SegwitAddress: include length check for Taproot witness programs#2663
Conversation
johnzweng
force-pushed
the
add-taproot-script-length-check
branch
from
4f95b25 to
0f95144
Compare
|
Note: I just force-pushed again, I had overlooked an existing test in |
schildbach
left a comment
schildbach
left a comment
There was a problem hiding this comment.
Thanks for this PR!
I think the intention of BIP 341 to not strongly forbid non-32-byte programs is extensibility. They want to be able to softfork future script types.
But you're right, with bitcoinj being used as a client (rather than a full bitcoin node), we should probably follow policy more closely than consensus – we've done so in other areas as well. This would mean that if a new script type comes up and a consumer of bitcoinj wants to use it, the consumer would be forced to upgrade to a newer bitcoinj (if it already exists). But I guess that's ok.
So I agree with this PR.
I've added one review comment inline, but it's a really minor one. Thanks specifically for the intensive documentation and rationale – it really helps with reviewing!
johnzweng
force-pushed
the
add-taproot-script-length-check
branch
from
0f95144 to
56e936d
Compare
You're welcome! 🙂 I know from a reviewer's perspective how valuable this is. |
|
Side note: I think segwit v0 used to be extensible too, but they found a vulnerability in the bech32 format. The existing 20 and 32 byte programs were luckily not affected. So the fix was to "close" v0 by restricting it to these 2 usages, and add a new fixed and extensible v1 + bech32m. |
Interesting learning of Bitcoin history. :) I was aware that bech32m was introduced because of this vulnerability, but didn't know that v0 had been planned to be extensible in the first place. |
|
Merged! Let's see if someone complains about future script types… |
Aaaaand here we come: |
|
I am impressed how much love was put into every detail of this specific transaction. 😃 Later on the creator also published a stacker.news article where he reveleaed even more details: https://stacker.news/items/600187 Mindblowing! 😊 |
2 participants
Hi @schildbach ! I have another PR, this time a very little change, but a little bit more reasoning behind it. So I'm very curious to hear your feedback. 🙂
Overview
SegwitAddressconstructor so that it only accepts 32-byte long witness programs (the only valid length for Taproot as defined in BIP 341).AddressParser.parseAddress(...)will in future throw an exception for too short or too long Segwit v1 addresses (as it already does today for Segwit v0 addresses with invalid lengths). Currently too short/long Taproot addresses are accepted as valid byAddressParser.parseAddress(...).Current state
SegwitAddresswith an invalid length.SegwitAddressinstance with too short or too long Taproot addresses without exception.true.SCRIPT_VERIFY_DISCOURAGE_UPGRADABLE_WITNESS_PROGRAMis set here inpolicy.h, which will lead to returning an error on validation here). This makes it more difficult to spend such an invalid Taproot anyone-can-spend address as nodes will not accept such transactions in their mempool by default.Rationale
I was unsure if this PR is reasonable (and you might still argue about it) as BIP 341 not explicitly marks these scripts as invalid. But from a practical point of view I still would argue that we should treat them as invalid addresses. Implementors of Bitcoin services (ATMs, exchanges) use
AddressParser.parseAddress(...)as an easy check to see if a given address is valid. And while invalid-length-v1 addresses technically still might be valid I think in most cases it is not what the user intends.So if there are buggy wallets out there which create crap addresses (example: v1 addresses with length 20 like v0), it would be nice if such addresses would raise attention (to prevent services from just blindly sending coins there). Many callers of
AddressParser.parseAddress(...)may not dive that deep into these semantics and just use it as a simple validation check (without the need for a deeper understanding).I also understand if you don't agree with my reasoning and don't accept this PR. But then maybe we could add some "dangerous" flag, so that validation fails by default on such addresses (and also currently unused Segwit versions) but instantiation of such addresses can still be enforced by providing the "dangerous" flag (or something similiar).