Author: Greg Sanders 2019-11-07 22:45:02
Published on: 2019-11-07T22:45:02+00:00
Pieter Wuille posted on the bitcoin-dev mailing list about a mutation weakness in bech32, which was discovered some time ago. He explains that inserting or erasing 'q's before the final 'p' in a bech32 string does not invalidate it due to an oversight in the original design. Wuille notes that this has little effect on the security of P2WPKH/P2WSH addresses, as those are only valid for specific lengths; however, this may influence design decisions around bip-taproot. In the current draft of bip-taproot, witness v1 outputs of length other than 32 remain unencumbered. This means that inserting or erasing one character could result in an output that can be spent by anyone. To prevent this, one option is to outlaw v1 witness outputs of length 31 and 33. Wuille asks for thoughts on this issue.
Updated on: 2023-06-13T22:07:39.817317+00:00