Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9239BC002F for ; Wed, 29 Mar 2023 07:10:35 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 5777B41D78 for ; Wed, 29 Mar 2023 07:10:35 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 5777B41D78 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=f6Jzw6zc X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HpXrJbHlnqrZ for ; Wed, 29 Mar 2023 07:10:32 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org B914B41D76 Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) by smtp4.osuosl.org (Postfix) with ESMTPS id B914B41D76 for ; Wed, 29 Mar 2023 07:10:31 +0000 (UTC) Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-5416698e889so277297017b3.2 for ; Wed, 29 Mar 2023 00:10:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680073830; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=C7NskZD03Bedl/fUL+2smrockG2fHkkO/PNX5rTtSmk=; b=f6Jzw6zceZEgJnWQFyckanCibBwHMDo8sr3Zh4D1L6U7KsSzqAWii2kVbkWGSz5XXW P56+s6GM+TdVb1ePo78Tgl2/WOV9Q1VjwkU4WdZiFWE8pd//Gm2FWyF3OF1u4fiPoIyC TbRvRgxSz/sBQ1EIOoy5oJCLU38dsZve3zbHpSInmLxQXEQVJ1QQkd6UPfqDlaSaR8fE Bxfa8nIQiMStd/LibfiXEIUBVkp09+RP6TxN3Q3DW7X8Kh/ajSilqiidz3mCqYghIrzX MyxCoZTKXwLgh1SpFqd2kSZOC+I8+EOZx3F93EnAjBkR9RydOjsEF7Xw7AeF8O3ZdUEa Ir6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680073830; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=C7NskZD03Bedl/fUL+2smrockG2fHkkO/PNX5rTtSmk=; b=gB1rTTEebCrwy6e7rNbxNendNpiA7ZN/e6x/brZVdjj0S0zRaPyIXwPJB9y0PlxBBi ajmLug206GOpTpzXOq5jA+ozdmD257QS+O9xu/sTb6q+DhKGpMI/UralC9o4H8WmX9Su 4eTHSxEFZcucyDz2bLwhbunDVrZxhBR3ivFPXxPqyu+ufH146NAIH7LzI7BuQMl8PVN1 IBvZblI4KHT1ixvSBYyEPuFC+5OQmo9NirzYhwG4Z1UJocnU4jJ5S+h+vzujVJVUY6m6 21PLRppqihYO5jZU8bixriGCdDetCRnAdx7IEN48PI0Qk11snq7QUUFkCKZp0ZRHX/P4 AXTg== X-Gm-Message-State: AAQBX9dmstFwa/YE9Zc10+u1Ncf5t6fCYUrlaq31DT2uC8Y5kUmSIa7U aaxbbFLqOcHLQpqmVBnztZ+lD3XZEVIueOg9MUg= X-Google-Smtp-Source: AKy350ZNjslGroINmDyZEtXNxz1EBf+qk05kHi2vn2GFI7XPAWs8oXTd35l0MiHHzVbSiAfHNztQ2dmOFe/xw4f9Xks= X-Received: by 2002:a81:b620:0:b0:541:8995:5334 with SMTP id u32-20020a81b620000000b0054189955334mr8727408ywh.3.1680073830565; Wed, 29 Mar 2023 00:10:30 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Zac Greenwood Date: Wed, 29 Mar 2023 15:10:19 +0800 Message-ID: To: Anthony Towns , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000de0b9005f804ab5e" X-Mailman-Approved-At: Wed, 29 Mar 2023 09:09:19 +0000 Subject: Re: [bitcoin-dev] BIP for OP_VAULT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Mar 2023 07:10:35 -0000 --000000000000de0b9005f804ab5e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I=E2=80=99m not sure why any effort should be spent on theorizing how new o= pcodes might be used to facilitate parasitical use cases of the blockchain. If anything, business models relying on the ability to abuse the blockchain as a data store must be made less feasible, not more. Zac On Fri, 24 Mar 2023 at 20:10, Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Tue, Mar 07, 2023 at 10:45:34PM +1000, Anthony Towns via bitcoin-dev > wrote: > > I think there are perhaps four opcodes that are interesting in this > class: > > > > idx sPK OP_FORWARD_TARGET > > -- sends the value to a particular output (given by idx), and > > requires that output have a particular scriptPubKey (given > > by sPK). > > > > idx [...] n script OP_FORWARD_LEAF_UPDATE > > -- sends the value to a particular output (given by idx), and > > requires that output to have almost the same scriptPubKey as this > > input, _except_ that the current leaf is replaced by "script", > > with that script prefixed by "n" pushes (of values given by [...]= ) > > > > idx OP_FORWARD_SELF > > -- sends the value to a particular output (given by idx), and > > requires that output to have the same scriptPubKey as this inpu= t > > > > amt OP_FORWARD_PARTIAL > > -- modifies the next OP_FORWARD_* opcode to only affect "amt", > > rather than the entire balance. opcodes after that affect the > > remaining balance, after "amt" has been subtracted. if "amt" is > > 0, the next OP_FORWARD_* becomes a no-op. > > The BIP 345 draft has been updated [0] [1] and now pretty much defines > OP_VAULT to have the behaviour specced for OP_FORWARD_LEAF_UPDATE above, > and OP_VAULT_RECOVER to behave as OP_FORWARD_TARGET above. Despite > that, for this email I'm going to continue using the OP_FORWARD_* > naming convention. > > Given the recent controversy over the Yuga labs ordinal auction [2], > perhaps it's interesting to consider that these proposed opcodes come > close to making it possible to do a fair, non-custodial, on-chain auction > of ordinals [3]. > > The idea here is that you create a utxo on chain that contains the ordina= l > in question, which commits to the address of the current leading bidder, > and can be spent in two ways: > > 1) it can be updated to a new bidder, if the bid is raised by at least > K satoshis, in which case the previous bidder is refunded their > bid; or, > > 2) if there have been no new bids for a day, the current high bidder > wins, and the ordinal is moved to their address, while the funds > from their winning bid are sent to the original vendor's address. > > I believe this can be implemented in script as follows, > assuming the opcodes OP_FORWARD_TARGET(OP_VAULT_RECOVER), > OP_FORWARD_LEAF_UPDATE(OP_VAULT), OP_FORWARD_PARTIAL (as specced above), > and OP_PUSHCURRENTINPUTINDEX (as implemented in liquid/elements [4]) > are all available. > > First, figure out the parameters: > > * Set VENDOR to the scriptPubKey corresponding to the vendor's address. > * Set K to the minimum bid increment [5]. > * Initially, set X equal to VENDOR. > * Initially, set V to just below the reserve price (V+K is the > minimum initial bid). > > Then construct the following script: > > [X] [V] [SSS] TOALT TOALT TOALT > 0 PUSHCURRENTINPUTINDEX EQUALVERIFY > DEPTH NOT IF > 0 10000 FORWARD_PARTIAL > 0 FROMALT FORWARD_TARGET > 1 [VENDOR] FWD_TARGET > 144 > ELSE > FROMALT SWAP TUCK FROMALT > [K] ADD GREATERTHANOREQUAL VERIFY > 1 SWAP FORWARD_TARGET > DUP FORWARD_PARTIAL > 0 ROT ROT > FROMALT DUP 3 SWAP FORWARD_LEAF_UPDATE > 0 > ENDIF > CSV > 1ADD > > where "SSS" is a pushdata of the rest of the script ("TOALT TOALT TOALT > .. 1ADD"). > > Finally, make that script the sole tapleaf, accompanied by a NUMS point > as the internal public key, calculate the taproot address corresponding > to that, and send the ordinal to that address as the first satoshi. > > There are two ways to spend that script. With an empty witness stack, > the following will be executed: > > [X] [V] [SSS] TOALT TOALT TOALT > -- altstack now contains [SSS V X] > 0 PUSHCURRENTINPUTINDEX EQUALVERIFY > -- this input is the first, so the ordinal will move to the first > output > DEPTH NOT IF > -- take this branch: the auction is over! > 1 [VENDOR] FWD_TARGET > -- output 1 gets the entire value of this input, and pays to > the vendor's hardcoded scriptPubKey > 0 10000 FORWARD_PARTIAL > 0 FROMALT FORWARD_TARGET > -- we forward at least 10k sats to output 0 (if there were 0 sats, > the ordinal would end up in output 1 instead, which would be a > bug), and output 0 pays to scriptPubKey "X" > 144 > ELSE .. ENDIF > -- skip over the other branch > CSV > -- check that this input has baked for 144 blocks (~1 day) > 1ADD > -- leave 145 on the stack, which is true. success! > > Alternatively, if you want to increase the bid you provide a stack with > two items: your scriptPubKey and the new bid [X' V']. Execution this > time looks like: > > [X] [V] [SSS] TOALT TOALT TOALT > -- stack contains [X' V'], altstack now contains [SSS V X] > 0 PUSHCURRENTINPUTINDEX EQUALVERIFY > -- this input is the first, so the ordinal will move to the first > output > DEPTH NOT IF ... ELSE > -- skip over the other branch (without violating minimalif rules) > FROMALT SWAP TUCK FROMALT > -- stack contains [X' V' X V' V], altstack contains [SSS] > [K] ADD GREATERTHANOREQUAL VERIFY > -- check V' >=3D V+K, stack contains [X' V' X] > 1 SWAP FORWARD_TARGET > -- output 1 pays to X (previous bidder's scriptPubKey), and the > entire value of this input goes there; stack contains [X' V'] > DUP FORWARD_PARTIAL > -- execute "V' FORWARD_PARTIAL", stack contains [X' V'] > 0 ROT ROT > -- stack contains [0 X' V'] > FROMALT DUP 3 SWAP FORWARD_LEAF_UPDATE > -- execute "0 X' V' SSS 3 SSS FORWARD_LEAF_UPDATE" which checks > that output 0 spends at least V' satoshis back to the same > script (because that's how we defined SSS), except the first > three pushes (previously X V SSS) are replaced by X' V' SSS. > 0 > ENDIF > CSV > -- "0 CSV" requires nSequnce to be set, which makes the tx rbf'able, > which hopefully makes it harder to pin > 1ADD > -- ends with 1 on the stack; success! > > (The "SSS n SSS FORWARD_LEAF_UPDATE" construct is more or less a quine, > ie a program that outputs its own source code) > > I think that script is about 211 witness bytes, with an additional 40 > witness bytes for X'/V', so when making a bid, your tx would be > something like: > > tx header, 10vb > input 0: 103vb for the old bid including witness and control block > input 1: 58vb for a taproot key path spend > output 0: 43vb for the new bid > output 1: 43vb for your change > > for a total of about 257vb -- slightly larger than a regular 2-in-2-out > transaction, but not terribly much. Mostly because input 0 doesn't requir= e > a signature -- it's size is effectively 6 pubkeys: X, X' VENDOR twice, > and the script code twice, along with a little extra to encode the > various numbers (10000, 144, K, V, V'). > > This approach seems pretty "MEV" resistant: you pay fees via input 1 if > your bid succeeds; if it doesn't, you don't pay any fees. A potential > scalper might want to put in an early low ball bid, then prevent > higher bidders from winning the auction, take control of the ordinal, > and resell it later, but unless they can prevent another miner from > mining alternative bids for 144 blocks, they will fail at that. The bid > is fixed by the bidder and committed to by the signature on input 1, so > frontrunning a bid can't do anything beyond invalidate the bid entirely. > > Obviously, this is a pretty limited auction mechanism in various ways; > eg maybe you'd rather specify K as a percentage than an absoute increment= ; > maybe you'd like to have the auction definitely finish by some particular > time; maybe you'd like to be able to have the auction be able to continue > above 21.47 BTC (2**31 sats); maybe you'd like to do a dutch auction > rather than an english auction. I think you can probably do all those > things with this set of opcodes and clever scripting, though it probably > gets ugly. > > I don't think this is easily extensible to taro or rgb style assets, > as rather than being able to ensure the asset is transferred by > controlling the input/output positions, I think you'd need to build > up merkle trees and do point tweaks beyond what's supported by > OP_FORWARD_LEAF_UPDATE/OP_VAULT. Of course, without something like > OP_PUSHCURRENTINPUTINDEX I don't think you could do it for ordinals > either. > > Cheers, > aj > > [0] > https://github.com/bitcoin/bips/blob/7f747fba82675f28c239df690a07b75529bd= 0960/bip-0345.mediawiki > > [1] https://twitter.com/jamesob/status/1639019107432513537 > > [2] > https://cointelegraph.com/news/scammers-dream-yuga-s-auction-model-for-bi= tcoin-nfts-sees-criticism > > [3] Inscriptions remain a wasteful way of publishing/committing > to content, however! > > [4] > https://github.com/ElementsProject/elements/blob/master/doc/tapscript_opc= odes.md > > [5] Setting K too low probably invites griefing, where a bidder may be > able to use rbf pinning vectors to prevent people who would be willin= g > to bid substantially higher from getting their bid confirmed on > chain. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000de0b9005f804ab5e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I=E2=80=99m not sure why any effort should be spent on th= eorizing how new opcodes might be used to facilitate parasitical use cases = of the blockchain.

If an= ything, business models relying on the ability to abuse the blockchain as a= data store must be made less feasible, not more.
Zac


On Fri, 24 Ma= r 2023 at 20:10, Anthony Towns via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org&= gt; wrote:
On Tue, Mar 07, 2023 at 10:45:34PM +10= 00, Anthony Towns via bitcoin-dev wrote:
> I think there are perhaps four opcodes that are interesting in this cl= ass:
>
>=C2=A0 =C2=A0 idx sPK OP_FORWARD_TARGET
>=C2=A0 =C2=A0 =C2=A0 -- sends the value to a particular output (given b= y idx), and
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0requires that output have a particula= r scriptPubKey (given
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0by sPK).
>
>=C2=A0 =C2=A0 idx [...] n script OP_FORWARD_LEAF_UPDATE
>=C2=A0 =C2=A0 =C2=A0 -- sends the value to a particular output (given b= y idx), and
>=C2=A0 =C2=A0 =C2=A0 =C2=A0requires that output to have almost the same= scriptPubKey as this
>=C2=A0 =C2=A0 =C2=A0 =C2=A0input, _except_ that the current leaf is rep= laced by "script",
>=C2=A0 =C2=A0 =C2=A0 =C2=A0with that script prefixed by "n" p= ushes (of values given by [...])
>
>=C2=A0 =C2=A0 idx OP_FORWARD_SELF
>=C2=A0 =C2=A0 =C2=A0 -- sends the value to a particular output (given b= y idx), and
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0requires that output to have the same= scriptPubKey as this input
>
>=C2=A0 =C2=A0 amt OP_FORWARD_PARTIAL
>=C2=A0 =C2=A0 =C2=A0 -- modifies the next OP_FORWARD_* opcode to only a= ffect "amt",
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rather than the entire balance. opcod= es after that affect the
>=C2=A0 =C2=A0 =C2=A0 =C2=A0remaining balance, after "amt" has= been subtracted. if "amt" is
>=C2=A0 =C2=A0 =C2=A0 =C2=A00, the next OP_FORWARD_* becomes a no-op.
The BIP 345 draft has been updated [0] [1] and now pretty much defines
OP_VAULT to have the behaviour specced for OP_FORWARD_LEAF_UPDATE above, and OP_VAULT_RECOVER to behave as OP_FORWARD_TARGET above. Despite
that, for this email I'm going to continue using the OP_FORWARD_*
naming convention.

Given the recent controversy over the Yuga labs ordinal auction [2],
perhaps it's interesting to consider that these proposed opcodes come close to making it possible to do a fair, non-custodial, on-chain auction of ordinals [3].

The idea here is that you create a utxo on chain that contains the ordinal<= br> in question, which commits to the address of the current leading bidder, and can be spent in two ways:

=C2=A0 1) it can be updated to a new bidder, if the bid is raised by at lea= st
=C2=A0 =C2=A0 =C2=A0K satoshis, in which case the previous bidder is refund= ed their
=C2=A0 =C2=A0 =C2=A0bid; or,

=C2=A0 2) if there have been no new bids for a day, the current high bidder=
=C2=A0 =C2=A0 =C2=A0wins, and the ordinal is moved to their address, while = the funds
=C2=A0 =C2=A0 =C2=A0from their winning bid are sent to the original vendor&= #39;s address.

I believe this can be implemented in script as follows,
assuming the opcodes OP_FORWARD_TARGET(OP_VAULT_RECOVER),
OP_FORWARD_LEAF_UPDATE(OP_VAULT), OP_FORWARD_PARTIAL (as specced above), and OP_PUSHCURRENTINPUTINDEX (as implemented in liquid/elements [4])
are all available.

First, figure out the parameters:

=C2=A0* Set VENDOR to the scriptPubKey corresponding to the vendor's ad= dress.
=C2=A0* Set K to the minimum bid increment [5].
=C2=A0* Initially, set X equal to VENDOR.
=C2=A0* Initially, set V to just below the reserve price (V+K is the
=C2=A0 =C2=A0minimum initial bid).

Then construct the following script:

=C2=A0[X] [V] [SSS] TOALT TOALT TOALT
=C2=A00 PUSHCURRENTINPUTINDEX EQUALVERIFY
=C2=A0DEPTH NOT IF
=C2=A0 =C2=A00 10000 FORWARD_PARTIAL
=C2=A0 =C2=A00 FROMALT FORWARD_TARGET
=C2=A0 =C2=A01 [VENDOR] FWD_TARGET
=C2=A0 =C2=A0144
=C2=A0ELSE
=C2=A0 =C2=A0FROMALT SWAP TUCK FROMALT
=C2=A0 =C2=A0[K] ADD GREATERTHANOREQUAL VERIFY
=C2=A0 =C2=A01 SWAP FORWARD_TARGET
=C2=A0 =C2=A0DUP FORWARD_PARTIAL
=C2=A0 =C2=A00 ROT ROT
=C2=A0 =C2=A0FROMALT DUP 3 SWAP FORWARD_LEAF_UPDATE
=C2=A0 =C2=A00
=C2=A0ENDIF
=C2=A0CSV
=C2=A01ADD

where "SSS" is a pushdata of the rest of the script ("TOALT = TOALT TOALT
.. 1ADD").

Finally, make that script the sole tapleaf, accompanied by a NUMS point
as the internal public key, calculate the taproot address corresponding
to that, and send the ordinal to that address as the first satoshi.

There are two ways to spend that script. With an empty witness stack,
the following will be executed:

=C2=A0[X] [V] [SSS] TOALT TOALT TOALT
=C2=A0 =C2=A0-- altstack now contains [SSS V X]
=C2=A00 PUSHCURRENTINPUTINDEX EQUALVERIFY
=C2=A0 =C2=A0-- this input is the first, so the ordinal will move to the fi= rst
=C2=A0 =C2=A0 =C2=A0 output
=C2=A0DEPTH NOT IF
=C2=A0 =C2=A0-- take this branch: the auction is over!
=C2=A0 =C2=A01 [VENDOR] FWD_TARGET
=C2=A0 =C2=A0-- output 1 gets the entire value of this input, and pays to =C2=A0 =C2=A0 =C2=A0 the vendor's hardcoded scriptPubKey
=C2=A0 =C2=A00 10000 FORWARD_PARTIAL
=C2=A0 =C2=A00 FROMALT FORWARD_TARGET
=C2=A0 =C2=A0-- we forward at least 10k sats to output 0 (if there were 0 s= ats,
=C2=A0 =C2=A0 =C2=A0 the ordinal would end up in output 1 instead, which wo= uld be a
=C2=A0 =C2=A0 =C2=A0 bug), and output 0 pays to scriptPubKey "X"<= br> =C2=A0 =C2=A0144
=C2=A0ELSE .. ENDIF
=C2=A0 =C2=A0-- skip over the other branch
=C2=A0CSV
=C2=A0 =C2=A0-- check that this input has baked for 144 blocks (~1 day)
=C2=A01ADD
=C2=A0 =C2=A0-- leave 145 on the stack, which is true. success!

Alternatively, if you want to increase the bid you provide a stack with
two items: your scriptPubKey and the new bid [X' V']. Execution thi= s
time looks like:

=C2=A0[X] [V] [SSS] TOALT TOALT TOALT
=C2=A0 =C2=A0-- stack contains [X' V'], altstack now contains [SSS = V X]
=C2=A00 PUSHCURRENTINPUTINDEX EQUALVERIFY
=C2=A0 =C2=A0-- this input is the first, so the ordinal will move to the fi= rst
=C2=A0 =C2=A0 =C2=A0 output
=C2=A0DEPTH NOT IF ... ELSE
=C2=A0 =C2=A0-- skip over the other branch (without violating minimalif rul= es)
=C2=A0 =C2=A0FROMALT SWAP TUCK FROMALT
=C2=A0 =C2=A0-- stack contains [X' V' X V' V], altstack contain= s [SSS]
=C2=A0 =C2=A0[K] ADD GREATERTHANOREQUAL VERIFY
=C2=A0 =C2=A0-- check V' >=3D V+K, stack contains [X' V' X]<= br> =C2=A0 =C2=A01 SWAP FORWARD_TARGET
=C2=A0 =C2=A0-- output 1 pays to X (previous bidder's scriptPubKey), an= d the
=C2=A0 =C2=A0 =C2=A0 entire value of this input goes there; stack contains = [X' V']
=C2=A0 =C2=A0DUP FORWARD_PARTIAL
=C2=A0 =C2=A0-- execute "V' FORWARD_PARTIAL", stack contains = [X' V']
=C2=A0 =C2=A00 ROT ROT
=C2=A0 =C2=A0-- stack contains [0 X' V']
=C2=A0 =C2=A0FROMALT DUP 3 SWAP FORWARD_LEAF_UPDATE
=C2=A0 =C2=A0-- execute "0 X' V' SSS 3 SSS FORWARD_LEAF_UPDATE= " which checks
=C2=A0 =C2=A0 =C2=A0 that output 0 spends at least V' satoshis back to = the same
=C2=A0 =C2=A0 =C2=A0 script (because that's how we defined SSS), except= the first
=C2=A0 =C2=A0 =C2=A0 three pushes (previously X V SSS) are replaced by X= 9; V' SSS.
=C2=A0 =C2=A00
=C2=A0ENDIF
=C2=A0CSV
=C2=A0 =C2=A0-- "0 CSV" requires nSequnce to be set, which makes = the tx rbf'able,
=C2=A0 =C2=A0 =C2=A0 which hopefully makes it harder to pin
=C2=A01ADD
=C2=A0 =C2=A0-- ends with 1 on the stack; success!

(The "SSS n SSS FORWARD_LEAF_UPDATE" construct is more or less a = quine,
ie a program that outputs its own source code)

I think that script is about 211 witness bytes, with an additional 40
witness bytes for X'/V', so when making a bid, your tx would be
something like:

=C2=A0 =C2=A0tx header, 10vb
=C2=A0 =C2=A0input 0: 103vb for the old bid including witness and control b= lock
=C2=A0 =C2=A0input 1: 58vb for a taproot key path spend
=C2=A0 =C2=A0output 0: 43vb for the new bid
=C2=A0 =C2=A0output 1: 43vb for your change

for a total of about 257vb -- slightly larger than a regular 2-in-2-out
transaction, but not terribly much. Mostly because input 0 doesn't requ= ire
a signature -- it's size is effectively 6 pubkeys: X, X' VENDOR twi= ce,
and the script code twice, along with a little extra to encode the
various numbers (10000, 144, K, V, V').

This approach seems pretty "MEV" resistant: you pay fees via inpu= t 1 if
your bid succeeds; if it doesn't, you don't pay any fees. A potenti= al
scalper might want to put in an early low ball bid, then prevent
higher bidders from winning the auction, take control of the ordinal,
and resell it later, but unless they can prevent another miner from
mining alternative bids for 144 blocks, they will fail at that. The bid
is fixed by the bidder and committed to by the signature on input 1, so
frontrunning a bid can't do anything beyond invalidate the bid entirely= .

Obviously, this is a pretty limited auction mechanism in various ways;
eg maybe you'd rather specify K as a percentage than an absoute increme= nt;
maybe you'd like to have the auction definitely finish by some particul= ar
time; maybe you'd like to be able to have the auction be able to contin= ue
above 21.47 BTC (2**31 sats); maybe you'd like to do a dutch auction rather than an english auction. I think you can probably do all those
things with this set of opcodes and clever scripting, though it probably gets ugly.

I don't think this is easily extensible to taro or rgb style assets, as rather than being able to ensure the asset is transferred by
controlling the input/output positions, I think you'd need to build
up merkle trees and do point tweaks beyond what's supported by
OP_FORWARD_LEAF_UPDATE/OP_VAULT. Of course, without something like
OP_PUSHCURRENTINPUTINDEX I don't think you could do it for ordinals
either.

Cheers,
aj

[0] = https://github.com/bitcoin/bips/blob/7f747fba82675f28c239df690a07b75529bd09= 60/bip-0345.mediawiki

[1] https://twitter.com/jamesob/status/163901= 9107432513537

[2] https://cointelegraph.com/news/scammers-dream-yuga-s-auction-model-for-bi= tcoin-nfts-sees-criticism

[3] Inscriptions remain a wasteful way of publishing/committing
=C2=A0 =C2=A0 to content, however!

[4] https://github.c= om/ElementsProject/elements/blob/master/doc/tapscript_opcodes.md

[5] Setting K too low probably invites griefing, where a bidder may be
=C2=A0 =C2=A0 able to use rbf pinning vectors to prevent people who would b= e willing
=C2=A0 =C2=A0 to bid substantially higher from getting their bid confirmed = on
=C2=A0 =C2=A0 chain.
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000de0b9005f804ab5e--