@sanket1729

Multiple type system bugs:

The first two bugs are not severe: They relax rules so existing systems should not be affected. However the third commit is a fix that will be backported.

Pasting description #348

The value it leaves on the stack depends on the last element on the
stack. However, we can't make sure this element is OP_1 (which would
give us the 'u' property) without the MINIMALIF rule.
MINIMALIF is only policy for P2WSH, therefore giving 'd:' the 'u'
property breaks consensus soundness: it makes it possible (by consensus
but not policy) for instance to satisfy a thresh() without satisfying
at least k of its subs.

This bug was found and reported by Andrew Poelstra #341.

This will not affect existing users of rust-miniscript as we were
previously more strict in the miniscript that we accepted. This
allows more scripts to be parsed as miniscripts.

This allows correctly tagging thresh z, o values as per the spec. For
example, miniscript with thresh(2,older(9),older(10)) to be tagged as `z`
and thresh(2,pk(),older()) as `o`

Found while doing a line to line comparison with c++ codebase and spec.
We were marking extra miniscripts as non-malleable. Note that this
change is previously marked non-malleable miniscripts as malleable.

In particular, this affects miniscripts that have a thresh child
that does not have the `s` property. (Meaning that the thresh can be
satisfied without signatures.)
Parallel to sipa/miniscript#117

This is a severe bug reporting that needs backporting as it affects the
correctness properties of miniscript
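
The soundness problem quoted above from #348, as an added toy model (not rust-miniscript code and not part of the original thread): `d:X` compiles to `DUP IF [X] ENDIF`, so the value it leaves is whatever the witness supplied, and `thresh` sums those values. The `Op` enum, `run`, `thresh_2` and the always-passing `Inner` fragment are assumptions made for illustration.

```rust
// Toy stack machine (added illustration); integers stand in for stack items and
// `Inner` is a constructed stand-in for a V-type sub-fragment that always passes.
#[derive(Clone, Copy)]
enum Op { Dup, If, EndIf, Swap, Add, Equal, Push(i64), Inner }

/// Runs `script` on `stack` (top last); returns (top item, number of `Inner` runs).
fn run(script: &[Op], mut stack: Vec<i64>, minimalif: bool) -> Result<(i64, usize), &'static str> {
    let mut exec: Vec<bool> = vec![]; // one flag per open IF: is that branch executing?
    let mut ran = 0;
    for op in script {
        let active = exec.iter().all(|&b| b);
        match *op {
            Op::If => {
                let mut cond = false;
                if active {
                    let v = stack.pop().ok_or("stack underflow")?;
                    // MINIMALIF: the IF argument must be exactly empty (0 here) or 1.
                    if minimalif && v != 0 && v != 1 { return Err("MINIMALIF violated"); }
                    cond = v != 0;
                }
                exec.push(cond);
            }
            Op::EndIf => { exec.pop().ok_or("unbalanced ENDIF")?; }
            _ if !active => {} // inside a branch that is not executing
            Op::Dup => { let v = *stack.last().ok_or("stack underflow")?; stack.push(v); }
            Op::Swap if stack.len() < 2 => return Err("stack underflow"),
            Op::Swap => { let n = stack.len(); stack.swap(n - 1, n - 2); }
            Op::Add | Op::Equal => {
                let b = stack.pop().ok_or("stack underflow")?;
                let a = stack.pop().ok_or("stack underflow")?;
                stack.push(if matches!(op, Op::Add) { a + b } else { (a == b) as i64 });
            }
            Op::Push(n) => stack.push(n),
            Op::Inner => ran += 1,
        }
    }
    stack.last().copied().map(|top| (top, ran)).ok_or("empty stack")
}

/// Script shape of thresh(2, d:X, sd:X): DUP IF [X] ENDIF SWAP DUP IF [X] ENDIF ADD 2 EQUAL
fn thresh_2() -> Vec<Op> {
    use Op::*;
    vec![Dup, If, Inner, EndIf, Swap, Dup, If, Inner, EndIf, Add, Push(2), Equal]
}

fn main() {
    // Constructed witnesses, top of stack last: minimal [1, 1] and non-minimal [0, 2].
    for w in [vec![1, 1], vec![0, 2]] {
        println!("{:?}: consensus {:?}, MINIMALIF {:?}", w, run(&thresh_2(), w.clone(), false), run(&thresh_2(), w.clone(), true));
    }
}
```

With the non-minimal witness the script ends with a true value although only one `Inner` fragment ran, which is why `d:` cannot carry `u` when MINIMALIF is not a consensus rule.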

@apoelstra apoelstra left a comment

ACK c74934b

@sanket1729 sanket1729 merged commit 8426519 into rust-bitcoin:master Apr 20, 2022
heap-coder added a commit to heap-coder/rust-miniscript that referenced this pull request Sep 27, 2025
…eshold correctness rules

c74934bf0864a463c42c5a44502f803bf61eb57c Fix compiler test cases for new typing rules (sanket1729)
9766e30c94f85562e3687f00b84a281ac76d2eff Fix bug in exec stack elements calculation (sanket1729)
db97c39afa4053c2c3917f04392f6e24964b3972 Remove `u` property from `d` (sanket1729)
77d7d796aab10373a3dd5e49a232a920f59c05b4 Fix malleability rules according to website (sanket1729)
6a1ceac81dfd275aecc7ee6594d2f2e88de37473 Fix e/o bug in miniscript threshold correctness rules (sanket1729)

Pull request description:

  Multiple type system bugs:

  The first two bugs are not severe: They relax rules so existing systems should not be affected. However the third commit is a fix that will be backported.

  Pasting description #348

  > The value it leaves on the stack depends on the last element on the
  stack. However, we can't make sure this element is OP_1 (which would
  give us the 'u' property) without the MINIMALIF rule.
  MINIMALIF is only policy for P2WSH, therefore giving 'd:' the 'u'
  property breaks consensus soundness: it makes it possible (by consensus
  but not policy) for instance to satisfy a thresh() without satisfying
  at least k of its subs.

  This bug was found and reported by Andrew Poelstra rust-bitcoin/rust-miniscript#341.

ACKs for top commit:
  apoelstra:
    ACK c74934bf0864a463c42c5a44502f803bf61eb57c

Tree-SHA512: 274a3c2f93eb56b8cda3bf8f9befd9c93494f398d1564b90716330e1c73fbb503e7c1dcc1ffd232bcbae8f1c4e316bfbc705b3d5fc02b9491de1fcdb8c3dbe79