Introduction
You will have heard about re-enabling OP_CAT as a possible improvement to bitcoin's script language. Depending on where you get your information, OP_CAT has been called "only 10 lines of code", "the best way to enable experimentation with covenants", "too powerful", "dangerous and leading to miner centralization", or "guaranteed to lead to a contentious soft fork". I will make the case that all of these views are mistaken. OP_CAT is very useful, can be used as a covenant, and is not (alone) the best next move for bitcoin. Nothing more, and nothing less.
To make that case, I will explore several (apparently disjoint) topics, some of which were new to me a few short months ago. I will try to arrange this in a way that provides the necessary background in one place.
How and What OP_CAT Does
Introspection with CAT
Let's tackle the burning question that many have when first exposed to OP_CAT. How can a few lines of code that combine two items from the stack into one (A B CAT -> AB) possibly enable anything interesting? Andrew Poelstra has explained it eloquently in recent interviews, and I posted a silly and brief explanation:
Bitcoin is a bit weird, so it can also split things. Then SHA256 lets us undo hashes. Then because cryptography is just math and we know how to grind, CAT lets us extract a hash from a signature verification. And consequently we can check anything hashed inside a signature…
— Rearden 🍯🦡 🦢 | embrace forks (@reardencode) May 17, 2024
Because bitcoin script is strictly a verification language, each opcode can be used forward or in reverse. A script can be given a hash and require a preimage, or be given a preimage and require a hash, using OP_SHA256. This insight gives us the first two parts of how OP_CAT covenants work.
If a bitcoin script could get access to a hash of the transaction it is verifying, it could require that the spending stack provide the hash preimage, split in whatever way the script requires, and then validate any particular part of that preimage. That is exactly what a covenant is: validating part of the transaction that spends some bitcoin.
That's great, but bitcoin doesn't have an opcode like OP_TXHASH to give the script access to the transaction's hash. Here, we use the BIP340 Schnorr signature verification equation to require that the user provide the hash. With the public key and the nonce both fixed to the generator point (private key 1, nonce 1), the signature's s value is just the challenge hash e plus one, and e is a hash that commits to the transaction's sighash. So if the user provides a 31-byte value that becomes the challenge hash when the script concatenates the byte 0x00 to the end of it, that same value will also be the s half of a valid BIP340 signature when the script instead concatenates the byte 0x01 to it. Making the challenge hash end in 0x00 is where the grinding comes in: on average 256 variations of some free transaction field are needed.
Combining these techniques allows OP_CAT to examine any part of its spending transaction that can be signed, and even to look back at its parent transactions in some limited ways. With some careful codecraft, one can build Purrfect Vaults, CatVM, and more.
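The following is an added worked example, not code from the article or from any of the projects it mentions. It implements BIP340 verification in pure Python and then runs the "Schnorr trick" described above: the pubkey and nonce are both fixed to the generator point, a constructed stand-in for the taproot sighash (a hash over a counter, standing in for whatever free transaction field is ground) is varied until the challenge hash ends in 0x00, and `script_side` then does what the OP_CAT script would do with the 31 bytes the witness supplies. The function and variable names, the sample "transaction", and collapsing the transaction data into a single 32-byte message are assumptions made for illustration; a real script would hash the pushed transaction fields itself.

```python
# Added example (not from the article): the BIP340 "Schnorr trick" that lets an
# OP_CAT script force the witness to reveal the hash a CHECKSIG commits to.
# Pure-Python secp256k1 arithmetic and BIP340 verification, written for illustration.
import hashlib

# secp256k1 curve constants
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)
GX32 = GX.to_bytes(32, "big")  # x-only pubkey for private key 1; also the nonce point

def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(p, n):
    r = None
    while n:
        if n & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        n >>= 1
    return r

def tagged_hash(tag, msg):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def lift_x(x):
    """x-only pubkey -> curve point with even y, per BIP340."""
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if y * y % P != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)

def bip340_verify(pubkey32, msg32, sig64):
    """BIP340: R = s*G - e*P must equal the nonce point r and have even y."""
    pk = lift_x(int.from_bytes(pubkey32, "big"))
    r = int.from_bytes(sig64[:32], "big")
    s = int.from_bytes(sig64[32:], "big")
    if pk is None or r >= P or s >= N:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig64[:32] + pubkey32 + msg32), "big") % N
    R = point_add(point_mul(G, s), point_mul(pk, N - e))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def challenge(msg32):
    """Challenge hash e with both the nonce R and the pubkey fixed to G."""
    return tagged_hash("BIP0340/challenge", GX32 + GX32 + msg32)

def sample_sighash(counter):
    """Constructed stand-in for the taproot sighash of a transaction whose free
    field (e.g. a locktime or fee nudge) is `counter`."""
    return hashlib.sha256(b"constructed-tx" + counter.to_bytes(4, "big")).digest()

def grind(make_sighash, max_tries=1 << 16):
    """Vary the free field until the challenge hash ends in 0x00 (expected 256
    tries). Returns (counter, sighash, 31-byte prefix of e) for the witness."""
    for ctr in range(max_tries):
        m = make_sighash(ctr)
        e = challenge(m)
        if e[-1] == 0x00:
            return ctr, m, e[:31]
    raise RuntimeError("no suitable transaction found")

def script_side(e_prefix31, msg32):
    """What the OP_CAT script does with the 31 bytes the witness supplies:
    CAT 0x00 gives the challenge hash; CAT 0x01 gives s (d = k = 1, so s = e + 1);
    Gx || s is the signature handed to CHECKSIG against pubkey Gx."""
    e = e_prefix31 + b"\x00"
    s = e_prefix31 + b"\x01"
    sig = GX32 + s
    hash_matches = e == challenge(msg32)       # script recomputes e from the tx data
    sig_valid = bip340_verify(GX32, msg32, sig)  # CHECKSIG accepts the rebuilt sig
    return hash_matches, sig_valid
```

Both checks have to pass together: the signature check ties the 31 bytes to the transaction actually being validated, and the recomputed hash ties the transaction fields on the stack to those same 31 bytes, which is what lets the script then inspect any of those fields. The prefix-plus-one relationship only holds because the last byte is 0x00, so no carry propagates; a challenge hash at or above the group order is a negligible edge case that this toy code does not handle.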
Different makes use of for CAT
But we shouldn't. Building these things with OP_CAT results in difficult-to-maintain abominations. Instead, we should use OP_CAT for what it is good at, and there is plenty of that: it enables the equivalent of OP_CHECKSEPARATESIG, checking Merkle inclusion proofs, combining data for signature verification with OP_CHECKSIGFROMSTACK, and more.
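As an added illustration of the Merkle inclusion use case (not code from the article or from any bitcoin implementation), here is a locking script built only from OP_SHA256, OP_SWAP, OP_IF/OP_ENDIF, OP_CAT and OP_EQUAL, executed on a toy interpreter that implements just those opcodes. The tree construction, the leaf data, and the single-SHA256 hashing are constructed for this example; bitcoin's own txid tree uses double SHA256, and a production design should domain-separate leaf and interior hashes, which this toy does not.

```python
# Added example (not from the article): a Merkle inclusion proof checked by a
# script made of OP_CAT, OP_SHA256 and OP_SWAP, run on a minimal interpreter.
import hashlib

def sha256(b):
    return hashlib.sha256(b).digest()

def truthy(v):
    """Script truthiness: the empty vector and all-zero bytes are false."""
    return any(v)

def run_script(witness, script):
    """Execute `script` (bytes pushes and opcode names) over the witness stack.
    Returns True when exactly one true item remains, mirroring script success."""
    stack = list(witness)
    skip = 0  # nesting depth of OP_IF branches currently being skipped
    for op in script:
        if skip:
            if op == "OP_IF":
                skip += 1
            elif op == "OP_ENDIF":
                skip -= 1
            continue
        if isinstance(op, bytes):
            stack.append(op)
        elif op == "OP_CAT":            # A B CAT -> AB
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "OP_SHA256":
            stack.append(sha256(stack.pop()))
        elif op == "OP_SWAP":
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == "OP_IF":
            if not truthy(stack.pop()):
                skip = 1
        elif op == "OP_ENDIF":
            pass
        elif op == "OP_EQUAL":
            b, a = stack.pop(), stack.pop()
            stack.append(b"\x01" if a == b else b"")
        else:
            raise ValueError("unsupported opcode %r" % op)
    return len(stack) == 1 and truthy(stack[0])

def build_levels(leaves):
    """Hash the leaves and build every level up to the root; a level with an
    odd node count duplicates its last node, as bitcoin's block tree does."""
    level = [sha256(leaf) for leaf in leaves]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_proof(levels, index):
    """[(sibling_hash, our_node_is_left_child), ...] from the leaf upward."""
    proof = []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def inclusion_script(root, depth):
    """Locking script: hash the leaf; per level, bring the direction flag up,
    order the pair with OP_SWAP under OP_IF, then OP_CAT and OP_SHA256;
    finally compare against the committed root."""
    script = ["OP_SHA256"]
    for _ in range(depth):
        script += ["OP_SWAP", "OP_IF", "OP_SWAP", "OP_ENDIF", "OP_CAT", "OP_SHA256"]
    return script + [root, "OP_EQUAL"]

def witness_for(leaf, proof):
    """Witness items bottom to top: (sibling, flag) for the level nearest the
    root first, so the level nearest the leaf sits directly under the leaf."""
    items = []
    for sibling, is_left in reversed(proof):
        items += [sibling, b"\x01" if is_left else b""]
    return items + [leaf]

def check_inclusion(leaves, index, claimed_leaf):
    """Build the tree, prove position `index`, and run the script on `claimed_leaf`."""
    levels = build_levels(leaves)
    script = inclusion_script(levels[-1][0], len(levels) - 1)
    return run_script(witness_for(claimed_leaf, merkle_proof(levels, index)), script)
```

The script is unrolled once per tree level, so its length is fixed by the tree depth committed at locking time; the witness supplies only the leaf, the siblings, and one direction flag per level. Note that OP_CAT's 520-byte result limit is never approached here, since each concatenation is exactly two 32-byte hashes.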
Issues with CAT
Now that we know what CAT does, what's the problem? Why have people (myself included) said that it is a dangerous beast? Using the introspection technique described above, CAT enables two particular constructions: hashrate escrows, and (supposedly) automated market makers (AMMs). Until recently, both of these were considered significant risks of bringing centralizing MEV to bitcoin.
MEV, MEVil and Miner Centralization
The term MEV (Miner Extractable Value) is a bit confusing. In the plainest interpretation it would include transaction fees, which of course we want paid to miners to help ensure the security of bitcoin long into the future. MEV is generally used to mean additional value that miners can extract from their blocks beyond the fees visible on the public relay network. This can come in the form of out-of-band payments, miners participating in contracts and reordering transactions in ways that favor themselves, or even outright theft of goods and services by miners mining blocks that reorg and double-spend a confirmed payment to a merchant. All of these forms of MEV can be considered generally harmful to the participants in the network, since the miners are using their position in the network for their own benefit at the expense of other network participants. However, MEV alone does not present a systemic problem by driving miner centralization, only a local problem for the specifically impacted participants.
MEVil is a term that is sometimes used for MEV which drives miner centralization. I prefer the term centralizing MEV and will use it going forward. Several things are necessary to turn MEV into centralizing MEV:
- It must be sufficiently difficult to extract that an open source block template builder cannot reasonably extract it
- The total value extractable must grow with a miner's bitcoin hash rate
- The extractable value must justify the cost of extraction
If all of these requirements are met then only a sufficiently large miner will have the incentive to begin extracting the MEV. Once they do, they will be able to outpace their smaller peers' growth thanks to the additional revenue extracted. The more costly the MEV is to extract (up to the point where it isn't worth it for any miner), the worse the centralizing pressure it creates.
Avoiding centralizing MEV is then (in a sense) simple: make sure that whatever opportunities for MEV exist on bitcoin are either so easy to extract that everyone does it, or cost more to extract than they are worth (either because they are so small or because they are so costly).
For more information, check out @TheBlueMatt's recent post.
Hashrate Escrows (née Drivechains)
Many years ago (before the Lightning Network or ideas like Ark, Timeout Trees, roll-ups, BitVM, or CatVM) sidechains were considered the ultimate scaling solution for bitcoin. The idea was conceptually simple: bitcoin blocks must stay limited in size for all the usual decentralization reasons, but we can attach sidechains to bitcoin and those can have faster blocks, bigger blocks, more computation, or whatever. In practice, however, implementing sidechains was not so easy. Bitcoin's final settlement is fundamentally tied to proof of work, an unfalsifiable cost to reorder transactions; how does a sidechain inherit that? Also, how can bitcoin be transferred to and from the sidechain? The best known proposal to answer these two questions is called Drivechains (BIPs 300 and 301). I won't bore you with the details of Drivechains, but suffice it to say, there are only two outcomes for such sidechain systems: either they are relatively unused (and therefore useless) or they are widely used and become a de facto block size increase for bitcoin. A de facto block size increase of this kind is a form of centralizing MEV where only larger miners will be able to cheaply participate in the additional revenue opportunities offered by the potentially large and complex sidechain blocks.
Hashrate escrows, which can be built with OP_CAT, are one small part of the Drivechains proposals. They are a system for restricting withdrawals from sidechains by using a counter whose value can only be modified by miners, starts at a high value, and must reach zero before a sidechain withdrawal can be processed. This is claimed to be a "trustless" transfer out of a sidechain, but it actually creates a federation of miners with control of all bitcoin held in sidechains.
Since the development of the Drivechains proposals, it has become (to our detriment) common to refer to any proposal which can be used to create a withdrawal predicated on a miner-controlled counter as "Drivechains". Hopefully it is clear at this point why this inappropriate shorthand is unhelpful: Drivechains are either worthless or dangerous, but hashrate escrows are merely a way to transfer control of the outcome of some transaction to the implicit federation of miners.
Tokens and AMMs
Tokens
For reasons that will never be entirely clear to me, people love a good token (or a bad token, or really just tokens). Nearly from the beginning of bitcoin there has been talk of how to embed other tokens into the protocol, from Colored Coins and Counterparty to the more recent Taproot Assets and Runes. All of these protocols have one thing in common: they require an external index of bitcoin transactions that either has knowledge of external data or processes data from the sequence of bitcoin transactions in order to determine the transformations of tokens within the protocol. The salient point for this article is that bitcoin locking scripts are completely unaware of the existence of the tokens, and even bitcoin nodes that validate transactions are unaware of the tokens (i.e. even if a bitcoin locking script had full access to the entire bitcoin UTXO set, it could not discover the state of any of these tokens).
Automated Market Makers (AMMs)
On other blockchain systems it is common for contracts known as AMMs to be used to (for example) make a market between two tokens by buying and selling them according to a pricing formula. The rules that can be encoded in an AMM are beyond the scope of this article. Suffice it to say that AMMs create huge opportunities for MEV and, because of the private exchange relationships needed to maximize the returns on that MEV, also centralizing MEV. This has often been used as an argument against building more expressive bitcoin scripts, and we genuinely do want to avoid exposing the bitcoin network to the vagaries of centralizing MEV. However, as I have described above, there simply is no practical way for bitcoin scripts, no matter how expressive, to evaluate the state of any token other than bitcoin. Bitcoin scripts cannot locate a rare sat. They cannot find a Rune balance. They cannot identify a Taproot Asset.
Without access to any information about the disposition of non-bitcoin assets, the entire concept of a bitcoin script based AMM ceases to make sense. Token positions can be attested to by a signature from an oracle, but oracle attestations do not make an AMM. They can be used to facilitate specific manual trades, but not a robust automated system. Moreover, such an oracle-based system could be built today with no changes to bitcoin.
Conclusion
As you can hopefully see, CAT is not such a frightful beast. It is not really much of a beast at all. It has neither infinite capability nor magical powers. It is just a little opcode that is very useful. The one thing we probably want to avoid is activating OP_CAT without another way to do transaction introspection, such as OP_TXHASH, OP_TX, or both. Even enabling it with LNHANCE is an improvement on OP_CAT alone, because it reduces the size and complexity of the scripts needed to achieve many OP_CAT introspection protocols.
I think at this point, the "CAT introduces infinite everything" has been reduced to ~nothing. It introduces useful introspection in a shitty way that nobody should use. To help people not use it, we should enable CAT together with TXHASH or similar. https://t.co/nvnxYn66Um https://t.co/1Ag5TwjuUw
— Rearden 🍯🦡 🦢 | embrace forks (@reardencode) May 17, 2024
This is a guest post by Brandon Black. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.