Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 354233AB6 for ; Tue, 9 Jul 2019 22:21:39 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-yw1-f51.google.com (mail-yw1-f51.google.com [209.85.161.51]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9754C67F for ; Tue, 9 Jul 2019 22:21:38 +0000 (UTC) Received: by mail-yw1-f51.google.com with SMTP id z63so162112ywz.9 for ; Tue, 09 Jul 2019 15:21:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bitcoinbank.co.jp; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8Wkyun53VyXSpbVZ931Xrl9vweizwIqS7Th1GxU6aFw=; b=PCUl5CzAcVuUMpT0XmuzFAzDhUGCz4QE8JINQS1VLqGt+ZjDPpq+gtu6QHl4WdZ9zK FTXjJ1MhyP7g2rNGBohjtpXK1HduyrMlF+aqkrF8Q0LAznd9pGPNKQVRzkcS73w+0pbO 5a46RTuggpfHGQQQujr236w/132CskX8VjiP2LX4uTZJn23bmgdAx152tfeFPuX3e6JJ /Zds4gQjQMwCeVoWvgKVMTf0VfM+heCdcBWgPWvUpzCWQeG8b6Xssv62VOrExYuAe9ki /SeG16IroAs2Zi82z6W+aU6n+20IR7pmJI9o3j8scPeMFDZ4fidbm85Wr5E+lDVf//sc y21Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8Wkyun53VyXSpbVZ931Xrl9vweizwIqS7Th1GxU6aFw=; b=WGWnNOpW3ANU/K2vPMl0ZSb7wKy0azk34wJxhmHpY77l9YBedazqLOrC51gYBeEC1a 0ZSQEpa6WYii8G1acL5rcxyZfTnu1v4YSFdEDjzRrJQRlPNFTCaeRNF+9Y2G80zB1rsB clLAZECBy+8oRAVBO5myAjwf4r56TXiPstnkKhEv6QXaLRNzThkrP/rp8B3YYKeYHJte spA7TUpFocu1TZS0NsnuLz3moRYYE0fKiMb9PbuyTVlNHdbnFNA+OHan3BoAskFg96aL TPbARy9jj/AycSKXzKzdiXjf5NMmPhPiewvS3DimL4DPwcgyND4ZVfaCREeC8SuXIYNS gDfw== X-Gm-Message-State: APjAAAX+kx7ZU9/Bz8bQOclsSbKwYv9OVvWYaYi53/FGRSYvBOrUwnOW h6llidsK+BGCgqENTMTBXyFEf+DsosT6KieeEjoP X-Google-Smtp-Source: APXvYqwGl0n/SJVQjTYdIDwxdPWo+nBhKmkrIjvhDLdRRZsvrStOMIC8039buSGUVUrjBMOSfibnRZ9k13lAeG5v6wM= X-Received: by 2002:a81:5e44:: with SMTP id s65mr15543187ywb.441.1562710897555; Tue, 09 Jul 2019 15:21:37 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jonathan Underwood Date: Wed, 10 Jul 2019 07:21:25 +0900 Message-ID: To: Andrew Chow Content-Type: multipart/alternative; boundary="000000000000ef94e9058d46fbbf" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 10 Jul 2019 05:16:23 +0000 Cc: Bitcoin development mailing list Subject: Re: [bitcoin-dev] BIP174 amendment proposal (Important Signer Check should be mentioned) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2019 22:21:39 -0000 --000000000000ef94e9058d46fbbf Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Andrew, Ok, I will go ahead and write the amendment and make a PR. Thanks! Jon 2019=E5=B9=B47=E6=9C=8810=E6=97=A5(=E6=B0=B4) 5:26 Andrew Chow : > This was the original intent of the sighash field. Either the sighash is > acceptable to the signer and the signer signs with it, or they do not sig= n > at all. > > On 7/9/19 11:58 AM, Jonathan Underwood via bitcoin-dev wrote: > > Hi all, > > Just to be brief, I'll kick off with an attack scenario. > > 1. I am a signer, I get a PSBT that is ready to sign. I parse. I sign > according to the PSBT as-is. > 2. I notice my UTXO was stolen by a hacker because they changed my PSBT > input's sighashtype to SIGHASH_ANYONECANPAY | SIGHASH_NONE and after the > fact they changed the outputs to send to themselves, and added an input > they signed with SIGHASH_ALL. > 3. I lose the BTC in my UTXO. > > So we should definitely add to the signer checks "ensure the sighash type > given is the type of sighash you want to sign." etc. > > My proposal for a wording change would be addition to the bullet list: > > - If a sighash type is provided, the signer MUST check that the sighash > type is acceptable to them, and fail signing if unacceptable. > - If a sighash type is not provided, the signer SHOULD sign using > SIGHASH_ALL, but may sign with any sighash type they wish. > > Any thoughts? > > Thanks, > Jon > > -- > ----------------- > Jonathan Underwood > =E3=83=93=E3=83=83=E3=83=88=E3=83=90=E3=83=B3=E3=82=AF=E7=A4=BE =E3=83=81= =E3=83=BC=E3=83=95=E3=83=93=E3=83=83=E3=83=88=E3=82=B3=E3=82=A4=E3=83=B3=E3= =82=AA=E3=83=95=E3=82=A3=E3=82=B5=E3=83=BC > ----------------- > > =E6=9A=97=E5=8F=B7=E5=8C=96=E3=81=97=E3=81=9F=E3=83=A1=E3=83=83=E3=82=BB= =E3=83=BC=E3=82=B8=E3=82=92=E3=81=8A=E9=80=81=E3=82=8A=E3=81=AE=E6=96=B9=E3= =81=AF=E4=B8=8B=E8=A8=98=E3=81=AE=E5=85=AC=E9=96=8B=E9=8D=B5=E3=82=92=E3=81= =94=E5=88=A9=E7=94=A8=E4=B8=8B=E3=81=95=E3=81=84=E3=80=82 > > =E6=8C=87=E7=B4=8B: 0xCE5EA9476DE7D3E45EBC3FDAD998682F3590FEA3 > > > --000000000000ef94e9058d46fbbf Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Andrew,

O= k, I will go ahead and write the amendment and make a PR.

Thanks!
Jon
<= /div>
2= 019=E5=B9=B47=E6=9C=8810=E6=97=A5(=E6=B0=B4) 5:26 Andrew Chow <achow101-lists@achow101.com>= :
This was the original intent of the sighash field. Either the sighash is acceptable to the signer and the signer signs with it, or they do not sign at all.

On 7/9/19 11:58 AM,= Jonathan Underwood via bitcoin-dev wrote:
=20
Hi all,

Just to be brief, I'll kick off with an attack scenario.

1. I am a signer, I get a PSBT that is ready to sign. I parse. I sign according to the PSBT as-is.
2. I notice my UTXO was stolen by a hacker because they changed my PSBT input's sighashtype to SIGHASH_ANYONECANPAY | SIGHASH_NONE and after the fact they changed the outputs to send to themselves, and added an input they signed with SIGHASH_ALL.
3. I lose the BTC in my UTXO.

So we should definitely add to the signer checks "ensure the sighash type given is the type of sighash you want to sign." etc.

My proposal for a wording change would be addition to the bullet list:

- If a sighash type is provided, the signer MUST check that the sighash type is acceptable to them, and fail signing if unacceptable.
- If a sighash type is not provided, the signer SHOULD sign using SIGHASH_ALL, but may sign with any sighash type they wish.

Any thoughts?

Thanks,
Jon

--
-----------------
Jonathan Underwood
=E3=83=93=E3=83=83=E3=83=88=E3=83=90=E3=83=B3=E3= =82=AF=E7=A4=BE=E3=80=80=E3=83=81=E3=83=BC=E3=83=95=E3=83=93=E3=83=83=E3=83= =88=E3=82=B3=E3=82=A4=E3=83=B3=E3=82=AA=E3=83=95=E3=82=A3=E3=82=B5=E3=83=BC=
-----------------

=E6=9A=97=E5=8F=B7=E5=8C=96=E3=81=97=E3=81=9F=E3= =83=A1=E3=83=83=E3=82=BB=E3=83=BC=E3=82=B8=E3=82=92=E3=81=8A=E9=80=81=E3=82= =8A=E3=81=AE=E6=96=B9=E3=81=AF=E4=B8=8B=E8=A8=98=E3=81=AE=E5=85=AC=E9=96=8B= =E9=8D=B5=E3=82=92=E3=81=94=E5=88=A9=E7=94=A8=E4=B8=8B=E3=81=95=E3=81=84=E3= =80=82

=E6=8C=87=E7=B4=8B: 0xCE5EA9476DE7D3E45EBC3FDAD998= 682F3590FEA3

=20
--000000000000ef94e9058d46fbbf--