Consensus Cleanup BIP draft

[Antoine Poinsot]

Hi everyone,

About two months ago i shared an update on this list about my (and others', really) work on the
Consensus Cleanup [0]. I am now ready to share a BIP draft for a Consensus Cleanup soft fork.

The BIP draft can be found here: https://github.com/darosior/bips/blob/consensus_cleanup/bip-cc.md

It includes the following fixes:
- a restriction on the timestamp of the first and last blocks of a difficulty adjustment period to
address the Timewarp and Murch-Zawy attacks;
- a limit on the number of legacy signature operations that may be executed in validating a single
transaction to address long block validation times;
- making 64 bytes transactions invalid to address weaknesses in the block Merkle tree construction;
- mandating coinbase transactions be timelocked to their block height to prevent future transaction
duplication without resorting to BIP30 validation.

This BIP draws on the 2019 Great Consensus Cleanup proposal from Matt Corallo [1]. A number of
people contributed ideas, testing, data or useful discussions. This includes Ava Chow, Matt Corallo,
Mark Erhardt, Brian Groll, David A. Harding, Sjors Provoost, Anthony Towns, Greg Sanders, Chris
Stewart, Eric Voskuil, @0xb10c and others.

Antoine Poinsot

[0] https://gnusha.org/pi/bitcoindev/jiyMlvTX8BnG71f75SqChQZxyhZDQ65kldcugeIDJVJsvK4hadCO3GT46xFc7_cUlWdmOCG0B_WIz0HAO5ZugqYTuX5qxnNLRBn3MopuATI=@protonmail.com
[1] https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197d3eabe661050c2/bip-XXXX.mediawiki

[Chris Stewart]

Hi Antoine,

First off, concept ACK. My concerns are procedural rather than objections to the individual security fixes themselves.

The "Great Consensus Cleanup" is a fantastic brand for communicating these protocol changes to non-technical users. However, since this is a technical forum and we are producing BIPs intended for technical audiences, I believe we should document these changes in separate BIPs.

The proposed security fixes are largely unrelated from a technical standpoint:

1. Timewarp attack mitigation

2. Worst-case block validation constraints

3. Disallowing 64-byte transactions

4. Avoiding duplicate transactions

We should absolutely retain the "Great Consensus Cleanup" branding while independently documenting each security enhancement.

A common concern I’ve heard about splitting this BIP is that deploying soft forks is difficult, so all changes should be bundled together. While soft fork deployment is indeed challenging, we've successfully activated multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143 in Segwit, as well as BIP341, BIP342, and BIP343 in Taproot. If the community reaches consensus, we can still deploy all these changes together, even if they are documented separately.

This approach also provides flexibility: if one of the proposed changes turns out to be controversial, we could remove it without holding up the rest of the improvements. Additionally, once these fixes are deployed, there will likely be significant research and documentation to incorporate, and maintaining independent BIPs will make it easier to manage that growth.

I do see merit in implementing all the security fixes in a single PR for Bitcoin Core. More active contributors to the project may have stronger opinions on the best approach there.

-Chris

---

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/uDAujRxk4oWnEGYX9lBD3e0V7a4V4Pd-c4-2QVybSZNcfJj5a6IbO6fCM_xEQEpBvQeOT8eIi1r91iKFIveeLIxfNMzDys77HUcbl7Zne4g%3D%40protonmail.com.

[Antoine Poinsot]

Hi Chris,

As i already explained on this very list 2 months ago [0], i don't find the argument for splitting my BIP convincing. On the contrary i think it would be counterproductive as it would create more churn, invite bikeshedding and overall impede progress on this proposal.

we've successfully activated multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143 in Segwit, as well as BIP341, BIP342, and BIP343 in Taproot.

Those BIPs had much more content to them. The specifications of the Consensus Cleanup is trivial in comparison: they fit in less than a dozen lines of text when described in details. Splitting them in 4 different BIPs with a single or a couple lines of specifications would just introduce unnecessary overhead.

if one of the proposed changes turns out to be controversial, we could remove it without holding up the rest of the improvements.

First of all, i do not expect to remove any of the mitigations from the BIP at this stage. The fact that each of these mitigations was researched and discussed at length by multiple people over the past year gives me confidence to move forward with every single one of those. Otherwise i would not have proposed this BIP in the first place.

Now, even if somehow we should drop one of the mitigations from the proposal, having them in separate BIPs does not make that any easier.

More active contributors to the project may have stronger opinions on the best approach there.

Yes.

Best,
Antoine

[0] https://gnusha.org/pi/bitcoindev/mm_NvE4votqtjm455I3AmdrLOTzwgfFpqbtbFFNy0Zf2PywGt220MXfn76it60q_kbnS9Rw97cv6XzqogNgQMfIXi6-HdOnamw7tUrMtmXc=@protonmail.com

[jeremy]

> First of all, i do not expect to remove any of the mitigations from the BIP at this stage. The fact that each of these mitigations was researched and discussed at length by multiple people over the past year gives me confidence to move forward with every single one of those. Otherwise i would not have proposed this BIP in the first place.

I'd recommend taking a much more flexible mindset at this stage. The set of eyeballs you get at a pre-BIP and BIP stage, and the level of attention are very different, and this type of messaging is very discouraging for someone with expertise to care to put review in v.s. disregarding the effort as non-constructive.

Critically:

In your "discussed at length" proposal, you failed to realize that there were indeed 64 byte transactions on-chain until it was pointed out to you 7 days ago.

You also include a hack using coinbase nSequence -- have you bothered to talk to anyone in the mining business how they feel about that? Are you sure no ASIC in the wild don't hardcode a field that never needed to be set before?

I'm also personally strongly against removing 64-byte transactions. It's a wart in how transactions work, and future upgrades (especially around tx programmability) might integrate very poorly with this kind of edge condition.

regards,

Jeremy

[Sjors Provoost]

> Op 27 mrt 2025, om 21:45 heeft jeremy <jeremy....@gmail.com> het volgende geschreven:
>
> I'm also personally strongly against removing 64-byte transactions. It's a wart in how transactions work, and future upgrades (especially around tx programmability) might integrate very poorly with this kind of edge condition.

Do you have an example in mind where a 64-byte transaction could appear in such a system?

Given the limited space, in particular no room for a public key or signature, I could imagine a burn or anyone-can-spend clause. Those don't have to be exactly 64 bytes. Even if 64 byte transactions are generated by accident, I believe they can be tweaked after the fact (though that claim could use more scrutiny):

https://bitcoin.stackexchange.com/q/125971/4948

If we grant that any smart contract system has to engineer around this "ward", we should also consider how much engineering effort is saved in other smart contract systems by having simpler SPV proofs.

Imo the real ward is the originally broken Merkle tree design. That has required a bunch of engineering all over the place to compensate. Afaik it can only be truly fixed with a hard fork. This seems to be as good as it gets with a soft fork.

- Sjors

[Chris Stewart]

Hi Sjors,

An example is any segwit transaction that 1 input 1 output that pays to a 2 byte witness program. Since witness data doesn't count towards the 64 byte limit, the witness could be of arbitrary size. This was pointed out by garlonicon on delvingbitcoin. This type of witness program is used for pay-to-anchor outputs currently - although I don't believe anchor outputs make sense in a 1 input 1 output transaction? The author of pay to anchor outputs is aware of this issue, but I haven't heard of any further updates since his post on delving.

-Chris

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/17A67D4A-3EF4-4676-8356-B1DE6B0C2D8D%40sprovoost.nl.

[Sjors Provoost]

Hi Chris,

Thanks for that example.

I also realised that there indeed can exist 64 byte transactions that can't be malleated into a different size (see Stack Exchange link below). The example uses SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, so as long as our hypothetical smart contracting system uses those flags for its burn-all / giveaway-all clauses, then if it produces a 64 byte transaction by mistake, it's recoverable.

But a SIGHASH_ALL could get stuck (can't be confirmed, can't be modified). And IIUC with OP_CTV even a SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, once committed inside a CTV tree, can't be modified.

- Sjors

[Chris Stewart]

Hi Sjors,

Sorry to be a bit pedantic here, but I think this distinction is important. Are you referring to a pre-SegWit transaction or a SegWit transaction? It’s crucial to analyze these separately, as SegWit was designed to solve transaction malleability, which affects how we assess backward compatibility concerns when disallowing 64-byte transactions.

In the future, it would be helpful to explicitly specify “pre-segwit” or “segwit” when discussing potential transactions. In my draft BIP, I differentiate between these two types when evaluating the backward compatibility risks of disallowing 64-byte transactions. Additionally, as I mentioned earlier (and as I believe Jeremy has also raised concerns about), there are potential future compatibility issues with segwit transactions.

I'll take a closer look at the Stack Exchange examples and share my thoughts there when I have a bit of time.

Thanks for diving into this in detail—I really appreciate it.

- Chris

[Sjors Provoost]

Hi Chris,

Sorry for the confusion. I meant SegWit.

I believe that 64 byte pre-SegWit transactions are always malleable, because there's no space for a signature in the scriptSig. But with SegWit the scriptSig is empty, there could a SIGHASH_ALL signature in the witness.

- Sjors

> Op 28 mrt 2025, om 14:54 heeft Chris Stewart <stewart....@gmail.com> het volgende geschreven:
>
> Hi Sjors,

[er...@voskuil.org]

Hi Jeremy,

> I'm also personally strongly against removing 64-byte transactions. It's a wart
> in how transactions work, and future upgrades (especially around tx
> programmability) might integrate very poorly with this kind of edge condition.

I tend to agree. This kind of discontinuity always comes back to bite eventually. That concern should not be dismissed so casually.

But more to the point, it does not solve any of the problems that were originally provided as justification, apart from making it slightly simpler to implement an SPV wallet (no need to get the coinbase tx). This was discussed at very great length here and on delving by myself and others, and I believe that it was fully accepted that the only justification is this SPV question. There are no issues of security or performance for any code, and not even a code simplification for a node. It's a new consensus rule that creates this discontinuity - only to make an SPV wallet very slightly easier to implement. There is no other benefit whatsoever. I want to emphasize this because in the discussion it still seems that people may be holding on to the idea that it provides some other benefit - it doesn't. If people agree that this is a worthwhile trade, I'm not going to lose any sleep over it. But I don't like seeing arguments about consensus being based on implementation details - especially when they are flawed. It feels very much to me that this is what got this issue going (the several rejected arguments about node performance and simplification), and may be in part what's still driving it.

I ACK the single activation concept, but don't accept that a rule should be deployed that would not stand on its own justification.

Also, I do appreciate the work that Antoine and others have done on the set of issues overall.

Best,
Eric

> 1. Timewarp attack mitigation
>
> 2. Worst-case block validation constraints
>
> 3. Disallowing 64-byte transactions
>
> 4. Avoiding duplicate transactions

> <mailto:bitcoindev+...@googlegroups.com> .

> To view this discussion visit

> https://groups.google.com/d/msgid/bitcoindev/afedbc69-8042-4fe8-99c2-
> 279173a440f3n%40googlegroups.com
> <https://groups.google.com/d/msgid/bitcoindev/afedbc69-8042-4fe8-99c2-
> 279173a440f3n%40googlegroups.com?utm_medium=email&utm_source=fo
> oter> .

[Sjors Provoost]

On Fri, Mar 28, 2025, at 20:53, er...@voskuil.org wrote:
> Hi Jeremy,
>
>> I'm also personally strongly against removing 64-byte transactions. It's a wart

[...]

> But more to the point, it does not solve any of the problems that were
> originally provided as justification, apart from making it slightly
> simpler to implement an SPV wallet (no need to get the coinbase tx).

It's important to keep in mind that "SPV wallet" also includes any kind of automated bridge that requires knowledge of Bitcoin transaction inclusion. What's simple to implement in a rust-bitcoin wallet may be extremely hard in a smart contract. Or maybe it's indeed trivial.

It could be a useful illustration if someone implements such a bridge using any of the proposed covenant op codes, and shows the difference in complexity between having the 64 byte limit and not having it.

I do agree that people should read these other threads to form an opinion on the topic. And the BIP should point to these threads if it doesn't already.

- Sjors

[Anthony Towns]

On Sat, Mar 29, 2025 at 12:02:32PM +0100, Sjors Provoost wrote:
> On Fri, Mar 28, 2025, at 20:53, er...@voskuil.org wrote:
> > But more to the point, it does not solve any of the problems that were
> > originally provided as justification, apart from making it slightly
> > simpler to implement an SPV wallet (no need to get the coinbase tx).
> It's important to keep in mind that "SPV wallet" also includes any kind of automated bridge that requires knowledge of Bitcoin transaction inclusion. What's simple to implement in a rust-bitcoin wallet may be extremely hard in a smart contract. Or maybe it's indeed trivial.
>
> It could be a useful illustration if someone implements such a bridge using any of the proposed covenant op codes, and shows the difference in complexity between having the 64 byte limit and not having it.

I think it's almost certainly easy to just avoid being concerned with 64
byte transactions for a bridge:

* for txs moving value off of bitcoin, the bridge will certainly want
the funds secured in some output, so that will naturally be more than
4 bytes;

* for txs moving value back to bitcoin, there'll usually be two outputs
(one for amount being moved, one for change), and almost always, the
recipient of the funds will want them secured; either of which gives
a more than 64 byte tx. it's only if the bridge explicitly supports
burning funds (entirely, or to fees) and is precisely burning a full
utxo with no change; but in that case the bridge can just require
the output be an op_return that pushes three or more bytes of data.

* additionally, if the bridge doesn't manage fees in-band (with bridged
funds), but does it out of band via a p2a output, that also ensures
that none of its txs will be 64 bytes.

Similar consideraions mostly apply to SPV wallets as well -- if you're
trying to trick someone into believing they've received some funds, you'll
need to supply a tx that includes an output that matches their wallet,
which will be more than 4 bytes, so won't match a 64-byte tx; and if
you're trying to trick them into thinking they've burnt some of their
funds, you'll need to get a "64-bit tx" that includes a txid/vout pair
that matches one of their utxos, which is roughly a 256-bit collision,
so should be cryptographically hard...

Cheers,
aj

[er...@voskuil.org]

> Hi Eric,
>
> Thanks for chiming in.

Certainly, thank you as well for your work on this.

> > This kind of discontinuity always comes back to bite eventually. That concern
> should not be dismissed so casually.
>

> I don't think i've dismissed your concern when you brought this up last year. In
> fact i link to my summary of arguments on both sides of this debate in the BIP:
> https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/41.

You have been fair. I don't mean to imply that you dismissed the points I raised. But it doesn't seem to me that this discontinuity has been given much weight. This was the issue that Jeremy raised.

>>> It's a wart in how transactions work, and future upgrades (especially around tx programmability) might integrate very poorly with this kind of edge condition.

From my experience every condition magnifies complexity over time. We are talking about moving a condition from SPV clients into consensus.

> > But more to the point, it does not solve any of the problems that were
> originally provided as justification, apart from making it slightly simpler to
> implement an SPV wallet (no need to get the coinbase tx).
>

> I did provide an incorrect motivation at some point (caching), and appreciate
> your correction on this. But the main original motivation for invalidating 64
> bytes transactions was always to get rid of the footgun for SPV verifiers...

This thread contains the technical discussion on the question:
https://groups.google.com/g/bitcoindev/c/CAfm7D5ppjo/m/MsOdTqYyCwAJ

Your early response to my query listed:
(1) make node invalidity caching more performant.
(2) preclude the need for SPV clients to get the coinbase proof.
(3) "Finally, it would get rid of a large footgun in general. Certainly, unique block hashes would be a useful property for Bitcoin to have. It's not far-fetched to expect current or future Bitcoin-related software to rely on this."

The tradeoff was described as:
"Outlawing 64-bytes transactions is also a very narrow and straightforward change, with trivial confiscatory effect as any 64-bytes transactions would either be unspendable or an anyone-can-spend. Therefore i believe the benefits of making them illegal outweigh the costs."

I realize there was a lot of subsequent discussion , and that you accepted that 1 and 3 would not in fact be benefits of the fork. But the third objective was not limited to caching. One of my concerns was that people were being influenced by these objectives that would not in fact be achieved or even advanced.

> And as Sjors points out SPV verifiers shouldn't be reduced to only SPV wallets.

Let's say SPV clients. I wasn't making an intentional distinction except between consensus and non-consensus code.

> > If people agree that this is a worthwhile trade, I'm not going to lose any sleep
> over it.
>

> This is my position and the reason why i included it in my BIP. Of course
> introducing this discontinuity is pretty ugly. I just believe it's less bad than
> keeping the weakness that 64 bytes transaction introduce.
>
> I am also not married to the idea. In fact, i think it's one of the less important
> fixes from the proposal. But as things stand i think it's preferable to include it.
> Of course i am happy to reconsider in the face of new arguments and/or data.
>
> Best,
> Antoine

Best,
Eirc

> On Friday, March 28th, 2025 at 3:53 PM, er...@voskuil.org <er...@voskuil.org>

> https://groups.google.com/d/msgid/bitcoindev/065901dba01b%242164fff
> 0%24642effd0%24%40voskuil.org.

[Antoine Poinsot]

Jeremy,

Thanks for your recommendations. I suggest you lead by example.

"Discussed at length" is not about me. My hastily sharing mistaken results [0] a week ago shouldn't obscure the fact that 64 bytes transactions have been studied and generally considered harmful since at least 2017 [1], almost a decade ago.

Regarding your other questions i don't think you, of all people, are in a position of taking this moral high ground and interrogating tone when it comes to consulting industry stakeholders at large about a consensus change.

That said, i (as well as others) have in fact been discussing Consensus Cleanup with some miners (hashers as well as pools) for a while. I intend to share some testing results soon.

Antoine

[0] https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/82

[1] https://bitslog.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/afedbc69-8042-4fe8-99c2-279173a440f3n%40googlegroups.com.

[Antoine Poinsot]

Hi Eric,

Thanks for chiming in.

> This kind of discontinuity always comes back to bite eventually. That concern should not be dismissed so casually.

I don't think i've dismissed your concern when you brought this up last year. In fact i link to my summary of arguments on both sides of this debate in the BIP: https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/41.

> But more to the point, it does not solve any of the problems that were originally provided as justification, apart from making it slightly simpler to implement an SPV wallet (no need to get the coinbase tx).

I did provide an incorrect motivation at some point (caching), and appreciate your correction on this. But the main original motivation for invalidating 64 bytes transactions was always to get rid of the footgun for SPV verifiers. For instance see Matt's original BIP: https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197d3eabe661050c2/bip-XXXX.mediawiki#discussion.

And as Sjors points out SPV verifiers shouldn't be reduced to only SPV wallets.

> If people agree that this is a worthwhile trade, I'm not going to lose any sleep over it.

This is my position and the reason why i included it in my BIP. Of course introducing this discontinuity is pretty ugly. I just believe it's less bad than keeping the weakness that 64 bytes transaction introduce.

I am also not married to the idea. In fact, i think it's one of the less important fixes from the proposal. But as things stand i think it's preferable to include it. Of course i am happy to reconsider in the face of new arguments and/or data.

Best,
Antoine

On Friday, March 28th, 2025 at 3:53 PM, er...@voskuil.org <er...@voskuil.org> wrote:

>
>

> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/065901dba01b%242164fff0%24642effd0%24%40voskuil.org.