NFTs in the Bitcoin blockchain - Ordinal Theory

[garlonicon]

Miners shouldn't follow non-standardness, but pure profit.

Ignoring standardness can break upgradeability. For example, if miners will start including Segwit v2 spending transactions, even if the meaning is not defined, then it will be impossible to reliably introduce those addresses if needed, because they will be massively used in the wild, and then creating a soft-fork with some strict definition of what is spendable, and what is not, could invalidate timelocked transactions.

[BlackHatCoiner]

For example, if miners will start including Segwit v2 spending transactions, even if the meaning is not defined, then it will be impossible to reliably introduce those addresses if needed, because they will be massively used in the wild

Could you please elaborate further? I don't understand with a first sight how can this be a problem.

[garlonicon]

Currently, if you have "OP_2 <anything>" as a Segwit address, it can be spent in any way you want. So, you can have that output, and use anything as your input, it will be non-standard, but valid in a block. For example, there is bc1zqyqs3juw9m address. It has "52020101" Script.

Imagine that it will be widely used, so users will create "OP_2 <anything>" outputs, and then spend it with any witness they want, for example they include a huge witness with some NFT. What then?

Then, imagine that some proposal will be discussed. For example, there could be some FutureScript, where after "OP_2", there will be the number, representing some index in some extension tree. What then? Then it would mean that the owner of bc1zqyqs3juw9m can no longer spend those coins under new soft-forked rules, it has to be a valid input for 257th output of the extension tree.

The same was true in Taproot: if you had "OP_1 <anything>" before activation, you could use any input, and move those coins. But now, after "OP_1", it is required to put a valid 256-bit x-value for a public key, and create a Schnorr signature, or reveal another public key, and push matching TapScript data.

And now, if you allow any non-standard scripts, then it will effectively stop such upgrades, because then it will be a choice between activating some new soft-fork, and potentially invalidating a lot of existing outputs, or looking for a more complex way to introduce new features. Then, you cannot simply assume that non-standard scripts are not used. If many nodes will allow those transactions, then you have to assume that someone could make a timelocked transaction with such output. Or, there could be a pair of transactions, one creating this output, and another one spending it, and by invalidating this in a new soft-fork, you will invalidate those off-chain transactions, that are currently valid.

Because each soft-fork is about making currently valid things invalid in a new version. As long as you know what is standard, you can pick something non-standard, and standardize it. If everything is standard, then there is nothing you can standardize, because there is a huge risk that it is currently used by someone, and after network upgrade, that person will lose those coins.

[n0nce]

I don't think we have a protection against that, either. Much harder problem than here, since those would be 'legitimate' regular transactions.

My point is that if protocol defines "legitimacy", Ordinals and millions-in-fees transactions are legitimate. If someone pays for the damage, it's acceptable.

Again, the same question: if something bad has been done, should we continue allowing it? In this context: should the protocol change to prevent abuse of the system?

Just saying that there are ways to attack Bitcoin and if there are easy mitigations that still allow us to have full freedom in its usage as a payment system, they should be considered.

What's the best method we have to mitigate from these attacks? My best guess is to educate and convince users that Ordinals are nonsense. We definitely can't prevent an attacker from executing this, though.

I like to solve problems with science & technology, if I can. In this case, we can look at what Monero or Grin are doing and maybe learn something from them.

My main issue is storing and distributing other people's data, to be honest. If a random person hands me a hard drive with copyrighted movies and asks me to put that data on my webserver, I will kindly decline.

As I said, I don't have much to provide in the legislative part.

It is also a moral question, though. If you believe it is not trivial to legally determine whether storing and distributing illegal digital material, maybe ask yourself if you are fine storing and distributing it. You know what we are talking about.
Also: why should I commit a crime for someone else just because they pay me? (if we can agree that there is data that is 1000% guaranteed to be criminal to store & distribute)

What if I decide to write a script and spend a few BTC to just send transactions between 2 wallets of mine at 1000sat/vB and render Bitcoin unusable (without paying more than 1000sat/vB to send a transaction)?

But unlike creating an NFT/Inscription, loop of sending Bitcoin between 2 address won't make you any money.

So? Sure, I would waste my money doing that, but render Bitcoin basically useless. There are certainly people with such a goal in mind with enough money to do it. I suggest that we look into protecting against attacks, instead of shrugging them off, just because they follow Bitcoin protocol.

[pooya87]

And now, if you allow any non-standard scripts, then it will effectively stop such upgrades, because then it will be a choice between activating some new soft-fork, and potentially invalidating a lot of existing outputs, or looking for a more complex way to introduce new features.

That should never be a concern, definitely not enough to discourage such an upgrade because anybody who goes out of their way to create such outputs should already be well aware of the consequences of doing so (anyone can spend before soft-fork and nobody may spend after it).

[Wind_FURY]

I'm blaming the miners. Seems that they will benefit the most from this whether it hurts bitcoin or doesn't. They'd be fully aware of the potential pitfalls too.

We can't and shouldn't demand for miners to control the type of data stored on-chain / to censor anything. It is their job to just mine blocks and nothing more or less than that.
Also, blaming anyone doesn't help us right now. We should think about solutions, instead.

It's not just "we can't" blame the miners, it's very stupid to suggest that they are "blamable". Everything that's making everything stick together stems from the miners being continued to be incentiviized by the network. As long as the block rewards are enough, as long as there are users willing to over-pay in network fees, the miners will be there to include ANY transaction into the blocks. If a miner decides not to include a transaction, it's another miner's gain. That's good for the network, but what it's also doing is it's neutering Bitcoin from a network for Hard Money that could weaken political strongholds, to a network cloud storage of dick pics and fart sounds.

[BlackHatCoiner]

If everything is standard, then there is nothing you can standardize, because there is a huge risk that it is currently used by someone, and after network upgrade, that person will lose those coins.

Correct, but if someone wants a non-standard transaction to get confirmed, and pays for it, I'm quite sure the miner will not think of the future soft forks. Maybe he should, maybe he shouldn't. I'm only saying he should prioritize profit.

Again, the same question: if something bad has been done, should we continue allowing it? In this context: should the protocol change to prevent abuse of the system?

Yes, but it depends on what manner you'll prevent the abuse.

I like to solve problems with science & technology, if I can. In this case, we can look at what Monero or Grin are doing and maybe learn something from them.

Sure. What do Monero and Grin do to mitigate this attack?

It is also a moral question, though.

I can make a stand morally. Just as I'm not liable for the economic activity of the rest of the users, some of which is illegal, I don't feel guilty of incidentally distributing illegal content as well. I don't consider myself responsible for that. I don't sell it, I don't stream it, I don't even know it exists. I'm also of the opinion that when you're trying to do good things by means of censorship, the bad moral value of censorship triumphs the good intentions.

Also: why should I commit a crime for someone else just because they pay me?

That's not a moral concern, but a legal. And I'm still curious how you can prevent the inclusion of illegal content without preventing the inclusion of any content that is valid but just non-standard.

[ABCbits]

But unlike creating an NFT/Inscription, loop of sending Bitcoin between 2 address won't make you any money.

Debatable. Some billionaire could execute this attack by the impression that it'll ruin Bitcoin's image.

That's possible, but it doesn't change such attack won't make you any money. Although it's different case if that billionaire got paid or think running Bitcoin image would make people move to their centralized coin or their service.

Another method to mitigate such attack is making TX which push data (using Taproot OP_FALSE OP_IF OP_PUSH) higher than X bytes become non-standard. It's already discussed by some Bitcoin Core contributor on early February[1]

Sure, you can configure your node to accept whatever it wants, but that won't stop you from Ordinal fans who'll pay miners include their transactions that pay more. I'm questioning if it even does anything if there's real demand for it.

That's true, but it'd discourage some people since it'll be more expensive and take more time (e.g. only some pool offer such service and copy-paste raw signed transaction to miner's website).

Miners shouldn't follow non-standardness, but pure profit.

But on other hand, including non-standard transaction would bring additional complexity to their software which might not be worth it. For example, there's very few pool willing to include transaction created with uncompressed segwit address.

What if I decide to write a script and spend a few BTC to just send transactions between 2 wallets of mine at 1000sat/vB and render Bitcoin unusable (without paying more than 1000sat/vB to send a transaction)?

But unlike creating an NFT/Inscription, loop of sending Bitcoin between 2 address won't make you any money.

So? Sure, I would waste my money doing that, but render Bitcoin basically useless. There are certainly people with such a goal in mind with enough money to do it. I suggest that we look into protecting against attacks, instead of shrugging them off, just because they follow Bitcoin protocol.

My point is there are far less people willing do that. As for protection against such attack, one possible option is dynamic blocksize and neutral fee which implemented on Monero[1]. Another option is modifying behavior on old version of Bitcoin-Qt which determine free transaction based on coin age, expect it's implemented on protocol level.

[1] https://monero.stackexchange.com/a/4567
[2] https://en.bitcoin.it/wiki/Miner_fees#Priority_transactions

[n0nce]

I like to solve problems with science & technology, if I can. In this case, we can look at what Monero or Grin are doing and maybe learn something from them.

Sure. What do Monero and Grin do to mitigate this attack?

tromp wrote something about in their own forum. I believe point 1 and 2 both hold true for Monero as well, not sure about #3 and 4.

I think Grin is about the most spam proof chain there is. Where spam is shorthand for inscribed arbitrary data. This is because

• Grin is scriptless. So there’s no scripts in which to embed data.
• Grin has no addresses. So you can’t embed data in a pretend address. (you can in other hybrid MW chains like Litecoin).
• Kernels only allow a few bytes of arbitrary data in past lock heights. If you spread such data over many kernels of one tx, then finding them among a block’s sorted kernels is a challenge.
• Outputs only allow some arbitrary data in the rangeproofs, much of which is only retrievable by the owner. Since I don’t understand BPs in detail, someone else will need to say how many bytes could be made publicly visible. It will in any case be a small percentage of the BP size of 674 bytes. And it suffers the same challenge of finding a tx’s outputs among a block’s sorted ones. Finally, it will disappear from most full nodes once the output is spent.

It is also a moral question, though.

I can make a stand morally. Just as I'm not liable for the economic activity of the rest of the users, some of which is illegal, I don't feel guilty of incidentally distributing illegal content as well. I don't consider myself responsible for that. I don't sell it, I don't stream it, I don't even know it exists. I'm also of the opinion that when you're trying to do good things by means of censorship, the bad moral value of censorship triumphs the good intentions.

I see. I'd agree with the 'I do not even know it exists' since before Ordinals. Embedding data in transactions, addresses, whatever, was always considered a rare, hacky solution that only few users could and would pull off & there was no incentive for doing so. Now, things changed.
I'm not advocating for censorship, but generally restricting the ability to upload arbitrary data, without interfering (censoring) with payments at all.

Also: why should I commit a crime for someone else just because they pay me?

That's not a moral concern, but a legal. And I'm still curious how you can prevent the inclusion of illegal content without preventing the inclusion of any content that is valid but just non-standard.

To be honest, switching to scriptless or a heavily restricted scripting language, seems unrealistic for Bitcoin. So I'm not sure how to implement it; just saying that it is technically possible, because others are already doing it.

My point is there are far less people willing do that. As for protection against such attack, one possible option is dynamic blocksize and neutral fee which implemented on Monero[1]. Another option is modifying behavior on old version of Bitcoin-Qt which determine free transaction based on coin age, expect it's implemented on protocol level.

[1] https://monero.stackexchange.com/a/4567
[2] https://en.bitcoin.it/wiki/Miner_fees#Priority_transactions

That's true. So attacking Bitcoin through NFTs is much more probable and much riskier than through the attack I presented. Which makes it much more important to protect against it...? Or not?

[tromp]

tromp wrote something about in their own forum. I believe point 1 and 2 both hold true for Monero as well, not sure about #3 and 4.

I think Grin is about the most spam proof chain there is. Where spam is shorthand for inscribed arbitrary data. This is because

• Grin is scriptless. So there’s no scripts in which to embed data.
• Grin has no addresses. So you can’t embed data in a pretend address. (you can in other hybrid MW chains like Litecoin).
• Kernels only allow a few bytes of arbitrary data in past lock heights. If you spread such data over many kernels of one tx, then finding them among a block’s sorted kernels is a challenge.
• Outputs only allow some arbitrary data in the rangeproofs, much of which is only retrievable by the owner. Since I don’t understand BPs in detail, someone else will need to say how many bytes could be made publicly visible. It will in any case be a small percentage of the BP size of 674 bytes. And it suffers the same challenge of finding a tx’s outputs among a block’s sorted ones. Finally, it will disappear from most full nodes once the output is spent.

While Monero indeed lacks scripts, 2 doesn't hold for Monero as I noted before:

Is that so? https://monerodocs.org/ Only monetary transactions are possible. Technically possible.

Besides the 32-byte tx_extra field you can also put arbitrary data into each output stealth address (making it unspendable as a side effect).

Monero has no time locks, so 3 is irrelevant. Monero does have bulletproofs, so you could store a few bytes there, but unlike Grin, Monero keeps the bulletproofs ordered with the transaction, so it doesn't pose the challenge that Grin does to recover them.

The biggest spam threat to Monero is embedding data in fake addresses of many outputs while aggregating the corresponding rangeproofs into one. That would allow over 90% spam...

[BlackHatCoiner]

To be honest, switching to scriptless or a heavily restricted scripting language, seems unrealistic for Bitcoin.

Removing Script from Bitcoin is like redoing Bitcoin. It's a matter of tradeoffs from that point on. Would a heavily restricted language do more good than bad? I don't know, I only know that you don't do such experiments in a world's reserve currency.

I'm curious how this wasn't an issue before in colored coins.

[fillippone]

I definetly want to play with this.
I have some basi questions like: is there an official, or rather a de facto marketplace for ordinals?
If I wan tot buy an NFT on the ETH blockchain, I go to opensea.io: is there an equivalent market for the bitcoin blockchain?

[n0nce]

To be honest, switching to scriptless or a heavily restricted scripting language, seems unrealistic for Bitcoin.

Removing Script from Bitcoin is like redoing Bitcoin. It's a matter of tradeoffs from that point on. Would a heavily restricted language do more good than bad? I don't know, I only know that you don't do such experiments in a world's reserve currency.

I agree; that's why I also oppose NFT experiments on the 'world's reserve currency' mainnet chain.. Tough question, how to solve this. Easiest (suggested by some here) would be to just keep silent, hope Ordinals / Bitcoin NFTs won't have long-term success and pretend it has never happened and we are not storing and distributing people's data (potentially classified or otherwise illegal) on our nodes.

I'm curious how this wasn't an issue before in colored coins.

Colored coins had no data embedded into them.

[ABCbits]

Also: why should I commit a crime for someone else just because they pay me?

That's not a moral concern, but a legal. And I'm still curious how you can prevent the inclusion of illegal content without preventing the inclusion of any content that is valid but just non-standard.

To be honest, switching to scriptless or a heavily restricted scripting language, seems unrealistic for Bitcoin. So I'm not sure how to implement it; just saying that it is technically possible, because others are already doing it.

It's definitely unrealistic when you consider backward compatibility and notable usage which rely on script (such as LN and sidechain). As for implementation, AFAIK it should be possible by creating new standard (with more strict scripting) which use SegWit version 2 (version 0 refer to "default" SegWit and version 1 refer to Taproot) where it's address use prefix bc1z.

My point is there are far less people willing do that. As for protection against such attack, one possible option is dynamic blocksize and neutral fee which implemented on Monero[1]. Another option is modifying behavior on old version of Bitcoin-Qt which determine free transaction based on coin age, expect it's implemented on protocol level.

[1] https://monero.stackexchange.com/a/4567
[2] https://en.bitcoin.it/wiki/Miner_fees#Priority_transactions

That's true. So attacking Bitcoin through NFTs is much more probable and much riskier than through the attack I presented. Which makes it much more important to protect against it...? Or not?

Hard to say. But at least, it's an attack which should be prevented when you believe Bitcoin should be either mainly/mostly/only used as currency or payment method.

I definetly want to play with this.
I have some basi questions like: is there an official, or rather a de facto marketplace for ordinals?
If I wan tot buy an NFT on the ETH blockchain, I go to opensea.io: is there an equivalent market for the bitcoin blockchain?

One method i know is use wrapped Bitcoin and buy Ordinals NFT on opensea.io.

[Carlton Banks]

"latest hype" again?

actual (i.e. Ethereum based) NFTs already have a bad reputation for being the ultimate cryptocurrency scam, so I don't see how this trend won't just burn itself out pretty quick

[Wind_FURY]

"latest hype" again?

actual (i.e. Ethereum based) NFTs already have a bad reputation for being the ultimate cryptocurrency scam, so I don't see how this trend won't just burn itself out pretty quick

NFTs will come and go, but what's truly always there is an attack vector ready to be activated. If all of a sudden a "very popular" NFT in the Bitcoin blockchain became so in demand, and it kept fees constantly high by those over-paying NFT users. The attackers are now incentivized to spam and congest the network by simply creating a market for their dick pics and fart sounds, forever stored in full nodes.

[BlackHatCoiner]

I agree; that's why I also oppose NFT experiments on the 'world's reserve currency' mainnet chain..

I don't see any experiments. What is currently happening was always possible on a protocol level. People have saved texts, messages, PDFs likewise.

Colored coins had no data embedded into them.

But they do make use of OP_RETURN, which is metadata.

actual (i.e. Ethereum based) NFTs already have a bad reputation for being the ultimate cryptocurrency scam, so I don't see how this trend won't just burn itself out pretty quick

Greater fool's theory. Some poor guy will acquire the "rarest" satoshis, but with little to zero value because nobody will buy that nonsense later on.

[fillippone]

actual (i.e. Ethereum based) NFTs already have a bad reputation for being the ultimate cryptocurrency scam, so I don't see how this trend won't just burn itself out pretty quick

Greater fool's theory. Some poor guy will acquire the "rarest" satoshis, but with little to zero value because nobody will buy that nonsense later on.

What about using ordinals for legitimate uses? I.e. a simpler and easier notarization of documents inside the mod secure blockchain ever?

[tromp]

What about using ordinals for legitimate uses? I.e. a simpler and easier notarization of documents inside the mod secure blockchain ever?

I don't see what ordinals offers there beyond what is already provided by https://en.wikipedia.org/wiki/OpenTimestamps

[fillippone]

What about using ordinals for legitimate uses? I.e. a simpler and easier notarization of documents inside the mod secure blockchain ever?

I don't see what ordinals offers there beyond what is already provided by https://en.wikipedia.org/wiki/OpenTimestamps

OpenTimes stamps provide a proof of existence of a document at a certain block. But they secure only the SHA of the document, not the document itself. So you have to worry about keeping a copy to of the data alive.
Ordinals have a more secure approach, as the data itself is stored in the bitcoin blockchain.