I am currently studying for an exam and reviewing a past one from the CS 251: Bitcoin and Crypto Currencies course in Stanford with the following question on transaction signing. I have written my answers afterwards and would appreciate it if you could feedback if this correct or if something would need to be considered differently:
Recall that a Bitcoin transaction has a set of input addresses and a set
of output addresses. Usually, each input address signs the entire transaction (minus the signatures) to
authorize payment. This signature type is called SIGHASH_ALL.
In this question we explore other signature types where only portions of the transaction are signed.
Some of these types are already supported by the Bitcoin network and some are new. Whenever a
Bitcoin node validates a transaction, it checks the signatures on exactly what was signed and rejects the
transaction if any of the signatures are invalid.
For each transaction signing method listed below, decide if an attacker can steal funds from an input
address of a transaction submitted to the Bitcoin network. If so, explain how; if not, explain why not.
A. The secret key of each input address is used to sign the entire Txin (the input part of the
transaction, minus the signatures) and nothing else. That is, the Txout (the output part of the
transaction) is not signed. (this signature type is called SIGHASH_NONE)
This is not secure since a miner could simply change the Txout and thus change the payment to his address.
B. The secret key of each input address is used to sign the entire Txout and nothing else.
Hint: consider an address C for which there are 50 valid UTXOs that each credit C with 2 BTC (so
that address C is worth 100 BTC). Is there a situation where a Bitcoin user can drain Bitcoin from
address C without the owner’s authorization?
I do not see a risk there since the Txout is secured and thus cannot be changed. It should not matter that the Txout is not secured as a whole.
C. Suppose there are two inputs and two outputs. The secret key of the first input is used to sign
the entire Txin and the first output UTXO, and nothing else. The secret key of the second input
is used to sign the entire Txin and the second output UTXO, and nothing else. (this signature
type is called SIGHASH_SINGLE)
I assume that the same issue can occur as for D that miners can add further outputs and thus make the transaction invalid. However, they should not be able to steel funds as each output is signed.
D. Suppose there are two inputs and two outputs. The secret key of the first input is used to sign
the first input in Txin and the first output UTXO, and nothing else. The secret key of the second
input is used to sign the second input Txin and the second output UTXO, and nothing else.
I assume that a miner could add additional in- and outputs to the transaction since it is not secured as a whole. However, he could not steal funds with this approach but only make a transaction invalid, e.g. by adding more outputs and thus having outputs>inputs.
Thank you very much in advance for your help! I would also appreciate hints if you just have an idea on one part.