Topic: Catastrophic P2SH public addresses? (Read 268 times)

staff
Activity: 3374
Merit: 6530
Just writing some code
June 26, 2020, 01:08:35 AM
#11
A script of just OP_FALSE will do the trick. Alternative single byte scripts include: OP_RETURN, OP_IF, OP_NOTIF, any invalid opcode, and any disabled opcode.
legendary
Activity: 2114
Merit: 1292
There is trouble abrewing
June 26, 2020, 12:33:03 AM
#10
Quote
But the script is hashed, nodes cannot know the size and content of the script until someone tries to spend from it!

that is correct but i was talking about while that hashed script inside the output is being spent, that is when the redeem script is revealed.

Quote
Here is an interesting and verified transaction

https://www.blockchain.com/btc/tx/38fe36c532c7336c6db407268803787f168781660b64b7a62a63c83168200618

The underlying scripts for all the receiving P2SH addresses (most being successfully spent!) are, as far as I can see, single-byte scripts (i.e. each valid OP-code).
well these are all standard as they are using correct OP codes for numbers meaning 0x52 (which is OP_2) for example instead of using OP_PUSHDATA1.
copper member
Activity: 193
Merit: 235
Click "+Merit" top-right corner
June 25, 2020, 02:05:15 PM
#9
This script ("0x4c01014c010287" in hexadecimal)

FWIW this script is non-standard too so almost all nodes are going to reject it on first round (on 0x4c) without even reaching the EQUAL part since it is not minimal push (one and two should use OP_1 and OP_2)
https://github.com/bitcoin/bitcoin/blob/master/src/script/interpreter.cpp#L234-L236

But the script is hashed, nodes cannot know the size and content of the script until someone tries to spend from it!

Here is an interesting and verified transaction

https://www.blockchain.com/btc/tx/38fe36c532c7336c6db407268803787f168781660b64b7a62a63c83168200618

The underlying scripts for all the receiving P2SH addresses (most being successfully spent!) are, as far as I can see, single-byte scripts (i.e. each valid OP-code).
legendary
Activity: 2114
Merit: 1292
There is trouble abrewing
June 25, 2020, 11:12:44 AM
#8
This script ("0x4c01014c010287" in hexadecimal)

FWIW this script is non-standard too so almost all nodes are going to reject it on first round (on 0x4c) without even reaching the EQUAL part since it is not minimal push (one and two should use OP_1 and OP_2)
https://github.com/bitcoin/bitcoin/blob/master/src/script/interpreter.cpp#L234-L236
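
The minimal-push rule referred to in the post above, as an added example (not code from the thread or from Bitcoin Core): a small decoder that walks the quoted script bytes and flags every push that a shorter encoding could have expressed. The opcode table covers only opcodes named in this thread, and the function names and the `PUSH_n` label are chosen here for illustration.

```python
# Added example: decode a raw Bitcoin script and flag non-minimal pushes.
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4c, 0x4d, 0x4e
# Only the opcodes named in the thread; anything else is shown as hex.
NAMES = {0x00: "OP_0", 0x4c: "OP_PUSHDATA1", 0x4d: "OP_PUSHDATA2",
         0x4e: "OP_PUSHDATA4", 0x63: "OP_IF", 0x64: "OP_NOTIF",
         0x6a: "OP_RETURN", 0x87: "OP_EQUAL", 0x88: "OP_EQUALVERIFY"}
NAMES.update({0x50 + n: "OP_%d" % n for n in range(1, 17)})

def is_minimal_push(opcode, data):
    """True if `opcode` is the shortest way to push `data`."""
    n = len(data)
    if n == 0:
        return opcode == 0x00            # should have used OP_0
    if n == 1 and 1 <= data[0] <= 16:
        return False                     # should have used OP_1..OP_16
    if n == 1 and data[0] == 0x81:
        return False                     # should have used OP_1NEGATE
    if n <= 75:
        return opcode == n               # direct push, opcode is the length
    if n <= 255:
        return opcode == OP_PUSHDATA1
    if n <= 65535:
        return opcode == OP_PUSHDATA2
    return True

def decode(script):
    """Return (offset, name, pushed_data_or_None, minimal) per opcode."""
    out, i = [], 0
    while i < len(script):
        start, op = i, script[i]
        i += 1
        if op > OP_PUSHDATA4:            # not a push opcode
            out.append((start, NAMES.get(op, "0x%02x" % op), None, True))
            continue
        size = op                        # direct push: opcode is the length
        if op >= OP_PUSHDATA1:           # length follows in 1, 2 or 4 bytes
            width = 1 << (op - OP_PUSHDATA1)
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        if i + size > len(script):       # also catches a cut-off length field
            raise ValueError("truncated push at offset %d" % start)
        data = script[i:i + size]
        out.append((start, NAMES.get(op, "PUSH_%d" % op), data,
                    is_minimal_push(op, data)))
        i += size
    return out

def non_minimal_offsets(script):
    """Byte offsets of pushes that violate the minimal-push rule."""
    return [off for off, _, _, ok in decode(script) if not ok]
```

Run on `4c01014c010287`, both pushes are flagged at offsets 0 and 3, and the last byte decodes as OP_EQUAL (0x87; OP_EQUALVERIFY is 0x88). The minimally encoded form `515287` passes the check.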
copper member
Activity: 193
Merit: 235
Click "+Merit" top-right corner
June 24, 2020, 09:23:14 AM
#7
Here is what I came up with. It may not be the simplest possible solution, but it is quite pedagogical, yes?
Code:
OP_PUSHDATA1 1 0x01
OP_PUSHDATA1 1 0x02
OP_EQUALVERIFY
Since 1 is never equal to 2, and there are no other inputs or variables, when the script is executed, it must always return FALSE.

This public address is thus provably unspendable. A Bitcoin black hole. Beware.

Actually...
I think that address is NOT completely unspendable.
It is unspendable with your script, yes, but if someone can come up with another script that has the same hash and that returns TRUE, then with that script the address is spendable :D




Well, until someone finds exploits for SHA-256 _and_ RIPEMD-160, a.k.a. collisions, this will not happen. And should it one day happen, a negligible side-effect is that this little experiment will stop working, and a little worse is that the internet will collapse (encryption cannot be trusted) together with Bitcoin.
full member
Activity: 378
Merit: 197
June 24, 2020, 06:38:47 AM
#6
Here is what I came up with. It may not be the simplest possible solution, but it is quite pedagogical, yes?
Code:
OP_PUSHDATA1 1 0x01
OP_PUSHDATA1 1 0x02
OP_EQUALVERIFY
Since 1 is never equal to 2, and there are no other inputs or variables, when the script is executed, it must always return FALSE.

This public address is thus provably unspendable. A Bitcoin black hole. Beware.

Actually...
I think that address is NOT completely unspendable.
It is unspendable with your script, yes, but if someone can come up with another script that has the same hash and that returns TRUE, then with that script the address is spendable :D

copper member
Activity: 193
Merit: 235
Click "+Merit" top-right corner
June 24, 2020, 05:49:00 AM
#5
Here is what I came up with. It may not be the simplest possible solution, but it is quite pedagogical, yes?

Code:
OP_PUSHDATA1 1 0x01
OP_PUSHDATA1 1 0x02
OP_EQUALVERIFY

You don't need to be a kick-ass coder to decipher this: "Add the number 1 to the stack. Add the number 2 to the stack. Verify that these are equal."

Since 1 is never equal to 2, and there are no other inputs or variables, when the script is executed, it must always return FALSE.

This script ("0x4c01014c010287" in hexadecimal) corresponds to Bitcoin mainnet P2SH address 3Qvy14U4thp4iLZSMz2Jm4on7hVZBwAwhp (calculate it yourself, or use a nice tool such as this to verify).

This public address is thus provably unspendable. A Bitcoin black hole. Beware.



copper member
Activity: 193
Merit: 235
Click "+Merit" top-right corner
June 23, 2020, 08:31:56 AM
#4
it is not just P2SH outputs, you can always create any script in your scriptpub that would eventually fail during evaluation and sending coins to such outputs would be lost forever. redeem scripts just have an additional step and P2SH would always be standard unlike the non-standard scriptpubs.

i created a topic a while ago about provably unspendable UTXOs which you may find interesting (https://bitcointalksearch.org/topic/is-there-any-research-about-utxos-that-are-not-spendable-without-a-fork-5238872). you can wrap any of those scripts like the one with OP_IF but no OP_ENDIF in a redeem script and then create its corresponding address. this script will always fail to evaluate. it doesn't even have to have a private key involved; a simple lone OP_IF would suffice to fail in this case.

Quote
Am I right? Can I create a "P2SH public address blackhole", send coins to it, reveal its full script (private key), and still no one would ever be able to spend the coins?
yes but a simple OP_RETURN would do just fine.


EDIT: the single OP_IF seems to have already been used (in 2014):
3MpTk145zbm5odhRALfT9BnUs8DB5w4ydw

Yes, EXACTLY the information I was looking for. Much obliged!

It is thus super-easy to create public address black holes AND prove that they really are black holes, by sharing the intentionally messed up script (if P2SH) and the private key and "good luck spending the coins already there according to the blockchain".
sr. member
Activity: 310
Merit: 727
---------> 1231006505
June 23, 2020, 07:33:51 AM
#3
Been diving into redeemScript and their corresponding P2SH addresses. Have a question I can't find a definite answer for, trying here:

Is it possible to create what I would call a catastrophic redeem script, hash it and output its "3-address", which will - even though you have the full script and hence the private key - always fail, i.e. always return "false", so that any coins sent to it are forever unspendable?

Since P2SH addresses contain only the hash of the script, it is impossible for anyone to call it "bad" until the underlying full script is revealed, i.e. when someone tries to spend from it.

If I understand things right, redeemScript are actually executed during spending, not only "this hash matches this input, we're good", and I would guess that it was fairly easy to create a script that no matter what always returns "false"?

Am I right? Can I create a "P2SH public address blackhole", send coins to it, reveal its full script (private key), and still no one would ever be able to spend the coins?

If this is a well-known thing, what is it normally called? Thanks.
 
Sure that is possible. With a P2SH address, the hash of the redeem script is being used as input for generating the address. In other words, the redeem script will be evaluated when you try to use it as an input for a transaction. So if the script itself is faulty or for instance would always push a 0 to the stack it is indeed unspendable.

So: the 3-address itself is not based on the private/public key (like in P2PKH) but instead on the redeem script. So having the private key doesn't change the fact you can't spend it.

legendary
Activity: 2114
Merit: 1292
There is trouble abrewing
June 23, 2020, 07:26:35 AM
#2
it is not just P2SH outputs, you can always create any script in your scriptpub that would eventually fail during evaluation and sending coins to such outputs would be lost forever. redeem scripts just have an additional step and P2SH would always be standard unlike the non-standard scriptpubs.

i created a topic a while ago about provably unspendable UTXOs which you may find interesting (https://bitcointalksearch.org/topic/is-there-any-research-about-utxos-that-are-not-spendable-without-a-fork-5238872). you can wrap any of those scripts like the one with OP_IF but no OP_ENDIF in a redeem script and then create its corresponding address. this script will always fail to evaluate. it doesn't even have to have a private key involved; a simple lone OP_IF would suffice to fail in this case.

Quote
Am I right? Can I create a "P2SH public address blackhole", send coins to it, reveal its full script (private key), and still no one would ever be able to spend the coins?
yes but a simple OP_RETURN would do just fine.


EDIT: the single OP_IF seems to have already been used (in 2014):
3MpTk145zbm5odhRALfT9BnUs8DB5w4ydw
copper member
Activity: 193
Merit: 235
Click "+Merit" top-right corner
June 23, 2020, 07:15:36 AM
#1
Been diving into redeemScript and their corresponding P2SH addresses. Have a question I can't find a definite answer for, trying here:

Is it possible to create what I would call a catastrophic redeem script, hash it and output its "3-address", which will - even though you have the full script and hence the private key - always fail, i.e. always return "false", so that any coins sent to it are forever unspendable?

Since P2SH addresses contain only the hash of the script, it is impossible for anyone to call it "bad" until the underlying full script is revealed, i.e. when someone tries to spend from it.

If I understand things right, redeemScript are actually executed during spending, not only "this hash matches this input, we're good", and I would guess that it was fairly easy to create a script that no matter what always returns "false"?

Am I right? Can I create a "P2SH public address blackhole", send coins to it, reveal its full script (private key), and still no one would ever be able to spend the coins?

If this is a well-known thing, what is it normally called? Thanks.



 