In our previous articles, we reviewed in detail the lifecycle of Ethereum validators and discussed various aspects related to the upcoming Electra hard fork. Now, it's time to focus on the changes in the upcoming Electra and Prague upgrades and explain them in detail.
The history of Ethereum 2.0's Proof of Stake hard fork is complex. It began with the addition of the beacon chain to the existing execution layer, while the execution layer still maintained Proof of Work (Phase 0 and Altair hard forks) consensus. Then, in the Bellatrix hard fork, PoS was fully activated (although withdrawals were not enabled). Next, the Capella hard fork allowed withdrawals, completing the validator lifecycle. The recent Deneb hard fork (part of the Deneb/Cancun upgrade) made minor revisions to the beacon chain parameters, such as the inclusion of proof of time windows, handling voluntary exits, and validator rotation restrictions. The major changes in Deneb occurred in the execution layer, introducing blob transactions, blob gas, KZG commitments for blobs, and deprecating the SELFDESTRUCT operation.
Now, the Prague/Electra (also known as Pectra) hard fork introduces important upgrades to the execution and consensus layers. As auditors of the Lido project, we primarily focus on the changes related to consensus and staking in this hard fork. However, we cannot ignore the changes in the execution layer in Prague, as they include important features that impact the Ethereum network and validators. Let's delve into the details of these changes.
Higher-level Overview of Pectra
Electra has introduced many features to the beacon layer. The main updates include:
Allowing the effective balance of validators to vary between 32 and 2048 ETH (instead of a fixed 32 ETH).
Validators are allowed to initiate withdrawals using secondary 'withdrawal' credentials (active validator keys are no longer required).
Change the way the beacon chain handles Eth1 deposits (no longer parsing events from the deposit contract).
Add a new general framework for processing requests from regular Eth1 contracts on the beacon layer (similar to the management method of Electra's pre-deposit).
At the same time, Prague has introduced the following changes to the execution layer:
A new precompiled contract that supports the BLS12-381 curve to verify zkSNARK proofs (in addition to the popular BN254 curve).
A new system contract for storing and accessing up to 8192 historical block hashes (very useful for stateless clients).
Increase calldata gas costs to reduce block size and encourage projects to migrate calldata-intensive operations (such as rollup) to the blobs introduced in Dencun.
Support more blobs per Eth1 block and provide API to read these quantities.
Allows EOA (External Owned Account) to have its own account code, greatly expanding the operations that EOA can perform, such as executing multicalls or delegating execution to other addresses.
Let's refer to the relevant Ethereum Improvement Proposal (EIP) for further discussion:
EIP-7251: Add MAX_EFFECTIVE_BALANCE
EIP-7002: Execution Layer Triggered Exits
EIP-6110: Provide validators deposit on-chain
EIP-7549: Remove committee index from proof
EIP-7685: Universal Execution Layer Request
EIP-2537: Precompile for BLS12-381 curve operations
EIP-2935: Save historical block hashes in state
EIP-7623: Increase calldata cost
EIP-7691: Increase blob throughput
EIP-7840: Add blob scheduling to EL configuration file
EIP-7702: Set EOA account code
Some of these EIPs mainly involve the consensus (beacon) layer, while others are related to the execution layer. Some span across both layers because certain operations, such as deposits and withdrawals, require synchronized changes between the consensus and execution layers. Due to this interdependency, separating Electra and Prague is impractical, so we will review each EIP in turn and specify the affected Ethereum components in each case.
EIP-7251: Increase MAX_EFFECTIVE_BALANCE
Reference: EIP-7251
Since the first Phase0 hard fork, in preparation for Ethereum's proof of stake, up until Electra, the maximum effective balance for validators has been fixed at 32 ETH. Activating validators requires a minimum of spec.min_activation_balance (32 ETH). After activation, validators start from this maximum effective balance but can decrease their effective balance to spec.ejection_balance (16 ETH) and be ejected upon reaching that threshold. This 'minimum' logic remains unchanged in Electra, but now spec.max_effective_balance has increased to 2048 ETH. Therefore, validators can deposit between 32 and 2048 ETH to activate, all of which will contribute to their effective balance. This shift marks a transition from '32ETH-proof-of-stake' to 'proof-of-stake' :)
This variable effective balance will now be used for:
Increase the probability of becoming a block proposer, proportional to the effective balance.
The probability of becoming a member of the synchronization committee is increased in proportion to the effective balance.
As the basis for calculating the relative reduction and inactive penalty amount
The first two activities are the most rewarding operations for validators. Therefore, after Electra, validators with large staking amounts will participate more frequently in block proposals and synchronization committees, with the frequency being proportional to their effective balance.
Another impact is related to reduction. All reduction penalties are proportional to the effective balance of the validator:
The reduction of the penalty for "immediate" and "delayed" is greater for validators with high stakes.
The 'delayed' slashing penalty with validators who have a high staked amount is also greater because the 'slashed' portion in the total staked amount becomes larger.
Reporters who report validators with higher effective balances receive a larger proportion of slashed stakes.
Electra also proposed changes to the slashing ratio, defining a portion of the slashed validator balance to be received by the reporter.
Next is the impact of invalidity. When validators are offline (either for proof or proposal) while being active, the invalidity score accumulates, resulting in invalidity penalties imposed per epoch. These penalties are also proportional to the validator's effective balance.
Due to the increase in effective balances, the validators' 'churn limit' has also changed. In the Ethereum 'pre-Electra' phase, validators typically had the same effective balance, and the exit churn limit was defined as 'maximum 1/65536 (spec.churn_limit_quotient) of the total stake can exit within one epoch.' This created a 'fixed' number of validators exiting with the same stake. However, in the 'post-Electra' phase, there may be cases where only a few 'whales' exit, as they represent a significant portion of the total stake.
Another consideration is the rotation of many validator keys on a single validator instance. Large validators are currently forced to run thousands of validator keys on one instance to accommodate large stakes, splitting them into 32 ETH portions. With Electra, this behavior is no longer mandatory. From a financial perspective, this change has little impact, as rewards and probabilities scale linearly with the stake amount. Therefore, 100 validators with 32 ETH each are equivalent to one validator with 3200 ETH. Additionally, multiple active validator keys can have the same Eth1 withdrawal credential, allowing all rewards to be extracted to a single ETH address, thus avoiding gas costs associated with reward consolidation. However, managing a large number of keys incurs additional management costs.
The ability to aggregate the balance of validators has added a new type of execution layer request. Previously, we had deposits and withdrawals. Now, there will be another type: aggregate request. It combines two validators into one. The operation request will include the public keys of the source validator and the target validator, and will be processed similar to deposits and withdrawals. Aggregation will also have pending requests and balance replacement restrictions, just like deposits and withdrawals.
Summary as follows:
For small independent validators, Electra introduces the ability to automatically increase their effective balance (and rewards). Previously, any surplus over 32 ETH could only be withdrawn, but with Electra, this surplus will ultimately contribute to their effective balance. However, the effective balance can only be increased in multiples of spec.effective_balance_increment (1 ETH), which means that the increase only occurs after reaching the next '1 ETH threshold'.
For large independent validators, Electra provides significant management simplification by allowing multiple active validator keys to be consolidated into one. While this does not change the rules of the game, operating a 1x2048 staking is undoubtedly much simpler than managing 64x32 stakings.
For liquidity providers, they collect small stakes from users and distribute them among validators. Electra adds more flexibility to the staking distribution scheme, but also requires a significant overhaul of the validator accounting based on a fixed 32 ETH effective balance.
Another important topic is the historical data and profit estimation of validators, which is particularly relevant for new participants who are trying to assess risks and rewards. Prior to Electra (at the time of writing this article), the 32 ETH cap (regardless of whether it is minimum or maximum, actually) created uniformity in the historical data. All validators have the same effective balance, rewards, individual slashing penalties, block proposal frequency, and other metrics. This uniformity allows Ethereum to test its consensus mechanism without statistical outliers and collect valuable network behavior data.
After Electra, there will be significant changes in the distribution of staking. Large validators will participate more frequently in block proposal and sync committees, face greater penalties in slashing events, and have a greater impact on delayed slashing, activation queue, and exit queue. While this may pose challenges in data aggregation, Ethereum's consensus ensures that non-linear computation is minimal. The only non-linear component uses sqrt(total_effective_balance) to calculate base rewards, applicable to all validators. This means validator rewards and slashing can still be estimated on a 'per 1 ETH' basis (or more accurately, based on spec.effective_balance_increment, which may change in the future).
For more detailed information, please refer to our previous article on validator behavior.
EIP-7002: Triggerable Execution Layer Exit
Reference: EIP-7002
Each validator in Ethereum has two key pairs: an active key and a withdrawal key. The active public BLS key serves as the primary identity of the validator in the beacon chain. This key pair is used to sign blocks, attestations, slashings, sync committee aggregations, and voluntary exits (prior to this EIP) to initiate the consensus exit of the validator after a delay. The second key pair ("withdrawal credentials") can be another BLS key pair or a regular Eth1 account (private key and address). Now, extracting to an ETH address requires a withdrawal message signed by the active BLS private key. This EIP has made changes to this process.
In fact, the owners of these two (active and withdrawal) key pairs can be different. The active key of the validator is responsible for verification duties: running servers, keeping them running, etc., while the withdrawal credentials are usually controlled by the staking owner, who receives rewards and is responsible for the funds. Currently, only the staking owner who controls the withdrawal credentials cannot initiate the validator's exit, only withdraw rewards. This situation allows the owner of the active key of the validator to effectively hold the balance of the validator as a "hostage." The validator can "pre-sign" the exit message and hand it over to the staking owner, but this workaround is not ideal. In addition, both withdrawal and exit currently require interaction with the beacon chain validator through a dedicated API.
The best solution is to allow the staking owner to execute both the exit and withdrawal operations simultaneously by calling a regular smart contract. This involves standard Eth1 signature checks, greatly simplifying the process.
This EIP allows stakers to trigger withdrawals and exits by sending standard transactions from their ETH address to a dedicated smart contract, similar to the existing deposit process using the 'deposit' contract. The withdrawal (or exit when enough staking is removed) process is as follows:
The pledger sends a withdrawal request (an 'in' request) to the system's 'withdrawal' contract.
The contract charges a specific fee (calculated in ETH) to mitigate potential malicious attacks, similar to EIP-1559, and the fee increases when the request queue is busy.
The contract saves the 'in' withdrawal/exit request to its storage.
When a block is proposed to the beacon chain, the "in" withdrawal/exit requests in the queue will be retrieved from storage.
The beacon chain processes 'in' requests, interacts with the balances of active validators, arranges validator exits, and generates 'out' withdrawal requests.
The 'out' withdrawal request is processed at the execution layer, and the pledger receives their ETH.
Although deposits are triggered in the Eth1 block and then 'moved' to the beacon chain through the 'pending' deposit queue, withdrawals follow a different scheme. They are triggered on the beacon chain (via CLI) and then 'moved' to the Eth1 block. Now, both schemes will operate through the same generic framework (as described below): creating requests at the Eth1 layer, processing 'pending' deposit/withdrawal/merge queues, and handling them at the beacon chain. For 'output' operations like withdrawals, the output queue will also be processed, and the results will be 'settled' in the Eth1 block.
Through this EIP, validators can use regular ETH transactions to deposit and withdraw their validators without directly interacting with the validator CLI or accessing the validator's infrastructure. This greatly simplifies the staking operation, especially for large staking providers. The validator's infrastructure can now be almost completely isolated, as only the keys of active validators need to be maintained, and all staking operations can be handled elsewhere. It eliminates the need for independent stakers to wait for active validator actions and significantly simplifies the off-chain portion of services like the Community Staking Module in Lido.
Therefore, this EIP 'completed' the staking operation, completely migrating it to Eth1 layer, significantly reducing infrastructure security risks, and enhancing the decentralization of the independent staking initiative.
EIP-6110: On-chain supply verification for staking validators
Reference: EIP-6110
Currently, deposits are implemented through the event in the 'deposit' contract of the system (as discussed in detail in previous articles). The contract accepts ETH and validator credentials, and emits the 'Deposit()' event, which is then parsed and converted into a deposit request on the beacon chain. The system has many drawbacks: it requires a vote on eth1data on the beacon chain layer, which adds significant latency. In addition, the beacon chain needs to query the execution layer, further increasing complexity. These issues are discussed in detail in the EIP. A simpler approach, without dealing with many of these issues, is to directly include deposit requests in Eth1 blocks at specified locations. This mechanism is similar to the withdrawal process described in previous EIPs.
The changes proposed in this EIP are very promising. The handling of eth1data can now be completely removed, eliminating the need to vote or have long delays between the events on the Eth1 side and the beacon layer deposits (currently about 12 hours). It also removes the logic for deposit contract snapshots. This EIP simplifies the handling of deposits and aligns it with the withdrawal processing solution mentioned above.
For both stakers and validators, these changes significantly reduce the delay between deposit and validator activation. The necessary replenishment will also be faster when validators are slashed.
There is nothing more to say about this EIP, except that it removes outdated logic, simplifies the process, and creates better results for all parties involved.
EIP-7685: General Execution Layer Request
Reference: EIP-7685
This EIP should have been proposed before the first three EIPs related to deposit/withdrawal/merge, as it lays the foundation for these EIPs. However, it is introduced here to emphasize the growing need to move specialized data for consistency between Eth1 (execution) and Beacon (consensus) chain blocks (layers). This EIP affects both layers, making request processing triggered by regular ETH transactions more efficient. Currently, we observe:
The deposit event in Eth1 blocks is 'moved' to the beacon block for processing.
Withdrawal requests in the beacon block (using CLI) have been "moved" to the Eth1 block for processing.
beacon request.
These three operations indicate the necessity of consistent processing of various types of requests when converting between the execution layer and the beacon layer. In addition, we need the ability to trigger these operations only at the Eth1 layer, as this will allow us to isolate the infrastructure of validators from the infrastructure of staking management, thereby improving security. Therefore, a general solution for managing such requests is both practical and necessary.
This EIP establishes a framework for at least three main cases: deposits, withdrawals, and consolidations. That's why the early EIP introduced fields like WITHDRAWAL_REQUEST_TYPE and DEPOSIT_REQUEST_TYPE, and now consolidation will add another field, CONSOLIDATION_REQUEST_TYPE. In addition, this EIP may also include a general mechanism for handling such requests (reference constants: PENDING_DEPOSITS_LIMIT, PENDING_PARTIAL_WITHDRAWALS_LIMIT, PENDING_CONSOLIDATIONS_LIMIT).
Although the detailed implementation details of this framework are not yet available, it will certainly include key request types, integrity mechanisms (such as hashing and Merkleization requests), as well as queue processing and rate limiting.
This EIP has architectural significance, enabling Eth1 to trigger key operations in the beacon layer through a unified framework. For end users and projects, this means that all requests triggered at the Eth1 layer will be delivered and processed more efficiently in the beacon layer.
EIP-2537: Precompile for BLS12-381 Curve Operations
Reference: EIP-2537
If you don't want to delve into it, you can think of the precompile of BLS12-381 as a complex cryptographic 'hash' operation that can now be used in smart contracts. For those who are interested, let's explore further.
Mathematical operations on elliptic curves such as BLS12-381 (and its corresponding BN-254) are currently mainly used for two purposes:
BLS signatures, which use a special operation called 'pairing' to verify these signatures. BLS signatures are widely used by verifiers because they allow multiple signatures to be aggregated into one. Verifiers rely on BLS signatures based on the BLS12-381 curve (although they can also use any curve implementation that supports pairings, such as BN254).
Verification of zkSNARK proofs, where pairings are used to verify the proofs. In addition, pairings are also used to verify block commitments for large blocks introduced by the Dencun hard fork with KZG commitments.
If you want to verify BLS signatures or zkSNARK proofs in smart contracts, you have to compute these 'pairings', which is very expensive in terms of computation. Ethereum already has a precompiled contract for BN254 curve operations (EIP-196 and EIP-197). However, the BLS12-381 curve (now considered more secure and widely used today) has not been implemented as a precompile. Without such a precompile, implementing pairings and other curve operations in smart contracts requires a large amount of computation, as shown here, and consumes a huge amount of gas (approximately ~10^5 to 10^6 gas).
This EIP opens the door to many potential applications, especially in inexpensive BLS signature verification based on the BLS12-381 curve. This makes it possible to implement threshold schemes for various purposes. As mentioned earlier, Ethereum validators are already using BLS12-381 based signatures. With this EIP, standard smart contracts can now efficiently verify aggregated validator signatures. This can simplify consensus proofs and bridging of cross-network assets, as BLS signatures are widely used in blockchains. Threshold BLS signatures themselves allow for the construction of many efficient threshold schemes for voting, decentralized random number generation, multisig, and more.
Cheaper zkSNARK proof verification will unlock a wealth of applications. Many zkSNARK-based solutions are currently hindered by high proof verification costs, making certain projects almost impractical. This EIP has the potential to change that.
EIP-2935: Saving Historical Block Hashes in State
Reference: EIP-2935
This EIP proposes storing 8192 (approximately 27.3 hours) historical block hashes in the blockchain state, providing extended history for stateless clients such as rollups and smart contracts. It suggests retaining the current behavior of the BLOCKHASH opcode, maintaining the limit of 256 blocks, while introducing a new system contract specifically designed for storing and retrieving historical hashes. This contract performs the set() operation when processing blocks at the execution layer. Its get() method is accessible to anyone to retrieve the desired block hash from the circular buffer.
Currently, referencing historical block hashes in the EVM is possible, but access is limited to the most recent 256 blocks (about 50 minutes). However, in some cases, accessing older block data is crucial, especially for cross-chain applications (which require proof of previous block data) and stateless clients, which regularly need to access early block hashes.
This EIP extends the time range available for rollup and cross-chain applications, allowing them to directly access historical data in the EVM without the need for external aggregation. As a result, these solutions become more robust and sustainable.
EIP-7623: Increase calldata cost
Reference: EIP-7623
calldata adjusts the available size of the transaction payload, which can be significant in some cases (e.g., when passing large arrays or binary buffers as parameters). The significant use of calldata is primarily attributed to rollups, which send payloads by including the calldata of the current rollup state.
Introducing large, verifiable binary data into the blockchain is crucial for rollup. The upgrade of Dencun (Deneb-Cancun) introduces an important innovation for such use cases - blob transactions (EIP-4844). Blob transactions have their own dedicated 'blob' gas fees, and although their bodies are temporarily stored, their cryptographic proofs (KZG commitments) along with their hashes are integrated into the consensus layer. Therefore, compared to using calldata to store data, blob provides a better solution for rollup.
Encouraging rollup to move its data to blob can be achieved through the "carrot and stick" approach. The reduced blob gas fee serves as the "carrot", while this EIP increases the calldata cost as the "stick", thereby restraining excessive data storage in transactions. This EIP complements the next EIP-7691 (Blob Throughput Increase), which increases the maximum number of blobs allowed per block.
EIP-7691: blob throughput increase
Reference: EIP-7691
In the previous Dencun hard fork, blob was introduced, and the initial values for the maximum and target numbers of blobs per block were conservative estimates. This is due to the complexity of predicting how the p2p network will handle the propagation of large binary objects between validating nodes. The previous configuration has proven to be good, making it a suitable time to test the new values. Previously, the target/maximum blob quantity per block was set to 3/6. These limits have now been increased to 6/9.
Building on the previous EIP-7623 (increased calldata cost), this adjustment further incentivizes rollup to move its data from calldata to blobs. The work of finding the optimal blob parameters is still ongoing.
EIP-7840: Add blob scheduling to EL configuration file
Reference: EIP-7840
This EIP proposes to add the target and maximum 'per-block' blob numbers (discussed earlier) and the baseFeeUpdateFraction value to the Ethereum Execution Layer (EL) configuration file. It also enables clients to retrieve these values through the node API. This feature is particularly useful for tasks such as estimating blob gas costs.
EIP-7702: Setting EOA Account Code
Reference: EIP-7702
This is a very important EIP that will bring significant changes to Ethereum users. As we know, EOA (External Owned Account) cannot have any code but can provide transaction signatures (tx.origin). In contrast, smart contracts have bytecode but cannot actively provide their own direct signatures. Any user interaction that requires additional, automated, and verifiable logic can currently only be executed by calling external contracts to perform the required operations. However, in this case, the external contract becomes the msg.sender of subsequent contracts, making the call "from the contract, not the user".
This EIP introduces a new SET_CODE_TX_TYPE=0x04 transaction type (we previously had the old 0x1 transaction, the new 0x02 transaction from the Berlin and EIP-1559 upgrades, and the 0x03 blob transaction introduced in Dencun). This new transaction type allows for setting code for EOA accounts. In fact, it allows EOA to execute external code "in the context of its own EOA account". From an external perspective, during the transaction process, EOA seems to "borrow" code from an external contract and execute it. Technically, this is achieved by adding a special authorization data tuple to the "code" storage of the EOA address (prior to this EIP, this "code" storage for EOA was always empty).
Currently, the new 0x04 transaction type proposed by this EIP includes an array:
Each element allows an account to use code from a specified address (from the last valid authorization item). When processing such transactions, the code for the given EOA is set to a special 0xef0100 || address value (23 bytes), where the address points to a contract with the required code, || means concatenation, and 0xef0100 represents a special magic value not inclusible in a regular smart contract (per EIP-3541). This magic value ensures that this EOA cannot be treated as a regular contract and cannot be invoked as one.
When this EOA initiates a transaction, the designated address will be used to invoke the corresponding code in the context of the EOA. Although the full implementation details of this EIP are not yet clear, it can be determined that it will bring significant changes.
One major impact is the ability to perform multicall directly from EOA. Multicall is a recurring trend in DeFi, and many protocols offer this feature as a powerful tool (such as Uniswap V4, Balancer V3, or Euler V2). With this EIP, multicall can now be initiated directly from EOA.
For example, this new feature addresses a common issue in DeFi: the inefficiency of requiring two separate transactions for approve() + anything(). This EIP allows for a generic 'pre-approval' logic, enabling actions like approve(X) + deposit(X) to be completed in a single transaction.
Another advantage of being able to 'represent' EOA delegated transaction execution is the concept of sponsorship. Sponsorship is a frequently discussed and highly desired feature to help new users enter Ethereum.
The programmable logic associated with EOA has unlocked many possibilities, such as implementing security restrictions, setting spending limits, enforcing KYC requirements, etc.
Of course, this shift also raises many design issues. One issue is the use of chain_id, which determines whether the same signature can be valid across multiple networks, depending on whether it is included in the signature. Another complex issue is the choice between using the address of the target code and embedding the actual bytecode. Each of these methods has its own unique characteristics and limitations. In addition, the use of nonce plays a key role in defining whether permissions are 'multi-purpose' or 'single-purpose.' These elements affect functionality and security issues, including batch invalidation of signatures and usability. Vitalik raised these issues in a discussion (here), which is worth further exploration.
It is worth noting that this change will affect one security mechanism of Ethereum, tx.origin. More details about the implementation of this EIP are necessary, but it seems that the behavior of require(tx.origin == msg.sender) will be changed. This check has always been the most reliable method to ensure that msg.sender is an EOA rather than a contract. Other methods, such as checking EXTCODESIZE (to check if it is a contract), often fail and can be bypassed (for example, by calling the constructor or deploying code at predefined addresses after the transaction). These checks are used to prevent reentrancy and flash loan attacks, but they are far from ideal as they also hinder integration with external protocols. After this EIP, even the reliable require(tx.origin == msg.sender) check seems to become obsolete. Protocols must adapt by removing these checks because the distinction between 'EOA' and 'contract' will no longer apply - now every address could have associated code.
The separation between traditional EOA and smart contracts continues to blur. This EIP brings Ethereum closer to designs like TON, where every account is essentially executable code. As interactions with protocols become increasingly complex, using programmable logic to improve the end-user experience is a natural progression.
Conclusion
The upgrade of Prague/Electra (Pectra) is scheduled for March 2025. Its most significant planned changes include:
Variable validators can stake effectively, up to 2048 ETH, which will significantly change the staking distribution, validator timetable, and simplify management for large stakers by integrating smaller stakes.
Improve the interaction between the execution layer and the consensus layer, simplifying the data exchange between Eth1 execution blocks and beacon chain blocks. This will greatly simplify the processes of depositing, activating, withdrawing, and exiting, speeding up these processes and laying the foundation for further interaction between the consensus layer and the execution layer.
Support cheaper BLS signatures and zkSNARK verifications directly through the new 'pairing-friendly' BLS12-381 precompiles in smart contracts.
Encourage Rollups to adopt blob transactions by increasing the transaction threshold and raising the calldata cost for blob transactions
Make EOA act as a programmable account, giving it multiple invocations, sponsorship, and other advanced features
As you can see, Pectra will have a significant impact on the staking and consensus layer, as well as the end user experience of the execution layer. Although we cannot detail all these changes through code at this stage, as development is still ongoing, we will cover these updates in future articles.
The content is for reference only, not a solicitation or offer. No investment, tax, or legal advice provided. See Disclaimer for more risks disclosure.
Analyzing the upcoming Hard Fork of Ethereum - Pectra Upgrade
Introduction
In our previous articles, we reviewed in detail the lifecycle of Ethereum validators and discussed various aspects related to the upcoming Electra hard fork. Now, it's time to focus on the changes in the upcoming Electra and Prague upgrades and explain them in detail.
The history of Ethereum 2.0's Proof of Stake hard fork is complex. It began with the addition of the beacon chain to the existing execution layer, while the execution layer still maintained Proof of Work (Phase 0 and Altair hard forks) consensus. Then, in the Bellatrix hard fork, PoS was fully activated (although withdrawals were not enabled). Next, the Capella hard fork allowed withdrawals, completing the validator lifecycle. The recent Deneb hard fork (part of the Deneb/Cancun upgrade) made minor revisions to the beacon chain parameters, such as the inclusion of proof of time windows, handling voluntary exits, and validator rotation restrictions. The major changes in Deneb occurred in the execution layer, introducing blob transactions, blob gas, KZG commitments for blobs, and deprecating the SELFDESTRUCT operation.
Now, the Prague/Electra (also known as Pectra) hard fork introduces important upgrades to the execution and consensus layers. As auditors of the Lido project, we primarily focus on the changes related to consensus and staking in this hard fork. However, we cannot ignore the changes in the execution layer in Prague, as they include important features that impact the Ethereum network and validators. Let's delve into the details of these changes.
Higher-level Overview of Pectra
Electra has introduced many features to the beacon layer. The main updates include:
At the same time, Prague has introduced the following changes to the execution layer:
Let's refer to the relevant Ethereum Improvement Proposal (EIP) for further discussion:
Some of these EIPs mainly involve the consensus (beacon) layer, while others are related to the execution layer. Some span across both layers because certain operations, such as deposits and withdrawals, require synchronized changes between the consensus and execution layers. Due to this interdependency, separating Electra and Prague is impractical, so we will review each EIP in turn and specify the affected Ethereum components in each case.
EIP-7251: Increase MAX_EFFECTIVE_BALANCE
Reference: EIP-7251
Since the first Phase0 hard fork, in preparation for Ethereum's proof of stake, up until Electra, the maximum effective balance for validators has been fixed at 32 ETH. Activating validators requires a minimum of spec.min_activation_balance (32 ETH). After activation, validators start from this maximum effective balance but can decrease their effective balance to spec.ejection_balance (16 ETH) and be ejected upon reaching that threshold. This 'minimum' logic remains unchanged in Electra, but now spec.max_effective_balance has increased to 2048 ETH. Therefore, validators can deposit between 32 and 2048 ETH to activate, all of which will contribute to their effective balance. This shift marks a transition from '32ETH-proof-of-stake' to 'proof-of-stake' :)
This variable effective balance will now be used for:
The first two activities are the most rewarding operations for validators. Therefore, after Electra, validators with large staking amounts will participate more frequently in block proposals and synchronization committees, with the frequency being proportional to their effective balance.
Another impact is related to reduction. All reduction penalties are proportional to the effective balance of the validator:
Electra also proposed changes to the slashing ratio, defining a portion of the slashed validator balance to be received by the reporter.
Next is the impact of invalidity. When validators are offline (either for proof or proposal) while being active, the invalidity score accumulates, resulting in invalidity penalties imposed per epoch. These penalties are also proportional to the validator's effective balance.
Due to the increase in effective balances, the validators' 'churn limit' has also changed. In the Ethereum 'pre-Electra' phase, validators typically had the same effective balance, and the exit churn limit was defined as 'maximum 1/65536 (spec.churn_limit_quotient) of the total stake can exit within one epoch.' This created a 'fixed' number of validators exiting with the same stake. However, in the 'post-Electra' phase, there may be cases where only a few 'whales' exit, as they represent a significant portion of the total stake.
Another consideration is the rotation of many validator keys on a single validator instance. Large validators are currently forced to run thousands of validator keys on one instance to accommodate large stakes, splitting them into 32 ETH portions. With Electra, this behavior is no longer mandatory. From a financial perspective, this change has little impact, as rewards and probabilities scale linearly with the stake amount. Therefore, 100 validators with 32 ETH each are equivalent to one validator with 3200 ETH. Additionally, multiple active validator keys can have the same Eth1 withdrawal credential, allowing all rewards to be extracted to a single ETH address, thus avoiding gas costs associated with reward consolidation. However, managing a large number of keys incurs additional management costs.
The ability to aggregate the balance of validators has added a new type of execution layer request. Previously, we had deposits and withdrawals. Now, there will be another type: aggregate request. It combines two validators into one. The operation request will include the public keys of the source validator and the target validator, and will be processed similar to deposits and withdrawals. Aggregation will also have pending requests and balance replacement restrictions, just like deposits and withdrawals.
Summary as follows:
Another important topic is the historical data and profit estimation of validators, which is particularly relevant for new participants who are trying to assess risks and rewards. Prior to Electra (at the time of writing this article), the 32 ETH cap (regardless of whether it is minimum or maximum, actually) created uniformity in the historical data. All validators have the same effective balance, rewards, individual slashing penalties, block proposal frequency, and other metrics. This uniformity allows Ethereum to test its consensus mechanism without statistical outliers and collect valuable network behavior data.
After Electra, there will be significant changes in the distribution of staking. Large validators will participate more frequently in block proposal and sync committees, face greater penalties in slashing events, and have a greater impact on delayed slashing, activation queue, and exit queue. While this may pose challenges in data aggregation, Ethereum's consensus ensures that non-linear computation is minimal. The only non-linear component uses sqrt(total_effective_balance) to calculate base rewards, applicable to all validators. This means validator rewards and slashing can still be estimated on a 'per 1 ETH' basis (or more accurately, based on spec.effective_balance_increment, which may change in the future).
For more detailed information, please refer to our previous article on validator behavior.
EIP-7002: Triggerable Execution Layer Exit
Reference: EIP-7002
Each validator in Ethereum has two key pairs: an active key and a withdrawal key. The active public BLS key serves as the primary identity of the validator in the beacon chain. This key pair is used to sign blocks, attestations, slashings, sync committee aggregations, and voluntary exits (prior to this EIP) to initiate the consensus exit of the validator after a delay. The second key pair ("withdrawal credentials") can be another BLS key pair or a regular Eth1 account (private key and address). Now, extracting to an ETH address requires a withdrawal message signed by the active BLS private key. This EIP has made changes to this process.
In fact, the owners of these two (active and withdrawal) key pairs can be different. The active key of the validator is responsible for verification duties: running servers, keeping them running, etc., while the withdrawal credentials are usually controlled by the staking owner, who receives rewards and is responsible for the funds. Currently, only the staking owner who controls the withdrawal credentials cannot initiate the validator's exit, only withdraw rewards. This situation allows the owner of the active key of the validator to effectively hold the balance of the validator as a "hostage." The validator can "pre-sign" the exit message and hand it over to the staking owner, but this workaround is not ideal. In addition, both withdrawal and exit currently require interaction with the beacon chain validator through a dedicated API.
The best solution is to allow the staking owner to execute both the exit and withdrawal operations simultaneously by calling a regular smart contract. This involves standard Eth1 signature checks, greatly simplifying the process.
This EIP allows stakers to trigger withdrawals and exits by sending standard transactions from their ETH address to a dedicated smart contract, similar to the existing deposit process using the 'deposit' contract. The withdrawal (or exit when enough staking is removed) process is as follows:
Although deposits are triggered in the Eth1 block and then 'moved' to the beacon chain through the 'pending' deposit queue, withdrawals follow a different scheme. They are triggered on the beacon chain (via CLI) and then 'moved' to the Eth1 block. Now, both schemes will operate through the same generic framework (as described below): creating requests at the Eth1 layer, processing 'pending' deposit/withdrawal/merge queues, and handling them at the beacon chain. For 'output' operations like withdrawals, the output queue will also be processed, and the results will be 'settled' in the Eth1 block.
Through this EIP, validators can use regular ETH transactions to deposit and withdraw their validators without directly interacting with the validator CLI or accessing the validator's infrastructure. This greatly simplifies the staking operation, especially for large staking providers. The validator's infrastructure can now be almost completely isolated, as only the keys of active validators need to be maintained, and all staking operations can be handled elsewhere. It eliminates the need for independent stakers to wait for active validator actions and significantly simplifies the off-chain portion of services like the Community Staking Module in Lido.
Therefore, this EIP 'completed' the staking operation, completely migrating it to Eth1 layer, significantly reducing infrastructure security risks, and enhancing the decentralization of the independent staking initiative.
EIP-6110: On-chain supply verification for staking validators
Reference: EIP-6110
Currently, deposits are implemented through the event in the 'deposit' contract of the system (as discussed in detail in previous articles). The contract accepts ETH and validator credentials, and emits the 'Deposit()' event, which is then parsed and converted into a deposit request on the beacon chain. The system has many drawbacks: it requires a vote on eth1data on the beacon chain layer, which adds significant latency. In addition, the beacon chain needs to query the execution layer, further increasing complexity. These issues are discussed in detail in the EIP. A simpler approach, without dealing with many of these issues, is to directly include deposit requests in Eth1 blocks at specified locations. This mechanism is similar to the withdrawal process described in previous EIPs.
The changes proposed in this EIP are very promising. The handling of eth1data can now be completely removed, eliminating the need to vote or have long delays between the events on the Eth1 side and the beacon layer deposits (currently about 12 hours). It also removes the logic for deposit contract snapshots. This EIP simplifies the handling of deposits and aligns it with the withdrawal processing solution mentioned above.
For both stakers and validators, these changes significantly reduce the delay between deposit and validator activation. The necessary replenishment will also be faster when validators are slashed.
There is nothing more to say about this EIP, except that it removes outdated logic, simplifies the process, and creates better results for all parties involved.
EIP-7685: General Execution Layer Request
Reference: EIP-7685
This EIP should have been proposed before the first three EIPs related to deposit/withdrawal/merge, as it lays the foundation for these EIPs. However, it is introduced here to emphasize the growing need to move specialized data for consistency between Eth1 (execution) and Beacon (consensus) chain blocks (layers). This EIP affects both layers, making request processing triggered by regular ETH transactions more efficient. Currently, we observe:
These three operations indicate the necessity of consistent processing of various types of requests when converting between the execution layer and the beacon layer. In addition, we need the ability to trigger these operations only at the Eth1 layer, as this will allow us to isolate the infrastructure of validators from the infrastructure of staking management, thereby improving security. Therefore, a general solution for managing such requests is both practical and necessary.
This EIP establishes a framework for at least three main cases: deposits, withdrawals, and consolidations. That's why the early EIP introduced fields like WITHDRAWAL_REQUEST_TYPE and DEPOSIT_REQUEST_TYPE, and now consolidation will add another field, CONSOLIDATION_REQUEST_TYPE. In addition, this EIP may also include a general mechanism for handling such requests (reference constants: PENDING_DEPOSITS_LIMIT, PENDING_PARTIAL_WITHDRAWALS_LIMIT, PENDING_CONSOLIDATIONS_LIMIT).
Although the detailed implementation details of this framework are not yet available, it will certainly include key request types, integrity mechanisms (such as hashing and Merkleization requests), as well as queue processing and rate limiting.
This EIP has architectural significance, enabling Eth1 to trigger key operations in the beacon layer through a unified framework. For end users and projects, this means that all requests triggered at the Eth1 layer will be delivered and processed more efficiently in the beacon layer.
EIP-2537: Precompile for BLS12-381 Curve Operations
Reference: EIP-2537
If you don't want to delve into it, you can think of the precompile of BLS12-381 as a complex cryptographic 'hash' operation that can now be used in smart contracts. For those who are interested, let's explore further.
Mathematical operations on elliptic curves such as BLS12-381 (and its corresponding BN-254) are currently mainly used for two purposes:
If you want to verify BLS signatures or zkSNARK proofs in smart contracts, you have to compute these 'pairings', which is very expensive in terms of computation. Ethereum already has a precompiled contract for BN254 curve operations (EIP-196 and EIP-197). However, the BLS12-381 curve (now considered more secure and widely used today) has not been implemented as a precompile. Without such a precompile, implementing pairings and other curve operations in smart contracts requires a large amount of computation, as shown here, and consumes a huge amount of gas (approximately ~10^5 to 10^6 gas).
This EIP opens the door to many potential applications, especially in inexpensive BLS signature verification based on the BLS12-381 curve. This makes it possible to implement threshold schemes for various purposes. As mentioned earlier, Ethereum validators are already using BLS12-381 based signatures. With this EIP, standard smart contracts can now efficiently verify aggregated validator signatures. This can simplify consensus proofs and bridging of cross-network assets, as BLS signatures are widely used in blockchains. Threshold BLS signatures themselves allow for the construction of many efficient threshold schemes for voting, decentralized random number generation, multisig, and more.
Cheaper zkSNARK proof verification will unlock a wealth of applications. Many zkSNARK-based solutions are currently hindered by high proof verification costs, making certain projects almost impractical. This EIP has the potential to change that.
EIP-2935: Saving Historical Block Hashes in State
Reference: EIP-2935
This EIP proposes storing 8192 (approximately 27.3 hours) historical block hashes in the blockchain state, providing extended history for stateless clients such as rollups and smart contracts. It suggests retaining the current behavior of the BLOCKHASH opcode, maintaining the limit of 256 blocks, while introducing a new system contract specifically designed for storing and retrieving historical hashes. This contract performs the set() operation when processing blocks at the execution layer. Its get() method is accessible to anyone to retrieve the desired block hash from the circular buffer.
Currently, referencing historical block hashes in the EVM is possible, but access is limited to the most recent 256 blocks (about 50 minutes). However, in some cases, accessing older block data is crucial, especially for cross-chain applications (which require proof of previous block data) and stateless clients, which regularly need to access early block hashes.
This EIP extends the time range available for rollup and cross-chain applications, allowing them to directly access historical data in the EVM without the need for external aggregation. As a result, these solutions become more robust and sustainable.
EIP-7623: Increase calldata cost
Reference: EIP-7623
calldata adjusts the available size of the transaction payload, which can be significant in some cases (e.g., when passing large arrays or binary buffers as parameters). The significant use of calldata is primarily attributed to rollups, which send payloads by including the calldata of the current rollup state.
Introducing large, verifiable binary data into the blockchain is crucial for rollup. The upgrade of Dencun (Deneb-Cancun) introduces an important innovation for such use cases - blob transactions (EIP-4844). Blob transactions have their own dedicated 'blob' gas fees, and although their bodies are temporarily stored, their cryptographic proofs (KZG commitments) along with their hashes are integrated into the consensus layer. Therefore, compared to using calldata to store data, blob provides a better solution for rollup.
Encouraging rollup to move its data to blob can be achieved through the "carrot and stick" approach. The reduced blob gas fee serves as the "carrot", while this EIP increases the calldata cost as the "stick", thereby restraining excessive data storage in transactions. This EIP complements the next EIP-7691 (Blob Throughput Increase), which increases the maximum number of blobs allowed per block.
EIP-7691: blob throughput increase
Reference: EIP-7691
In the previous Dencun hard fork, blob was introduced, and the initial values for the maximum and target numbers of blobs per block were conservative estimates. This is due to the complexity of predicting how the p2p network will handle the propagation of large binary objects between validating nodes. The previous configuration has proven to be good, making it a suitable time to test the new values. Previously, the target/maximum blob quantity per block was set to 3/6. These limits have now been increased to 6/9.
Building on the previous EIP-7623 (increased calldata cost), this adjustment further incentivizes rollup to move its data from calldata to blobs. The work of finding the optimal blob parameters is still ongoing.
EIP-7840: Add blob scheduling to EL configuration file
Reference: EIP-7840
This EIP proposes to add the target and maximum 'per-block' blob numbers (discussed earlier) and the baseFeeUpdateFraction value to the Ethereum Execution Layer (EL) configuration file. It also enables clients to retrieve these values through the node API. This feature is particularly useful for tasks such as estimating blob gas costs.
EIP-7702: Setting EOA Account Code
Reference: EIP-7702
This is a very important EIP that will bring significant changes to Ethereum users. As we know, EOA (External Owned Account) cannot have any code but can provide transaction signatures (tx.origin). In contrast, smart contracts have bytecode but cannot actively provide their own direct signatures. Any user interaction that requires additional, automated, and verifiable logic can currently only be executed by calling external contracts to perform the required operations. However, in this case, the external contract becomes the msg.sender of subsequent contracts, making the call "from the contract, not the user".
This EIP introduces a new SET_CODE_TX_TYPE=0x04 transaction type (we previously had the old 0x1 transaction, the new 0x02 transaction from the Berlin and EIP-1559 upgrades, and the 0x03 blob transaction introduced in Dencun). This new transaction type allows for setting code for EOA accounts. In fact, it allows EOA to execute external code "in the context of its own EOA account". From an external perspective, during the transaction process, EOA seems to "borrow" code from an external contract and execute it. Technically, this is achieved by adding a special authorization data tuple to the "code" storage of the EOA address (prior to this EIP, this "code" storage for EOA was always empty).
Currently, the new 0x04 transaction type proposed by this EIP includes an array:
authorization_list = [[chain_id, address, nonce, y_parity, r, s], ...]
Each element allows an account to use code from a specified address (from the last valid authorization item). When processing such transactions, the code for the given EOA is set to a special 0xef0100 || address value (23 bytes), where the address points to a contract with the required code, || means concatenation, and 0xef0100 represents a special magic value not inclusible in a regular smart contract (per EIP-3541). This magic value ensures that this EOA cannot be treated as a regular contract and cannot be invoked as one.
When this EOA initiates a transaction, the designated address will be used to invoke the corresponding code in the context of the EOA. Although the full implementation details of this EIP are not yet clear, it can be determined that it will bring significant changes.
One major impact is the ability to perform multicall directly from EOA. Multicall is a recurring trend in DeFi, and many protocols offer this feature as a powerful tool (such as Uniswap V4, Balancer V3, or Euler V2). With this EIP, multicall can now be initiated directly from EOA.
For example, this new feature addresses a common issue in DeFi: the inefficiency of requiring two separate transactions for approve() + anything(). This EIP allows for a generic 'pre-approval' logic, enabling actions like approve(X) + deposit(X) to be completed in a single transaction.
Another advantage of being able to 'represent' EOA delegated transaction execution is the concept of sponsorship. Sponsorship is a frequently discussed and highly desired feature to help new users enter Ethereum.
The programmable logic associated with EOA has unlocked many possibilities, such as implementing security restrictions, setting spending limits, enforcing KYC requirements, etc.
Of course, this shift also raises many design issues. One issue is the use of chain_id, which determines whether the same signature can be valid across multiple networks, depending on whether it is included in the signature. Another complex issue is the choice between using the address of the target code and embedding the actual bytecode. Each of these methods has its own unique characteristics and limitations. In addition, the use of nonce plays a key role in defining whether permissions are 'multi-purpose' or 'single-purpose.' These elements affect functionality and security issues, including batch invalidation of signatures and usability. Vitalik raised these issues in a discussion (here), which is worth further exploration.
It is worth noting that this change will affect one security mechanism of Ethereum, tx.origin. More details about the implementation of this EIP are necessary, but it seems that the behavior of require(tx.origin == msg.sender) will be changed. This check has always been the most reliable method to ensure that msg.sender is an EOA rather than a contract. Other methods, such as checking EXTCODESIZE (to check if it is a contract), often fail and can be bypassed (for example, by calling the constructor or deploying code at predefined addresses after the transaction). These checks are used to prevent reentrancy and flash loan attacks, but they are far from ideal as they also hinder integration with external protocols. After this EIP, even the reliable require(tx.origin == msg.sender) check seems to become obsolete. Protocols must adapt by removing these checks because the distinction between 'EOA' and 'contract' will no longer apply - now every address could have associated code.
The separation between traditional EOA and smart contracts continues to blur. This EIP brings Ethereum closer to designs like TON, where every account is essentially executable code. As interactions with protocols become increasingly complex, using programmable logic to improve the end-user experience is a natural progression.
Conclusion
The upgrade of Prague/Electra (Pectra) is scheduled for March 2025. Its most significant planned changes include:
As you can see, Pectra will have a significant impact on the staking and consensus layer, as well as the end user experience of the execution layer. Although we cannot detail all these changes through code at this stage, as development is still ongoing, we will cover these updates in future articles.