Author: kiminuo 2023-09-08 14:36:16+00:00
Published on: 2023-09-08T14:36:16+00:00
BIP 21 defines a URI scheme for making Bitcoin payments, allowing users to easily make payments by clicking links on webpages or scanning QR codes. Bitcoin wallets register the "bitcoin" URI scheme to parse BIP21 URIs and pre-fill data in a form for sending bitcoin to a recipient. However, I have noticed that according to the BIP21 grammar, it is allowed to specify URI parameters multiple times.For example, the URI "bitcoin:bc1qd4fxq8y8c7qh76gfnvl7amuhag3z27uw0w9f8p?amount=0.004&label=Kiminuo&message=Donation&amount=1.004" is actually valid, with the 'amount' parameter specified twice. Bitcoin Core implements "the last value wins" behavior, so the value "amount=1.004" will be taken into account instead of "amount=0.004". However, this ability to specify parameters multiple times can lead to confusion for users and developers.In the worst case scenario, it could be exploited by social engineering attempts to craft a clever BIP21 URI and manipulate the behavior of a particular wallet software. While there is no evidence of this happening currently, it is still a concern. Therefore, the main question posed in this post is whether allowing multiple specifications of BIP21 parameters is useful or harmful.To read the full context, please refer to the original email [link].
Updated on: 2023-09-09T01:48:39.743387+00:00