Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: How Segwit handles SIGHASH_SINGLE bug? (Read 137 times)

pooya87
legendary
Activity: 3472
Merit: 10611
How Segwit handles SIGHASH_SINGLE bug?
January 05, 2022, 10:57:05 PM
#5
Quote from: garlonicon on January 05, 2022, 08:50:15 AM
Ability to move any coins connected with some public key by reusing the same signature sounds like a bug for me.
That's not how it works, if the SIGHASH is changed (eg from ALL to SINGLE), the previous signature is no longer valid. You have to willingly and knowingly sign the transaction with the specified SIGHASH and publish it. That makes it a feature not a bug.
I already gave you the example with sending coins to OP_TRUE, another one is sending your coins to P2SH-P2TR (wrapped Taproot), anyone can spend your coins if you do that and they know your script. That is a known feature and can't be called a bug.
garlonicon
copper member
Activity: 821
Merit: 1992
Re: How Segwit handles SIGHASH_SINGLE bug?
January 05, 2022, 08:50:15 AM
#4
Quote
If the entire 'hash' were set to zero, someone could instantly steal anyone's coins
How?

Quote
which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found
What is that vulnerability? Is the case when z=0 somehow more dangerous than z=1? If it is, I didn't expect that, so I don't know what should I "ethically report".

Quote
Also it is not a bug, it is a feature.
If it is a feature, then why it does not work in the same way as for non-Segwit addresses? And if it is a feature, then why it is disabled in Taproot? Ability to move any coins connected with some public key by reusing the same signature sounds like a bug for me.
pooya87
legendary
Activity: 3472
Merit: 10611
Re: How Segwit handles SIGHASH_SINGLE bug?
January 04, 2022, 10:56:25 PM
#3
Also it is not a bug, it is a feature.
It has always been well known how out of range indexes for SIGHASH_SINGLE work, calling it a bug is like saying sending your coins to an output script equal to OP_TRUE (that anyone can spend) is a bug!
gmaxwell
staff
Activity: 4284
Merit: 8808
Re: How Segwit handles SIGHASH_SINGLE bug?
January 04, 2022, 04:08:25 PM
#2
https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#specification

The only thing set to zero is the hashOutputs portion of this.

If the entire 'hash' were set to zero, someone could instantly steal anyone's coins, which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found.
garlonicon
copper member
Activity: 821
Merit: 1992
Re: How Segwit handles SIGHASH_SINGLE bug?
January 04, 2022, 01:07:26 PM
#1
I know for old addresses, SHA-256 value of one is used. But is it the case for Segwit? As far as I understand https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#cite_note-7 it should work for zero instead of one, right? But when I am trying to use z=0 in my signature, Bitcoin Core says it is invalid. Also, the same signature as for non-Segwit address is invalid, so z=1 is not the case. So: is it possible to spend P2WPKH output with SIGHASH_SINGLE, when there is no matching output index for a given input? Is it relayed by default if broadcasted? Is it nonstandard, but valid somehow? How this bug works for Segwit addresses? Or is it fixed and there is no way to use SIGHASH_SINGLE in Segwit addresses without matching output?
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: