pull down to refresh

Supertestnet's gotcha: BIP16 also confiscated coins bitcoin.stackexchange.com/questions/115803/did-the-p2sh-bip-0016-make-some-bitcoin-unspendable/115804

2066 sats \ 34 comments \ @Scoresby 4h bitcoin

Stealing people's coins is a red line

I find myself in a surprising position: I agree with @nvk. Here's what he posted on X:

UTXOs are sacred. We don't fork to steal them. We don't fork to expire them. We don't fork cancel them.

This is the slippery slope.

This is the hill worth dying on.

I strongly agree with this statement. It's something that I've argued as evidence that things like BIP 110 and The Cat are not serious proposal.

Surely @supertestnet is not going to come along and tell me that there is a soft fork that I am actively enforcing with my node which confiscated utxos...

Did BIP 16 makes some coins unspendable?

Super recently posted about this Stack Exchange question on X:

The BIP turned a particular "hashlock" locking script pattern (OP_HASH160 OP_DATA_20 20-byte-value OP_EQUAL) into a "magical" bytecode pattern which, after authenticating an input's top stack element against the hash then also executes it using Script VM.

The BIP references 1 historical transaction that spent from an output that matched the pattern:

These new rules should only be applied when validating transactions in blocks with timestamps >= 1333238400 (Apr 1 2012) [1]. There are transactions earlier than 1333238400 in the block chain that fail these new validation rules. [2]. Older transactions must be validated under the old rules. (see the Backwards Compatibility section for details).

which made me wonder - are there other, unspent, historical hashlock outputs which may have been made unspendable (if they weren't already) by introduction of the P2SH feature?

The answer to this question is provided by the same person who asked it:

Even before BIP-0016 activation, there were some outputs that matched the P2SH pattern. Only one of them was spent before activation, and the rest have likely been made unspendable by the BIP-0016 upgrade since spending them would have to satisfy consensus rules not enforced when they were created. Total amount locked in those outputs was 0.044 BTC.

And they also provide a handy table of the utxos they believe were made unspendable by BIP 16.

Table 1: Outputs matching the locking script pattern OP_HASH160 OP_DATA_20 value_20 OP_EQUAL, extracted from blocks 0 to 173805.

Block Height	TXID	Output Index	Satoshi Amounts	Locking Script	Status
170052	9C08A4D78931342B37FD5F72900FB9983087E6F46C4A097D8A1F52C74E28EAF6	1	400000	a91419a7d869032368fd1f1e26e5e73a4ad0e474960e87	Spent
170054	B0539A45DE13B3E0403909B8BD1A555B8CBE45FD4E3F3FDA76F3A5F52835C29D	1	400000	a914e8c300c87986efa84c37c0519929019ef86eb5b487	Unspent
170434	D0636198EA55FADEE5B4CCC07C85012DB7D07C2D25790B3AEC770C86617801C0	1	1000000	a91484b8ee2ee2970e4a5c3a18e73a9e251ad5c1df1c87	Unspent
170442	9AB59E2D4BE16C470160EB9B9A9D9799EAF29AF0461AEA131E748659D806FA1A	0	1000000	a91484b8ee2ee2970e4a5c3a18e73a9e251ad5c1df1c87	Unspent
170442	658FC92061F1C4125D5CD1034EB8A1F09BFEBD32A988D855EB7EE63689759A21	0	1000000	a91484b8ee2ee2970e4a5c3a18e73a9e251ad5c1df1c87	Unspent
170556	510B5A44935109E249A704C2900AA9D8303166062E81D2AC852C965B6266DCEE	0	1000000	a91484b8ee2ee2970e4a5c3a18e73a9e251ad5c1df1c87	Unspent

Super also found another Stack Exchange question about when the first BIP 16 spend occurred and which was answered by the same user:

Before P2SH activation, they could be spent as just hashlock contracts. After P2SH activation, they could only be spent if the hash preimage also happened to be a redeem script that would pass execution.

The TXO created in block 170052 was actually spent in block 170060 as hashlock, not P2SH, because P2SH rules weren't active at the time.

If all of this feels too confusing, just think about it

So was it a mistake or was it intentional?

Ever-helpful, Super comes to the conclusion that freezing these five utxos (one utxo was specifically exempted) was indeed intentional.

Super found a note in Bitcoin Core that says:

    // BIP16 didn't become active until Apr 1 2012 (on mainnet, and
    // retroactively applied to testnet)
    // However, only one historical block violated the P2SH rules (on both
    // mainnet and testnet).
    // Similarly, only one historical block violated the TAPROOT rules on
    // mainnet.
    // For simplicity, always leave P2SH+WITNESS+TAPROOT on except for the two
    // violating blocks.

Intention doesn't even matter: if you run anything greater than Core v 0.6.0, you are actively preventing five utxos from being spent

Super argues that it is inconsistent to be against confiscation in one case but to be totally fine for it in another case.

For those wondering how this relates to the spam debate, some people on the Core side like to say they oppose any attempts to disable the utxos of spammers because confiscation is unconscionable. But their node is actively keeping old utxos unspendable too

He also says:

If the best counter you've got is "it happened 13 years ago and there's a chance it was by accident" then I'll remind you that the confiscatory rule is still in your node right now. You can eliminate it if confiscation violates your principles. You can't claim ignorance.

The nuances

Vojtěch Strnad (who also edited the original Stack Exchange question) replied to Super with some nuance about these five utxos:

There is a major difference, the outputs made unspendable by P2SH were anyone-can-spend before (i.e. weren't secured by a signature) and so had no ownership guarantees to begin with. Also we're talking about 0.044 BTC at 2012 prices, less than a single dollar.

I suspect it does not much matter whether the intent of the original PR was to confiscate those five utxos or not. I do, however, recognize that there may be a difference along the lines Vojtěch describes: freezing nyone can spend outputs may be less problematic than freezing outputs secured by private keys. But Super's point is pretty strong: there are five utxos that are actively considered unspendable by everyone running the post segwit Bitcoin code.

This makes it difficult for people like nvk and me to say "UTXOs are sacred, they are a red line." If that is true, why aren't we making a fuss about the utxos that were frozen by BIP 16?

Super makes a good point here:

If you think it's okay to maintain that confiscatory rule to avoid bad consequences, maybe show a little grace toward those who want to add a new confiscatory rule to eliminate different bad consequences.

I still do not feel that confiscating people's utxos should be treated lightly or accepted as a reasonable course in changes to block validation rules; however, I can't deny that I run a node that has confiscated 5 utxos worth .044 BTC.

view all related items

190 sats \ 9 replies \ @rblb 2h

My mechanic refuses to do oil changes to my car because the previous owner never did, so, to stay coherent, I have to either keep driving it until it breaks or rebuild the engine.

^This is his face when he explains why I’m not entitled to make my own choices because of logic and facts.

0 sats \ 7 replies \ @Scoresby OP 2h

I agree with the sentiment, but it is the case that you are actively enforcing the BIP 16 confiscation with your node if you run anything later than v 0.6 -- it's not merely a case of something that happened in the past. So to put it in the starkest words: by not forking out this rule we are actively colluding with the confiscation of 0.044 BTC.

144 sats \ 5 replies \ @optimism 2h

it's not merely a case of something that happened in the past. You are actively enforcing the BIP 16 confiscation with your node if you run anything later than v 0.6 -- it's not merely a case of something that happened in the past.

Have to call this out because I think that this is false, sorry. If you weren't an economic participant at the time of BIP16, there is nothing you can do now because consensus enforces it. Any coin received after BIP16 activation will be reversed if you want to challenge BIP16, so you have no choice really; if you allow these to be spent, you're the one hard forking. These coins are lost. Did anyone complain?

100 sats \ 4 replies \ @Scoresby OP 2h

you make a good point. I want to agree, but I'm nervous because it feels like an easy out.

Why isn't it the case that we ought to put up with the nightmare that is a hard fork in order to fix this problem?

As I was writing this, @rblb wrote a pretty good reply that probably suffices to put my argument down. #1350201

102 sats \ 3 replies \ @optimism 1h

Why isn't it the case that we ought to put up with the nightmare that is a hard fork in order to fix this problem?

Because it's anyonecanspend. No one can prove ownership. If it weren't and there was an actual victim, it's cheaper to raise 4.4M sats.

121 sats \ 2 replies \ @Scoresby OP 1h

This is Vojtěch's response, as well. It looks like him and Super have continued to discuss.

As of an hour ago, this is where Vojtěch was:

I'm most definitely okay with a soft fork like P2SH confiscating a dollar of value as collateral damage, I just don't think confiscation itself should be the goal.

I think this is reasonable, but I want to take it further: I want to have the strong stance embodied by nvk at the top of my OP: utxos are sacred, don't fucking take them from anyone.

102 sats \ 0 replies \ @optimism 1h

I'm most definitely okay with a soft fork like P2SH confiscating a dollar of value as collateral damage, I just don't think confiscation itself should be the goal.

I'm not fully okay with this, much like you, but I am sensitive to the point that spending to explicitly unimplemented opcodes to do anyonecanspend, is an appeal to undefined behavior being static. That means no more soft forks ever. So to protect Bitcoin, in case we are confronted with something that absolutely requires a softfork, if you want to donate coin, spend to OP_TRUE. Any undefined behavior is undefined.

If inscriptions were using undefined opcodes, witness programs or other things to put data on the chain, then I'd be okay with dropping support for these. But since they are not, it's just not feasible to prevent past usage.

0 sats \ 0 replies \ @nitter 1h

https://twiiit.com/vostrnad/status/2001213587541430526

1323 sats \ 0 replies \ @rblb 2h

No, because changing consensus has a cost, like rebuilding an engine. We simply decide to not to incur in that cost for past mistakes.

Bitcoin isn't a religion, we don't need to prove it's pure or perfect. We only need to keep it running.

0 sats \ 0 replies \ @SimpleStacker 2h

Good analogy

202 sats \ 6 replies \ @justin_shocknet 3h

The spam psyop is making more sense, the quantum fudders also want to confiscate UTXOs... But many of them are arguing against the spam confiscation

Mfw the spam psyop has been a setup for the quantum fork

100 sats \ 5 replies \ @Scoresby OP 3h

yes, that does make a little sense. I am still surprised that anyone seriously suggests confiscating (freezing/burning/whatever) coins that don't upgrade in the event of a quantum signature upgrade. It seems like such a bad idea.

202 sats \ 4 replies \ @justin_shocknet 2h

bad idea

These are very conflicted dishonest people

0 sats \ 3 replies \ @optimism 2h

Do they know they are dishonest?

100 sats \ 2 replies \ @justin_shocknet 2h

You'd think they have to unless they believe in a paycheck fairy

17 sats \ 1 reply \ @optimism 2h

Hmm... I always feel that the ring leaders just move on to the next grift?

202 sats \ 0 replies \ @justin_shocknet 2h

Things usually reduce down to chaos and order, its the nature of the universe.

Agents of chaos force change, more virtual block space, more spam, more op_codes, forced upgrades

With each change, the system, a thing and people they do not control, becomes more malleable and creates for them more opportunities.

There are organizations at extremely high levels that do not want bitcoin to be stable, disintermediated, with contented holders... because it leaves them no seat at the table.

Forcing upgrades, scaring people into selling or never buying, tricking hipsters into wanting more... if that pattern sounds familiar:

The ring leaders as we see them are usually just punching a clock for an NGO, they know not what they do, they're themselves malleable hipsters... not talented enough to do something of their own volition. It's who funds the NGO's, the Courtier, that have a long tail plan for chaos.

102 sats \ 9 replies \ @optimism 4h

I'm with nvk on this one too. And super is right to call BIP16 out, but my conclusion instead is: BIP16 was a bad upgrade.

And you know what? This "activation" is what people use as an example to point out that UASFs are good. So super just made the point against UASF. Thanks super, I agree: UASF is a nuclear warhead best not used. Its function is a deterrent.

PS: I just opened that tweet threat (using the bot link) and never before have I felt myself so estranged from Bitcoin Twitter. I'm happy I'm not there. I'm also very unhappy that this is the discourse now.

100 sats \ 8 replies \ @Scoresby OP 4h

Yes, I unfortunately let myself get pulled into a twitter discussion last night. I regret it.

Super posted his BIP16 point on nostr as well, so probably I should have linked to that one, but it didn't have some of the replies I wanted to reference.

I'm sure there were reasons, but I guess I'm surprised that the BIP authors didn't just let all blocks prior to BIP 16 activation get validated with pre-BIP 16 rules. As always there is so much about Bitcoin I need to learn.

123 sats \ 6 replies \ @optimism 2h

I unfortunately let myself get pulled into a twitter discussion last night. I regret it.

I saw the reference to Chris' statement. He's wrong. Your forkshitcoin can easily take less than 51% with it. All you need to do is consensus-enforce what any minority agrees on should be the real consensus and fuck right off.

Everything else is a branding discussion: Bitcoin don't give a shit if it is called Bitcoin or therealBitcoin or lukesEmpireCoin or whether there are 2, 3 or 4 of it all claiming to be Bitcoin. The only ones who care are the humans.

Do note that if you fork with less than a large majority of SHA256 compute out there, you may consider doing a consensus change to no longer be attackable by everyone that, probably due to your toxic lies and shitposting, really hates your guts.

0 sats \ 5 replies \ @Scoresby OP 2h

That's what I find so important about Bitcoin: it is voluntary and that to me means it is not vulnerable to this "majority rules" bullshit. You can keep the rules you started with for as long as you like, even to the point where you have a consensus of 1 if need be.

(I know I'm exaggerating, but it's a pretty important aspect of I think)

The discussion I had on X last night ended up hinging on what "voluntary" means and whether any system that freezes other people's coins can still be called voluntary.

I maintained that it cannot. Because if a system is capable of arbitrarily freezing coins that the rules previously did not allow to be frozen, then no user of the system is able to operate without permission. Of course, this is why I don't have a good response to Super's point about the five utxos BIP16 froze.

Perhaps I should have used the word "permissionless" instead of voluntary. They are very closely intertwined.

I suppose the devil's advocate here is that the ability to fork is part of the mechanism that makes Bitcoin voluntary/permissionless...but I'm dissatisfied with this answer -- the forking mechanism may defend the permissionless nature of bitcoin, but there is no guarantee the thing you forked from remains permissionless.

102 sats \ 4 replies \ @optimism 1h

You can keep the rules you started with for as long as you like, even to the point where you have a consensus of 1 if need be.

I'd say consensus of 2, otherwise it has no function; but conceptually, yes. Ultimately, the thing isn't whether BIP-110 or any other confiscation BIP is good or bad. It's not about what the majority does either. It's about what you and your counterparties decide is good or bad.

Of course, this is why I don't have a good response to Super's point about the five utxos BIP16 froze.

The solution to this, like I hinted at elsewhere in this thread, is to not take blame for things you didn't have a part in. If super is against BIP16, then I wish everyone good luck with SuperBitcoin that reverts 14 years of transactions. I'm not really convinced that super himself was around back at that upgrade, I personally wasn't: every sat I own today, and every sat I ever transacted would cease to exist.

I suppose the devil's advocate here is that the ability to fork is part of the mechanism that makes Bitcoin voluntary/permissionless

Exactly. So you can do whatever you want, and so can I, and so can everyone. Freedom doesn't mean free of consequences though.

100 sats \ 3 replies \ @Scoresby OP 1h

that reverts 14 years of transactions

Does it have to revert all those blocks? If those outputs still exist as unspent outputs, wouldn't the split occur from the block that tries to spend them? In other words, isn't the fork latent?

If I use version 0.5 or something to create a transaction spending one of those utxos and I get miners running the same to mine it today at 928299, all the blocks between BIP16 activation and 928298 still sync for all of us, it's just that now we have a split because all the people who are running >0.6 see this new block (928299) as invalid and me and the miners who mined it do not?

(This is really just me trying to understand how this works; I agree with your points in your comment)

102 sats \ 2 replies \ @optimism 1h

Well, by the sentiment of the purity discussion you're referring to, you'd still be condoning 14 years of censorship! So no. If you're a confiscation maxi, fork off before p2sh activation and you're good. Otherwise you would be as evil as you are now. You'd be a collaborator with the devil that did that. lol.

Either way, yes. You can also just hard fork on block 928299. While you're at it, I think that you should also give Satoshi's coin to CSW in that block. He really wants them.

100 sats \ 1 reply \ @Scoresby OP 1h

😭

(is that the one I'm supposed to use?)

view all 1 replies

102 sats \ 0 replies \ @optimism 3h

So I'm not 100% sure, but I think that the first implementation of IsSuperMajority() for MASF was done for BIP-30 (0.7) and everything before that wasn't really decentrally "activated". I think that this is when Gavin first proposed code for it, but maybe I've missed something. This was the "novel" mechanism when I started looking deeper into Bitcoin code.

I think that BIPs 30, 66 and 65 were activated using this, then from 112/113 (CSV) onward, versionbits were the primary activation indicator instead of hard version numbers.

102 sats \ 5 replies \ @Undisciplined 3h

Why can’t these 5 utxos be addressed in an upgrade?

It seems like it should be easy enough give them the same exemption that all of the older utxos received.

192 sats \ 1 reply \ @optimism 2h

Because accepting things that are currently rejected is a hard fork; whereas rejecting things that are currently accepted is - given you get high miner activation support - a soft fork.

100 sats \ 0 replies \ @Undisciplined 2h

Got it

90 sats \ 2 replies \ @Scoresby OP 3h

This gets a little beyond my technical understanding, but at the very least, such an extended exemption is a hard fork: if anyone running current rules sees one of those utxos get included in a new block, they'll treat it as invalid.

This then comes with all the trouble of a hard fork: how do we make sure all people running old software don't get forked off?

0 sats \ 1 reply \ @Undisciplined 3h

I see. So, they could have easily exempted them at the time but now we’re stuck with this?

69 sats \ 0 replies \ @Scoresby OP 3h

I don't know about "easily" but I think it would have been easier.

0 sats \ 0 replies \ @nitter 4h

https://twiiit.com/nvk/status/1998765929837326470