Author: Gregory Maxwell 2018-07-02 18:11:54
Published on: 2018-07-02T18:11:54+00:00
On April 30, 2018, Christian Decker via bitcoin-dev proposed a new sighash flag called `SIGHASH_NOINPUT` that removes the commitment to the previous. However, the author of this email believes that it is important to name this flag as "SIGHASH_REPLAY_VULNERABLE" or "SIGHASH_WEAK_REPLAYABLE" because noinput is materially insecure for traditional applications where a third party might pay to an address a second time. This flag should only be used in special protocols which make that kind of mistake unlikely. The author expressed their concern that wallets may start using this sighash without realizing that when a third party reuses a script pubkey, completely outside of control of the wallet that uses the flag, funds will be lost as soon as a troublemaker shows up. The risk associated with this problem is magnified because the third party address reuser has no way to know that this sighash flag has (or will) be used with a particular scriptpubkey. The author argued that the possibility that someone might use this flag means that it's generally unsafe to reuse a scriptpubkey. In conclusion, the author suggests that the best mitigation for this issue is defense in depth to ensure that anyone who uses this sighash flag understands the consequences.
Updated on: 2023-05-20T08:22:07.907043+00:00