afilini
commented
6 years ago After working on this for a while, we came to the conclusion that it would be too hard to make sign-to-contract work with multisigs. It could still be an option for single sigs though.
As stated in the
protocol specification, in case of multisig addresses spending funds it's necessary that all the required signatures agree and include the same commitment.Assuming that all the signers check the previous signatures, this allows the last signer to effectively burn all the tokens linked to the UTXO being spent by signing the transaction without the same commitment and broadcasting it to the network.
To overcome this issue my proposal is to ask the signers to sign just the proof first and add all these signatures in a "witness area" of the proof itself. Later, they will all sign the transaction and add the commitment to this proof. In this way, even if only one of the signers adds the commitment in its transaction signature, this is enough to prove that all the party agreed on the proof he owns, since he can also show all the signatures.
This will obviously increase the size of all the proofs coming from multisig addresses, but right now I don't see any other way to fix this. Any ideas?