Published on: 2014-11-06T12:39:48+00:00
On November 6th, 2014, Bitcoin developer Peter Todd raised concerns about an invalid transaction being accepted into the mempool by git head. The transaction in question spends the redeemScript: CHECKSIG NOT. Todd also mentioned that Bitcoin-Ruby had undergone another fork. Another user asked for clarification on the potential forking issue, as a webbtc node had just received a block, but no further information was provided.Emails between Pieter Wuille and Peter Todd discuss the vulnerability of pubkey formats not recognized by the STRICTENC flag. This vulnerability allows garbage transactions to fill up the mempool, although it does not affect IsStandard() transactions. Wuille suggests adding a second validity check with the actual consensus rules. Todd proposes two solutions: either failing unrecognized pubkeys immediately or failing the script if the pubkey is non-standard but signature verification succeeds. They agree to implement the latter solution as a "least invasive" measure, with plans to eventually eliminate hybrid-encoded pubkeys.On the same day, Pieter Wuille proposed changing the STRICTENC protocol to either fail unrecognized pubkeys immediately or fail the script if the pubkey is non-standard and signature verification succeeds. This proposal was accepted, but there was a discussion about whether this rule should apply to all pubkeys passed to CHECKMULTISIG or just the ones checked otherwise. They also acknowledged the potential difficulty of spending existing outputs and how making this a consensus rule could render existing P2SH outputs/addresses unspendable.In a message dated November 6, 2014, Peter Todd discusses the vulnerability of the STRICTENC flag implementation in the Bitcoin software. He explains that the flag treats public key formats unrecognized by the software as invalid signatures rather than rejecting the entire transaction. Exploiting this loophole allows attackers to flood the mempool with fake transactions that will never be mined. However, Todd states that he found no way to exploit this vulnerability in version 0.9.x IsStandard() transactions. He suggests changing the STRICTENC flag to either fail unrecognized pubkeys immediately or fail the script if the pubkey is non-standard but signature verification succeeds. Pieter agrees with Todd's suggestion, and they also mention the lack of softfork safety for the STRICTENC flag.On November 6, 2014, Peter Todd reported a flaw in the Bitcoin protocol where git head accepts an invalid transaction into the mempool, which spends the redeemScript. This flaw could potentially enable double spending attacks and increase the risk of fraud. Additionally, Bitcoin-Ruby experienced another fork during this time. Todd includes a signature.asc file with a digital signature along with his report.The current implementation of the STRICTENC flag in git head allows unrecognized pubkeys to be accepted into the mempool, resulting in garbage transactions that will never be mined. The issue lies in the fact that this flag treats unrecognized pubkey formats as though the signature is invalid, rather than failing the entire transaction. While this vulnerability does not affect v0.9.x IsStandard() transactions, it is uncertain if alt-implementations have been impacted. To address this, the suggested solutions are to either change STRICTENC to fail unrecognized pubkeys immediately or to fail the script if the pubkey is non-standard and signature verification succeeds.
Updated on: 2023-08-01T10:37:18.667905+00:00