CCC: Cryptocurrency Course slide set

## [![btc logo](../slides/images/logos/btc-coin-symbol.svg)](https://coinmarketcap.com/currencies/bitcoin/) Bitcoin
- Created in 2009
- Bitcoin script is not Turing-complete
- Really only for transactions
  - Tokens possible, but difficult
  - More complicated TXNs are not enforceable

## History

- Vitalik Buterin in 2013: Bitcoin can do so  much more!
- Bitcoin devs: meh
- Vitalik: Fine. I'll do it myself
- Vitalik then created Ethereum (at age 20)
  - Now a multi-billionaire

## Definitions
- [![eth logo](../slides/images/logos/eth-coin-symbol.svg)](https://coinmarketcap.com/currencies/ethereum/) *Ethereum* is the system / blockchain / network
- *Ether* or *Eth* (symbol: ETH) is the currency <br clear='all'>
- A *smart contract* is a program on the Etherem blockchain
  - Analogous to a Bitcoin script on the Bitcoin blockchain
- *Solidity* is one (of many) programming languages that compiles to Ethereum bytecode
  - Others: Serpent (Python-like), Vyper (Python-like), Bamboo (Erlang-like), etc.

## ETH
- The currency of Ethereum
- Current value: see [here](https://coinmarketcap.com/currencies/ethereum/)
- A *wei* is $1/10^{18}$ ETH
  - Amounts on the blockchain are speified as an integer number of wei
- A *gwei* (giga-wei) is $1/10^9$ ETH
  - If 1 ETH is worth `$`1,250, then 1 gwei is worth `$`0.00000125
  - Or 800,000 gwei to the dollar
- TXN fees are typically reported in gwei

## ETH part synonyms ([ref](https://www.languagesandnumbers.com/articles/en/ethereum-ether-units/))
| Int'l system | Usual name | Effigy |
|------------|--------|---------|
| $10^{-18}$ : attoether | wei | Wei Dai |
| $10^{-15}$ : femtoether | kwei, ada | Ada Lovelace |
| $10^{-12}$ : picoether | mwei, babbage | Charles Babbage |
| $10^{-9}$ : nanoether | gwei, shannon | Claude Shannon |
| $10^{-6}$ : microether | szabo, micro | Nick Szabo |
| $10^{-3}$ : milliether | finney, milli | Harold Finney |
| $1$: ether | ether | |
| $10^{3}$: kiloether | kether, grand, einstein | Albert Einstein |
| $10^{6}$: megaether | mether | |
| $10^{9}$: gigaether | gether | |
| $10^{12}$: teraether | tether | |

## Change of Perception
- Think of the Ethereum blockchain as an append-only database...
  - ...of current accounts, programs, and tokens (NFTs)
- We can easily (if slowly) search the blockchain for anything
  - With proper indexing (hash tables!), we can do that in almost constant time
- Blockchains store *all* iterations of a thing (account balances, etc.)
  - Our index only needs to store the most recent version
  - And doesn't need to store spent txn outputs

## Blockchain data
- Some items are on the blockchain itself
  - A smart contract, a TXN for an account, etc.
- Others can be inferred or computed from the blockchain
  - The current balance of an account or a contract
  - These are the current *state*, and not stored directly on the blockchain
  - The Ethereum Virtual Machine (EVM) keeps track of these, so it's called the *EVM state*
- Yet others can be determined by "rewinding" the blockchain to a previous point in time
  - How much balance an account had after a given block
  - The result of a specific function call

## Tokens
- A token is a "thing" on the blockchain that represents an asset
  - Perhaps a physical asset, like a deed for a car
     - (the legal basis for this is unclear, at best)
  - Perhaps a digital asset, like ownership of an image
  - Perhaps a blockchain asset, like another cryptocurrency
- Ethereum implements them as smart contracts
- Other cryptocurrencies natively support them (Ravencoin)
- This is a whole [separate lecture](tokens.html#/), coming soon...

## Account addresses
- Keypairs use 256-bit ECDSA (with secp256k1)
  - Hashing algorithm is SHA3 (aka Keccak-256)
- Given a 256-bit ECDSA (secp256k1) public/private key pair...
  - Take the SHA3 (aka Keccak-256) hash of the public key
  - Take the last 20 bytes (160 bits) / 40 digits
  - Render that in hexadecimal, and prefix with '0x'
- Example: 0xb794f5ea0ba39494ce839613fffba74279579268
- Notably, this address does NOT change per transaction like in Bitcoin!
- This is called an "owned" address
  - ... because a person owns it

## Address checksum
- Equivalent addresses:
  - `0x858d8f4cf6e8de4e8eba54d853c7d36015e1f36c`
  - `0x858d8F4cF6e8dE4e8Eba54D853C7D36015e1f36C`
- Remix, the Solidity compiler, will insist on the checksummed form
- Ethereum's 15 bit (on average) checksum is less than Bitcoin's 32 bits
  - A mis-typed address will be missed in $1/(2^{15}) = 0.3$% of cases
  - Bitcoin: missed in $1/(2^{32}) = 0.00000002$% of cases
- Algorithm: if the $i^{th}$ digit is a letter:
  - Print it in uppercase if the $4 \ast i^{th}$ bit of the hash of the lowercase hexadecimal address is 1
  - Otherwise print it in lowercase

## Checksum implementation
JavaScript implementation from [EIP-55](https://eips.ethereum.org/EIPS/eip-55):
```
function toChecksumAddress (address) {
  address = address.toLowerCase().replace('0x', '')
  var hash = createKeccakHash('keccak256').
                      update(address).digest('hex')
  var ret = '0x'

for (var i = 0; i < address.length; i++) {
    if (parseInt(hash[i], 16) >= 8) {
      ret += address[i].toUpperCase()
    } else {
      ret += address[i]
    }
  }

return ret
}
```

## How to checksum
- Some things may require a checksummed address
  - Solidity does, in some cases
  - Also some aspects of web3.py
- Ways to checksum:
  - Use https://ethsum.netlify.app
    - Try it with 0x858d8f4cf6e8de4e8eba54d853c7d36015e1f36c
  - Solidity will warn you and suggest the checksummed address
    - Just copy-and-paste that into your code
  - Web3.py has a function for this: `toChecksumAddress()`
    - We'll see this later

## Account Nonce
- The *account nonce* is an incrementing counter associated with each account
  - Starts at 0
  - *Each* transaction uses the nonce and *then* increments it
- This is NOT stored in the account address
  - But it is inferred (computed) from the blockchain
  - With proper indexing, finding it is almost $\Theta(1)$
    - (Assuming that a hash table lookup is almost $\Theta(1)$)
- There is also a (separate) nonce in the block header, like in Bitcoin

## Contract addresses
- Some transactions put a smart contract (program) onto the blockchain
  - Those programs need a *contract address* to be called
- To generate the contract address:
  - Take the (binary) account address of who is executing this transaction
    - That could be an owned address or a contract address
  - Append the nonce (in binary) to that
  - Take the SHA3 (aka Keccak-256) hash of that
  - Take the last 20 bytes (160 bits)
  - Render that in hexadecimal, and prefix with '0x'
- With proper indexing, finding a contract by address is fast

## Byte code
- Take Bitcoin Script, and add just one opcode: JUMP
  - Conditional jumps via OP_IF statements
- Suddenly it's Turing-complete (most likely)
- Ethereum adds a bunch more
  - Conditional jumps, subroutine call and return, etc.
    - But really only JUMP is needed for Turing-completeness
  - See the full list [here](https://ethereum.org/en/developers/docs/evm/opcodes/)
    - Better link: [here](https://github.com/wolflo/evm-opcodes)

## Solidity
- One (of many) programming languages used for Ethereum
- A Turing-complete programming language
  - It has loops!  Recursion!  Function calls!
  - And is object-oriented
    - It has inheritance!  Visibilities!
- A Solidity program is called a "smart contract"
- Each transaction (and program call) is evaluated on every one of the Ethereum Virtual Machines (EVMs)
  - And there are a [lot of them](https://ethernodes.org/)
- But how to prevent an infinite loop in a smart contract?
  - Bitcoin, which doesn't have loops, paid TXN fees based on transaction byte size

## Gas
- Each TXN has a maximum number of "computational steps" the smart contract is allowed to execute
  - Gas price: how much to pay, in ETH, per computational step
  - Gas limit (aka *start gas*): the maximum amount of gas to pay
- If your smart contract exceeds the number of gas steps you have paid for, the smart contract is not executed
  - And you lose all your gas fees!  [Here](https://ethplorer.io/tx/0x70fc74551a132a301e5b4a6c1c6dbbfe23d4a6479501b60c6468cd2f6ba0cf3b) is such a TXN
- You can see a [graph of historical gas prices](https://ycharts.com/indicators/ethereum_average_gas_price)
- Current block limit: see [here](https://etherscan.io/blocks) (in the "Gas Limit" column)

## Gas example
- Assume that you agree to pay 200 gwei per gas unit
  - This is your gas price: $200 * 10^{-9}$ ETH
- And you agree to pay for $g$ gas units, say $g=21,000$
  - This is your *startgas*
- Example to evaluate the transaction:
  - Buy $g$ gas at 200 gwei; total of 200 * 21,000 gwei = 0.0042 ETH
  - As the script executes, it deducts gas from the 21,000 amount
  - At the end of execution, any extra gas is refunded
- Formally:
  - Let $p$ be the gas price (200 gwei), $g$ be startgas (21k)
  - Let $u$ be the gas actually used: $u \le g$
  - The maximum transaction fee you are willing to pay is $g \ast p$
  - The actual transaction fee is $u \ast p \le g \ast p$

## Gas examples
- A simple TXN might use 21,000 gas (the typical amount)
    - [This one](https://ethplorer.io/tx/0xf42fde83749cd2aa91d4d436a959a8b9e151bf7d87b716aa5b51bde43c557ea3), for example
      - Gas price was about 100 gwei (actually 105.702 gwei) for that txn
    - Total gas used was 21,000
    - Total fee was thus 21,000 gas steps $\ast$ 105.702 gwei/step = 0.002219732760483 ETH
    - At $3,045.41 per ETH (at the time)...
      - That was $6.76 for the TXN
- A complex TXN could use 1 million gas (~$322 at that price)
- See the [average ETH TXN fees](https://messari.io/asset/ethereum/chart/txn-fee-avg)
  - That includes more complex TXNs!
- Also see the [average gas costs](https://ethgas.watch/)
  - And [how much to pay for txn speed](https://etherscan.io/gastracker)

## Exact gas costs
- Solidity is compiled down into bytecode
- Each bytecode opcode costs a different amount of gas
  - 2-10 gas for simple instructions, but up to 1,000 gas for complex instructions (such as hashes)
  - See the (older) table [here](https://github.com/djrtwo/evm-opcode-gas-costs/blob/master/opcode-gas-costs_EIP-150_revision-1e18248_2017-04-12.csv)
  - The exact gas costs are determined from formulas in the [Ethereum yellow paper](https://ethereum.github.io/yellowpaper/paper.pdf)
- The Ethereum Virtual Machine (EVM) will keep computing until it runs out of gas

## Exact gas costs
- The "standard" transaction fee is a startgas of 21,000
  - This is for a typical transfer of ETH
    - No computational code computed
    - This "standard" is as of August 2021 (London upgrade)
  - Nothing is refunded, even if you use less gas!
  - You can offer less startgas, but miners probably will not include it in their blocks
- Consider the current gas costs [here](https://ethgas.watch/)

## Why so high for gas?
- Supply and demand
- Ethereum has a fixed block rate (12-15 seconds)
  - Some transactions are quite large due to the large compiled contracts therein
- But everybody wants to use it, and it can't process the transactons fast enough

## Why pay high gas fees?
- Miners will only choose the most profitable TXNs
  - There are always more TXNs to mine than can fit in a block
- If you pay to little for the gas, the miners will pass it by
- See the [average gas price](https://etherscan.io/chart/gasprice) over time
- You can add a "tip" to incentivize miners to include your block faster
- See [different gas fee times](https://etherscan.io/gastracker)
  - 200 gwei for gas @ 3k USD / ETH for 21k gas is $12.60
  - It turns out fee computation is more complex...

## Ethereum 2.0
- In September 2022 Ethereum changed over from proof-of-work (PoW) to proof-of-stake (PoS)
- Partly to increase scalability, partly to decrease transaction fees
- It's still a bit early to see how well that worked
  - TXN fees have not really gone down as much as was hoped
  - Although it will probably be successful
- Current gas prices seem to be stabilizing around 14 gwei
  - If Ethereum costs `$`1,500, then a "standard" transaction (21k gas) costs about `$`0.45
  - A large contract deployment (1M gas) costs about `$`20

## Messages
- We have two known types of transactions so far:
  - Transfer of ether from one account to another
  - Deployment of a smart contract
- A message is another type of transaction
  - It's invoking a smart contract's method(s)
- It also consumes gas!
  - That gas is consumed by the original call, regardless of any other sub-calls or recursive calls
- You call contract A with 1,000 startgas
  - That call uses 600 gas
  - Contract A calls contract B, which uses 300 gas
  - You only get 100 gas back

## Transaction fields
![](images/ethereum/graphs/ethereum.dot.1.svg)
- Nonce: the overall TXN number for the account
- gasPrice & gasLimit: how much gas
- to: the recipient account address
- value: how much ETH (in wei)
- v, r, s: ECDSA fields: $(r,s)$ is the signature and $v$ specifies how the tuple $(r,s)$ is encoded
- init or data: empty if just ETH xfer
  - If a smart contract deployment: init is the smart contract hex code
  - If a smart contract function call: data has the code to make the call

## Evaluating a TXN
1. Is TXN well-formed and valid?  If not, error.
2. Fee starts at *start_gas* $\ast$ *gas_price*
    - Determine sending address from the signature
    - Subtract fee from sending account; if not enough, error
3. set *gas* = *start_gas*, and subtract for each step
4. Transfer TXN value from sender to receiver
    - If receiver is a contract, execute that code (using gas)
5. Not enough gas to execute? Revert back to start, but keep the fees
6. Else refund unspent gas to sender, send gas consumed to miner

## Ethereum TXNs
- See them at [ethplorer.io](https://ethplorer.io/last) or [etherscan.io](https://etherscan.io/)
- [TXN calling a smart contract](https://ethplorer.io/tx/0x1dd8887f7c4283f17ae5d5490f6a0e26302e8e1908cb0a9b59fe709ff54ad850)
- [Issuing a WETH token](https://ethplorer.io/tx/0x56752aba0ed7e68265576a5205c9228eba926d0d339f83b517d3b520f6d8498d)
- [Contract for SHIB](https://ethplorer.io/address/0x95ad61b0a150d79219dcf64e1e6cc01f0b64c4ce#chart=candlestick)
- [ETH trasnfer from 2miners](https://ethplorer.io/tx/0xf42fde83749cd2aa91d4d436a959a8b9e151bf7d87b716aa5b51bde43c557ea3)

## London upgrade: Gas fees
- Before the London upgrade (August 5, 2021), gas fees were computed as described
- Since London...
    - There is a [base fee](https://ethereum.org/en/developers/docs/gas/#base-fee) -- a minimum amount to pay (21k)
    - You can add a [priority fee](https://ethereum.org/en/developers/docs/gas/#priority-fee) to incentivize miners to mine your TXN
- This was when Ethereum was proof-of work
  - The real Ethereum network is now proof-of-stake
  - But the fees are still the same
- On our course blockchain, gas cost is set at 1 gwei
  - Much less than the real Ethereum!

## Recall: Merkle Trees

![](images/bitcoin/Hash_Tree.svg)

## Overview
- From the Ethereum white paper: a Patricia tree includes

> a modification to the Merkle tree concept that allows for
nodes to be inserted and deleted, and not just changed, efficiently.

## Trie
A *trie* is a $k$-ary prefix tree that holds (usually) strings
[![](images/ethereum/trees/Trie_example.svg)](https://en.wikipedia.org/wiki/Trie#/media/File:Trie_example.svg)

## Tries
[![](images/ethereum/trees/Trie_example.svg)](https://en.wikipedia.org/wiki/Trie#/media/File:Trie_example.svg)
- The key is the characters on the transitions between nodes
  - The values in the nodes just show the values via the path so far
- The value is the number by each node
  - Some internal nodes may not have an associated value!
- Any node has a common prefix -- the path to the root
- Reference: Wikipedia's article on [Tries](https://en.wikipedia.org/wiki/Trie)

## Radix Tree
A space-optimized Trie

- Any paths that can be combined, are
- Reference: Wikipedia's article on [Radix Trees](https://en.wikipedia.org/wiki/Radix_tree)

## Binary Trie
- Like a regular Trie, but any node can have at most 2 children
  - Left child is a 0 bit, right child is a 1 bit
- Used to store binary values (hashes, etc.)
  - Not great for dictionaries of ASCII characters
- We can store hashes of the nodes / children to make it like a Merkle tree

## Example Binary Trie
[![](images/ethereum/tries/tries.dot.1.svg)](images/ethereum/tries/tries.dot.1.svg)
- We store the hex digits 3, 7, e, and f
- The bit transitions are on the edges
- In each node:
  - The path so far is in curly brackets (not actually stored in the node)
  - `h(L+R)` means hash of left child and right child
    - Or hash of the concatenation if only one child
  - The leaves show the hex values

## Insert into a Binary Trie
[![](images/ethereum/tries/tries.dot.2.svg)](images/ethereum/tries/tries.dot.2.svg)
- Insertion of hex value b (1011) into the tree
- Notice that we had to add 3 nodes

## Insert into a Binary Radix Tree
- What about the compact (radix) form of the trie?
[![](images/ethereum/tries/tries.dot.3.svg)](images/ethereum/tries/tries.dot.3.svg)

## Insert into a Binary Radix Tree
- Insert hex b (1011) into the tree; still have to add 2 nodes
[![](images/ethereum/tries/tries.dot.4.svg)](images/ethereum/tries/tries.dot.4.svg)

## PATRICIA Trees
- Reference: [this wiki page](https://eth.wiki/fundamentals/patricia-tree) and the [Ethereum yellow paper](https://ethereum.github.io/yellowpaper/paper.pdf)
- PATRICIA stands for Practical Algorithm To Retrieve Information Coded In Alphanumeric ([original paper](http://dl.acm.org/citation.cfm?id=321481))
- Design goals:
  - Any insert of a value creates exactly one new node
  - Storage is compact as possible
- Has 3 types of nodes: extension node, branch node, and leaf node
- The image on the next slide is from [this stackoverflow post](https://ethereum.stackexchange.com/questions/6415/eli5-how-does-a-merkle-patricia-trie-tree-work), and [released under a CC BY-SA license](https://stackoverflow.com/help/licensing)

[![](images/ethereum/patricia.webp)](images/ethereum/patricia.webp)