think it is actually as simple as throwing a lighthouse instruction at the end to ensure the authority doesn't change. |
|
Whats the current reason for Aside from that, this looks good. We'll just have to make a few adjusments to the UI's under the hood logic for extend program. |
ACK, thanks for reviewing! There are a many dumb restrictions on LoaderV3 due to security issues that can arise as a result of problematic account midstates created during the upgrade process. Hopefully we can ship a few more fixes that would allow us to relax these constraints in the future! |
deanmlittle
changed the title
buffalojoec
left a comment
buffalojoec
left a comment
There was a problem hiding this comment.
I think this proposal could actually use a bit of fleshing out for context.
I've written a draft implementation here: anza-xyz/agave#9859
The first major issue I found is that we'd actually need to break the
ExtendProgram instruction's accounts list beyond just requiring a signature.
The authority is actually not a member of the required accounts for
ExtendProgram. We would need to add it.
For this reason, I'm actually considering SIMD-0164 as a preferred solution. We
would introduce a new instruction with a new accounts list and deprecate the
old one.
Since callers will have to modify their code anyway in order to support the
ExtendProgram instruction after this feature, are we certain changing the
existing instruction is cleaner? It seems like maybe not.
Additionally, this proposal can probably add more details about some of the
deliberation that occurred in SIMD-0164. After all, it's going to be the exact
same design, just a different rollout strategy.
There was a bit of discussion about how this change affects multisigs. However,
in SIMD-0164 and also here in this proposal (via ack by @0xRigel) these
concerns were curtailed. We can probably at least mention how this affects
multisigs in one of the lower sections of the SIMD.
@Lichtso also added context to SIMD-0164 about already-deployed, possibly
frozen programs. This proposal will have the same issues.
We probably have to add that ExtendProgram will be accessible via CPI as a
result of this proposal's feature activation. If we don't, self-upgrading
programs won't be able to invoke ExtendProgram via CPI with their PDA
signers.
I am of the opinion that simply modifying the existing instruction makes more sense for several reasons:
Thus 164 is actually doing more work to achieve the same outcome. For that reason, I do not think 164 is a better solution. |
I re-read SIMD-0164 any yes you are right, it does not mention the old one being disabled, but that would be my intention. Can update that SIMD.
It is not about displaying error messages but preventing unauthorized access from others. Currently |
|
I believe I have addressed all outstanding feedback. It is really just a matter of making the decision of whether we go with #164 or #431. As we would be throwing a missing signer error either way, I find no justification to pollute our Enum with an additional instruction when we can simply modify the existing one to achieve the same result. |
OK, I can appreciate these points. I did some digging, and it seems like we've used both methods, but it depends on what we've historically done with the previous wire format. For example, with System's With ALT, we relaxed signer requirements for So, since we don't wish to support the old version (as @deanmlittle said above) and we will break the program's interface either way (as I said in the second block of this comment), this proposal does in fact appear to be cleaner to me. |
SIMD-0431: flesh out detailed design
Clarify security considerations and alternatives in the proposal.
| constraints of ABI V1, in the case that a multisig upgrade authority wishes to | ||
| extend the program data account by greater than 10KiB, it will either need to | ||
| create multiple resize proposals, or atomically set its authority to a | ||
| top-level signer and reclaim it in the same transaction. The `ExtendProgram` |
There was a problem hiding this comment.
| top-level signer and reclaim it in the same transaction. The `ExtendProgram` | |
| top-level signer and extend it in the same transaction. The `ExtendProgram` |
think this is what you meant here?
There was a problem hiding this comment.
That line means reclaim the authority after extending at top-level with the temporary authority.
|
The only reason why If we make it permissioned self upgrading programs would have to use the transient (but atomic) authority shuffle pattern to sign In that sense neither SIMD-0431 nor SIMD-0164 are needed, we can just disable |
The authority shuffle is very clunky, and I agree with you that if we do have to shuffle, why not just combine this into upgrade directly? Upon reevaluating our options, I think I actually have an even better solution to this. I think we should instead:
By doing so, Extend can remain "permissionless" as it is today, so none of our workflows change, but it can piggyback on the safety of the |
Only top-level instructions are known ahead of time. For self upgrading programs the By then it becomes very similar to the retract-modify-redeploy-workflow in the early designs of loader-v4. With the difference being that loader-v4 explicitly persisted the retracted state in the program account, while this dirty flag here would be implicit and only exist during the transaction. |
Ahh yeah, you're right. Though I suppose we could go the other way and have the upgrade instruction introspect for the |
- Near max account size (10 MiB): allow sub-10 KiB extends when less than 10 KiB of headroom remains - Frozen programs: already rejected by the loader with Immutable
SIMD-0431: revise to use minimum extension size approach
deanmlittle
changed the title
|
@Lichtso we've reworked this proposal to use a minimum extension length, as proposed by jstarry here on SIMD-0164. Please give this another review, and if it's acceptable by all parties, we'll update dependent SIMDs like SIMD-0430 and SIMD-0433. |
Lichtso
left a comment
Lichtso
left a comment
There was a problem hiding this comment.
I am still in favor of "Disable ExtendProgram entirely", as I think that being able to manipulate other peoples programs at all is fishy. However, in the interest of getting this fixed, I will approve this simpler yet potentially incomplete solution.
Yeah, disabling permissionless resizing of program accounts would be the most complete fix, but at the cost of breaking many long-existing workflows for self-upgrading programs and multisig upgrades. I documented this out in the Alternatives Considered section. |
| status: Review | ||
| created: 2025-12-14 | ||
| feature: (fill in with feature key and github tracking issues once accepted) | ||
| supersedes: '0164' |
There was a problem hiding this comment.
Does this mean ExtendProgramChecked will be removed from Loader v3 ixs? Might be nice to restate that explicitly in the summary
Edit: I see SIMD-0164 was never actually approved but it's in the code
There was a problem hiding this comment.
many such cases 🙃
There was a problem hiding this comment.
Yeah, merging and implementing this effectively nulls that SIMD anyway, even though it was closed out.
If this lands, we can land my two PRs to clean up ExtendProgramChecked:
anza-xyz/solana-sdk#656
anza-xyz/agave#11685
| All other existing checks (program ownership, account state, rent-exempt | ||
| balance) remain unchanged. |
There was a problem hiding this comment.
do we need to specify precedence of errors?
There was a problem hiding this comment.
Technically no, since the specific codes are not relevant to consensus, and it gives us a bit of flexibility for program performance improvements.
| Enforce a minimum extension size of 10,240 bytes (10 KiB) on the | ||
| `ExtendProgram` instruction in Loader V3, mitigating the existing | ||
| denial-of-service vector through economic deterrence while preserving the | ||
| instruction's permissionless nature. |
There was a problem hiding this comment.
outside the scope of this SIMD, but if the account is overfunded for whatever reason, can anyone extend the size and "lock up" that SOL?
There was a problem hiding this comment.
Yep, but I'm about to update SIMD-0430 and SIMD-0433 so that the program owner can just resize it down to the correct length and they'll get all of the attacker's funds. So it's a non-issue IMO.
| full 10 KiB minimum. The excess capacity is available for future use. | ||
| - Only 1.0% of mainnet programs have a total size below 10 KiB. | ||
| - No changes to the instruction's account list. No changes to signer | ||
| requirements. No impact on existing tooling or multisig workflows. |
There was a problem hiding this comment.
might want to update tools to enforce this minimum resize up the stack
There was a problem hiding this comment.
while not relevant to consensus, that's true. will add a comment about this.
There was a problem hiding this comment.
I don't think we need to add anything to the proposal for non-protocol tooling. I try to avoid doing so.
6 participants
No description provided.