BLS consensus failure

[holiman]

From EIP

G1 multiexponentiation call expects 160*k bytes as an input that is interpreted as byte concatenation of k slices each of them being a byte concatenation of encoding of G1 point (128 bytes) and encoding of a scalar value (32 bytes). Output is an encoding of multiexponentiation operation result - single G1 point (128 bytes).

So each input point is 160 bytes.

To avoid non-integer arithmetic call cost is calculated as k * multiplication_cost * discount / multiplier where multiplier = 1000, k is a number of (scalar, point) pairs for the call, multiplication_cost is a corresponding single multiplication call cost for G1/G2.

But: https://github.com/NethermindEth/nethermind/blob/master/src/Nethermind/Nethermind.Evm/Precompiles/Bls/Shamatar/G1MultiExpPrecompile.cs#L45 ,

        public long DataGasCost(byte[] inputData, IReleaseSpec releaseSpec)
        {
            int k = inputData.Length / 192;
            return 12000L * k * Discount.For(k) / 1000;
        }

        private const int ItemSize = 160;
        
        public (byte[], bool) Run(byte[] inputData)
        {
            inputData ??= Array.Empty<byte>();
            if (inputData.Length % ItemSize > 0)

The itemSize is correctly set to 160, but alas not used for cost calculation.

Credits to goevmlab fuzzing and @MariusVanDerWijden 's bls-fuzzer

[holiman]

cc @shamatar

[shamatar]

Thank you for mentioning, @holiman :)