From rusty at rustcorp.com.au Mon May 2 23:39:10 2016
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Tue, 03 May 2016 09:09:10 +0930
Subject: [Lightning-dev] Oversize preimage attack.
In-Reply-To:
References: <871t5lf3p1.fsf@rustcorp.com.au>
Message-ID: <874maguj1d.fsf@rustcorp.com.au>

Olaoluwa Osuntokun writes:
>> Or require a 110k preimage to redeem, drop to the blockchain, then
>> redeem it by sending direct to a miner. A node trying to use that
>> preimage would create a non-standard transaction, which may not
>> propagate. Similarly with an almost 4MB preimage which requires you
>> to grind out a tiny signature to redeem in a tx small enough...
>>
>
> Segwit's witness program validation logic ensures that each element of the
> passed witness stack is less-than-or-equal-to the maximum script element
> size (520 bytes). This check is enforced before execution itself.
> Therefore, even without the additional OP_SIZE check, Script will enforce a
> ceiling on the pre-image size.

Right! I'd missed MAX_SCRIPT_ELEMENT_SIZE, thanks.

> We've also recently made such an observation, resulting in a modification
> to our scripts similar to the one you've detailed. Thanks for sounding the
> alarm with this mailing-list post!

Hmm, are there any other issues you've come across? Every time I find
something like this I worry what else we've missed :(

Thanks!
Rusty.
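
Added example, not part of the original message and not code from any Lightning or Bitcoin implementation: a sketch of the pre-execution check discussed above, which parses one input's serialized witness and reports any stack item larger than MAX_SCRIPT_ELEMENT_SIZE. The function names are hypothetical, and the code assumes the P2WSH layout in which the last witness item is the witness script and is therefore not held to the 520-byte element limit.

```python
# Added example (not from the thread): the pre-execution size check on a
# P2WSH witness stack. Witnesses passed in by callers are constructed samples.
MAX_SCRIPT_ELEMENT_SIZE = 520  # bytes, the limit named in the thread


def compact_size(n):
    """Encode n as a Bitcoin CompactSize integer."""
    if n < 0xFD:
        return bytes([n])
    for prefix, width in ((0xFD, 2), (0xFE, 4), (0xFF, 8)):
        if n < 1 << (8 * width):
            return bytes([prefix]) + n.to_bytes(width, "little")
    raise ValueError("value too large")


def read_compact_size(buf, pos):
    """Decode a CompactSize at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated witness")
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}.get(buf[pos], 0)
    if width == 0:
        return buf[pos], pos + 1
    end = pos + 1 + width
    if end > len(buf):
        raise ValueError("truncated witness")
    return int.from_bytes(buf[pos + 1:end], "little"), end


def serialize_witness(items):
    """Serialize one input's witness: item count, then length-prefixed items."""
    return compact_size(len(items)) + b"".join(compact_size(len(i)) + i for i in items)


def parse_witness(buf):
    """Split a serialized witness back into its stack items."""
    count, pos = read_compact_size(buf, 0)
    items = []
    for _ in range(count):
        length, pos = read_compact_size(buf, pos)
        if pos + length > len(buf):
            raise ValueError("truncated witness")
        items.append(buf[pos:pos + length])
        pos += length
    if pos != len(buf):
        raise ValueError("trailing bytes after witness")
    return items


def oversize_elements(witness):
    """Return (index, size) of stack items over the limit, script item excluded."""
    stack = parse_witness(witness)[:-1]  # last item is the witness script
    return [(i, len(e)) for i, e in enumerate(stack) if len(e) > MAX_SCRIPT_ELEMENT_SIZE]
```

A witness built as serialize_witness([signature, preimage, witness_script]) comes back clean for a preimage of up to 520 bytes and is flagged at index 1 once the preimage is 521 bytes or more, which covers the 110k case from the quoted text.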