π
Original date posted:2018-01-15
π Original message:Hi Matt,
Thanks for raising this. Since the compiler only produces SegWit addresses,
I hadn't worried at all about malleability, but as you pointed out
out-of-band, malleability in the length of an argument can allow an
attacker to deflate the feerate of a transaction.
There was in fact a minor witness malleability problem with how the
compiler was handling clause selection. It's now been fixed in version
0.0.7 of the compiler.
As far as I can tell (and I haven't looked all that carefully), any
sensible Ivy contract won't have any witness malleability problem. (A funny
exception is the RevealCollision contract, since you can length-extend the
arguments to get another collision. But without a signature check, that one
has a more serious transaction malleability problem anyway.) But the
compiler currently doesn't prevent you from doing dumb unconstrained stuff
like:
```
clause spend(a: Bytes, b: Bytes, sig: Signature) {
verify a == b
verify checkSig(publicKey, sig)
unlock val
}
```
Maybe it should, particularly since there's no reason to include a trivial
condition like that anyway. But I think it would probably be about as easy
(and more generally useful) to build a static analyzer that solved this
problem for low-level Bitcoin Script.
On Sun, Jan 14, 2018 at 5:42 PM Matt Corallo <lf-lists at mattcorallo.com>
wrote:
> I'm curious if you've considered adding some form of compiler-time
> enforcement to prevent witness malleability? With that, Ivy could help to
> resolve for it's users one of the things that can make Bitcoin scripts more
> complicated to write, instead of simply type-checking and providing a
> high-level language mapped 1-to-1 with Bitcoin script.
>
>
> On December 18, 2017 8:32:17 PM UTC, Daniel Robinson via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>>
>> Today, weβre releasing Ivy, a prototype higher-level language and
>> development environment for creating custom Bitcoin Script programs. You
>> can see the full announcement here
>> <https://blog.chain.com/ivy-for-bitcoin-a-smart-contract-language-that-compiles-to-bitcoin-script-bec06377141a>;,
>> or check out the docs <https://docs.ivy-lang.org/bitcoin/>; and source
>> code <https://github.com/ivy-lang/ivy-bitcoin>;.
>>
>> Ivy is a simple smart contract language that can compile to Bitcoin
>> Script. It aims to improve on the useability of Bitcoin Script by adding
>> affordances like named variables and clauses, static (and domain-specific)
>> types, and familiar syntax for function calls.
>>
>> To try out Ivy, you can use the Ivy Playground for Bitcoin
>> <https://ivy-lang.org/bitcoin/>;, which allows you to create and test
>> simulated contracts in a sandboxed environment.
>>
>> This is prototype software intended for educational and research purposes
>> only. Please don't try to use Ivy to control real or testnet Bitcoins.
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180115/ee189ac5/attachment.html>;
Daniel Robinson [ARCHIVE] /
npub1hyβ¦7jzt2
2023-06-07 20:09:45
in reply to nevent1qβ¦56jh
Author Public Key
npub1hy94r8apyzhxsdl76rtgspps5sdg2d9darnyzlrcfqcwjl073trqc7jzt2Published at
2023-06-07 20:09:45Event JSON
{
"id": "3942a55a8826c6bc7422e0b80e3c00eeaa41c985c8f2f5767ce24bae456a7f8e",
"pubkey": "b90b519fa120ae6837fed0d6880430a41a8534ade8e6417c784830e97dfe8ac6",
"created_at": 1686161385,
"kind": 1,
"tags": [
[
"e",
"52b8beef849a356e17f2f8997470b8a10575d2e4112fe514f158b2d1e2c84081",
"",
"root"
],
[
"e",
"d11a92e4c731d35717603b9d9f07e0c72df0c710c501df436555080f7a94f8f3",
"",
"reply"
],
[
"p",
"cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba"
]
],
"content": "π
Original date posted:2018-01-15\nπ Original message:Hi Matt,\n\nThanks for raising this. Since the compiler only produces SegWit addresses,\nI hadn't worried at all about malleability, but as you pointed out\nout-of-band, malleability in the length of an argument can allow an\nattacker to deflate the feerate of a transaction.\n\nThere was in fact a minor witness malleability problem with how the\ncompiler was handling clause selection. It's now been fixed in version\n0.0.7 of the compiler.\n\nAs far as I can tell (and I haven't looked all that carefully), any\nsensible Ivy contract won't have any witness malleability problem. (A funny\nexception is the RevealCollision contract, since you can length-extend the\narguments to get another collision. But without a signature check, that one\nhas a more serious transaction malleability problem anyway.) But the\ncompiler currently doesn't prevent you from doing dumb unconstrained stuff\nlike:\n\n```\nclause spend(a: Bytes, b: Bytes, sig: Signature) {\n verify a == b\n verify checkSig(publicKey, sig)\n unlock val\n}\n```\n\nMaybe it should, particularly since there's no reason to include a trivial\ncondition like that anyway. But I think it would probably be about as easy\n(and more generally useful) to build a static analyzer that solved this\nproblem for low-level Bitcoin Script.\n\nOn Sun, Jan 14, 2018 at 5:42 PM Matt Corallo \u003clf-lists at mattcorallo.com\u003e\nwrote:\n\n\u003e I'm curious if you've considered adding some form of compiler-time\n\u003e enforcement to prevent witness malleability? With that, Ivy could help to\n\u003e resolve for it's users one of the things that can make Bitcoin scripts more\n\u003e complicated to write, instead of simply type-checking and providing a\n\u003e high-level language mapped 1-to-1 with Bitcoin script.\n\u003e\n\u003e\n\u003e On December 18, 2017 8:32:17 PM UTC, Daniel Robinson via bitcoin-dev \u003c\n\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\u003e\n\u003e\u003e Today, weβre releasing Ivy, a prototype higher-level language and\n\u003e\u003e development environment for creating custom Bitcoin Script programs. You\n\u003e\u003e can see the full announcement here\n\u003e\u003e \u003chttps://blog.chain.com/ivy-for-bitcoin-a-smart-contract-language-that-compiles-to-bitcoin-script-bec06377141a\u003e,\n\u003e\u003e or check out the docs \u003chttps://docs.ivy-lang.org/bitcoin/\u003e and source\n\u003e\u003e code \u003chttps://github.com/ivy-lang/ivy-bitcoin\u003e.\n\u003e\u003e\n\u003e\u003e Ivy is a simple smart contract language that can compile to Bitcoin\n\u003e\u003e Script. It aims to improve on the useability of Bitcoin Script by adding\n\u003e\u003e affordances like named variables and clauses, static (and domain-specific)\n\u003e\u003e types, and familiar syntax for function calls.\n\u003e\u003e\n\u003e\u003e To try out Ivy, you can use the Ivy Playground for Bitcoin\n\u003e\u003e \u003chttps://ivy-lang.org/bitcoin/\u003e, which allows you to create and test\n\u003e\u003e simulated contracts in a sandboxed environment.\n\u003e\u003e\n\u003e\u003e This is prototype software intended for educational and research purposes\n\u003e\u003e only. Please don't try to use Ivy to control real or testnet Bitcoins.\n\u003e\u003e\n\u003e\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180115/ee189ac5/attachment.html\u003e",
"sig": "bf1e68e755f5b7ed0708359c5f62a2148bf0688c5679e481bdac5b693c933c32c396b124b1a2693d4acc7361466161f25dcb0c5e77f50c1cea93c35e6a1c3584"
}