Can someone explain this [outdated] BIP12 OP_EVAL exploit?

1

I understand that BIP12 was withdrawn, and probably because of this exploit below. Can someone explain how this attack would have worked and the effect it would have on the network?

 for (;;) {
    RAND_bytes(nonce.b, sizeof(nonce));
    RIPEMD160(nonce.b, sizeof(nonce), digest);
    if (
      digest[0] == 174 && // OP_CHECKMULTISIG
      digest[1] ==  76 && // OP_PUSHDATA1
      digest[2] ==  16    // 0x16
    ) {
      // We'll print status info on partial hits, just to make things more
      // interesting.
      printf("%llx\n", nonce.i);
      print_hex(digest, 20);

      // Check for full hit
      if (digest[19] == 117) // OP_DROP
        return;
    }

goodguys_activate

Posted 2012-12-22T15:33:18.097

Reputation: 11 898

Answers

3

Each transaction has a certain number of "sigops", the number of signature validation script ops like OP_CHECKSIG in its scripts. These script ops are very expensive to compute. Transactions with too many sigops are considered non-standard and will not be relayed by most clients. Blocks with too many sigops in their transactions are illegal and will be rejected entirely.

That exploit allows you to include sigops in transactions without increasing the sigop count. It could be used to create a very slow-to-compute transaction that isn't very big size-wise. Not a huge exploit, and it could be worked around, but it demonstrates an important weakness in BIP 12: OP_EVAL scripts can't be analyzed accurately without running them first.

theymos

Posted 2012-12-22T15:33:18.097

Reputation: 8 228

Thank you, I need to learn sigop count and how it's done.... I'm getting the impression the QT client counts operations in a weighted curve.. (OP_CheckSig counts as X operations, and OP_Equal counts as Y operations where X > Y) Is this correct? Is cost per operation sometimes >1 per operation?goodguys_activate 2012-12-22T18:41:54.000

@makerofthings7 Only CHECKSIG and CHECKMULTISIG count. CHECKSIG counts as 1 sigop. CHECKMULTISIG always counts as 20 except inside of a P2SH transaction's hashed script where it usually counts as the number of public keys passed to CHECKMULTISIG.theymos 2012-12-22T21:14:03.063

Asked: 2012-12-22T15:33:18.097

Viewed: 153 times

Active: 2014-12-13T05:50:34.847