Bech32 weakness and impact on bip-taproot addresses



Summary:

Pieter, a Bitcoin developer, has posted a message on the Bitcoin-dev mailing list describing a mutation weakness in bech32. Specifically, when a bech32 string ends with a "p", inserting or erasing "q"s immediately before that "p" does not invalidate its checksum. Insertion/erasure robustness was never an explicit design goal, but this behaviour is very much not by design, and this particular issue could have been made much less impactful with a slightly different construction. The weakness has little effect on the security of P2WPKH/P2WSH addresses, since those are only valid at specific lengths.

However, Pieter is concerned that this property may influence design decisions around bip-taproot, as was brought up in the review session last Tuesday. In the current draft, witness v1 outputs of any length other than 32 remain unencumbered, which means that for now such an insertion or erasure would produce an output that anyone can spend. If that is considered unacceptable, it could be prevented by outlawing v1 witness outputs of length 31 and 33. Pieter apologizes for not catching this issue earlier and asks the community for thoughts on preventing such issues in the future.
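To make the property concrete, here is an added example in Python (not code from Pieter's post, Bitcoin Core or the BIP authors): a bech32 encoder/decoder that follows the BIP173 reference algorithm, a segwit address decoder with a switchable v1 length policy, and a search over constructed witness programs for an address whose "q"-before-"p" mutation survives both the checksum and the bit-regrouping padding check. Every address and program is constructed for the illustration, and the helper names (`raw_program`, `segwit_decode`, `find_mutable_address`, the `v1_lengths` parameter) are this example's own.

```python
# Added example (not from the mailing-list post): reproduce the bech32 "q"-before-"p"
# mutation and show how witness-program length rules decide whether it reaches the
# program. bech32/convertbits follow BIP173; all addresses/programs are constructed.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]

def bech32_polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk

def bech32_hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def bech32_verify_checksum(hrp, data):
    return bech32_polymod(bech32_hrp_expand(hrp) + data) == 1

def bech32_encode(hrp, data):
    polymod = bech32_polymod(bech32_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def bech32_decode(bech):
    """Return (hrp, data without checksum), or (None, None) if invalid."""
    bech = bech.lower()
    pos = bech.rfind("1")
    if pos < 1 or pos + 7 > len(bech) or len(bech) > 90:
        return None, None
    if any(c not in CHARSET for c in bech[pos + 1:]):
        return None, None
    hrp, data = bech[:pos], [CHARSET.index(c) for c in bech[pos + 1:]]
    return (hrp, data[:-6]) if bech32_verify_checksum(hrp, data) else (None, None)

def convertbits(data, frombits, tobits, pad=True):
    """Regroup bits; with pad=False, over-long or non-zero padding is rejected."""
    acc = bits = 0
    ret = []
    maxv = (1 << tobits) - 1
    max_acc = (1 << (frombits + tobits - 1)) - 1
    for v in data:
        if v < 0 or v >> frombits:
            return None
        acc = ((acc << frombits) | v) & max_acc
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad:
        if bits:
            ret.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return ret

def segwit_encode(hrp, version, program):
    return bech32_encode(hrp, [version] + convertbits(list(program), 8, 5))

def raw_program(addr):
    """(version, program bytes) after checksum and bit regrouping; no length policy."""
    _, data = bech32_decode(addr)
    if not data or data[0] > 16:
        return None
    prog = convertbits(data[1:], 5, 8, pad=False)
    return None if prog is None or not 2 <= len(prog) <= 40 else (data[0], bytes(prog))

def segwit_decode(addr, v1_lengths=(32,)):
    """BIP141: v0 programs are 20 or 32 bytes. v1_lengths=None models the bip-taproot
    draft (any v1 length unencumbered); v1_lengths=(32,) the suggested restriction."""
    decoded = raw_program(addr)
    if decoded is None:
        return None
    version, prog = decoded
    if version == 0 and len(prog) not in (20, 32):
        return None
    if version == 1 and v1_lengths is not None and len(prog) not in v1_lengths:
        return None
    return decoded

def insert_q_before_final_p(addr):
    """The mutation from the post: a "q" inserted right before a trailing "p"."""
    assert addr.endswith("p")
    return addr[:-1] + "qp"

def find_mutable_address(version, length, hrp="bc", limit=1 << 20):
    """Search constructed programs for an address ending in "p" whose "q"-inserted
    variant also passes the padding check, so the mutation reaches the program."""
    for i in range(limit):
        addr = segwit_encode(hrp, version, i.to_bytes(length, "big"))  # constructed
        if addr.endswith("p") and raw_program(insert_q_before_final_p(addr)):
            return addr
    return None

if __name__ == "__main__":
    for version in (0, 1):
        mutated = insert_q_before_final_p(find_mutable_address(version, 32))
        print(version, mutated, bech32_decode(mutated)[0] == "bc",
              segwit_decode(mutated) is not None, segwit_decode(mutated, None) is not None)
```

Run stand-alone, the script prints one line each for a v0 (P2WSH) and a v1 address: the mutated string still passes the bech32 checksum, the fixed-length policy rejects it, and only the any-length draft policy accepts the resulting 33-byte v1 program. Not every inserted "q" gets that far, because the extra five bits must also satisfy the padding rules of the 5-to-8 bit regrouping, which is why the search filters on that as well as on the trailing "p".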


Updated on: 2023-05-20T21:04:16.410716+00:00