Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: garlonicon on January 04, 2022, 06:07:26 PM



Title: How Segwit handles SIGHASH_SINGLE bug?
Post by: garlonicon on January 04, 2022, 06:07:26 PM
I know that for old addresses, the SHA-256 value of one is used. But is that the case for Segwit? As far as I understand https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#cite_note-7, it should work for zero instead of one, right? But when I try to use z=0 in my signature, Bitcoin Core says it is invalid. Also, the same signature as for a non-Segwit address is invalid, so z=1 is not the case. So: is it possible to spend a P2WPKH output with SIGHASH_SINGLE when there is no matching output index for a given input? Is it relayed by default if broadcast? Is it nonstandard, but valid somehow? How does this bug work for Segwit addresses? Or is it fixed, and there is no way to use SIGHASH_SINGLE in Segwit addresses without a matching output?


Title: Re: How Segwit handles SIGHASH_SINGLE bug?
Post by: gmaxwell on January 04, 2022, 09:08:25 PM
https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#specification

The only thing set to zero is the hashOutputs portion of this.

If the entire 'hash' were set to zero, someone could instantly steal anyone's coins, which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found.
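
An added illustration (not part of any post in this thread, and not Bitcoin Core's code) of the BIP143 rule referred to in the reply above: for SIGHASH_SINGLE with no output at the input's index, only hashOutputs becomes 32 zero bytes, while the digest still commits to the outpoint, scriptCode, amount and sequence. The transaction values are constructed samples and the helper names are this example's own.

```python
import hashlib
import struct

SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 2, 3, 0x80
ZERO32 = bytes(32)

def dsha256(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def ser_script(s):
    if len(s) >= 0xfd:  # this sketch only handles one-byte compact sizes
        raise ValueError("script too long for this example")
    return bytes([len(s)]) + s

def bip143_parts(tx, idx, script_code, amount, hashtype):
    """Return (hashPrevouts, hashSequence, hashOutputs, digest) per BIP143."""
    base, acp = hashtype & 0x1f, bool(hashtype & SIGHASH_ANYONECANPAY)
    outpoints = [txid + struct.pack("<I", n) for txid, n, _ in tx["vin"]]
    outs = [struct.pack("<q", v) + ser_script(spk) for v, spk in tx["vout"]]
    hash_prevouts = ZERO32 if acp else dsha256(b"".join(outpoints))
    if acp or base in (SIGHASH_NONE, SIGHASH_SINGLE):
        hash_sequence = ZERO32
    else:
        hash_sequence = dsha256(b"".join(struct.pack("<I", s) for _, _, s in tx["vin"]))
    if base not in (SIGHASH_NONE, SIGHASH_SINGLE):
        hash_outputs = dsha256(b"".join(outs))
    elif base == SIGHASH_SINGLE and idx < len(outs):
        hash_outputs = dsha256(outs[idx])
    else:
        hash_outputs = ZERO32  # SIGHASH_NONE, or SIGHASH_SINGLE with no matching output
    preimage = (struct.pack("<i", tx["version"]) + hash_prevouts + hash_sequence
                + outpoints[idx] + ser_script(script_code)
                + struct.pack("<q", amount) + struct.pack("<I", tx["vin"][idx][2])
                + hash_outputs + struct.pack("<I", tx["locktime"])
                + struct.pack("<I", hashtype))
    return hash_prevouts, hash_sequence, hash_outputs, dsha256(preimage)

# Constructed sample: two inputs, one output, so input 1 has no matching output.
TX = {"version": 2, "locktime": 0,
      "vin": [(b"\x11" * 32, 0, 0xffffffff), (b"\x22" * 32, 1, 0xffffffff)],
      "vout": [(90_000, b"\x00\x14" + b"\x33" * 20)]}
CODE = b"\x76\xa9\x14" + b"\x44" * 20 + b"\x88\xac"  # P2WPKH scriptCode, sample key hash

def demo():
    _, _, ho, z = bip143_parts(TX, 1, CODE, 50_000, SIGHASH_SINGLE)
    _, _, _, z_other_amount = bip143_parts(TX, 1, CODE, 60_000, SIGHASH_SINGLE)
    return {"hashOutputs": ho, "digest": z, "digest_other_amount": z_other_amount}

if __name__ == "__main__":
    print({k: v.hex() for k, v in demo().items()})
```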


Title: Re: How Segwit handles SIGHASH_SINGLE bug?
Post by: pooya87 on January 05, 2022, 03:56:25 AM
Also it is not a bug, it is a feature.
It has always been well known how out-of-range indexes for SIGHASH_SINGLE work; calling it a bug is like saying that sending your coins to an output script equal to OP_TRUE (that anyone can spend) is a bug!


Title: Re: How Segwit handles SIGHASH_SINGLE bug?
Post by: garlonicon on January 05, 2022, 01:50:15 PM
Quote
If the entire 'hash' were set to zero, someone could instantly steal anyone's coins
How?

Quote
which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found
What is that vulnerability? Is the case when z=0 somehow more dangerous than z=1? If it is, I didn't expect that, so I don't know what I should "ethically report".

Quote
Also it is not a bug, it is a feature.
If it is a feature, then why does it not work in the same way as for non-Segwit addresses? And if it is a feature, then why is it disabled (https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#common-signature-message) in Taproot? Ability to move any coins connected with some public key by reusing the same signature sounds like a bug for me.


Title: Re: How Segwit handles SIGHASH_SINGLE bug?
Post by: pooya87 on January 06, 2022, 03:57:05 AM
Quote
Ability to move any coins connected with some public key by reusing the same signature sounds like a bug for me.
That's not how it works; if the SIGHASH is changed (e.g. from ALL to SINGLE), the previous signature is no longer valid. You have to willingly and knowingly sign the transaction with the specified SIGHASH and publish it. That makes it a feature, not a bug.
I already gave you the example with sending coins to OP_TRUE; another one is sending your coins to P2SH-P2TR (wrapped Taproot): anyone can spend your coins if you do that and they know your script. That is a known feature and can't be called a bug.