Per-opcode security analysis covering smart contract exploitation and protocol-level threats. This page has two sections: the basics needed to read the threat models, then the table of opcodes with links to each threat note. For the full opcode reference, gas costs, precompiled contracts, notes, and resources, see EVM Reference.
EVM basics
What is the EVM?
The Ethereum Virtual Machine is a stack-based machine that runs contract bytecode. Essentials:
- Stack: Up to 1024 cells of 32-byte values. Most opcodes pop inputs and push outputs; only PUSH reads from code.
- Deterministic: Same code and inputs give the same result on every node.
- Execution: One instruction at a time. JUMP / JUMPI change where execution goes; STOP / RETURN end the call successfully; REVERT aborts and rolls back all state changes for the call. If an opcode cannot run (e.g. stack underflow, out of gas), execution reverts.
Execution context
Each call has a context with these regions. Threat models often refer to which region an opcode reads or writes.
| Region | Persistence | Access opcodes | Notes |
|---|---|---|---|
| Code | Permanent (on-chain) | CODESIZE, CODECOPY, EXTCODESIZE, EXTCODECOPY | Immutable bytecode of the contract (or target contract) |
| Stack | Per call | PUSH, POP, DUP, SWAP, … | LIFO; operands and results for opcodes |
| Memory | Per call | MLOAD, MSTORE, MSTORE8, MSIZE | Byte-addressable, zero-initialized, volatile |
| Storage | Permanent (on-chain) | SLOAD, SSTORE | 32-byte key → 32-byte value, per contract |
| Transient storage | Per transaction | TLOAD, TSTORE | Cleared after the transaction (EIP-1153) |
| Calldata | Per call | CALLDATALOAD, CALLDATASIZE, CALLDATACOPY | Immutable input to the call |
| Return data | Per call | RETURNDATASIZE, RETURNDATACOPY | Output of the last external call |
Program counter
The PC is the index of the next instruction in code. It normally steps one byte at a time. PUSHn skips its immediate bytes (the pushed constant). JUMP / JUMPI set the PC to a JUMPDEST; invalid jumps cause a revert. This is where control-flow and reentrancy show up in threat models.
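The PUSHn skipping rule above decides which 0x5B bytes count as jump destinations: a 0x5B inside a PUSH immediate is data, not a JUMPDEST. The following added example (not part of the original page or the repository; function names and the sample bytecode are constructed for illustration) computes the valid JUMPDEST set and flags JUMP/JUMPI instructions whose target is pushed directly before them and is not in that set.

```python
# Added example: JUMPDEST analysis over raw EVM bytecode (function names are illustrative).
JUMP, JUMPI, JUMPDEST = 0x56, 0x57, 0x5B
PUSH0, PUSH32 = 0x5F, 0x7F


def instructions(code):
    """Yield (pc, opcode, immediate), stepping over PUSHn immediate bytes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        n = op - PUSH0 if PUSH0 <= op <= PUSH32 else 0  # PUSH0 has no immediate
        # An immediate cut off by the end of code is read as zero-padded.
        imm = code[pc + 1 : pc + 1 + n].ljust(n, b"\x00")
        yield pc, op, imm
        pc += 1 + n


def valid_jumpdests(code):
    """Offsets where 0x5B is decoded as an instruction, not as PUSH data."""
    return {pc for pc, op, _ in instructions(code) if op == JUMPDEST}


def bad_static_jumps(code):
    """(pc, target) for JUMP/JUMPI preceded directly by a PUSH of an invalid target."""
    dests = valid_jumpdests(code)
    bad, prev = [], None
    for pc, op, imm in instructions(code):
        if op in (JUMP, JUMPI) and prev is not None:
            target = int.from_bytes(prev, "big")  # destination is the top stack item
            if target not in dests:
                bad.append((pc, target))
        prev = imm if PUSH0 <= op <= PUSH32 else None
    return bad


# Constructed sample: PUSH1 05, JUMP, PUSH1 5B, JUMPDEST, PUSH1 04, JUMP, STOP
SAMPLE = bytes.fromhex("600556605b5b60045600")

if __name__ == "__main__":
    print("valid JUMPDESTs:", sorted(valid_jumpdests(SAMPLE)))
    print("jumps to invalid targets:", bad_static_jumps(SAMPLE))
```

Jumps whose destination is computed at run time are outside what this linear scan can check; it only covers the PUSH-then-JUMP pattern.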
| File | Description | Security risk rating | Human validated |
|---|---|---|---|
| 0x00-STOP | Halt execution | Low | — |
| 0x01-ADD | Addition modulo 2^256 | Critical | — |
| 0x02-MUL | Multiplication modulo 2^256 | High | — |
| 0x03-SUB | Subtraction modulo 2^256 | Critical | — |
| 0x04-DIV | Unsigned integer division | Critical | — |
| 0x05-SDIV | Signed integer division | High | — |
| 0x06-MOD | Unsigned modulus | High | — |
| 0x07-SMOD | Signed modulus | High | — |
| 0x08-ADDMOD | Addition modulo N | Medium | — |
| 0x09-MULMOD | Multiplication modulo N | Medium | — |
| 0x0A-EXP | Exponentiation modulo 2^256 | High | — |
| 0x0B-SIGNEXTEND | Sign-extend from (b+1) bytes to 32 bytes | Medium | — |
| 0x10-LT | Unsigned less-than | Low | — |
| 0x11-GT | Unsigned greater-than | Low | — |
| 0x12-SLT | Signed less-than | Low | — |
| 0x13-SGT | Signed greater-than | Low | — |
| 0x14-EQ | Equality | Low | — |
| 0x15-ISZERO | Is zero | Low | — |
| 0x16-AND | Bitwise AND | Low | — |
| 0x17-OR | Bitwise OR | Low | — |
| 0x18-XOR | Bitwise XOR | Low | — |
| 0x19-NOT | Bitwise NOT | Low | — |
| 0x1A-BYTE | Extract byte at position i | Low | — |
| 0x1B-SHL | Shift left | Medium | — |
| 0x1C-SHR | Logical shift right | Low | — |
| 0x1D-SAR | Arithmetic shift right | Low | — |
| 0x20-KECCAK256 | Compute Keccak-256 hash | Low | — |
| 0x30-ADDRESS | Address of executing contract | Low | — |
| 0x31-BALANCE | Balance in wei (warm/cold access) | Critical | — |
| 0x32-ORIGIN | Transaction originator address | High | — |
| 0x33-CALLER | Direct caller address | Medium | — |
| 0x34-CALLVALUE | Value sent with call, in wei | Medium | — |
| 0x35-CALLDATALOAD | Read 32-byte word from calldata | High | — |
| 0x36-CALLDATASIZE | Calldata size in bytes | Medium | — |
| 0x37-CALLDATACOPY | Copy calldata to memory | High | — |
| 0x38-CODESIZE | Size of executing contract code | Low | — |
| 0x39-CODECOPY | Copy contract code to memory | High | — |
| 0x3A-GASPRICE | Gas price of transaction | Medium | — |
| 0x3B-EXTCODESIZE | Size of external contract code | High | — |
| 0x3C-EXTCODECOPY | Copy external code to memory | High | — |
| 0x3D-RETURNDATASIZE | Size of last call’s return data | Critical | — |
| 0x3E-RETURNDATACOPY | Copy return data to memory | High | — |
| 0x3F-EXTCODEHASH | Keccak-256 of external code | Medium | — |
| 0x40-BLOCKHASH | Hash of a recent block (last 256) | Medium | — |
| 0x41-COINBASE | Current block proposer address | Low | — |
| 0x42-TIMESTAMP | Current block timestamp | High | — |
| 0x43-NUMBER | Current block number | High | — |
| 0x44-PREVRANDAO | Randomness beacon (post-Merge) | High | — |
| 0x45-GASLIMIT | Current block gas limit | Medium | — |
| 0x46-CHAINID | Current chain ID (EIP-155) | High | — |
| 0x47-SELFBALANCE | Balance of executing contract | Critical | — |
| 0x48-BASEFEE | Base fee of current block (EIP-1559) | Medium | — |
| 0x49-BLOBHASH | Blob versioned hash (EIP-4844) | Medium | — |
| 0x4A-BLOBBASEFEE | Blob base fee (EIP-7516) | Low | — |
| 0x50-POP | Remove top stack item | Low | — |
| 0x51-MLOAD | Load word from memory | Medium | — |
| 0x52-MSTORE | Store word to memory | High | — |
| 0x53-MSTORE8 | Store single byte to memory | High | — |
| 0x54-SLOAD | Load word from storage | Critical | — |
| 0x55-SSTORE | Store word to storage | Critical | — |
| 0x56-JUMP | Set PC to dst (must be JUMPDEST) | High | — |
| 0x57-JUMPI | Conditional jump | High | — |
| 0x58-PC | Current program counter | Low | — |
| 0x59-MSIZE | Size of active memory in bytes | Low | — |
| 0x5A-GAS | Remaining gas | Low | — |
| 0x5B-JUMPDEST | Mark valid jump destination | Low | — |
| 0x5C-TLOAD | Load from transient storage (EIP-1153) | Medium | — |
| 0x5D-TSTORE | Store to transient storage (EIP-1153) | Medium | — |
| 0x5E-MCOPY | Copy memory area (EIP-5656) | Low | — |
| 0x5F-PUSH0 | Push zero onto stack (EIP-3855) | Low | — |
| 0x60-PUSH | Push 1–32 bytes from code onto stack | Low | — |
| 0x80-DUP | Clone nth stack item to top | Low | — |
| 0x90-SWAP | Swap top with (n+1)th stack item | Low | — |
| 0xA0-LOG | Emit log with 0–4 topics | Low | — |
| 0xF0-CREATE | Create new contract (addr from sender, nonce) | Critical | — |
| 0xF1-CALL | Call another contract | Critical | — |
| 0xF2-CALLCODE | Like DELEGATECALL but doesn’t propagate msg.sender/value | High | — |
| 0xF3-RETURN | Return data from memory (or deployed bytecode in CREATE) | Critical | — |
| 0xF4-DELEGATECALL | Call with caller’s context | Critical | — |
| 0xF5-CREATE2 | Create with deterministic address | Critical | — |
| 0xFA-STATICCALL | Read-only call (no state modification) | Critical | — |
| 0xFD-REVERT | Revert with return data, refund unused gas | High | — |
| 0xFE-INVALID | Designated invalid opcode; consumes all gas | High | — |
| 0xFF-SELFDESTRUCT | Mark contract for destruction, send ETH to addr | Critical | — |
- EVM Reference & notes — Full opcode tables, gas costs, precompiled contracts, resources.