EVM Threat Models
Opcodes, precompiles & protocol-level attack surfaces
Per-opcode and per-precompile security analysis covering smart contract exploitation and infrastructure-relevant protocol threats. Use this page as a jump-off point: the EVM basics section explains execution context, the opcode table links to each threat note, and the precompile table covers every precompiled contract from Frontier through Pectra.
Quick start
Open EVM basics to understand which regions (code, stack, memory, storage, calldata) opcodes read and write, then click an opcode or precompile row below to open its threat note.
| File | Description |
|---|---|
| 0x00-STOP | Halt execution |
| 0x01-ADD | Addition modulo 2^256 |
| 0x02-MUL | Multiplication modulo 2^256 |
| 0x03-SUB | Subtraction modulo 2^256 |
| 0x04-DIV | Unsigned integer division |
| 0x05-SDIV | Signed integer division |
| 0x06-MOD | Unsigned modulus |
| 0x07-SMOD | Signed modulus |
| 0x08-ADDMOD | Addition modulo N |
| 0x09-MULMOD | Multiplication modulo N |
| 0x0A-EXP | Exponentiation modulo 2^256 |
| 0x0B-SIGNEXTEND | Sign-extend from (b+1) bytes to 32 bytes |
| 0x10-LT | Unsigned less-than |
| 0x11-GT | Unsigned greater-than |
| 0x12-SLT | Signed less-than |
| 0x13-SGT | Signed greater-than |
| 0x14-EQ | Equality |
| 0x15-ISZERO | Is zero |
| 0x16-AND | Bitwise AND |
| 0x17-OR | Bitwise OR |
| 0x18-XOR | Bitwise XOR |
| 0x19-NOT | Bitwise NOT |
| 0x1A-BYTE | Extract byte at position i |
| 0x1B-SHL | Shift left |
| 0x1C-SHR | Logical shift right |
| 0x1D-SAR | Arithmetic shift right |
| 0x20-KECCAK256 | Compute Keccak-256 hash |
| 0x30-ADDRESS | Address of executing contract |
| 0x31-BALANCE | Balance in wei (warm/cold access) |
| 0x32-ORIGIN | Transaction originator address |
| 0x33-CALLER | Direct caller address |
| 0x34-CALLVALUE | Value sent with call, in wei |
| 0x35-CALLDATALOAD | Read 32-byte word from calldata |
| 0x36-CALLDATASIZE | Calldata size in bytes |
| 0x37-CALLDATACOPY | Copy calldata to memory |
| 0x38-CODESIZE | Size of executing contract code |
| 0x39-CODECOPY | Copy contract code to memory |
| 0x3A-GASPRICE | Gas price of transaction |
| 0x3B-EXTCODESIZE | Size of external contract code |
| 0x3C-EXTCODECOPY | Copy external code to memory |
| 0x3D-RETURNDATASIZE | Size of last call’s return data |
| 0x3E-RETURNDATACOPY | Copy return data to memory |
| 0x3F-EXTCODEHASH | Keccak-256 of external code |
| 0x40-BLOCKHASH | Hash of a recent block (last 256) |
| 0x41-COINBASE | Current block proposer address |
| 0x42-TIMESTAMP | Current block timestamp |
| 0x43-NUMBER | Current block number |
| 0x44-PREVRANDAO | Randomness beacon (post-Merge) |
| 0x45-GASLIMIT | Current block gas limit |
| 0x46-CHAINID | Current chain ID (EIP-155) |
| 0x47-SELFBALANCE | Balance of executing contract |
| 0x48-BASEFEE | Base fee of current block (EIP-1559) |
| 0x49-BLOBHASH | Blob versioned hash (EIP-4844) |
| 0x4A-BLOBBASEFEE | Blob base fee (EIP-7516) |
| 0x50-POP | Remove top stack item |
| 0x51-MLOAD | Load word from memory |
| 0x52-MSTORE | Store word to memory |
| 0x53-MSTORE8 | Store single byte to memory |
| 0x54-SLOAD | Load word from storage |
| 0x55-SSTORE | Store word to storage |
| 0x56-JUMP | Set PC to dst (must be JUMPDEST) |
| 0x57-JUMPI | Conditional jump |
| 0x58-PC | Current program counter |
| 0x59-MSIZE | Size of active memory in bytes |
| 0x5A-GAS | Remaining gas |
| 0x5B-JUMPDEST | Mark valid jump destination |
| 0x5C-TLOAD | Load from transient storage (EIP-1153) |
| 0x5D-TSTORE | Store to transient storage (EIP-1153) |
| 0x5E-MCOPY | Copy memory area (EIP-5656) |
| 0x5F-PUSH0 | Push zero onto stack (EIP-3855) |
| 0x60-PUSH | Push 1–32 bytes from code onto stack |
| 0x80-DUP | Clone nth stack item to top |
| 0x90-SWAP | Swap top with (n+1)th stack item |
| 0xA0-LOG | Emit log with 0–4 topics |
| 0xF0-CREATE | Create new contract (addr from sender, nonce) |
| 0xF1-CALL | Call another contract |
| 0xF2-CALLCODE | Like DELEGATECALL but doesn’t propagate msg.sender/value |
| 0xF3-RETURN | Return data from memory (or deployed bytecode in CREATE) |
| 0xF4-DELEGATECALL | Call with caller’s context |
| 0xF5-CREATE2 | Create with deterministic address |
| 0xFA-STATICCALL | Read-only call (no state modification) |
| 0xFD-REVERT | Revert with return data, refund unused gas |
| 0xFE-INVALID | Designated invalid opcode; consumes all gas |
| 0xFF-SELFDESTRUCT | Mark contract for destruction, send ETH to addr |
Precompile Threat Models
| File | Gas | Description |
|---|---|---|
| 0x01-ECRECOVER | 3,000 | ECDSA public key recovery from signature |
| 0x02-SHA256 | 60 + 12/word | SHA-256 hash function |
| 0x03-RIPEMD160 | 600 + 120/word | RIPEMD-160 hash function |
| 0x04-IDENTITY | 15 + 3/word | Data copy (identity function) |
| 0x05-MODEXP | Complex (EIP-2565) | Modular exponentiation |
| 0x06-BN256ADD | 150 | alt_bn128 point addition |
| 0x07-BN256MUL | 6,000 | alt_bn128 scalar multiplication |
| 0x08-BN256PAIRING | 45,000 + 34,000/pair | alt_bn128 pairing check (zkSNARK verification) |
| 0x09-BLAKE2F | rounds × 1 | BLAKE2b compression function |
| 0x0A-POINT_EVALUATION | 50,000 | KZG point evaluation (EIP-4844 blobs) |
| 0x0B-BLS12_G1ADD | 375 | BLS12-381 G1 point addition |
| 0x0C-BLS12_G1MSM | Variable (discount table) | BLS12-381 G1 multi-scalar multiplication |
| 0x0D-BLS12_G2ADD | 600 | BLS12-381 G2 point addition |
| 0x0E-BLS12_G2MSM | Variable (discount table) | BLS12-381 G2 multi-scalar multiplication |
| 0x0F-BLS12_PAIRING_CHECK | 37,700 + 32,600/pair | BLS12-381 pairing check (BLS signature verification) |
| 0x10-BLS12_MAP_FP_TO_G1 | 5,500 | Map field element to G1 point |
| 0x11-BLS12_MAP_FP2_TO_G2 | 23,800 | Map Fp2 element to G2 point |
- EVM Reference & notes — Full opcode tables, gas costs, precompiled contracts, resources.