policy.cpp
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-present The Bitcoin Core developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 // NOTE: This file is intended to be customised by the end user, and includes only local node policy logic 7 8 #include <policy/policy.h> 9 10 #include <coins.h> 11 #include <consensus/amount.h> 12 #include <consensus/consensus.h> 13 #include <consensus/validation.h> 14 #include <policy/feerate.h> 15 #include <primitives/transaction.h> 16 #include <script/interpreter.h> 17 #include <script/script.h> 18 #include <script/solver.h> 19 #include <serialize.h> 20 #include <span.h> 21 #include <tinyformat.h> 22 23 #include <algorithm> 24 #include <cstddef> 25 #include <vector> 26 27 CAmount GetDustThreshold(const CTxOut& txout, const CFeeRate& dustRelayFeeIn) 28 { 29 // "Dust" is defined in terms of dustRelayFee, 30 // which has units satoshis-per-kilobyte. 31 // If you'd pay more in fees than the value of the output 32 // to spend something, then we consider it dust. 33 // A typical spendable non-segwit txout is 34 bytes big, and will 34 // need a CTxIn of at least 148 bytes to spend: 35 // so dust is a spendable txout less than 36 // 182*dustRelayFee/1000 (in satoshis). 37 // 546 satoshis at the default rate of 3000 sat/kvB. 38 // A typical spendable segwit P2WPKH txout is 31 bytes big, and will 39 // need a CTxIn of at least 67 bytes to spend: 40 // so dust is a spendable txout less than 41 // 98*dustRelayFee/1000 (in satoshis). 42 // 294 satoshis at the default rate of 3000 sat/kvB. 43 if (txout.scriptPubKey.IsUnspendable()) 44 return 0; 45 46 uint64_t nSize{GetSerializeSize(txout)}; 47 int witnessversion = 0; 48 std::vector<unsigned char> witnessprogram; 49 50 // Note this computation is for spending a Segwit v0 P2WPKH output (a 33 bytes 51 // public key + an ECDSA signature). For Segwit v1 Taproot outputs the minimum 52 // satisfaction is lower (a single BIP340 signature) but this computation was 53 // kept to not further reduce the dust level. 54 // See discussion in https://github.com/bitcoin/bitcoin/pull/22779 for details. 55 if (txout.scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) { 56 // sum the sizes of the parts of a transaction input 57 // with 75% segwit discount applied to the script size. 58 nSize += (32 + 4 + 1 + (107 / WITNESS_SCALE_FACTOR) + 4); 59 } else { 60 nSize += (32 + 4 + 1 + 107 + 4); // the 148 mentioned above 61 } 62 63 return dustRelayFeeIn.GetFee(nSize); 64 } 65 66 bool IsDust(const CTxOut& txout, const CFeeRate& dustRelayFeeIn) 67 { 68 return (txout.nValue < GetDustThreshold(txout, dustRelayFeeIn)); 69 } 70 71 std::vector<uint32_t> GetDust(const CTransaction& tx, CFeeRate dust_relay_rate) 72 { 73 std::vector<uint32_t> dust_outputs; 74 for (uint32_t i{0}; i < tx.vout.size(); ++i) { 75 if (IsDust(tx.vout[i], dust_relay_rate)) dust_outputs.push_back(i); 76 } 77 return dust_outputs; 78 } 79 80 bool IsStandard(const CScript& scriptPubKey, TxoutType& whichType) 81 { 82 std::vector<std::vector<unsigned char> > vSolutions; 83 whichType = Solver(scriptPubKey, vSolutions); 84 85 if (whichType == TxoutType::NONSTANDARD) { 86 return false; 87 } else if (whichType == TxoutType::MULTISIG) { 88 unsigned char m = vSolutions.front()[0]; 89 unsigned char n = vSolutions.back()[0]; 90 // Support up to x-of-3 multisig txns as standard 91 if (n < 1 || n > 3) 92 return false; 93 if (m < 1 || m > n) 94 return false; 95 } 96 97 return true; 98 } 99 100 bool IsStandardTx(const CTransaction& tx, const std::optional<unsigned>& max_datacarrier_bytes, bool permit_bare_multisig, const CFeeRate& dust_relay_fee, std::string& reason) 101 { 102 if (tx.version > TX_MAX_STANDARD_VERSION || tx.version < TX_MIN_STANDARD_VERSION) { 103 reason = "version"; 104 return false; 105 } 106 107 // Extremely large transactions with lots of inputs can cost the network 108 // almost as much to process as they cost the sender in fees, because 109 // computing signature hashes is O(ninputs*txsize). Limiting transactions 110 // to MAX_STANDARD_TX_WEIGHT mitigates CPU exhaustion attacks. 111 unsigned int sz = GetTransactionWeight(tx); 112 if (sz > MAX_STANDARD_TX_WEIGHT) { 113 reason = "tx-size"; 114 return false; 115 } 116 117 for (const CTxIn& txin : tx.vin) 118 { 119 // Biggest 'standard' txin involving only keys is a 15-of-15 P2SH 120 // multisig with compressed keys (remember the MAX_SCRIPT_ELEMENT_SIZE byte limit on 121 // redeemScript size). That works out to a (15*(33+1))+3=513 byte 122 // redeemScript, 513+1+15*(73+1)+3=1627 bytes of scriptSig, which 123 // we round off to 1650(MAX_STANDARD_SCRIPTSIG_SIZE) bytes for 124 // some minor future-proofing. That's also enough to spend a 125 // 20-of-20 CHECKMULTISIG scriptPubKey, though such a scriptPubKey 126 // is not considered standard. 127 if (txin.scriptSig.size() > MAX_STANDARD_SCRIPTSIG_SIZE) { 128 reason = "scriptsig-size"; 129 return false; 130 } 131 if (!txin.scriptSig.IsPushOnly()) { 132 reason = "scriptsig-not-pushonly"; 133 return false; 134 } 135 } 136 137 unsigned int datacarrier_bytes_left = max_datacarrier_bytes.value_or(0); 138 TxoutType whichType; 139 for (const CTxOut& txout : tx.vout) { 140 if (!::IsStandard(txout.scriptPubKey, whichType)) { 141 reason = "scriptpubkey"; 142 return false; 143 } 144 145 if (whichType == TxoutType::NULL_DATA) { 146 unsigned int size = txout.scriptPubKey.size(); 147 if (size > datacarrier_bytes_left) { 148 reason = "datacarrier"; 149 return false; 150 } 151 datacarrier_bytes_left -= size; 152 } else if ((whichType == TxoutType::MULTISIG) && (!permit_bare_multisig)) { 153 reason = "bare-multisig"; 154 return false; 155 } 156 } 157 158 // Only MAX_DUST_OUTPUTS_PER_TX dust is permitted(on otherwise valid ephemeral dust) 159 if (GetDust(tx, dust_relay_fee).size() > MAX_DUST_OUTPUTS_PER_TX) { 160 reason = "dust"; 161 return false; 162 } 163 164 return true; 165 } 166 167 /** 168 * Check the total number of non-witness sigops across the whole transaction, as per BIP54. 169 */ 170 static bool CheckSigopsBIP54(const CTransaction& tx, const CCoinsViewCache& inputs) 171 { 172 Assert(!tx.IsCoinBase()); 173 174 unsigned int sigops{0}; 175 for (const auto& txin: tx.vin) { 176 const auto& prev_txo{inputs.AccessCoin(txin.prevout).out}; 177 178 // Unlike the existing block wide sigop limit which counts sigops present in the block 179 // itself (including the scriptPubKey which is not executed until spending later), BIP54 180 // counts sigops in the block where they are potentially executed (only). 181 // This means sigops in the spent scriptPubKey count toward the limit. 182 // `fAccurate` means correctly accounting sigops for CHECKMULTISIGs(VERIFY) with 16 pubkeys 183 // or fewer. This method of accounting was introduced by BIP16, and BIP54 reuses it. 184 // The GetSigOpCount call on the previous scriptPubKey counts both bare and P2SH sigops. 185 sigops += txin.scriptSig.GetSigOpCount(/*fAccurate=*/true); 186 sigops += prev_txo.scriptPubKey.GetSigOpCount(txin.scriptSig); 187 188 if (sigops > MAX_TX_LEGACY_SIGOPS) { 189 return false; 190 } 191 } 192 193 return true; 194 } 195 196 /** 197 * Check transaction inputs. 198 * 199 * This does three things: 200 * * Prevents mempool acceptance of spends of future 201 * segwit versions we don't know how to validate 202 * * Mitigates a potential denial-of-service attack with 203 * P2SH scripts with a crazy number of expensive 204 * CHECKSIG/CHECKMULTISIG operations. 205 * * Prevents spends of unknown/irregular scriptPubKeys, 206 * which mitigates potential denial-of-service attacks 207 * involving expensive scripts and helps reserve them 208 * as potential new upgrade hooks. 209 * 210 * Note that only the non-witness portion of the transaction is checked here. 211 * 212 * We also check the total number of non-witness sigops across the whole transaction, as per BIP54. 213 */ 214 TxValidationState ValidateInputsStandardness(const CTransaction& tx, const CCoinsViewCache& mapInputs) 215 { 216 TxValidationState state; 217 if (tx.IsCoinBase()) { 218 return state; // Coinbases don't use vin normally 219 } 220 221 if (!CheckSigopsBIP54(tx, mapInputs)) { 222 state.Invalid(TxValidationResult::TX_INPUTS_NOT_STANDARD, "bad-txns-nonstandard-inputs", "non-witness sigops exceed bip54 limit"); 223 return state; 224 } 225 226 for (unsigned int i = 0; i < tx.vin.size(); i++) { 227 const CTxOut& prev = mapInputs.AccessCoin(tx.vin[i].prevout).out; 228 229 std::vector<std::vector<unsigned char> > vSolutions; 230 TxoutType whichType = Solver(prev.scriptPubKey, vSolutions); 231 if (whichType == TxoutType::NONSTANDARD) { 232 state.Invalid(TxValidationResult::TX_INPUTS_NOT_STANDARD, "bad-txns-nonstandard-inputs", strprintf("input %u script unknown", i)); 233 return state; 234 } else if (whichType == TxoutType::WITNESS_UNKNOWN) { 235 // WITNESS_UNKNOWN failures are typically also caught with a policy 236 // flag in the script interpreter, but it can be helpful to catch 237 // this type of NONSTANDARD transaction earlier in transaction 238 // validation. 239 state.Invalid(TxValidationResult::TX_INPUTS_NOT_STANDARD, "bad-txns-nonstandard-inputs", strprintf("input %u witness program is undefined", i)); 240 return state; 241 } else if (whichType == TxoutType::SCRIPTHASH) { 242 std::vector<std::vector<unsigned char> > stack; 243 ScriptError serror; 244 // convert the scriptSig into a stack, so we can inspect the redeemScript 245 if (!EvalScript(stack, tx.vin[i].scriptSig, SCRIPT_VERIFY_NONE, BaseSignatureChecker(), SigVersion::BASE, &serror)) { 246 state.Invalid(TxValidationResult::TX_INPUTS_NOT_STANDARD, "bad-txns-nonstandard-inputs", strprintf("p2sh scriptsig malformed (input %u: %s)", i, ScriptErrorString(serror))); 247 return state; 248 } 249 if (stack.empty()) { 250 state.Invalid(TxValidationResult::TX_INPUTS_NOT_STANDARD, "bad-txns-nonstandard-inputs", strprintf("input %u P2SH redeemscript missing", i)); 251 return state; 252 } 253 CScript subscript(stack.back().begin(), stack.back().end()); 254 unsigned int sigop_count = subscript.GetSigOpCount(true); 255 if (sigop_count > MAX_P2SH_SIGOPS) { 256 state.Invalid(TxValidationResult::TX_INPUTS_NOT_STANDARD, "bad-txns-nonstandard-inputs", strprintf("p2sh redeemscript sigops exceed limit (input %u: %u > %u)", i, sigop_count, MAX_P2SH_SIGOPS)); 257 return state; 258 } 259 } 260 } 261 262 return state; 263 } 264 265 bool IsWitnessStandard(const CTransaction& tx, const CCoinsViewCache& mapInputs) 266 { 267 if (tx.IsCoinBase()) 268 return true; // Coinbases are skipped 269 270 for (unsigned int i = 0; i < tx.vin.size(); i++) 271 { 272 // We don't care if witness for this input is empty, since it must not be bloated. 273 // If the script is invalid without witness, it would be caught sooner or later during validation. 274 if (tx.vin[i].scriptWitness.IsNull()) 275 continue; 276 277 const CTxOut &prev = mapInputs.AccessCoin(tx.vin[i].prevout).out; 278 279 // get the scriptPubKey corresponding to this input: 280 CScript prevScript = prev.scriptPubKey; 281 282 // witness stuffing detected 283 if (prevScript.IsPayToAnchor()) { 284 return false; 285 } 286 287 bool p2sh = false; 288 if (prevScript.IsPayToScriptHash()) { 289 std::vector <std::vector<unsigned char> > stack; 290 // If the scriptPubKey is P2SH, we try to extract the redeemScript casually by converting the scriptSig 291 // into a stack. We do not check IsPushOnly nor compare the hash as these will be done later anyway. 292 // If the check fails at this stage, we know that this txid must be a bad one. 293 if (!EvalScript(stack, tx.vin[i].scriptSig, SCRIPT_VERIFY_NONE, BaseSignatureChecker(), SigVersion::BASE)) 294 return false; 295 if (stack.empty()) 296 return false; 297 prevScript = CScript(stack.back().begin(), stack.back().end()); 298 p2sh = true; 299 } 300 301 int witnessversion = 0; 302 std::vector<unsigned char> witnessprogram; 303 304 // Non-witness program must not be associated with any witness 305 if (!prevScript.IsWitnessProgram(witnessversion, witnessprogram)) 306 return false; 307 308 // Check P2WSH standard limits 309 if (witnessversion == 0 && witnessprogram.size() == WITNESS_V0_SCRIPTHASH_SIZE) { 310 if (tx.vin[i].scriptWitness.stack.back().size() > MAX_STANDARD_P2WSH_SCRIPT_SIZE) 311 return false; 312 size_t sizeWitnessStack = tx.vin[i].scriptWitness.stack.size() - 1; 313 if (sizeWitnessStack > MAX_STANDARD_P2WSH_STACK_ITEMS) 314 return false; 315 for (unsigned int j = 0; j < sizeWitnessStack; j++) { 316 if (tx.vin[i].scriptWitness.stack[j].size() > MAX_STANDARD_P2WSH_STACK_ITEM_SIZE) 317 return false; 318 } 319 } 320 321 // Check policy limits for Taproot spends: 322 // - MAX_STANDARD_TAPSCRIPT_STACK_ITEM_SIZE limit for stack item size 323 // - No annexes 324 if (witnessversion == 1 && witnessprogram.size() == WITNESS_V1_TAPROOT_SIZE && !p2sh) { 325 // Taproot spend (non-P2SH-wrapped, version 1, witness program size 32; see BIP 341) 326 std::span stack{tx.vin[i].scriptWitness.stack}; 327 if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) { 328 // Annexes are nonstandard as long as no semantics are defined for them. 329 return false; 330 } 331 if (stack.size() >= 2) { 332 // Script path spend (2 or more stack elements after removing optional annex) 333 const auto& control_block = SpanPopBack(stack); 334 SpanPopBack(stack); // Ignore script 335 if (control_block.empty()) return false; // Empty control block is invalid 336 if ((control_block[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT) { 337 // Leaf version 0xc0 (aka Tapscript, see BIP 342) 338 for (const auto& item : stack) { 339 if (item.size() > MAX_STANDARD_TAPSCRIPT_STACK_ITEM_SIZE) return false; 340 } 341 } 342 } else if (stack.size() == 1) { 343 // Key path spend (1 stack element after removing optional annex) 344 // (no policy rules apply) 345 } else { 346 // 0 stack elements; this is already invalid by consensus rules 347 return false; 348 } 349 } 350 } 351 return true; 352 } 353 354 bool SpendsNonAnchorWitnessProg(const CTransaction& tx, const CCoinsViewCache& prevouts) 355 { 356 if (tx.IsCoinBase()) { 357 return false; 358 } 359 360 int version; 361 std::vector<uint8_t> program; 362 for (const auto& txin: tx.vin) { 363 const auto& prev_spk{prevouts.AccessCoin(txin.prevout).out.scriptPubKey}; 364 365 // Note this includes not-yet-defined witness programs. 366 if (prev_spk.IsWitnessProgram(version, program) && !prev_spk.IsPayToAnchor(version, program)) { 367 return true; 368 } 369 370 // For P2SH extract the redeem script and check if it spends a non-Taproot witness program. Note 371 // this is fine to call EvalScript (as done in ValidateInputsStandardness/IsWitnessStandard) because this 372 // function is only ever called after IsStandardTx, which checks the scriptsig is pushonly. 373 if (prev_spk.IsPayToScriptHash()) { 374 // If EvalScript fails or results in an empty stack, the transaction is invalid by consensus. 375 std::vector <std::vector<uint8_t>> stack; 376 if (!EvalScript(stack, txin.scriptSig, SCRIPT_VERIFY_NONE, BaseSignatureChecker{}, SigVersion::BASE) 377 || stack.empty()) { 378 continue; 379 } 380 const CScript redeem_script{stack.back().begin(), stack.back().end()}; 381 if (redeem_script.IsWitnessProgram(version, program)) { 382 return true; 383 } 384 } 385 } 386 387 return false; 388 } 389 390 int64_t GetSigOpsAdjustedWeight(int64_t weight, int64_t sigop_cost, unsigned int bytes_per_sigop) 391 { 392 return std::max(weight, sigop_cost * bytes_per_sigop); 393 } 394 395 int64_t GetVirtualTransactionSize(int64_t nWeight, int64_t nSigOpCost, unsigned int bytes_per_sigop) 396 { 397 return (GetSigOpsAdjustedWeight(nWeight, nSigOpCost, bytes_per_sigop) + WITNESS_SCALE_FACTOR - 1) / WITNESS_SCALE_FACTOR; 398 } 399 400 int64_t GetVirtualTransactionSize(const CTransaction& tx, int64_t nSigOpCost, unsigned int bytes_per_sigop) 401 { 402 return GetVirtualTransactionSize(GetTransactionWeight(tx), nSigOpCost, bytes_per_sigop); 403 } 404 405 int64_t GetVirtualTransactionInputSize(const CTxIn& txin, int64_t nSigOpCost, unsigned int bytes_per_sigop) 406 { 407 return GetVirtualTransactionSize(GetTransactionInputWeight(txin), nSigOpCost, bytes_per_sigop); 408 }