eth
eth is the public facade crate for a no_std-first Ethereum
execution-layer protocol workspace.
The crate is intentionally conservative at 0.23.0: it provides explicit
Ethereum primitive domains, bounded decode-budget policy, stable error
categories, primitive RLP bridge helpers, a caller-provided Keccak-256 boundary,
RLP fuzz-harness evidence, a transaction envelope shell, unvalidated legacy
transaction field decoding, unvalidated EIP-2930 access-list transaction field
decoding, unvalidated EIP-1559 dynamic-fee transaction field decoding,
unvalidated EIP-4844 blob transaction field decoding, no-allocation canonical
transaction envelope encoding for admitted decoded domains, explicit chain and
fork activation context, proof-gated transaction typestate transitions,
replay-domain validation for transaction chain binding, transaction
signing-hash helpers, decoded transaction signature validation helpers, RLP
derive design evidence, digest-level secp256k1 sender recovery, EIP-712
domain-safety checks, small first-party crate boundaries, optional sanitization
support, and release evidence before RPC, signer, EVM, Reth, or P2P
integrations become real dependencies.
Current Status
The current release candidate is 0.23.0; decoded transaction signature
validation is ready for pentest.
Implemented now:
no_stdfacade with small first-party support crates.- Ethereum domain newtypes for chain, block, gas, nonce, timestamp, address, hash, wei, and transaction type values.
- Constant-time equality composition for fixed-width hash and wei values.
- Bounded decode limits plus stateful cumulative allocation, item, and proof-node accounting.
- Canonical RLP scalar, list, and integer decoding plus no-allocation canonical encoding helpers.
- No-allocation primitive RLP encode and exact-decode helpers for chain, block, gas, nonce, timestamp, address, hash, and wei values.
- EIP-2718 transaction envelope shell classification for typed and legacy transaction bytes.
- Unvalidated legacy transaction field decoding for nonce, gas price, gas limit, to/create, value, input, and signature words.
- Unvalidated EIP-2930 access-list transaction field decoding, including bounded borrowed access-list entry and storage-key iteration.
- Unvalidated EIP-1559 dynamic-fee transaction field decoding for max priority fee, max fee, gas limit, destination/create, value, calldata, access list, and signature words.
- Unvalidated EIP-4844 blob transaction field decoding for blob fee, required call target, blob versioned hash list, calldata, access list, and signature words.
- No-allocation canonical transaction envelope encoding for admitted unvalidated legacy, EIP-2930, EIP-1559, and EIP-4844 transaction domains.
- Explicit caller-provided
ChainSpec,ForkSpec,Hardfork, andValidationContextAPIs for fork activation selection, including fail-closed checks for duplicate forks, wrong-chain entries, and non-monotonic fork or activation ordering. - Proof-gated transaction typestate transitions for decoded, canonical, fork-validated, and sender-recovered state tokens.
- Replay-domain validation for legacy EIP-155 and typed transaction chain IDs before sender recovery results are accepted.
- Canonical transaction signing-preimage encoding and signing-hash helpers for legacy EIP-155, EIP-2930, EIP-1559, and EIP-4844 decoded transaction domains.
- Digest-level secp256k1 sender recovery with low-s rejection, Ethereum y-parity policy, and caller-provided Keccak-256 public-key hashing.
- Decoded transaction signature validation helpers that combine replay-domain checks, signing hashes, low-s/y-parity policy, sender recovery, and optional expected-sender comparison.
- EIP-712 domain-safety checks for required
chainIdandverifyingContractfields, plus a domain-gated sender recovery helper. - RLP derive design and private derive-crate prototype tests for future
RlpEncode/RlpDecodesupport. - Caller-provided Keccak-256 trait boundary without a default hash implementation dependency.
- RLP fuzz harness with committed hex seed corpus and crash reproduction docs.
- Stable error codes, messages, categories, and formatting for codec, protocol, fork, feature, resource, and verification failures.
- Optional sanitization bridge and derive macros outside the default feature set.
- Release gates for formatting, clippy, tests, packaging, MSRV compatibility, dependency policy, audit, SBOM, and pentest evidence.
Not implemented yet:
- No RPC transport.
- No signer or local key storage.
- No EVM execution adapter.
- No Reth or P2P integration.
- No set-code typed transaction field parser yet; scheduled for
v0.24.0. - No full EIP-712 typed-data encoder yet; scheduled for
v0.26.0. - No block parser yet.
- No ABI/contract helper surface yet; scheduled for
v0.47.0throughv0.55.0. - No consensus/Engine API support yet; scheduled for
v0.56.0throughv0.62.0. - No P2P, txpool, sync, mining, builder, or validator-adjacent boundary yet;
scheduled for
v0.63.0throughv0.69.0.
Trust Dashboard
| Area | Status |
|---|---|
| License | MIT OR Apache-2.0 |
| MSRV | Rust 1.90.0 |
| Latest verified stable | Rust 1.96.1 |
| Default target | no_std |
| Default features | protocol-core only |
| Default networking/signing | none |
| Unsafe policy | first-party crates use #![forbid(unsafe_code)] |
| Release evidence | local gates, cargo-deny, cargo-audit, SBOM, pentest report |
| Formal verification | Kani harness planned for v0.71.0 as extra assurance |
| Crate versions | tracked in the version matrix |
Install
[]
= "0.23"
Disable defaults explicitly for embedded or freestanding builds:
[]
= { = "0.23", = false }
Optional sanitization support:
[]
= { = "0.23", = ["sanitization"] }
Features
| Feature | Default | Purpose |
|---|---|---|
std |
no | Enables std support in admitted core crates. |
evm |
no | Future explicit EVM adapter boundary. |
rpc |
no | Future explicit RPC trust-policy boundary. |
sanitization |
no | Re-exports optional secret sanitization bridge APIs. |
signer |
no | Future signer isolation boundary. |
reth |
no | Future Reth integration boundary. |
testkit |
no | Test fixtures, conformance helpers, and adversarial inputs. |
Default builds do not enable networking, signing, local key storage, Reth, P2P, or EVM execution.
Primitive Domains
Use explicit Ethereum domains instead of unqualified integers and byte arrays:
use ;
let chain = new;
let block = new;
let gas = new;
let nonce = new;
let address = from;
let hash = B256from;
let value = from_u128;
let tx_type = try_new_typed;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
Legacy transactions are not typed EIP-2718 envelopes. Use
TransactionType::LEGACY for APIs that need a legacy domain value, and
try_new_typed for type bytes that will be encoded as typed envelopes.
Primitive domains bridge directly to the bounded codec without allocation:
use DecodeLimits;
use ;
let limits = DecodeLimits ;
let chain = new;
let mut encoded_chain = ;
let written = chain.encode_rlp?;
assert_eq!;
assert_eq!;
let value = from_u128;
let mut encoded_value = ;
let written = value.encode_rlp?;
assert_eq!;
assert_eq!;
let address = from;
let mut encoded_address = ;
let written = address.encode_rlp?;
assert_eq!;
assert_eq!;
# Ok::
Transaction Decode
Transaction decoders return explicitly unvalidated borrowed field models. They classify and bound wire data, but do not validate signatures from the full transaction, check account state, or prove fork validity:
use DecodeLimits;
use ;
use ;
let dynamic_fee_tx = ;
let limits = DecodeLimits ;
let tx = decode_dynamic_fee_transaction?;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
let mut encoded = ;
let written = encode_dynamic_fee_transaction?;
assert_eq!;
# Ok::
Replay Domain Checks
Replay-domain helpers reject wrong-chain transactions before sender recovery results are trusted:
use DecodeLimits;
use ChainId;
use decode_dynamic_fee_transaction;
use ;
let dynamic_fee_tx = ;
let limits = DecodeLimits ;
let tx = decode_dynamic_fee_transaction?;
require_dynamic_fee_replay_domain?;
assert_eq!;
# Ok::
Transaction Signing Hashes
Decoded transaction domains can be converted into canonical signing hashes without admitting a default hash backend:
use Keccak256;
use B256;
use decode_dynamic_fee_transaction;
use dynamic_fee_transaction_signing_hash;
use DecodeLimits;
let dynamic_fee_tx = ;
let limits = DecodeLimits ;
let tx = decode_dynamic_fee_transaction?;
let mut scratch = ;
let signing_hash = dynamic_fee_transaction_signing_hash?;
assert_eq!;
# Ok::
The example hasher is illustrative only. Production hashers must compute
Ethereum Keccak-256. For full decoded transaction signature validation, use
validate_transaction_signature or the type-specific validation helpers so
replay-domain checks, signing-hash construction, low-s/y-parity policy, sender
recovery, and optional expected-sender comparison are applied together. Callers
that reuse the scratch buffer across multiple in-flight transactions should
zero it after hashing before reusing or releasing it.
EIP-712 Domain Safety
EIP-712 signing paths should check the structured-data domain before any signature result is trusted:
use ;
use ;
let expected_chain = new;
let expected_contract = from;
let domain = complete;
require_eip712_domain?;
assert_eq!;
let domain_separator = B256from;
let message_hash = B256from;
let _digest = eip712_signing_digest;
#
#
# Ok::
This is not a full EIP-712 encoder. Callers still compute the domain separator
and hashStruct(message) with a conformant typed-data encoder.
Sender Recovery
Sender recovery operates on an already constructed Ethereum signing digest. Transaction callers should prefer the signing-hash helpers above over hand-built transaction digests, then recover the sender with an admitted Keccak-256 backend:
use Keccak256;
use B256;
use SignatureYParity;
use ;
let digest = B256from;
let signature = from_parts;
let _result = recover_sender_from_digest;
The recovery layer rejects malformed scalar values, high-s signatures, and
non-Ethereum recovery IDs. The example hasher above is illustrative only and
does not compute a real digest. Production hashers must implement Ethereum
Keccak-256, not FIPS SHA3-256, and should be checked with
eth::hash::verify_empty_digest_with before being wired into
recover_sender_from_digest. A wrong backend produces a wrong sender address
silently; there is no runtime cross-check. A successful recovered address is
still not a full transaction-validity proof.
Constant-Time Composition
B256::ct_eq and Wei::ct_eq return subtle::Choice so compound checks can
use & and | without short-circuiting:
use B256;
let block_hash = B256from;
let expected_block_hash = B256from;
let receipts_root = B256from;
let expected_receipts_root = B256from;
let valid = block_hash.ct_eq
& receipts_root.ct_eq;
assert!;
Convert Choice to bool only at the final trust boundary.
Keccak Boundary
eth defines a no_std Keccak-256 trait boundary and intentionally does not
ship a default hashing backend yet:
use ;
use B256;
let digest = hash_one;
assert_eq!;
Implementations must compute Ethereum Keccak-256, not FIPS SHA3-256. See the Keccak boundary document for the dependency decision and future backend admission checklist.
Stable Errors
Error values expose stable codes, messages, and categories. They do not carry input bytes, keys, signatures, or other secret-bearing payloads:
use ;
let error = AllocationExceeded;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
Decode Budgets
Every future untrusted decoder is required to use explicit limits. Use
DecodeAccumulator when more than one allocation can occur:
use ;
let limits = DecodeLimits ;
assert_eq!;
let mut budget = limits.accumulator;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
RLP Codec
The RLP codec admits canonical byte-string scalars, lists, and Ethereum integers with exact consumption. Decoders require explicit limits; encoders are buffer-based and do not allocate:
use ;
let limits = DecodeLimits ;
let scalar = decode_rlp_scalar?;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
let mut encoded = ;
let written = encode_decoded_scalar?;
assert_eq!;
assert_eq!;
assert_eq!;
assert!;
let list = decode_rlp_list?;
assert_eq!;
assert_eq!;
let mut items = list.items;
let first = items.next.transpose?.and_then;
let second = items.next.transpose?.and_then;
assert!;
assert!;
let mut scalar_output = ;
assert_eq!;
assert_eq!;
let list_payload = ;
let mut list_output = ;
assert_eq!;
assert_eq!;
# Ok::
The RLP parser surface has cargo-fuzz targets and committed seed fixtures. See the fuzzing guide for seed materialization, target scope, and crash reproduction.
Transaction Envelopes
The protocol crate can classify the outer transaction envelope without decoding or validating transaction fields:
use DecodeLimits;
use ;
let limits = DecodeLimits ;
let envelope = decode_transaction_envelope?;
assert!;
if let Typed = envelope
# Ok::
Typed payloads can be classified first, then decoded with the matching transaction decoder. Legacy transactions can also be decoded into an explicitly unvalidated field model:
use DecodeLimits;
use ;
let limits = DecodeLimits ;
let raw = ;
let tx = decode_legacy_transaction?;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
assert_eq!;
# Ok::
The decoded value is not chain-valid, signature-valid, sender-recovered, or
fork-valid. It is only a bounded, canonical field parse. Use
eip155_chain_id instead of subtracting directly from the raw v signature
word; reserved ChainId(0) maps to None.
Optional Sanitization
The main facade stays small by default. Applications that handle local secret material can opt into the sanitization bridge:
use ;
let mut key = from_array;
key.secure_sanitize;
assert!;
For derive macros, depend on the support crate directly:
[]
= { = "0.7", = ["derive"] }
RLP encode/decode derives are not public yet. The current design is documented
in the workspace docs/rlp-derive-design.md.
Support Crates
Most users should depend on eth. The eth-valkyoth-* crates are published so
the workspace can keep small, auditable boundaries:
| Crate | Default | Purpose |
|---|---|---|
eth-valkyoth-primitives |
yes | Chain, block, gas, nonce, address, hash, wei, and transaction type domains. |
eth-valkyoth-codec |
yes | Bounded exact-consumption wire codec policy. |
eth-valkyoth-hash |
yes | Keccak-256 trait boundary for caller-provided hash implementations. |
eth-valkyoth-protocol |
yes | Fork-aware validation states and protocol context. |
eth-valkyoth-verify |
yes | Verification boundaries for signatures, proofs, replay domains, and EIP-712 domain checks. |
eth-valkyoth-sanitization |
no | Optional bridge to the sanitization crate. |
eth-valkyoth-derive |
no | Optional sanitization derive macros. |
eth-valkyoth-evm |
no | Future EVM adapter boundary. |
eth-valkyoth-rpc |
no | Future RPC trust-policy boundary. |
eth-valkyoth-signer |
no | Future signer isolation boundary. |
eth-valkyoth-reth |
no | Future Reth integration boundary. |
eth-valkyoth-testkit |
no | Future fixtures and conformance helpers. |
Rust Version Support
The minimum supported Rust version is Rust 1.90.0. New deployments should use
the latest stable Rust verified by the release gates.
Compatibility evidence for 0.23.0:
| Rust | Local Evidence |
|---|---|
1.90.0 |
cargo check --workspace --all-features |
1.91.0 |
cargo check --workspace --all-features |
1.92.0 |
cargo check --workspace --all-features |
1.93.0 |
cargo check --workspace --all-features |
1.94.0 |
cargo check --workspace --all-features |
1.95.0 |
cargo check --workspace --all-features |
1.96.0 |
cargo check --workspace --all-features |
1.96.1 |
full release gate |
License
Licensed under either of Apache License, Version 2.0 or MIT license at your option.