Recent "SigOp" "Attack" On The Blockchain Or Advanced Power Rangering

Signature operations, or "SigOps", in Bitcoin transaction scripts require checking ECDSA signatures to ensure a Bitcoin transaction is valid. This is computationally expensive work, making it an avenue of potential disruption on the Bitcoin network. The possibility was known for months (archived). Yet little attention was paid until yesterday's events caused ineffective block filling. The mining side was amply discussed there, and can be easily fixed by miners who know their stuff. I rather wish to shed some light on network propagation of these transactions, as the burden of signature checking rests on full nodes, too.

The Bitcoin Foundation codebase inherited a sane limit of one SigOp per 34 bytes of transaction, as seen from the source code in src/main.cpp (archived):

// Checking ECDSA signatures is a CPU bottleneck, so to avoid denial-of-service
// attacks disallow transactions with more than one SigOp per 34 bytes.
// 34 bytes because a TxOut is:
// 20-byte address + 8 byte bitcoin amount + 5 bytes of ops + 1 byte script length
if (GetSigOpCount() > nSize / 34 || nSize < 100)
    return error("AcceptToMemoryPool() : transaction with out-of-bounds SigOpCount");

Power Rangers, namely Gavin Andresen and Matt Corallo, attempted to "improve" (archived) upon it while rushing out a new "standard" type of transaction (BIP0016) and decreed that transactions with 1000000/50/5 = 4000 sigops are swell regardless of size (in src/main.h):

/** The maximum allowed number of signature check operations in a block (network rule) */
static const unsigned int MAX_BLOCK_SIGOPS = MAX_BLOCK_SIZE/50;
/** Maximum number of signature check operations in an IsStandard() P2SH script */
static const unsigned int MAX_P2SH_SIGOPS = 15;
/** The maximum number of sigops we're willing to relay/mine in a single tx */
static const unsigned int MAX_TX_SIGOPS = MAX_BLOCK_SIGOPS/5;

Luke-jr soon restored a "20 bytes per sigop" policy, a proposal which at the time of writing remains outside of the Core fork (archived).
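To see how the three relay policies above treat the same transaction, here is an added example; it is not code from the Bitcoin source tree or from this post. CountSigOps is a simplified legacy-style counter, and DensityOk, FlatCapOk and SampleP2PKH are hypothetical names; the sample script is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration: a simplified model, not code from the Bitcoin source tree.
// Legacy-style count: OP_CHECKSIG(VERIFY) = 1, OP_CHECKMULTISIG(VERIFY) = 20.
// Pushed data is skipped so bytes inside a push are never read as opcodes.
unsigned CountSigOps(const std::vector<uint8_t>& s) {
    unsigned n = 0;
    size_t pc = 0;
    while (pc < s.size()) {
        uint8_t op = s[pc++];
        size_t len = 0;
        if (op == 0xac || op == 0xad) n += 1;           // OP_CHECKSIG(VERIFY)
        else if (op == 0xae || op == 0xaf) n += 20;     // OP_CHECKMULTISIG(VERIFY)
        else if (op >= 0x01 && op <= 0x4b) len = op;    // direct push of 1..75 bytes
        else if (op >= 0x4c && op <= 0x4e) {            // OP_PUSHDATA1/2/4
            size_t w = size_t(1) << (op - 0x4c);        // 1, 2 or 4 length bytes
            if (s.size() - pc < w) break;               // truncated length field
            for (size_t i = 0; i < w; ++i) len |= size_t(s[pc + i]) << (8 * i);
            pc += w;
        }
        if (len > s.size() - pc) break;                 // push runs past script end
        pc += len;
    }
    return n;
}

// Density rule as quoted from src/main.cpp, where bytesPerSigOp is 34.
// Passing 20 models the "20 bytes per sigop" policy (its exact form is assumed).
bool DensityOk(unsigned sigops, unsigned nSize, unsigned bytesPerSigOp) {
    return !(sigops > nSize / bytesPerSigOp || nSize < 100);
}

// Flat cap as quoted from src/main.h; the <= comparison is an assumption.
const unsigned MAX_BLOCK_SIZE = 1000000;
const unsigned MAX_TX_SIGOPS = MAX_BLOCK_SIZE / 50 / 5;  // 4000
bool FlatCapOk(unsigned sigops) { return sigops <= MAX_TX_SIGOPS; }

// Constructed sample: a pay-to-pubkey-hash output script (25 bytes) whose
// hash bytes are all 0xac, so a naive byte scan would overcount sigops.
std::vector<uint8_t> SampleP2PKH() {
    std::vector<uint8_t> s = {0x76, 0xa9, 0x14};        // OP_DUP OP_HASH160 push(20)
    s.insert(s.end(), size_t(20), uint8_t(0xac));       // 20 data bytes, not opcodes
    s.push_back(0x88);                                  // OP_EQUALVERIFY
    s.push_back(0xac);                                  // OP_CHECKSIG
    return s;
}
```

A constructed 10,000-byte transaction carrying 4000 sigops fails the density rule at both 34 and 20 bytes per sigop, yet passes the flat cap.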

At present multiple varying rule sets for transaction propagation are in effect on the Bitcoin network. For best transaction propagation Bitcoin users should strive for minimal signature operations in their outgoing transactions and use fees to maximize their transaction's appeal to miners. The foundation's reference client remains the standard for measuring how kindly the Bitcoin network is likely to take to your transaction.
