Introduction
You might have heard about re-enabling OP_CAT as a possible improvement to bitcoin's script language. Depending on where you get your information, OP_CAT has been called "only 10 lines of code", "the best way to enable experimentation with covenants", "too powerful", "dangerous and leading to miner centralization", or "guaranteed to result in a contentious soft fork". I'll make the case that all of these views are mistaken. OP_CAT is very useful, can be used as a covenant, and is not (alone) the best next step for bitcoin. Nothing more, and nothing less.
To make that case, I'll explore a number of (apparently disjoint) topics, some of which were new to me a few short months ago. I'll try to arrange this in a way that provides the necessary background in one place.
How and What OP_CAT Does
Introspection with CAT
Let's address the burning question that many have when first exposed to OP_CAT. How can a few lines of code that combine two items from the stack into one (A B CAT -> AB) possibly enable anything interesting? Andrew Poelstra has eloquently explained it in recent interviews, and I posted a silly and brief explanation:
Bitcoin is a bit weird, so it can also split things. Then SHA256 lets us undo hashes. Then because cryptography is just math and we know how to grind, CAT lets us extract a hash from a signature verification. And as a result we can check anything hashed inside a signature…
— Rearden 🍯🦡 🦢 | embrace forks (@reardencode) May 17, 2024
Because bitcoin script is strictly a verification language, each opcode can be used forwards or in reverse. A script can be given a hash and require the preimage, or be given a preimage and require the hash, using OP_SHA256; likewise, a script that needs to split a value can require the spender to supply the pieces and check that OP_CAT reassembles them. This insight gives us the first two components of how OP_CAT covenants work.
If a bitcoin script could get access to a hash of the transaction it is verifying, it could require that the spending stack provide the hash preimage, split in whatever way the script requires, and then validate any particular part of that preimage. That is exactly what a covenant is: validating part of the transaction that spends some bitcoin.
That's great, but bitcoin doesn't have an opcode like OP_TXHASH to give the script access to the transaction's hash. Here, we take advantage of the BIP340 Schnorr signature verification equation to force the user to provide the hash. The script fixes both the public key and the signature's nonce point to known values, so that the signature's s component is the challenge hash (which commits to the transaction hash) plus a known constant. If the user provides a value which, with the byte 0x00 concatenated to the end of it, equals the challenge hash the script recomputes from the transaction data on the stack, then the same value with the byte 0x01 concatenated instead is the s component of a valid BIP340 signature (with those other parameters fixed). The spender grinds the transaction until the challenge hash's last byte is 0x00, which is what makes both checks pass together.
Combining these techniques enables OP_CAT to check any part of its spending transaction that can be signed, and even to look back at its parent transactions in some limited ways. With some careful codecraft, one can build Purrfect Vaults, CatVM, and more.
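Here is the signature trick worked through in Python as an added example; it is not code from the article or from any of the projects it names. It implements BIP340 verification over secp256k1 from scratch, fixes both the public key and the nonce point to the generator G (so the private key and the nonce are both 1 and s = 1 + e mod n), grinds a constructed stand-in for the sighash until the challenge hash ends in 0x00, and then performs the two checks a CAT script would make: the spender's 31-byte prefix with 0x00 appended must equal the recomputed challenge hash, and the same prefix with 0x01 appended must be the s of a signature that verifies under key G. The sighash stand-in, the grinding field and all function names are assumptions of this example; a real script would rebuild the BIP341 sighash from the transaction fields the spender pushes.

```python
import hashlib

# secp256k1 curve parameters (field prime, group order, generator G)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
G_XONLY = G[0].to_bytes(32, "big")   # BIP340 x-only encoding of G


def tagged_hash(tag, msg):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for verification)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """BIP340 lift_x: the curve point with this x coordinate and even y, or None."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if y * y % P != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)


def bip340_verify(pubkey, msg, sig):
    """Plain BIP340 verification: s*G - e*P must equal a point R with even y and x == r."""
    pt = lift_x(int.from_bytes(pubkey, "big"))
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey + msg), "big") % N
    R = point_add(point_mul(s, G), point_mul(N - e, pt))
    return R is not None and R[1] % 2 == 0 and R[0] == r


def challenge(msg):
    """The challenge hash e when the script fixes pubkey P = G and nonce point R = G."""
    return tagged_hash("BIP0340/challenge", G_XONLY + G_XONLY + msg)


def grind_message(base):
    """Stand-in for the spender grinding a transaction field (assumption of this example)
    until the challenge hash ends in 0x00, so that e + 1 changes only that last byte."""
    for nonce in range(1 << 20):
        msg = hashlib.sha256(base + nonce.to_bytes(4, "big")).digest()
        if challenge(msg)[-1] == 0:
            return nonce, msg
    raise RuntimeError("no suitable nonce found")


def cat_covenant_check(msg, e_prefix):
    """What the CAT script checks, given the spender's 31-byte prefix e_prefix:
      <e_prefix> 0x00 CAT  must equal the challenge hash recomputed from the tx data, and
      <e_prefix> 0x01 CAT  must be the s of a signature that CHECKSIG accepts under key G.
    With d = k = 1 the true s is 1 + e, which is exactly e_prefix || 0x01 when e ends in 0x00."""
    if challenge(msg) != e_prefix + b"\x00":
        return False
    sig = G_XONLY + e_prefix + b"\x01"          # r = G.x, s = e + 1
    return bip340_verify(G_XONLY, msg, sig)


if __name__ == "__main__":
    nonce, msg = grind_message(b"constructed stand-in for the BIP341 sighash preimage")
    e_prefix = challenge(msg)[:31]
    print("nonce", nonce, "covenant passes:", cat_covenant_check(msg, e_prefix))
```

The grind costs about 256 attempts on average, since only the final byte of the hash has to come out as 0x00; in a real transaction the spender varies a field that the sighash commits to, such as an output amount or nLockTime. The check silently relies on e + 1 staying below the group order, which fails only with negligible probability.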
Different makes use of for CAT
But we shouldn't. Building these things with OP_CAT results in difficult-to-maintain abominations. Instead, we should use OP_CAT for what it's good at, and there's plenty of that: it enables the equivalent of OP_CHECKSEPARATESIG, checking Merkle inclusion proofs, combining data for signature verification with OP_CHECKSIGFROMSTACK, and more.
Issues with CAT
Now that we know what CAT does, what's the problem? Why have people (myself included) said that it's a dangerous beast? Using the introspection technique described above, CAT enables two specific constructions: hashrate escrows, and (supposedly) automated market makers (AMMs). Until recently, both of these were considered significant risks of bringing centralizing MEV to bitcoin.
MEV, MEVil and Miner Centralization
The term MEV (Miner Extractable Value) is a bit confusing. In the plainest interpretation it could include transaction fees, which of course we want paid to miners to help ensure the security of bitcoin long into the future. MEV is generally used to mean additional value that miners can extract from their blocks beyond the fees seen on the public relay network. This could come in the form of out-of-band payments, miners participating in contracts and reordering transactions in ways that favor themselves, or even outright theft of goods and services by miners mining blocks that reorg and double spend a confirmed payment to a merchant. All of these forms of MEV can be considered generally bad for the participants in the network, since the miners are using their position in the network to their own benefit at the expense of other network participants. However, MEV alone does not present a systemic problem by driving miner centralization, only a local problem for the specifically impacted participants.
MEVil is a term that is sometimes used for MEV which drives miner centralization; I prefer the term centralizing MEV and will use it going forward. Several things are necessary to turn MEV into centralizing MEV:
- It must be sufficiently difficult to extract that an open source block template builder cannot reasonably extract it
- The total value extractable must grow with a miner's share of bitcoin's hash rate
- The extractable value must justify the cost of extraction
If all of these requirements are met then only a sufficiently large miner will have the incentive to begin extracting the MEV. Once they do, they'll be able to outpace their smaller peers' growth due to the additional revenue extracted. The more costly the MEV is to extract (up to the point where it isn't worth it for any miner), the worse the centralizing pressure it creates.
Avoiding centralizing MEV then is (in a sense) simple: ensure that whatever opportunities for MEV exist on bitcoin are either so easy to extract that everyone does it, or cost more to extract than they're worth (either because they're so small or because they're so costly).
For more information, check out @TheBlueMatt's recent post.
Hashrate Escrows (née Drivechains)
Many years ago (before the Lightning Network or ideas like Ark, Timeout Trees, roll-ups, BitVM, or CatVM) sidechains were considered the ultimate scaling solution for bitcoin. The idea was conceptually simple: bitcoin blocks must stay limited in size for all the usual decentralization reasons, but we can attach sidechains to bitcoin and those can have faster blocks, bigger blocks, more computation, or whatever. In practice, however, implementing sidechains was not so easy. Bitcoin's final settlement is fundamentally tied to proof of work, an unfalsifiable cost to reorder transactions; how does a sidechain inherit that? Also, how can bitcoin be transferred to and from the sidechain? The best known proposal to answer these two questions is called Drivechains (BIPs 300 and 301). I won't bore you with the details of Drivechains, but suffice it to say, there are only two outcomes of such sidechain systems: either they're relatively unused (and therefore useless) or they're widely used and become a de facto block size increase for bitcoin. A de facto block size increase of this kind is a form of centralizing MEV where only larger miners will be able to affordably participate in the additional revenue opportunities offered by the potentially large and complex sidechain blocks.
Hashrate escrows, which can be built with OP_CAT, are one small part of the Drivechains proposals. It is a system of restricting withdrawals from sidechains by using a counter whose value can only be modified by miners, starts at a high value, and must reach zero before a sidechain withdrawal can be processed. This is claimed to be a "trustless" transfer out of a sidechain, but it actually creates a federation of miners with control of all bitcoin held in sidechains.
Since the development of the Drivechains proposals, it has become (to our detriment) common to refer to any proposal which can be used to create a withdrawal predicated on a miner-controlled counter as "Drivechains". Hopefully it is clear at this point why this inappropriate shorthand is unhelpful: Drivechains are either worthless or dangerous, but hashrate escrows are merely a way to transfer control of the outcome of some transaction to the implicit federation of miners.
Tokens and AMMs
Tokens
For reasons that will never be entirely clear to me, people love a good token (or a bad token, or really just tokens). Almost from the beginning of bitcoin there has been talk of how to embed other tokens into the protocol, from Colored Coins and Counterparty to the more recent Taproot Assets and Runes. All of these protocols have one thing in common: they require an external index of bitcoin transactions that either has knowledge of external data or processes data from the sequence of bitcoin transactions in order to determine the transformations of tokens within the protocol. The salient point for this article is that bitcoin locking scripts are completely unaware of the existence of the tokens, and even bitcoin nodes that validate transactions are unaware of the tokens (i.e. even if a bitcoin locking script had full access to the entire bitcoin UTXO set, it could not discover the state of any of these tokens).
Automated Market Makers (AMMs)
On other blockchain systems it is common for contracts called AMMs to be used to (for example) peg the ratio between two tokens by buying and selling at a fixed price. The rules that can be encoded in an AMM are beyond the scope of this article. Suffice it to say that AMMs create large opportunities for MEV and, because of the private trading relationships needed to maximize the returns on that MEV, also centralizing MEV. This has sometimes been used as an argument against building more expressive bitcoin scripts, and we genuinely do want to avoid exposing the bitcoin network to the vagaries of centralizing MEV. However, as I've described above, there simply isn't any practical way for bitcoin scripts, no matter how expressive, to evaluate the state of any token other than bitcoin. Bitcoin scripts can't find a rare sat. They can't find a Rune balance. They can't identify a Taproot Asset.
Without access to any information about the disposition of non-bitcoin assets, the entire concept of a bitcoin script based AMM ceases to make sense. Token locations can be attested to by a signature from an oracle, but oracle attestations don't make an AMM. They can be used to facilitate specific manual trades, but not a robust automated system. Moreover, such an oracle-based system could be built today with no changes to bitcoin.
Conclusion
As you can hopefully see, CAT isn't such a frightful beast. It may not be much of a beast at all. It has neither infinite capability nor magical powers. It is just a little opcode that can be very useful. The one thing we probably want to avoid is activating OP_CAT without another way to do transaction introspection, such as OP_TXHASH, OP_TX, or both. Even enabling it with LNHANCE is an improvement on OP_CAT alone, because it reduces the size and complexity of the scripts needed to achieve many OP_CAT introspection protocols.
I think at this point, the "CAT introduces infinite everything" has been reduced to ~nothing.
It introduces useful introspection in a shitty way that nobody should use. To help people not use it, we should enable CAT along with TXHASH or similar. https://t.co/nvnxYn66Um https://t.co/1Ag5TwjuUw
— Rearden 🍯🦡 🦢 | embrace forks (@reardencode) May 17, 2024
This is a guest post by Brandon Black. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.