Chapter 0x8: Writing Secure Yul Code and Deploying Yul Smart Contracts

Writing Secure Yul Code : If you’re diving into the world of Ethereum development, you might have heard about Yul—a low-level, intermediate language designed to write efficient and optimized smart contracts. While Solidity is the go-to language for most developers, Yul offers unparalleled control over Ethereum Virtual Machine (EVM) bytecode. In this guide, we’ll explore everything you need to know about writing secure Yul code, deploying Yul contracts, and creating a smart contract entirely in Yul.

Why Yul?

Before jumping into the specifics, let’s address the question: why use Yul? Yul is often used in cases where developers need maximum efficiency or want to optimize the gas consumption of their smart contracts. It’s particularly useful for:

• Writing assembly-like code while maintaining some structure.
• Optimizing performance-critical parts of a contract.
• Learning the inner workings of the EVM.

However, with great power comes great responsibility. Writing secure Yul code requires a deep understanding of EVM and careful attention to detail.

Writing Secure Yul Code

Understand the Basics of Yul

Yul is an intermediate language designed for the EVM. It is supported by the Solidity compiler and allows you to write low-level code. Some of the fundamental concepts of Yul include:

• Variables and Control Flow: Yul uses let, if, switch, and loops (for and while).
• Function Definitions: Functions are defined with the function keyword and must be explicitly called.
• Operations: Arithmetic, logical, and bitwise operations are all supported.

For example:

function add(x, y) -> result {
    result := add(x, y)
}

Avoid The Common Mistakes

While Yul is powerful, it’s easy to make mistakes that compromise the security or efficiency of your contract. Here are some best practices:

• Validate Inputs: Always check input values to prevent underflows, overflows, or invalid states. For example, you can validate function arguments at the beginning of each function.
• Use Static Analysis Tools: Tools like Mythril and Slither can identify vulnerabilities in your Yul code. These tools provide insights into potential bugs and inefficiencies.
• Minimize External Calls: External calls can introduce reentrancy vulnerabilities. Use internal calls or ensure proper locking mechanisms.
• Optimize Gas Usage: While Yul is designed for optimization, ensure you’re using the most efficient operations. For example, use addmod and mulmod for arithmetic operations to save gas.

Implement Security Best Practices

• Access Control: Implement robust access control mechanisms to restrict unauthorized actions. You can achieve this by checking the caller’s address in critical functions.
• Safe Arithmetic: Use built-in EVM functions like addmod and mulmod for modular arithmetic to avoid overflows and underflows.
• Avoid Hardcoding: Use dynamic storage or calldata wherever possible. Hardcoding can make your contract brittle and less flexible.
• Test Edge Cases: Always test for edge cases, such as extreme input values or scenarios that might trigger unusual behavior.

Writing and Deploying Yul Smart Contracts

Structuring a Yul Contract

A typical Yul contract includes:

1. Data Section: Define constants or variables. For example, initialize key variables or storage slots.
2. Code Section: Main logic, including functions. This section contains the core logic of the contract.
3. Deployment Script: Handles initialization and storage setup. This script ensures the contract is deployed correctly.

Here’s an example of a basic Yul contract:

{
    function main() -> result {
        let x := 10
        let y := 20
        result := add(x, y)
    }
}

Deployment Workflow

To deploy a Yul contract:

1. Write the Contract: Use a text editor or IDE like Remix. Write the Yul code with proper formatting and comments for clarity.
2. Compile to Bytecode: Use the Solidity compiler to generate EVM-compatible bytecode. Compilation is necessary as Yul code is not directly deployable.
3. Deploy the Contract: Deploy using tools like Hardhat, Foundry, or Remix. These tools simplify the deployment process.

Creating a Smart Contract in Yul

Creating a complete smart contract in Yul requires a deployment script.

Let’s look at a detailed example:

{
    function constructor() {
        sstore(0x0, caller()) // Store deployer's address
    }

    function setValue(slot, value) {
        sstore(slot, value)
    }

    function getValue(slot) -> value {
        value := sload(slot)
    }
}

Features:

• Constructor: Initializes the contract by storing the deployer’s address in a storage slot. This can be extended to set up other initial values.
• Set and Get Functions: Interact with storage slots efficiently. These functions demonstrate direct interaction with storage, a common pattern in Yul contracts.

Security Enhancements

1. Restrict Access: Add checks to ensure only the owner can call sensitive functions.
2. Validate Inputs: Ensure that slot and value parameters are within expected ranges.

Compiling Yul to EVM Bytecode Using the Solidity Compiler

The Solidity compiler (Solc) is the primary tool for compiling Yul code. Here’s how you can do it:

1. Install Solc:

npm install -g solc

2. Compile Yul Code: Save your Yul code in a file (e.g., contract.yul) and compile it:

solc --strict-assembly contract.yul

3. Retrieve Bytecode: The compiler will output the EVM bytecode, which you can deploy to the blockchain.

Optimizations

Solc provides optimization flags to reduce gas usage. Use the --optimize flag for best results:

solc --strict-assembly --optimize contract.yul

Optimization helps reduce deployment costs and improves runtime efficiency.

Deploying the Contract Using Remix, Hardhat, or Foundry

Deploying with Remix

Remix is a browser-based IDE for Ethereum development. It provides a user-friendly interface for compiling and deploying contracts.

Steps:

1. Open Remix and create a new file with your Yul code.
2. Compile the code using the Remix Solidity compiler. Ensure there are no syntax errors.
3. Deploy the contract using the “Deploy & Run” tab. Configure the deployment settings such as gas limit and network.

Deploying with Hardhat

Hardhat is a developer environment for Ethereum smart contracts. It supports custom scripts for deploying Yul contracts.

Steps:

1. Install Hardhat:

npm install --save-dev hardhat

2. Add your Yul contract to the project directory.

3. Use a deployment script to deploy the bytecode:

const { ethers } = require("hardhat");

async function main() {
    const bytecode = "<your-bytecode>";
    const factory = new ethers.ContractFactory([], bytecode, ethers.provider.getSigner());
    const contract = await factory.deploy();
    console.log("Contract deployed at:", contract.address);
}

main();

Deploying with Foundry

Foundry is a fast, portable, and modular toolkit for Ethereum development. It’s ideal for developers working with low-level contracts.

Steps:

1. Install Foundry:

curl -L https://foundry.paradigm.xyz | bash

2. Compile the Yul contract:

forge build

3. Deploy the contract:

forge create --bytecode contract.bin

Debugging Yul Code

Debugging low-level code can be challenging. Use tools like:

• Remix Debugger: Step through transactions to identify issues.
• Hardhat Debugging Tools: Analyze errors and stack traces.
• EVM Traces: Enable detailed execution traces to understand execution flow.

Testing Yul Contracts

Always test your contracts rigorously:

• Write unit tests in Solidity and call the Yul functions.
• Use Foundry’s forge test for advanced testing scenarios. Write detailed test cases covering all edge cases.

Optimizing Gas Efficiency

• Use mstore and mload for efficient memory operations. Minimize memory usage where possible.
• Reduce storage writes. Since storage operations are gas-intensive, consider batching writes or using memory.
• Utilize loops and conditional branching judiciously. Optimize the loop conditions to minimize unnecessary iterations.

Conclusion

Writing and deploying Yul contracts can seem daunting at first, but with a solid understanding of the language and the right tools, it becomes an empowering experience. Whether you’re optimizing gas costs or gaining a deeper understanding of the EVM, Yul is a valuable skill for Ethereum developers.

Remember, security is paramount. Always validate your inputs, test your contracts thoroughly, and stay updated on best practices for secure Yul programming.