Concluding remarks
Here is a brief explanation of how and why the posted addresses are vulnerable, so-called anyone-can-spend. This is not intended for those of you who already figured it all out - at least one person did, since the coins are swept - but for the rest of you. (After this, I promise to take it easy with further P2SH gibberish, unless I cook up a new angle not covered before.)
OK, so in order to spend from an address, or rather a UTXO, you need a Sigscript that, when it is hashed, matches the public address, which is proof of ownership that allows you to create and broadcast a valid transaction. (This is a grave oversimplification, but I think it suffices for now.)
A Sigscript, in turn, is divided into an unlocking script and a locking script, which are added together in that order, then executed and evaluated. So, not only does a Sigscript need to make mathematical sense (i.e. return the desired hash), it must make programmatic sense too (i.e. the code is actually run and must return "TRUE" [defined as a "clean" stack, containing a positive integer top value, and nothing else]).
The locking script corresponds, if you will, to the padlock (and, nonetheless, unambiguously to one defined public address) which can only be opened by the right key (or keys - let's not go there for now), which is the unlocking script.
What I did here was create this quite nonsensical locking script:
#locking script
OP_DUP
OP_DUP
OP_DUP
OP_DUP
OP_RIPEMD160
20 0xc32570171b6234e158dfe6a05e4b2648fbfd36e5
OP_EQUALVERIFY
OP_SHA1
20 0x017665afd86034088ecfb0a936eaa0f2dae8b60d
OP_EQUALVERIFY
OP_SHA256
32 0x67182f446b2512c6f7abe26a7073ae9abb95c3ddbfb0d746c74fad9f6250507a
OP_EQUALVERIFY
OP_HASH160
20 0x8fb2bfa8d595dce0a2444bf5490f494bb08894f5
OP_EQUALVERIFY
OP_HASH256
32 0x980addf8c77cd6d996cb47565a5fcc869f4552e4f509495a5ff6314ef09212ed
OP_EQUAL
What it does is take a simple input (push), duplicate it four times so there are five copies on the stack, hash them with all five different hashing methods that the Bitcoin script language contains, and compare them, sequentially, with hardcoded values. (That's why I call it "nonsensical": you have to surrender the full solution, visible to all, in order to spend, so anyone who analyzes the blockchain, the public ledger, can recycle the key again and again - there are no signatures involved in any of the steps.)
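The check below is an added example, not code from the original post: it statically walks a script written in the notation used above, counts how many items the unlocking script must supply, and reports whether any signature opcode is present. The `analyze` function, its opcode table and the P2PKH comparison script (with a constructed all-zero hash) are assumptions made for illustration.

```python
# Added example: static stack analysis of a script in the page's notation.
# Only the opcodes listed here are modeled; any other opcode raises KeyError.
EFFECTS = {  # opcode -> (items popped, items pushed)
    "OP_DUP": (1, 2), "OP_EQUAL": (2, 1), "OP_EQUALVERIFY": (2, 0),
    "OP_RIPEMD160": (1, 1), "OP_SHA1": (1, 1), "OP_SHA256": (1, 1),
    "OP_HASH160": (1, 1), "OP_HASH256": (1, 1),
    "OP_CHECKSIG": (2, 1), "OP_CHECKSIGVERIFY": (2, 0),
}
HASH_OPS = {"OP_RIPEMD160", "OP_SHA1", "OP_SHA256", "OP_HASH160", "OP_HASH256"}
SIG_OPS = {"OP_CHECKSIG", "OP_CHECKSIGVERIFY"}

def analyze(script_text):
    depth = inputs_needed = hash_ops = sig_ops = 0
    for line in script_text.splitlines():
        for tok in line.split("#")[0].split():      # drop "#..." comments
            if tok.startswith("0x"):                # pushed data: one new item
                depth += 1
            elif tok.isdigit() or tok.startswith("OP_PUSHDATA"):
                continue                            # length prefix of a push
            else:
                pops, pushes = EFFECTS[tok]
                if pops > depth:                    # item must come from the spender
                    inputs_needed += pops - depth
                    depth = pops
                depth += pushes - pops
                hash_ops += tok in HASH_OPS
                sig_ops += tok in SIG_OPS
    return {"inputs_needed": inputs_needed, "final_depth": depth,
            "hash_ops": hash_ops, "sig_ops": sig_ops,
            # Without a signature check, the revealed input works for any observer.
            "replayable": sig_ops == 0}

PAGE_LOCK = """  # the locking script from this page, several tokens per line
OP_DUP OP_DUP OP_DUP OP_DUP
OP_RIPEMD160 20 0xc32570171b6234e158dfe6a05e4b2648fbfd36e5 OP_EQUALVERIFY
OP_SHA1 20 0x017665afd86034088ecfb0a936eaa0f2dae8b60d OP_EQUALVERIFY
OP_SHA256 32 0x67182f446b2512c6f7abe26a7073ae9abb95c3ddbfb0d746c74fad9f6250507a OP_EQUALVERIFY
OP_HASH160 20 0x8fb2bfa8d595dce0a2444bf5490f494bb08894f5 OP_EQUALVERIFY
OP_HASH256 32 0x980addf8c77cd6d996cb47565a5fcc869f4552e4f509495a5ff6314ef09212ed OP_EQUAL
"""
# Constructed comparison: a pay-to-public-key-hash lock with an all-zero hash.
P2PKH_SAMPLE = "OP_DUP OP_HASH160 20 0x" + "00" * 20 + " OP_EQUALVERIFY OP_CHECKSIG"

if __name__ == "__main__":
    print("page lock:", analyze(PAGE_LOCK))
    print("p2pkh    :", analyze(P2PKH_SAMPLE))
```

The page's script needs a single input and contains no signature opcode, so it is reported as replayable; the P2PKH comparison needs two inputs and is bound to a signature.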
This means that you "only" need to find the one value that unlocks it. And admittedly, I thought I was a little clever when I took a random transaction from the blockchain, and copied the so-called witness program from it, and used that data as the unlocking code (the hardcoded values in the locking script are the five different hashes of this input, which I precomputed):
#unlocking script
OP_PUSHDATA1 104 0x30440220387157915c57edba6b745cfc2087bad1f27fa76c2519c21391890aa559d801fe0220313e4929d94ac513540d091816f47ae2b4e09222f41b17d2af70b1297378272c01037364148a47880aa6c2980af699a9ee46531818cd4c483c48d3f2aef387f328ba
(There are a couple of length bytes you need to throw in to make this work, and one opcode that must be pruned, but I won't go there for now.)
In other words, I tried to disguise an any-one-can-spend address by having it require data that looks like a witness program but is in fact just a data push - hence my "is it obvious"-question.
The locking script corresponds to exactly 3CBWRPgPsudcvi4EMpJat55jBX1MF7wwX6 on the Bitcoin mainnet and 2N3jiV8cRVN8y8Vgn2wvTW24zPsDX5dKjGT on the Bitcoin testnet. (I have posted multiple times about how to convert scripts into P2SH addresses with a few lines of Python, so let's skip that too.)
Well. That's about it. I could write at great length about how to manually construct a valid transaction hexadecimal string that you can broadcast in Electrum, Bitcoin Core GUI, or via a number of web pages, but it is beyond the scope and limitation here. Also, others have written about it much better than I ever could. If you're not a big fan of assembling raw transactions in Notepad++, check out for example coinb.in that can do it for you, given the right inputs.
We good?
P.S. Yeah, the transaction fee someone coughed up for the mainnet satoshis is pretty crazy, agreed. We can choose to see it as positive: 10k sats were given back to the community (well, the miner of the block, but... yeah.)