2023-11-21 A 0-yuan purchase incident occurred on the much-watched Atomics Market trading platform, which has caused Atomics Protocol and its trading platform Atomics Market to fall into trouble recently. A series of questions about the ARC-20 token have sparked widespread discussion and questioning.
Atomicals Protocol & Atomicals Market
Atomics Market is an ARC-20 trading market that uses Atomics Protocol for ARC-20 transactions (Atomics Market and Atomics Protocls are not the same company)
Atomics Market issued a document on the 21st stating that it discovered a PBST flaw in its trading process based on the Atomicals Protocol, causing users to suffer losses when trading atom tokens.
At the same time, Atomics Protocol issued an article on the 24th to counter Atomics Market’s remarks and pointed out that the cause of the problem was Atomics Market’s negligence in using SIGHASH_NONE to sign in transactions, putting its users at risk. Atomics Protocol stated and warned that Atomics Market should not use SIGHASH_NONE for signatures (it is worth noting that SatsX, which is also an Atomics trading platform, does not seem to have a similar situation)
After analysis, it was found that the root cause of the 0 yuan purchase was that Atomics Market incorrectly used SIGHASH_NONE (TX:1623bf2997cde779dd9e0e2c54b5f7f196f36826dcb689e41acd7fff27ec5c93) in PSBT.
Before we further analyze the reason, we need to understand some preliminary knowledge. This is because BTC does not use an account model like Ethereum.
Bitcoin Unspent Transaction Outputs (UTXOs) represent a specific portion of Bitcoin ownership. Unlike traditional systems that utilize accounts and balances, Bitcoin operates through these individual Bitcoin segments. Each UTXO is defined by a specific value and represents a different portion of the Bitcoin transferred in the transaction.
During the course of a transaction, UTXO is consumed and no longer exists. Therefore, this operation generates one or more new UTXOs. The collection of these UTXOs, called the UTXO set, is maintained and updated by all network nodes. This happens every time a new block handles transactions that generate and destroy UTXOs. The UTXO set plays a key role in enabling nodes to independently confirm the legitimacy of transactions and the Bitcoin they intend to spend.
Partially Signed Bitcoin Transactions (PSBT) is a protocol in the Bitcoin ecosystem designed to increase the ease of transmitting unsigned transactions, enabling multiple participants to sign a single transaction simultaneously.
PSBT (Partially Signed Bitcoin Transaction) provides utility in a variety of scenarios. Consider creating a CoinJoin transaction involving three people. During this process, each of the three participants sends a message to the central coordinator. The message contains details of the UTXO (Unspent Transaction Output) they wish to include in the CoinJoin. Additionally, each participant specifies the address to which their share of Bitcoin should be returned after the CoinJoin transaction is completed.
Whats the problem?
Atomics Protocol mentions that in a secure PBST exchange step, the seller signs a 2nd input containing ARC 20 Atomic and receives a 2nd output of the payment amount.
Once the seller needs to sign with SIGHASH_SINGLE - ANYONECANPAY, the buyer can add their input to receive funds and add the receiving address for their purchase of ARC 20 tokens.
Then, Atomics Market does not use SIGHASH_SINGLE in swap, but SIGHASH_NONE.
We can look at the difference between NONE and SINGLE:
Since Atomics Market uses NONE, only one input is signed, which means that only the number of tokens sold is verified. Failure to sign the output means that the received tokens are not verified. As a result, malicious users can buy the users tokens for 0 yuan without paying the tokens.
33, 000 $ATOM
Atomics Market promises to compensate users for their losses.
Project parties should conduct in-depth research on the protocols they rely on, products need to undergo sufficient testing and auditing, and pay attention to the protocols themselves and the recommendations of security agencies.
About MetaTrust Labs
MetaTrust Labs is a leading provider of Web3 artificial intelligence security tools and code audit services incubated by Nanyang Technological University in Singapore. We provide advanced AI solutions that empower developers and project stakeholders to secure Web3 applications and smart contracts. Our comprehensive services include AI security scanning, code auditing, smart contract monitoring and transaction monitoring. By integrating AI, we ensure a secure ecosystem and enhance trust between users and developers.