From decker.christian at gmail.com Tue Jul 3 12:05:09 2018 From: decker.christian at gmail.com (Christian Decker) Date: Tue, 03 Jul 2018 14:05:09 +0200 Subject: [Lightning-dev] [bitcoin-dev] BIP sighash_noinput In-Reply-To: References: <871sewirni.fsf@gmail.com> Message-ID: <871sckjzii.fsf@gmail.com> Gregory Maxwell writes: > I know it seems kind of silly, but I think it's somewhat important > that the formal name of this flag is something like > "SIGHASH_REPLAY_VULNERABLE" or likewise or at least > "SIGHASH_WEAK_REPLAYABLE". This is because noinput is materially > insecure for traditional applications where a third party might pay to > an address a second time, and should only be used in special protocols > which make that kind of mistake unlikely. Otherwise, I'm worried > that wallets might start using this sighash because it simplifies > handling malleability without realizing that when a third party reuses > a script pubkey, completely outside of control of the wallet that uses > the flag, funds will be lost as soon as a troublemaker shows up (but > not, sadly, in testing). This sort of risk is magnified because the > third party address reuser has no way to know that this sighash flag > has (or will) be used with a particular scriptpubkey. Absolutely agree that we should be signaling the danger of using noinput as clearly as possible to developers, and I'm more than happy to adopt the _unsafe suffix suggested by jb55. I think using non-sighash_all sighashes is always a huge danger, as you have correctly pointed out, so maybe we should be marking all of them as being unsafe, or make sure to communicate that danger on a higher level (docs).