Published on: 2018-03-05T15:28:20+00:00
Rusty Russell has raised concerns about the flexibility of BIP 117 in a post on the bitcoin-dev mailing list. He believes that BIP 117 is trying to do too much and finds the use of altstack awkward. Instead, he suggests implementing a simpler form of tail recursion by having a single blob. He also expresses concern over the dropping of SIGOP and opcode limits in BIP 117 and calls for more justification, including measurements and bounds on execution times.Rusty proposes restoring statically analyzability by limiting rules to version 3 segwit transactions, counting only the top element of the stack, and requiring the popped-off blob for tail recursion to be identical to that top element of the stack.Regarding the use of altstack, Rusty suggests leaving it untouched in v0 P2WSH. He points out that if anyone is already using altstack, BIP 117 could potentially confiscate those UTXOs as the altstack would likely be non-executable. Even in v1 witness, Rusty believes altstack should remain temporary data storage.Rusty also highlights the security vulnerability in BIP 117, where concatenated scripts can be skipped by using an invalid push operation in the scriptSig, making the whole concatenated script a simple push.Luke Dashjr also contributes to the discussion, shifting the conversation to the added requirement that some pubkeys in a multisig must be parsable. He mentions that people have reported difficulty retrieving their funds due to this change, but clarifies that it is only a change to the standardness rules, not a consensus change. He assures that these funds are not permanently lost and can be retrieved with miner help.The discussion on the bitcoin-dev mailing list further explores the situation for BIP 117 and BIP-141. It is noted that BIP-141 requires a script to result in exactly a single TRUE on the stack, while P2SH scripts have not followed this rule. However, this does not affect the altstack, which is a separate stack. The principle of "standard transactions must still work" was violated with low-S, but it was considered trivial due to specific mitigating factors.The viability of BIP 117 as a soft fork for Script is also discussed, comparing it to past soft forks. BIP 117 introduces new rules that could render existing commitments unspendable and remove ownership of funds. It is argued that new consensus features should follow the UNIX philosophy of being small, modular, and incremental changes to enable unrestricted innovation.Mark Friedenbach discusses the use of the alt stack as a hack for segwit script version 0 and proposes future improvements to switch to a witness script version and a new segwit output version that supports native MAST. The author argues against removing SIGOP and opcode limits entirely and suggests limiting per-script execution proportional to the script size.Overall, there are concerns about the flexibility, security, and potential loss of funds associated with BIP 117. Various suggestions and proposals are made to address these concerns and improve the implementation of Segregated Witness in Bitcoin.
Updated on: 2023-08-01T22:27:01.437678+00:00