How did this transaction get validated?

2 replies 427 views
tony777Member
Posts: 3 · Reputation: 112
#1May 17, 2024, 10:42 PM
txid: b3e977a2c48145255d84e1c82d4ea07522528991d50ead1cf3a783559d9733e3 So, check it out, the r and s values for the signature are r = 0x52 and s = 0x53. There's no way those could’ve come from a k, which basically means the signature is bogus. So how on earth did this transaction with a bad signature get validated? I was digging around for info on this transaction and stumbled upon a document that said transactions like this are more expensive to verify, and it might be wise to just not allow them at all. But that still doesn't clear up why this one got the green light.
4 Reply Quote Share
byte2019Senior Member
Posts: 270 · Reputation: 1836
#2May 20, 2024, 04:12 AM
Because the Script required any invalid signature. There are many things, which can be done by scripts: you can require a single key, multiple keys, or even no keys at all. Or: you can also require some valid signature, some invalid signature, some identical signature for the same public key, some different signature for the same key, or even some valid signature, which will take less than N bytes. There are a lot of options, probably much more, than people already tried. Classically, you can have something like that: "<pubkey> OP_CHECKSIG". However, nothing stops you from doing "<pubkey> OP_CHECKSIG OP_NOT" instead, which would require any invalid signature, and will be strictly rejected, if you make a valid one. Or you can even use "OP_CHECKSIG" alone, and it would then require any valid key, with any valid signature. Or even "OP_CHECKSIG OP_NOT", to accept anything, what wouldn't pass through OP_CHECKSIG for various reasons. Yes, because using OP_CODESEPARATOR will enforce re-hashing transaction data. And even if producing some invalid signature is trivial, then validating it requires similar effort, as checking some valid one, because you have to be 100% sure, that nobody produced a matching signature. And also, slow things can be combined. So, you can mix OP_CODESEPARATOR with OP_CHECKMULTISIG. And in case of Taproot, you can make even more tricky cases, like "OP_SHA256 OP_CHECKSIG OP_NOT", which would hash your message, use it as x-value of your public key, and make sure, that it won't pass Schnorr signature verification.
6 Reply Quote Share
tony777Member
Posts: 3 · Reputation: 112
#3May 20, 2024, 10:08 AM
I hadn't realized that it was the Bitcoin scripting opcodes that explicitly required an invalid signature. Thank you so much for your response
6 Reply Quote Share

Related topics