We solved a P2SH transaction puzzle and redeemed Bitcoin
This is a success story about how we solved a transaction puzzle and collected a small sum of Bitcoin, all details included. Pay-to-script-hash (P2SH) are the most fascinating and curious kind of Bitcoin transactions.
They allow Bitcoins to be sent to the hash of a script, and such public addresses are easily recognized as they begin with a “3”, instead of legacy addresses that always begin with a “1”. (Native segwit addresses that begin with “bc1” are beyond the scope and limitation of this short write-up.)
The most intriguing aspect with P2SH addresses is that only their hashes and thus not their full script are revealed – until someone spends from such an address, we will get to that part shortly – in order for them to be valid. In other words, P2SH addresses can be seen as Bitcoin mystery boxes, as no one can know anything about their underlying scripts, which can be anywhere from super standard to extraordinarily complex and unique, and must furthermore comply with a large set of rules, of which some make a lot of sense, and some are just plain weird.
Bear in mind that every Bitcoin address is in fact a script, a programming language in itself, a piece of code, and that in order to spend from an address the script must be evaluated (or executed, if you will), and together with its inputs return “TRUE” and a clean stack. Of course, you don’t need to learn or know any of these terms and be a programmer to use Bitcoin; this is what wallet software is for, doing the coding for you and creating, broadcasting, and receiving transactions.
Some of us, however, like to take a peek under the hood, which is basically what this webpage is all about – pushing the envelope to see what we can learn and not the least, try and lay our hands on some Bitcoin. So-called transaction puzzled are therefore perfect targets, as they are meant to be hacked and swept by the person who solves the riddle.
Let’s cut straight to the chase and talk about how a P2SH is constructed. Bitcoin script is the underlying language, and it is a set of a smaller number of so-called opcodes. For example, “OP_1” is an opcode that means “push the number 1 onto the stack”, no more and no less. In fact, this single opcode can be used as a P2SH address – and it has been! But beware that doing so isn’t very clever for any other purpose than experimenting, as this will yield an “anyone can spend”-address, since it doesn’t ask for any signature or input of any kind. Whenever evaluated it will return a single positive integer stack, which in this programming language equals “TRUE”, and is therefore spendable. The hexadecimal code for OP_1 is “51”, and with a couple of lines of Python
>>> import binascii, hashlib, base58
>>> script = '51'
>>> base58.b58encode_check(binascii.unhexlify('05'+ hashlib.new('ripemd160', hashlib.sha256(binascii.unhexlify(script)).digest()).hexdigest())).decode()
'3MaB7QVq3k4pQx3BhsvEADgzQonLSBwMdj'
we can swiftly derive the public address 3MaB7QVq3k4pQx3BhsvEADgzQonLSBwMdj, which at the time of writing has been used 790 times.
It is difficult to imagine a simpler transaction puzzle than this, and it is not far-fetched to assume that at least a few incoming transactions to this address are mistakes due to programming errors. If you poke around some, it seems like any incoming transaction is swept literally the same minute it arrives, so we can safely assume this is a favorite address for blockchain bots.
How we found Bitcoin
Now onto our own finding. We played around with simple scripts, calculated their corresponding P2SH addresses, and looked them up on the blockchain. Much to our surprise, one of our first candidates gave a hit! By “hit” we mean an address with an unspent balance.
The script we came up with is
OP_1 OP_1 OP_EQUAL
which may be interpreted as “push the number 1 onto the stack, then push another number 1 onto the stack, and finally verify that the numbers are equal.” A mathematician would translate it to the equation “1 = 1 <=> TRUE”. The hexadecimal code for this not-so-brilliant script is “515187”, and by using the same Python code, we get 3PybRJKLVW9wcBWuBVfZitwcucMmKRB8Nx, which was funded 10 times with 546 satoshis each on April 1st this year. April fools’?
Amazingly, today almost four months later, no one had claimed it.
Constructing valid Bitcoin transactions is not always the easiest thing, and P2SH addresses like these, for which the signature script is identical to the script for the address itself, cannot be controlled by Bitcoin Core (confirmed by a developer here). So, we had to fire up our magic weapon – Notepad++ – and assemble the transaction manually (maybe the topic for a future post).
This post is not about how Bitcoin transactions are constructed but pay attention to two things: The transaction needs no signing (the script does not ask for one), in fact, it cannot be signed as there is no private key involved, and therefore the second you spend from the address, you give away the full solution, the sigscript, on the blockchain. So, such addresses are immediately “burned”. For this specific address, you only need to push “515187” to spend from it. For the protocol, here is the complete raw transaction we threw together:
0000403515187ffffffff124827559bb2965752dd80777ede14c42c79c489fea2c6c4a50129548b/
89a8d1080000000403515187ffffffff124827559bb2965752dd80777ede14c42c79c489fea2c6c/
4a50129548b89a8d1070000000403515187ffffffff124827559bb2965752dd80777ede14c42c79/
c489fea2c6c4a50129548b89a8d1060000000403515187ffffffff124827559bb2965752dd80777/
ede14c42c79c489fea2c6c4a50129548b89a8d1050000000403515187ffffffff124827559bb296/
5752dd80777ede14c42c79c489fea2c6c4a50129548b89a8d1040000000403515187ffffffff124/
827559bb2965752dd80777ede14c42c79c489fea2c6c4a50129548b89a8d1030000000403515187/
ffffffff124827559bb2965752dd80777ede14c42c79c489fea2c6c4a50129548b89a8d10200000/
00403515187ffffffff124827559bb2965752dd80777ede14c42c79c489fea2c6c4a50129548b89/
a8d1010000000403515187ffffffff124827559bb2965752dd80777ede14c42c79c489fea2c6c4a/
50129548b89a8d1000000000403515187ffffffff016c1100000000000017a9146b1420fe590900/
a50e9b7ba697854c44d808e4e58700000000
Look for instances of “515187” if you want to decipher it! We could broadcast the transaction in Bitcoin Core with the “sendrawtransaction” command in the console. It is in our humble opinion a little strange that you cannot create these transactions in the GUI client software, but you can use it to broadcast them, and they pass all tests and propagate fast through the network. But hey, we can live with that for now. Maybe in an upcoming version?
Finally, the evidence. Here is the transaction that shows that every satoshi (minus an unusually generous transaction fee) was sent to this page’s address.
We enjoyed cracking this nut and collecting the coins. What do you think? The blockchain is full of these little puzzles if you take the time to look for them. Will you give it a go and try it yourself?
One more thing!
Consider the donation address at the bottom of the page. We re-invest all contributions into new projects for btcleak.com. Help us create new content and remain ad-free forever. Thank you.
I love reading your articles. Makes me want to keep learning code.
If I ever redeem some Btc I’m throwing some your way.
Keep up the great work
I’d love to see a more detailed guide about how you created the transaction. For example, how did you push an unsigned transaction without getting a “scriptsig-not-pushonly” error?
can you show us the redeem script? and how you ‘calculate’ to make ‘formula’
big thanks for attention
i have address coresponded to redeem script that contain unspent and some outputs. if you help me im swear ill will tips you alot.
I know how to do it. Mail me 09retry_jovial@icloud.com