bitcoinjs / bitcoinjs-lib

A JavaScript Bitcoin library for node.js and browsers.
MIT License

Migrating from bitcoin.TransactionBuilder to bitcoin.psbt #1613

Closed deceive3w closed 4 years ago

deceive3w commented 4 years ago

I have been using bitcoin.TransactionBuilder and it's working fine. Do I have to change to bitcoin.psbt? Since we don't have the rawTransaction, it's hard to build a bitcoin.psbt because it needs nonWitnessUtxo / witnessUtxo.

junderw commented 4 years ago

If you use segwit, you don't need the rawTransaction at all.

It is a good reason to start using only segwit.

deceive3w commented 4 years ago

I am using it for Dogecoin; Dogecoin is non-segwit.

junderw commented 4 years ago

Well, the reason why Psbt requires the nonWitnessUtxo for non-segwit is because the old way (TransactionBuilder) is extremely dangerous (especially if you use an external service to get your utxo info)... We accepted that danger because you can mitigate that danger by always getting UTXO data from a full node YOU control. But now Psbt requires the previous transaction so you can 100% confirm the value of the UTXO you are spending.

We are considering adding an unsupported method for disabling the check for nonWitnessUtxo (basically, a small part of Psbt that you would need to intentionally break to stop the validation), which should be in before TransactionBuilder is removed.

junderw commented 4 years ago

https://github.com/bitcoinjs/bitcoinjs-lib/pull/1563/commits/0c52803ba1fe5ae8dd3b84ad50bd84b0878d17de

Here's the commit, which is currently in an open pull request. Basically, in order to skip the check you would need to edit a private internal variable (which in TypeScript will force // @ts-ignore and in JavaScript force you to modify psbt.__CACHE.__UNSAFE_SIGN_NONSEGWIT = true), which will make anyone reviewing your code say "UMMMMM WHAT DOES THIS MEAN!?!?!?" :+1:

deceive3w commented 4 years ago

Sorry, I didn't understand. Using an external service to get the UTXO is dangerous? If the UTXO is not valid, the transaction gets rejected.

junderw commented 4 years ago

value.

If I am a miner, and I run some explorer "A"

I can lie to you:

utxo1 actually is 10 BTC, but I say it is 9 BTC.

You sign utxo1 and make a change output assuming it is 9 BTC.

You broadcast to my explorer.

I mine your tx.

I steal 1 BTC in fees.
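The check that supplying the previous transaction makes possible, as an added example that is not from the thread participants or bitcoinjs-lib's own code: hash the supplied previous transaction, confirm it matches the outpoint txid, and only then read the output value. The sample transaction is constructed, the function names are hypothetical, and only legacy (non-segwit) serialization is handled.

```javascript
// Added example: assumes the previous tx uses legacy (non-segwit) serialization.
const crypto = require('crypto');

const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
// txid = double SHA-256 of the serialized tx, displayed byte-reversed.
const txidOf = (raw) => Buffer.from(sha256(sha256(raw))).reverse().toString('hex');

function readVarInt(buf, o) {
  const f = buf[o];
  if (f < 0xfd) return [f, o + 1];
  if (f === 0xfd) return [buf.readUInt16LE(o + 1), o + 3];
  if (f === 0xfe) return [buf.readUInt32LE(o + 1), o + 5];
  return [Number(buf.readBigUInt64LE(o + 1)), o + 9];
}

// Returns the output values (base units, as BigInt) of a legacy-serialized tx.
function outputValues(raw) {
  let o = 4, n, len;                      // skip the 4-byte version
  [n, o] = readVarInt(raw, o);
  if (n === 0) throw new Error('segwit or empty serialization not handled here');
  for (let i = 0; i < n; i++) {
    [len, o] = readVarInt(raw, o + 36);   // skip outpoint (32-byte txid + 4-byte vout)
    o += len + 4;                         // skip scriptSig and sequence
  }
  [n, o] = readVarInt(raw, o);
  const values = [];
  for (let i = 0; i < n; i++) {
    values.push(raw.readBigUInt64LE(o));
    [len, o] = readVarInt(raw, o + 8);
    o += len;                             // skip scriptPubKey
  }
  if (o + 4 !== raw.length) throw new Error('malformed transaction');
  return values;
}

// Value of outpoint txid:vout, trusted only if prevTxHex really hashes to txid.
function verifiedValue(prevTxHex, txid, vout) {
  const raw = Buffer.from(prevTxHex, 'hex');
  if (txidOf(raw) !== txid) throw new Error('previous tx does not match outpoint txid');
  const values = outputValues(raw);
  if (vout >= values.length) throw new Error('vout out of range');
  return values[vout];
}

// Constructed sample: one input, one P2PKH output worth 10 coins (1,000,000,000 base units).
const SAMPLE_PREV_TX_HEX = '01000000' + '01' + '11'.repeat(32) + '00000000' + '00' +
  'ffffffff' + '01' + '00ca9a3b00000000' + '19' + '76a914' + '22'.repeat(20) + '88ac' + '00000000';
```

A copy of the previous transaction with the value edited down to 9 coins hashes to a different txid, so `verifiedValue` throws instead of returning the false amount.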

deceive3w commented 4 years ago

Thank you very much. I am testing it on testnet, and it's so dangerous since we are using a public explorer. Glad you told me.