add motivation and security info for unsafe precompiles

ethereum · Oct 16, 2024 · 823bd5a · 823bd5a
1 parent b4d88a8
commit 823bd5a
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/EIPS/eip-2537.md b/EIPS/eip-2537.md
@@ -324,6 +324,10 @@ The motivation section covers a total motivation to have operations over the BLS
 
 Explicit separate MSM operation that allows one to save execution time (so gas) by both the algorithm used (namely Pippenger's algorithm) and (usually forgotten) by the fact that `CALL` operation in Ethereum is expensive (at the time of writing), so one would have to pay non-negligible overhead if e.g. for MSM of `100` points would have to call the multiplication precompile `100` times and addition for `99` times (roughly `138600` would be saved).
 
+### Unsafe precompiles
+
+In many cases the caller of the precompile may be confident that the points are in the correct subgroup, so performing expensive subgroup checks is not necessary. In such cases the unsafe precompiles can be used to reduce gas costs. Using these precompiles on points outside of the subgroup can result in security vulnerabilities in applications, and so the name 'unsafe' is used to highlight that they should be used with caution.
+
 ## Backwards Compatibility
 
 There are no backward compatibility questions.
@@ -383,6 +387,8 @@ Strictly following the spec will eliminate security implications or consensus im
 
 Important topic is a "constant time" property for performed operations. We explicitly state that this precompile **IS NOT REQUIRED** to perform all the operations using constant time algorithms.
 
+Incorrect use of the unsafe precompiles can lead to security vulnerabilities in applications. Users of these precompiles are assumed to be advanced and aware of the risks.
+
 ## Copyright
 
 Copyright and related rights waived via [CC0](../LICENSE.md).