We recently found a bug in how we parse taproot script pubkeys in our bitcoin-s library. When scanning the blockchain, an exception was thrown at block height 718448. The exception was thrown because this output does not properly conform to BIP340s specification. The bug in bitcoin-s was because we were too strictly enforcing invariants for our WitnessScriptPubKeyV1 data structure. Namely we were requiring that all v1 scripts are properly constructed with the x coordinate on the secp256k1 curve.

This is a bad idea, as we cannot control user input from the blockchain. However this was useful as it finds other Scripts on the blockchain that have burnt user funds with Taproot. Here is the Script that burned 0.0002 BTC.

OP_1 OP_PUSHBYTES_32 658204033e46a1fa8cceb84013cfe2d376ca72d5f595319497b95b08aa64a970

The problem with this Script is the public key 658…970 is not a valid x coordinate on the secp256k1 curve. This means that these funds – 0.0002 BTC – are burned forever. You cannot satisfy the logic requirements in the Script interpreter due to the public key embedded in the Script being an invalid x coordinate.

I’m unsure if this output was an intentional test, or if the developer was unaware of how to build correct BIP340 public keys. Either way, I think it is prudent to put a warning out to the rest of the bitcoin developer ecosystem to be very careful that you are following BIP340, else your funds will be burned. If you want to run this experiment yourself, you can use this branch I pushed up to do this with bitcoin-s and a local bitcoind. Here is the result from running it

 

Some of these outputs seem totally misguided. Taproot does not have a spending path that is valid for 20 byte scripts. The last script is an instance of an invalid Taproot pubkey.

Unfortunately I haven’t seen this well communicated by the bitcoin developer ecosystem, so hopefully this blog post will help spread awareness. When talking with a few friends, it appears that there aren’t any online tools that can easily verify BIP340 compliance for public keys. Perhaps this blog post can motivate someone to make these tools, or someone on social media can share the tool with us and we will add it to this blog post.

 

 

Post comment