Add EIP-8078: GETDEPLOYER opcode (provenance lookup for upgrades and…

[maldiohead]

… delegatecall)

ATTENTION: ERC-RELATED PULL REQUESTS NOW OCCUR IN ETHEREUM/ERCS

--

When opening a pull request to submit a new EIP, please use the suggested template: https://github.com/ethereum/EIPs/blob/master/eip-template.md

We have a GitHub bot that automatically merges some PRs. It will merge yours immediately if certain criteria are met:

• The PR edits only existing draft PRs.
• The build passes.
• Your GitHub username or email address is listed in the 'author' header of all affected PRs, inside .
• If matching on email address, the email address is the one publicly listed on your GitHub profile.

[eth-bot]

File eip-getdeployer-draft.md

Requires 2 more reviewers from @g11tech, @lightclient, @SamWilsn, @xinbenlv

[Copilot]

Pull Request Overview

This PR introduces EIP draft for a new GETDEPLOYER opcode that allows contracts to query the deployer address of other contracts, providing an additional security layer for delegatecall operations and upgradeable contract patterns.

• Proposes a new EVM opcode GETDEPLOYER that returns the deployer address of a given contract
• Adds a new per-account deployer state field tracked from fork activation onwards (forward-only, no historical reprocessing)
• Provides reference implementations in Solidity and Go pseudocode with usage examples for secure proxy patterns

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The function signature uses incorrect parameter types. The first parameter pc *uint64 is unusual for an opcode implementation in go-ethereum. Typically, opcode functions don't receive the program counter as a parameter since it's managed by the interpreter. The signature should likely match the standard opcode function signature pattern used in go-ethereum. Additionally, ScopeContext should probably be passed as a pointer *ScopeContext for consistency with actual go-ethereum implementations.

Suggested change

	func opGetDeployer(pc *uint64, evm *EVM, scope *ScopeContext) {
	func opGetDeployer(evm *EVM, scope *ScopeContext) {

[Copilot]

Typo: "whitelisting" is used inconsistently with "allowlist"/"allowlisting" throughout the document. Line 179 uses "Whitelisting deployers" while lines 232, 237 use "whitelisting" and lines 226, 237-238 use "allowlist". Modern technical documentation typically prefers "allowlist" over "whitelist" for inclusive language. Consider standardizing on "allowlist"/"allowlisting" throughout the document.

Suggested change

	Whitelisting deployers is intentionally simple; richer schemes (code hash + deployer, signature verification) can be layered without further protocol changes.
	Allowlisting deployers is intentionally simple; richer schemes (code hash + deployer, signature verification) can be layered without further protocol changes.

[Copilot]

The address extraction logic in the Go reference implementation is incorrect. addrWord.Bytes()[12:32] attempts to extract bytes 12-31 (20 bytes) from a 32-byte word to get an address, but this assumes the word has at least 32 bytes. The correct slice should be addrWord.Bytes20() or proper bounds checking should be added. Additionally, slice [12:32] would be the correct range only if the address is left-padded; EVM addresses are typically right-aligned in 32-byte words, meaning bytes 0-19 or using the last 20 bytes.

Suggested change

	addr := common.Address(addrWord.Bytes()[12:32])
	addr := common.BytesToAddress(addrWord.Bytes()[12:])

[Copilot]

[nitpick] The specification states addresses are "left padded to 32 bytes" but Ethereum addresses on the stack are typically represented as 32-byte values with the address in the lower 20 bytes (right-aligned/left-zero-padded in big-endian representation). The phrasing "left padded" could be ambiguous. Consider clarifying this as "zero-padded to 32 bytes with the address occupying the rightmost 20 bytes" or "represented as a 32-byte value as with other addresses on the stack" for consistency with EVM conventions.

Suggested change

	4. Otherwise pushes the stored `deployer` field (left padded to 32 bytes as with addresses elsewhere on the stack).
	4. Otherwise pushes the stored `deployer` field, zero-padded to 32 bytes with the address occupying the rightmost 20 bytes (as with other addresses on the stack).

[Copilot]

The date format is incorrect. According to the EIP template and existing EIPs, dates should be in ISO 8601 format (yyyy-mm-dd), but November 2025 hasn't occurred yet. The current date in the real world is before November 2025. This appears to be a future date that should be corrected to the actual date when this EIP draft was created.

Suggested change

	created: 2025-11-12
	created: 2024-06-12

[Copilot]

The pseudocode at line 99 references acct.creationBlock but this field is never defined in the specification. According to line 103, clients may omit explicit storage of this field and instead flag pre-fork contracts by absence of the deployer field. This makes the pseudocode inconsistent with the actual implementation guidance. Consider either: (1) defining creationBlock as an optional tracking field, or (2) updating the pseudocode to check for the absence/presence of the deployer field instead.

Suggested change

	if forkBlockNotReachedAt(acct.creationBlock): push(0); return // pre-fork deployment
	if acct.deployer is absent: push(0); return // pre-fork deployment

[Copilot]

Inconsistent capitalization: "Allowlists" is capitalized in this bullet point list, but the same term appears lowercase as "allowlist" throughout the rest of the document (e.g., lines 237, 238). For consistency with the rest of the document and standard usage in technical documentation, this should be lowercase "allowlists".

Suggested change

	- Allowlists of trusted deployers
	- allowlists of trusted deployers

[Copilot]

Missing RFC 2119 key words boilerplate. According to the EIP template (lines 50-55 of eip-template.md) and best practices, when using normative language like "MUST", "SHOULD", "MAY", etc., the specification should include the standard RFC 2119/8174 interpretation statement: "The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in RFC 2119 and RFC 8174." This statement should appear near the beginning of the Specification section.

Suggested change

	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC 8174.

[crypto3699]

False

[Copilot]

The specification states that reading deployer "MUST count as an account access for warm/cold classification" but doesn't specify whether accessing a non-existent account (addr with no code) also counts as an account access. Line 55 states it pushes 0x0 for non-contracts, but it's unclear if this also triggers the warm/cold gas cost or uses a different, cheaper path. This should be explicitly specified to ensure consistent implementations across clients.

Suggested change

	Touch semantics: Reading `deployer` MUST count as an account access for warm/cold classification but MUST NOT mark the account for deletion protection nor alter `accessed_addresses` beyond normal rules.
	Touch semantics: Reading `deployer` with GETDEPLOYER MUST always count as an account access for warm/cold classification and incur the corresponding gas cost, regardless of whether the address is a contract or not. This applies even if the address has no code and `0x0` is pushed. However, it MUST NOT mark the account for deletion protection nor alter `accessed_addresses` beyond normal rules.

[github-actions]

The commit 2e6ec90 (as a parent of 6dc1aa1) contains errors.
Please inspect the Run Summary for details.

[g11tech]

eip: 8078

[g11tech]

suggest to create a table

[g11tech]

generally EL Pseudocode is provided in python in EIP reference, consider changing to that syntax