Pieter Wuille pieter.wuille at gmail.com
Thu Nov 6 10:47:29 UTC 2014

On Thu, Nov 6, 2014 at 2:38 AM, Peter Todd <pete at petertodd.org> wrote:
> However the implementation of the STRICTENC flag simply makes pubkey
> formats it doesn't recognize act as through the signature was invalid,
> rather than failing the transaction. Similar to the invalid due to too
> many sigops DoS attack I found before, this lets you fill up the mempool
> with garbage transactions that will never be mined. OTOH I don't see any
> way to exploit this in a v0.9.x IsStandard() transaction, so we haven't
> shipped code that actually has this vulnerability. (dunno about
> alt-implementations)

Yeah, there's even a comment in script/interpreter.h currently about
how STRICTENC is not softfork safe. I didn't realize that this would
lead to the mempool accepting invalid transactions (I thought there
was a second validity check with the actual consensus rules; if not,
maybe we need to add that).

> I suggest we either change STRICTENC to simply fail unrecognized pubkeys
> immediately - similar to how non-standard signatures are treated - or
> fail the script if the pubkey is non-standard and signature verification
> succeeds.

Sounds good to me, I disliked those semantics too.


More information about the bitcoin-dev mailing list