Security News
Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" by Security Experts
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
@interlay/bitcoin-spv-sol
Advanced tools
bitcoin-spv
is a collection of Solidity libraries for working with Bitcoin
transactions in Solidity contracts. Basically, these tools help you parse,
inspect, and authenticate Bitcoin transactions.
It is extremely easy to write insecure code using these libraries. We do not recommend a specific security model. Any SPV verification involves complex security assumptions. Please seek external review for your design before building with these libraries.
ValidateSPV#prove
no longer require the leaf or root hashStarting from version 1.1.0
, required solidity compiler (solc
) version is
at least 0.5.10
.
An SPV interaction has two players: a prover and a verifier. The prover submits an SPV proof, and the verifier checks it.
The proof must contain several elements: a transaction, an inclusion proof, and a header chain. For convenience and gas minimization, we have a standard format for these:
vin
vout
While the prover is off-chain, and makes Ethereum transactions, the verifier is
implemented as a solidity contract that validates proofs contained in those
transactions. The verifier must set one parameter on-chain: the required total
work, expressed as accumulated difficulty. The verifier sums difficulty across the header chain by measuring the work in its component headers.
In addition, the verifier may set any number of other acceptance constraints
on the proof. E.g. the contract may check that the vout
contains an
output paying at least 30,000 satoshi to a particular scriptPubkey
.
1.0.0 was accessible only by the EVM's DELEGATECALL
. For v2.0.0 we give you
the option to use DELEGATECALL
or to compile the library methods into your
contract.
Compiling them in will save several hundred gas per invocation. That's
significant for higher-level functions like prove
in ValidateSPV
. But it
does add additional deployment cost to your contracts.
If you're using the Delegate, make sure to add a linking step to your deployment scripts. :)
Usage Example:
import {BTCUtils} from "./contracts/BTCUtils.sol";
import {BTCUtilsDelegate} from "./contracts/BTCUtilsDelegate.sol";
contract CompilesIn {
using BTCUtils for bytes;
function multiHash(bytes memory _b) {
return keccak256(_b.hash256()); // Compiled In
}
}
contract DelegateCalls {
using BTCUtilsDelegate for bytes;
function multiHash(bytes memory _b) {
return keccak256(_b.hash256()); // DELEGATECALL
}
}
contract MixedAccess {
function multiHash(bytes memory _b) {
return keccak256(BTCUtils.hash256(_b)); // Compiled In
}
function multiHashWithDelegate(bytes memory _b) {
return keccak256(BTCUtilsDelegate.hash256(_b)); // DELEGATECALL
}
}
Contract | Version | Solc | Main | Ropsten |
---|---|---|---|---|
ValidateSPV | 1.0.0 | v0.4.25 | 0xaa75a0d48fca26ec2102ab68047e98a80a63df1d | 0x112ef10aef3bde1cd8fd062d805ae8173ec36d66 |
BTCUtils | 1.0.0 | v0.4.25 | 0xD0d4EA34e4a5c27cA40e78838a4Ed5C1bB033BbC | 0x7a79d4112d79af980e741e0b10c47ffa543cc93a |
BytesLib | 1.0.0 | v0.4.25 | 0x302A17fcE39E877966817b7cc5479D8BfCe05295 | 0xcc69fec9ba70d6b4e386bfdb70b94349aff15f53 |
ValidateSPV | 1.1.0 | v0.5.10 | NOT YET DEPLOYED | NOT YET DEPLOYED |
BTCUtils | 1.1.0 | v0.5.10 | NOT YET DEPLOYED | NOT YET DEPLOYED |
BytesLib | 1.1.0 | v0.5.10 | NOT YET DEPLOYED | NOT YET DEPLOYED |
ValidateSPV | 2.0.0 | v0.5.10 | NOT YET DEPLOYED | NOT YET DEPLOYED |
BTCUtils | 2.0.0 | v0.5.10 | NOT YET DEPLOYED | NOT YET DEPLOYED |
BytesLib | 2.0.0 | v0.5.10 | NOT YET DEPLOYED | NOT YET DEPLOYED |
By default, you must run an instance of ganache-cli
(or some other ganache
VM) when running tests.
$ npm run compile # truffle compile
$ npm run test # truffle test
$ npm run coverage
FAQs
bitcoin SPV proofs in Solidity
We found that @interlay/bitcoin-spv-sol demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
Security News
cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approaches.
Security News
Bun 1.2 enhances its JavaScript runtime with 90% Node.js compatibility, built-in S3 and Postgres support, HTML Imports, and faster, cloud-first performance.