Published on: 2016-05-02T23:39:10+00:00
In a recent email exchange, Olaoluwa Osuntokun discusses the requirement of using a 110k preimage to redeem and dropping it to the blockchain. This process would create a non-standard transaction which may not propagate. Similarly, an almost 4MB preimage would require grinding out a tiny signature to redeem in a tx small enough.However, Segwit's witness program validation logic ensures that each element of the passed witness stack is less-than-or-equal-to the maximum script element size of 520 bytes. This check is enforced before execution itself, thus enforcing a ceiling on the pre-image size even without the additional OP_SIZE check.Following this, a modification was made to their scripts similar to the one discussed. In response, Rusty thanks Olaoluwa Osuntokun for sounding the alarm with the mailing-list post and enquires about any other issues that may have been missed.The context describes the process of redeeming a preimage by dropping it to the blockchain and sending it directly to a miner. However, a node attempting to use that preimage would create a non-standard transaction that may not propagate.This is where Segwit's witness program validation logic comes into play, which ensures that each element of the passed witness stack is less-than-or-equal-to the maximum script element size of 520 bytes. This check is enforced before execution itself, effectively enforcing a ceiling on the pre-image size.The writer of the post notes that they have also recently made a similar observation resulting in a modification to their scripts.Rusty, a developer, plans to modify the HTLC (Hash Time Lock Contract) scripts for the first time in a while. He intends to prepend "OP_SIZE 32 OP_EQUALVERIFY" to the scripts, which will mean that timing out an HTLC requires a 32-byte value. This change will define the length of a scriptsig that redeems a transaction, which was previously ill-defined.The wire protocol mandates a 32-byte R preimage to redeem an HTLC, but there was no such on-chain restriction. Due to this limitation, an attacker could create an HTLC that requires a different-sized preimage to redeem, then drop the commit tx to the blockchain and redeem it.Moreover, Rusty plans to drop the per-side HTLC limit from 1500 to 450 in BOLT #2. This means that a single "steal" transaction that spends all the inputs is still under 400k cost, simplifying the protocol. If the limit remained at 1500, stealing the inputs would have cost more than 1 MB, and the resulting transaction would be non-standard, meaning it may not propagate.
Updated on: 2023-07-31T18:59:59.706615+00:00