https://github.com/bitjson/cashtokens/blob/54ea2d20e7576379a4f1783613c393ae3660ec68/readme.md#technical-summary

I think the term "category" is something confusing.
In the document it would seem that the terms "token" and "category" are used interchangeably.
It seems to me that the use of the term "token" is much more accepted by the community of smart contract developers.

While this is implicit because of the fact that SIGHASH_FORKID is always required after August 2017, it would be nice to also see this in the specification as an explicitly stated thing.

This would avoid some implementations from e.g. forgetting to check that this flag must be active and somehow accepting "old" blocks that were invalid but that happened to use 0x20 -- this concern I have is imaginary really because we checkpoint in our nodes but -- just in case, it is worth mentioning in the spec.

The spec states;

The SIGHASH_UTXOS and SIGHASH_ANYONECANPAY types must not be used together; if a signature in which both flags are enabled is encountered during VM evaluation, an error is emitted (evaluation fails).

First of all, this should likely not be validatd in the VM, but before. But the real reason I'm opening this issue is because I don't think this should be a consensus rule. It feels very much like a standardness rule. Falls much more in line with the kind of checks that happen there anyway.

Disambiguate from cryptographic commitment which means hash of a message: https://en.wikipedia.org/wiki/Commitment_scheme#Bit-commitment_in_the_random_oracle_model

In this proposal, the NFT can carry an arbitrary user-set message, it doesn't have to be a hash of something although the covenant may require it to be.

With some tweaks, this can be adapted from Group v6.1

Rationale: https://bitcoincashresearch.org/t/chip-2022-02-cashtokens-token-primitives-for-bitcoin-cash/725/16

Input format

• transaction inputs
  • input 0
    • previous output transaction hash, 32 raw bytes
    • previous output index, 4-byte uint
    • unlocking script length, compact variable length integer
    • unlocking script
      • OPTIONAL: PFX_TOKEN_GENESIS, 1-byte constant 0xEF
        • token genesis hash type, 1-byte
        • token genesis has_nonfungible, 1-byte
        • token genesis commitment length, compact variable length integer
        • token genesis commitment, 0-40 raw bytes
        • token genesis amount, compact variable length integer
      • real unlocking script, variable number of raw bytes
    • sequence number, 4-byte uint
  • ...
  • input N

Note: same 0xEF codepoint can be used because it's another context - exclusive to inputs.

Genesis category ID derivation

categoryGenID == Hash(categoryGenPreimage), where:

• Hash is the double SHA-256 hash function, and
• categoryGenPreimage is byte concatenation of:
  1. Hash of the input's:
     - prevout transaction hash,
     - prevout index;
  2. Byte concatenation of genesis input parameters:
     - hash type,
     - has_nonfungible,
     - commitment length,
     - commitment,
     - amount;
  3. If hashType == 0x01 then append the double SHA-256 of the whole prevout UTXO serialization

Note: the input prefix will NOT be part of signature preimage, and doesn't need to be. See notes on malleability here.

Token logic validation

Add both the input's prevout token (if present) and the input-generated token to the input side tally of the transaction and enforce token logic over the sums all the same.

Introspection

In Script VM context, same codepoint 0xEF can be used to encode OP_INPUTTOKENGENESIS which would return concatenation of genesis parameters.

OP_UTXO... introspection opcodes will return the prevout's token if present, NOT the genesis one created with the input.

I already implemented this as types (2) and type (3). You just randomly changed it here without any discussion, rationale, and/or warning. It just creates extra work.

5f24bb6#diff-5a831ea67cf5cf8703b0de46901ab25bd191f56b320053be9332d9a3b0d01d15R424

Please revert the types to 0x2 and 0x3 as before. Thank you.

Suggested rationale

Wallet Address Type

Because we require transactions involving categorized outputs to be signed using modified signing serialization, funds unintentionally sent to non-upgraded wallets can't be accidentally lost and will be recoverable by importing the recipient's wallet into upgraded software.

The existing CashAddress standard supports extending the address through the use of a type bit, which could be used to indicate wallet support for receiving tokens:

Encoding the size of the hash in the version field ensure that it is possible to check that the length of the address is correct.

Type bits	Meaning	Version byte value
0	P2KH	0
1	P2SH	8

Further types will be added as new features are added.

However we expect that, over time, most wallets will support receiving and sending tokens.
Introducing two more address types just to signal readiness to receive tokens would only have a temporary benefit, while the cost of having to maintain two more address encodings would be permanent.

Therefore, we do NOT recommend a new address type.

Risks - Wrong Wallet Implementation

If a wallet would obtain a categorized output but be unable to spend it, then it could cause it to temporarily become unusable until the issue is resolved.

This could happen in two ways:

1. Non-upgraded and badly implemented wallet registering a categorized output as one of its own, which is unlikely and has been discussed;
2. Upgraded wallet having a bug in transaction building, which can be expected since bugs happen, and not all wallets pass through the same quality assurance processes.

Burning funds by non-upgraded wallets will not be possible since they wouldn't be able to produce a valid signature, and it would at worst result in temporary loss of service - users unable to send their funds until the issue is resolved.
The same would hold for upgraded wallets that are upgraded but have a bug that would prevent them from producing valid transactions.

The riskiest class of bugs is that of an upgraded wallet able to produce signatures but failing to properly account amounts to create categorized "change" outputs that would capture amounts not intended to be spent.
This risk was already present with pure BCH wallet implementations, where the result would be a donation to miners in form of fees.
With this proposal, the risk applies the same to token amounts - but instead of being donated they'd be burned.

This is a risk external to protocol development, and the only mitigation available is to write good documentation and suggest using wallet software that has good quality-assurance processes.
Since most popular wallets have proper processes in place and upgrades are reviewed and tested by multiple developers, we consider this risk to be low.

https://github.com/bitjson/cashtokens/blob/20528415173fa67c519c11565c6bb3400ad4c6c7/readme.md?plain=1#L504

Should this not be "output at the index" instead of "output spent by that input"?

From #24 (comment)

E.g. even if we had a simple OP_OUTPUT_TOKEN_CAPABILITY that accepted an index and returned one of these above numbers (0, 3, 7, 15), while many contracts would be written to validate results by direct comparison ( OP_OUTPUT_TOKEN_CAPABILITY <3> OP_EQUAL), almost all byte-efficient contracts with multiple codepaths (based on capability) would be broken unpredictably: a contract might perform some validation for <=3, some for 7, and an OP_ELSE branch for the 15. If an upgrade slips a new 14 result into the set of possible results, it breaks the API used by that contract and produces a serious vulnerability.

This problem is not giving me rest. I first thought, well, if we make it so that new values are properly ordered, like if 14 is more restrictive than 7 and less restrictive than 15 then it should be no problem right? After all - it would not enable users to do new things. Well...

There's another class of problems: it could break public covenants. Imagine that anyone can access some covenant placed on immutable NFT (0x03) and then we enable making the Script field immutable too (0x01). What if the public covenant relies on updating the contract's locking script with each tick, and requires "capability > 0" and then we enable 0x01 someone comes and slips in the 0x01 and breaks the contract by essentially terminating it because it would not be allowed to change its own locking script anymore.

As you suggested, solution would be to define a new codepoint for the new behavior, so existing categories would continue to operate under rules that were in force when they were created. Interaction between old/new could also be troublesome if same introspection opcodes would be used for both, so what could we do?

How about defining the OP*CATEGORY to also return the PFX byte, the returned stack item would then be: PFX+ID+[nft_capability].

Also, imagine if in the future we define some scheme for fractional sats, like another PFX but without the ID, then we could probably use the same Script API (introspection opcodes) to interact with both CashTokens2.0 and some FracSats upgrade, the OP*CATEGORY would return 1-byte value for FracSats.

Actually, because CashTokens are first - they don't need to return the PFX+ID, plain ID is enough, but some later upgrade would have to somehow expose to the Script API that it's not the same thing as CashTokens2.0, or it would need to define new introspection opcodes...

just some thoughts about strategy to upgrade

Summary

BIP69 sorts outputs in a txn lexicographically by:

• amount
• scriptPubKey

A specification of how to sort the new txouts with tokens in them may be warranted.

Suggestion

Since token data conceptually doesn't live inside scriptPubKey (except for serialization but NOT on the application layer), it is onerous and a performance hit for implementations e.g. BCHN to re-serialize the token data just for bip69 txn sorting.

BIP69's philosophy is to sort by "cheapest to compare first". As such this is how I am currently sorting token outputs in BCHN:

• amount
• scriptPubKey
• tokenData

Where tokenData sorts as follows:

    return std::tie(amount, capability, commitment, id) < std::tie(o.amount, o.capability, o.commitment, o.id);

Additionally, if all things are equal, txouts with no token data should sort before txouts with token data.

I politely suggest that maybe you should specify the above as the BIP69 sort order for Cash Token txouts.

Non canonically encoded CompactSize should be rejected as parse failure.

What is a canonically encoded CompactSize? Let's say you want to encode 40 (0x28). You have 4 options about how to encode it, but only one of them is canonical (it must be the minimally encoded representation, basically):

• 0x28 <-- canonical
• 0xfd2800 <-- not canonical (wastes space)
• 0xfe28000000 <-- again, non-canonical (wastes space)
• 0xff2800000000000000 <-- ditto

Proposed specification for the format, implements everything talked about in #27 #25 #24 #23

Because nft_commitment and ft_amount will be optional, then we get a more compact encoding for 0. So ft_amount==0 will be disallowed because 0-value FT will be encoded by absence of HAS_FT_AMOUNT format flag so parsers can know to skip the ft_amount. Similarly, nft_commitment_length==0 is disallowed because zero-byte commitment will be encoded by absence of HAS_NFT_COMMITMENT format flag so parsers can skip both nft_commitment_length and nft_commitment.

S1 Transaction Format Changes

Definitions

We define transaction output prefix byte that will indicate presence of optional category output annotation:

• OUTPUT_PREFIX_BYTE_CATEGORY = 0xd0.

We define the maximum length for NFT messages:

• MAX_SERIALIZED_NFT_COMMITMENT_LENGTH = 40.

S1.1 Transaction Outputs

If OUTPUT_PREFIX_BYTE_CATEGORY byte is encoded at index 0 of a transaction outputs's locking script serialization then it will mark the start of a data structure that will encode the output category annotation.
The whole annotation, including the prefix byte, will be removed from the locking script before handing it to Script VM:

<satoshi value><locking script length> [OUTPUT_PREFIX_BYTE_CATEGORY <category data>] <real locking script>.

Category output annotation is defined as:

OUTPUT_PREFIX_BYTE_CATEGORY <category_id> <token_format | nft_capability> [<nft_commitment_length><nft_commitment>] [ft_amount]

where:

• category_id - a 32-byte value
• token_format | nft_capability - a 1-byte value containing 2 fields where they are deserialized as:
  • token_format = serialized_byte & 0xf0 and
  • nft_capability = serialized_byte & 0x0f
• nft_commitment_length - a compact-size uint value that may encode a 1, 2, 4, or 8 byte uint, skip if token_format & HAS_NFT_COMMITMENT == 0
• nft_commitment - byte array of nft_message_length bytes, skip if (token_format & HAS_NFT_COMMITMENT == 0) || (nft_commitment_length == 0)
• ft_amount - a compact-size uint value that may encode a 1, 2, 4, or 8 byte uint, skip if token_format & HAS_FT_AMOUNT == 0

Bit flags that indicate presence of optional fields are defined as:

• HAS_NFT = 0x40,
• HAS_NFT_COMMITMENT = 0x20,
• HAS_FT_AMOUNT = 0x10.

Not all combinations will be allowed.

If token_format == 0x00 then the transaction shall fail immediately. (REQ-1.1.1.)

If (token_format & HAS_NFT == 0) && (token_format & HAS_NFT_COMMITMENT != 0) then the transaction shall fail immediately. (REQ-1.1.2.)

These two requirements leave us with 5 allowed values for token_format, listed in table below.

If token_format & HAS_NFT == 0 then nft_capability MUST be 0. (REQ-1.1.3.)

If token_format & HAS_NFT > 0 then nft_capability MUST be one of allowed values:

• NFT_IMMUTABLE = 0x00,
• NFT_MUTABLE = 0x01,
• NFT_MINT = 0x02.

(REQ-1.1.4.)

When combined into the serialized byte, there will be 13 allowed states for the byte, as listed in table below.

When encoded, value of ft_amount must obey these limits: minimum value of 1 and maximum value of 9223372036854775807 (0xffffffffffffff7f). (REQ-1.1.5.)

When encoded, value of nft_commitment_length must obey these limits: minimum value of 1 and maximum value of MAX_SERIALIZED_NFT_COMMITMENT_LENGTH. (REQ-1.1.6)

The annotation SHALL NOT count against length limits placed on locking script. (REQ-1.1.7)

The spec today says this: (Reserved Supply)

A token category's reserved supply is the sum – at a particular moment in time – of tokens held in reserve by the issuing entity. This is the portion of the supply which the issuer represents as "not in circulation".

The reserved supply of a fungible token category can be computed by retrieving all UTXOs which contain token prefixes matching the category ID, removing provably-destroyed outputs (spent to OP_RETURN outputs), and summing the amounts held in prefixes which have either the minting or mutable capability.

This raises several questions;

1. as the decision of what part of the supply constitutes 'reserved' is squarely put on the plate of the issuer, how is it possible to make an algorithm for this? That algo is at best a heuristic, and doesn't feel like it belongs in a spec.
2. We talk about provably destroyed outputs using op_returns. An op-return output is defined as starting with op_return. Yet cashtokens do the same, right? Doesn't that mean that they are mutualy incompatible?
   Notice that for cashtokens you don't need op_returns to burn as the difference between input and output just goes poof anyway.
3. what is a mutuble fungible token? In this context we are talking about a fungible token, we should count this by checking outputs that have the minting or mutable capability. Why would a fungible token ever have a mutable capability flag set?

In the "valid" json test vectors there are broken tests. Specifically the second and third test have a typo in the expected category id (does not match the serialized token data).

https://github.com/bitjson/cashtokens/blob/54ea2d20e7576379a4f1783613c393ae3660ec68/readme.md#transaction-output-data-model

Nit: The range of valid integers for "amount" should be correctly specified.
I understand that it is [1, 9223372036854775807] (using square brackets as is common to define closed intervals).

Perhaps the most important is:

• Why 0 (zero) is not a valid amount?
• Why is 9223372036854775807 the largest amount allowed?

Please see this note: https://github.com/mit-dci/cash-disclosure/blob/master/bitcoin-cash-disclosure-04252018.txt

Are any current transactions on-chain using 0x20?

I suggest this in conjunction with #47 .

This idea came up as part of discussion in #41 here: #41 (comment)

Note that if we move the capability byte to come right after the TOKEN_PREFIX, as the first thing we read (rather than category-id being the first thing we read, as specified currently), then this buys us a great deal of headroom and freedom to be able to completely extend or redo the token data serialization format in the future. Since the capability byte has free bits in it, we could potentially use some of those bits (if set) to indicate a completely different serialization code path for some hypothetical future extended token serialization format.

This suggestion directly contradicts issue #41 and PR #43.

If this suggestion were implemented it would simplify and/or reduce the "urgency" and/or criticality of #44, #45 and #46.

Suggestion Summary

I think it’s not a great idea for prefix byte to do double duty with the introspection opcode OP_UTXOTOKENAMOUNT. We need to make the TOKEN_PREFIX be a unique codepoint that is otherwise an invalid opcode. See discussion starting with my comment here: #41 (comment)

Suggest: 0xbf as the token prefix .

Additionally: Post-activation, we should disallow the creation of locking scripts that start with 0xbf but fail to parse as token data -- to save potential headaches in the future should we somehow loosen the serialization rules or otherwise modify them for the token data.

Rationale

While implementing #41, I noticed a couple of corner cases arise if we have the PREFIX_BYTE do double-duty as an op-code.

• It means that we need to be very careful about what is a consensus failure and what is a serialization failure.
  • This is because if we fail to parse a byte stream as token data (i.e. a serialization failure), the byte stream just ends up entirely put into the beginning of a scriptPubKey (locking script) of an output. And entirely different consensus rules now apply to that data, as opposed to an output containing token data. Thus, it puts a lot of burden on this specification to clearly delineate what is a parse error versus what is disallowed for consensus. See issue #44
• What's more, some locking scripts may unintentionally get "parsed" as token data when they intended to just have 0xd0 be their first op-code (very rare corner case, requires miners to mine these, but the fact that this is possible is troubling).... This "quirk" thus makes some subset of the set of all possible theoretical locking scripts beginning with 0xd0 impossible to construct.

If we use a unique codepoint that does no double-duty as an op-code (and is a disabled code-point otherwise),.. the above caveats completely evaporate.

Update: This has been implemented already here: https://gitlab.com/bitcoin-cash-node/bitcoin-cash-node/-/merge_requests/1580/diffs?commit_id=874f825c8f33b19327cf6c55b62782b62548215f

Why have you chosen 0xef for SPECIAL_TOKEN_PREFIX ?
Maybe I'm missing something obvious, but couldn't it have been 0xfe ?

We don't have enough room in 1 byte to encode everything (FT/NFT + NFT capabilities + message length) so something must spill over to some other byte. Since message is specific to NFTs that opt to use it, then maybe only message-carrying NFTs should have to be burdened with that extra byte instead of burdening outputs that don't even use the feature.

Output format:

<categoryID><tokenOutputType>[amount][<message_length><message>]

Use bit flags to encode fundamental token types using 2 highest bits of the tokenOutputType, and 3 more bits to encode NFT type:

• HAS_FUNGIBLE_TOKENS = 0x80,
• HAS_NON_FUNGIBLE_TOKEN = 0x40,
• NFT_MINT = 0x20,
• NFT_MUTABLE = 0x10,
• NFT_HAS_MESSAGE = 0x08.

This issue assumes #41 will be implemented.

If a locking script starts with PREFIX_BYTE (0xd0) it is currently unspendable. Post-activation should the locking script happen to parse as token data, it would remain unspendable as per the spec, and is considered a pre-activation token forgery output (PATFO). However, what do we do with locking scripts starting with 0xd0 but that fail to parse as token data? As per #41 we allow these if created post-activation.

I suggest we also allow them if created pre-activation! Why? This is the most natural thing to do. And it also matches the behavior of other op-codes we added since 2022 (such as native-introspection), where previously-unspendable non-standard locking scripts now become spendable.

The spec needs to be clear on this edge case.

Hey Jason, what's your view on these edge cases:

FT Amount 0

If we allow 0-amount FTs that would be consistent with satoshi amounts, and would allow a way to "stamp" some data even if the category is FT-only, like a 0-amount OP_RETURN. Only a FT could emit 0-amount UTXOs, a non-FT NFT could not.

NFT message NULL and EMPTY

• No message = NULL (only ID + token_type encoded)
• Message of 0-length = EMPTY (only ID + token_type encoded)
• Message of >=1 length = the message (ID + token_type + nft_message field)

With your composite ID||type introspection opcode you could distinguish between NULL and EMPTY, and it could be usable as a free "bool" to be purposed by the contract. Toggling it would of course require mutable(edit) capability.

In reference to: https://github.com/bitjson/cashtokens/blob/master/readme.md#sighash_utxos

Rationale:

• This is a complex change
• Breaking it out into a separate CHIP allows for separate testing
  • Why? implementation requires some significant changes to codebase, to how node signs, etc. In general signing doesn't take all the input coins as input to the sign functions.
• By breaking it out as a separate chip more focus can be placed on it and it can be studied and tested more carefully
• CashTokens is already a huge change, tacking this on as a "hey by the way" is rather significant and not ideal.

This is a follow-up to #25 .

Using native introspection, it's currently impossible to differentiate an NFT_Immutable with a 0-byte commitment and an NFT_Fungible. Both return the exact same thing forOP_OUTPUTTOKENCOMMITMENT and OP_OUTPUTTOKENCATEGORY (and the UTXO counterpart opcodes).

Both return a categoryId without the 0x11 byte (or 0x0 byte) appended (as per latest spec).

There is no way for a contract to differentiate the two. Suggest: making NFT_Immutable append the 0x11 byte anyway, to differentiate it from a FT.

The current implementation of DSProofs will not be able to encapsulate the hash of the UTXOs for the proof. As such, DSProofs will not be possible to protect and/or provide a proof for an input that is double-spent using SIGHASH_UTXOS.

This caveat needs to be mentioned in the spec. Ultimately, the DSProof spec needs to be expanded to cover the additional hash preimage data that must be shared as part of a DSProof. (Namely, the hash of the utxos).

In other protocols (ERC-20, for example) it is common when creating a token, to be able to define the amount of decimal digits to represent the amounts to the user.
How do we achieve the same with CashTokens?

The document starts with a listing of all technical terms used in the document. It currently limits itself to terms unique to cashtokens and I think that it would be useful to expand that to terms that are not so well known but required to understand cashtokens.

Specifically I would like to see a description of:

• Covenants
• Commitment

I learned about covenants from a high level overview quite some time ago and while they are not really mentioned in the spec, I believe they are crucial because they really are the glue that holds the different ingredients together.

I honestly still am fuzzy on commitments. The examples didn't really explain, instead they just used. So I guess they assume you already know how cashfusion is using commitments.

A little 2 paragraph technicall (can't stress this enough, this should no be fuzzy) description of each would be really a nice addition.

These two definitions seem to be contradictory:

The capability of the NFT held in this output: none, mutable, or minting. This field is omitted if no NFT is present.

The reserved supply of a fungible token category can be computed by retrieving all UTXOs which contain token prefixes matching the category ID, removing provably-destroyed outputs (spent to OP_RETURN outputs), and summing the amounts held in prefixes which have either the minting or mutable capability.

Cashtokens are gearing up to be awesome and likely will enable a large number of very interesting usecases that frankly are unique in any decentralized system.

Why I'm writing here is to also take a look at the usecases that SLP is currently very successful at and make sure those are not forgotten and support is the best it can be.

To take one great example; olicrypto. This is an SLP token which is openly traded and all the technicals are she pays divident to investors (example). Technicals are trivially supported in cashtokens. Except that it has a user-visible name. A URL and some other details that are important for the usability of the token and for the trading in a decentralized manner.

"Simple" traded tokens may be a good way to make the point, but even more advanced tokens will benefit from meta-data like which date the token was started, what the maximum number of fungible tokens are and more details.

Genesis transaction

All the above examples revolve around information that is (or can be) stored on the genesis transaction. The start of one specific cashtoken.

So, lets look at how we can get hold of that transaction based on anyone looking at any cashtoken transaction. This starts with the fact that the token has a 'category', which is intentionally a copy from a TXID. So we can start with that transaction.

Unfortunately, by looking up that transaction we don't actually find the genesis. The genesis is the one that spends from the "category = txid". And in blockchain that link is not stored. Additionally, there is no limit to how old that transaction can be when the genesis is created. It could be from years before the actual token is minted.

We need to either use a indexer server, but that makes things much more complex and costly and we learned from SLP that its easy to assume they will keep on being maintained while reality is much more harsh and bleak. Or an alternative path to our genesis tx is to use BIP 37, which is using bloom filters and merkleblock. The problem with that is we would need to ask a full node to filter every single block in sequence. Which, at best, severely limits the full nodes from serving better deserving SVP wallets. Its also slow and thus not very UX friendly.

Rationale

So, I understand the reason why the current design was picked. The simplest solution which uses the best f both worlds; a txid as a unique ID for a category (avoiding risk of duplicates) but not in the same transaction in order to allow the setup script for a token to actually include the category in its script. Can't include your own TXID in the same transaction, so a previd it became.

So, we have today:

Tx-k: the txid setting transaction.
Tx-g: a coin genesis transaction.

With the problem that there is no link from the first to the second.

Suggestion

In a sentence: to merge those two into one. At least for many simpler usecases.

So, for simple usecase you just end up with:

Tx-g: a coin genesis transaction. Its txid is the coin category.

This would be enough to do all the things that SLP supports today. It can have an op_return output that is specified much like SLP does today. And most important, all transactions ever transacting this token will refer to its txid and most full nodes will be happy to serve a single transaction based on its txid.

But you'll find there is a need to do more things because cashtokes are just too cool (read: powerful). How would that work?

A setup where multiple tokens are working together works best by them being supplied with their details all in different outputs of the same transaction. For that, you'd need something like this;

Tx-g1: genesis transaction for token 1. Output script is a simple p2pkh. (mutable enabled!)
Tx-gn: genesis transaction for token n. Output script is a simple p2pkh.

Tx-start: transaction that spends all genesis tokens and initializes them in its outputs.

Those could all be broadcast at the same time, no problem there. In practically all topic this is just as flexible as the current design, it really is only a small refactor that makes the worst case slightly more expensive at the benefit of allowing a whole range of new features that SLP users are used to.

One detail that makes sense to mention is that likely the easiest way to differentiate a genesis is if we were to decide to lists its own category as zeros. This is cheap to check during validation, really at worst just as expensive as the check we need now.

That would be a really strong advantage for those currently on SLP.

• mutable capability is encoded as 0x01
• minting capability is encoded as 0x02

What about none? Is it 0x00?

So currently codepoint 0xef (the proposed PREFIX_TOKEN) is invalid, but it can peacefully exist so long as it never gets executed (e.g. can be in a branch that never is executed).

However, after upgrade, PREFIX_TOKEN (0xef) always yields a script error for any scripts it lives-in, even in unexecuted branches From the spec:

Name	Codepoint	(Opcode-Equivalent) Description
PREFIX_TOKEN	0xef (239)	Error, even when found in an unexecuted conditional branch. (May occur before an output's locking bytecode to indicate locked tokens.)

If we do end up going with this spec -- I feel this is a potential "gotcha" that really needs to emphasized. It could cause a subtle chain split exploit if some nodes with miner hash ever follow different rules. I feel that this rule is so subtle there is a high risk for a dev to miss it (I almost did!).

Maybe I am just being paranoid but: I almost want to propose that we eliminate the requirement that any script containing this codepoint be deemed invalid... in light of that gotcha. I.e. it can exist so long as it is never executed (as is the case now).

Or do you feel it's better for this codepoint to become super-verboten (the same as DISABLED opcodes are now) after upgrade? Do you feel it adds benefits to do this?

Thoughts on this?

@zander brought up that a two-stage activation might allow us to clean up any "pre-activation token-forgery outputs" before tokens are activated, e.g.:

At block N, outputs beginning with PREFIX_TOKEN become effectively OP_TRUE, while new token encodings are validated properly (but minting tokens is still useless, as the output can be spent by anyone). At block N+X, spending validation activates.

Opening an issue to explore if this strategy would allow us to simplify the upgrade logic that will ultimately remain in node implementations.

@thesquaregroot identified an ambiguity in the spec we need to be sure is handled explicitly: any locking bytecode can begin with 0xd0 (OP_UTXOTOKENAMOUNT), even for outputs that do not themselves contain tokens. There are many useful covenants that might begin with OP_UTXOTOKENAMOUNT, and those outputs may or may not also carry tokens.

I overlooked this in the current version of the CHIP. I'll clarify the spec to ensure starting with 0xd0 isn't assumed to make the output invalid, and I've added this to the set of test vectors that will be in the next release. 👍

Since it's liable to cause confusion. Note the bitcoin cash docs also use the term VarInt incorrectly. VarInt != CompactSize.

VarInt is used internally by the Core line of BCH nodes (Flowee, BCHN, BU) to save txos to the db and for other internal things.

CompactSize is what you meant in the spec.

Note that the Bitcoin Core docs about their txn serialization format etc make this distinction and call it a compactsize (and not a VarInt).

The addition of SIGHASH_UTXOS would break double-spend proofs for inputs signed with this sighash type. I say "break" in that DSPs as currently specified and implemented cannot capture all the information needed to prove a double-spend, if one of the conflicting inputs was spent using the proposed SIGHASH_UTXOS.

This is because the proofs don't encapsulate all of the UTXOs used in the conflicting txn. In fact, a node may even lack those UTXOs altogether. All the proof really encapsulates is information about the spent UTXO that conflicts, not all of the UTXOs in a conflicting txn. This was ok previous to the addition of SIGHASH_UTXOS since before signing never involved examining all of the other coins in a txn.

The addition of SIGHASH_UTXOS to BCH would thus drastically weaken the utility of DSPs unless the DSP specification were also expanded somehow. But even if the specification were expanded, it's not clear to me that such a proof would be possible since nodes may lack the UTXOs that a conflicting txn is referring to, thus making the proofs potentially impossible to both construct and verify.

Thus, an attacker can double-spend using the proposed SIGHASH_UTXOS and nobody would ever get an alert that such a txn were double-spent, thus weakening the utility of Double-Spend proofs.

Just opening an issue to track a change discussed here:

This is a great point, thanks for noticing @im_uname! As @bitcoincashautist mentioned, requiring OP_RETURN for token destruction makes cleaning up “token dust” much more expensive than some sort of SIGHASH_TOKEN. A signing serialization type flag also simplifies away the awkward destruction policy difference between fungible or immutable tokens and minting or mutable tokens (where the former currently cannot be implicitly destroyed, but the later can).

In fact, to prevent offline signers from being mislead by omitting token information in signing requests, we also need to add the token information directly to the signing serialization. Maybe we include the full contents of the token output prefix (same encoding) after value in the algorithm for SIGHASH_TOKEN signatures?

If you’d be interested in sending a PR, I’d definitely appreciate it! (I’m also happy to write the update or any relevant rationale, just let me know what you’re interested in doing.)

The Shared Codepoint for All Tokens rationale was written for a pre-release iteration of the CHIP and has gotten progressively weaker. (Now that we're reusing the token inspection operation codepoints to indicate a token prefix, additional encodings do not "cost" instruction set codepoints.)

I'm starting to think that rather than the sort of compound encoding we're currently using (PREFIX_TOKEN <category_id> <has_nft> [commitment_length commitment] <ft_amount>), we should use multiple prefixes to avoid the 0x00 placeholders being used.

So we'd have encodings for each of:

1. Only fungible tokens – e.g. PREFIX_FUNGIBLETOKENS <category_id> <ft_amount>
2. Only a nonfungible token – e.g. PREFIX_NONFUNGIBLETOKEN <category_id> <capability> <commitment_length> [commitment]
3. Both – e.g. PREFIX_TOKENS <category_id> <capability> <ft_amount> <commitment_length> [commitment]

This saves 1 byte per output when encoding only fungible tokens or only a nonfungible token (likely far more common than instances where both types are held), and it makes the encodings themselves simpler: there's no "empty NFT" or "zero FTs" state, and the presence of FTs and NFTs can always be determined by only the prefix.

Previously I'd thought that a shared prefix would make adding support to indexers slightly simpler, but in reality, indexers will almost certainly "translate" token encodings for their database; the encoding of tokens in transactions should just focus on being as simple and efficient as possible.

Use bit flags to encode fundamental token types using 2 highest bits of the tokenOutputType:

• FUNGIBLE_TOKENS = 0x80,
• NON_FUNGIBLE_TOKEN = 0x40.

Encode NFT type using the remaining 6 bits, counting in reverse from the maximum value:

• Minting NFT: b0111 1111 (0x7F)
• Mutable NFT: b0111 1110 (0x7E)
• Immutable NFT: b0111 1101 (0x7D)

If the output also encodes a fungible token amount then the highest bit will be toggled:

• FT + minting NFT: b1111 1111 (0xFF)
• FT + mutable NFT: b1111 1110 (0xFE)
• FT + immutable NFT: b1111 1101 (0xFD)

This still lets you specify the length of the message field using the 0-0x7C range (while masking the highest 2 bits when reading the length) but lets us omit the FT amount field when the output encodes only the NFT.

"If the UTXO includes a non-fungible token with a zero-byte commitment, push 0x00. If the UTXO does not include a non-fungible token, push a 0 (VM Number)."

If we encode a 1-byte commitment that encodes a commitment[0]=0x00 it would result in the same 0x00 value being pushed to the stack.

Suggestion: push an empty stack item in both no-NFT and no-commitment cases, and the user should check the capability to distinguish no-NFT from no-commitment.

Here: https://github.com/bitjson/cashtokens#transaction-output-data-model

The word "undefined" has a specific meaning in many languages or systems (such as in mathematics or in C++) to indicate something that should NEVER happen or that is invalid in some way (e.g. "division by zero is undefined"). The meaning of that word in your section is different from that (you mean to say, it can be missing or null).

I suggest a different word or a different phrase to capture that idea so as to avoid confusion.

If pure BCH are 546, tokens should be 798

These all came from my comments as TODOs and I want to enumerate them here. We should make sure the spec clearly makes the following points (if it doesn't already):

• Standardness changes. Care must be taken that standardness is respected pre-activation (all PATFOs or even any txn locking script blobs starting with 0xef should remain non-standard pre-activation).
  • Post-activation, standardness rules change. Any token-containing input or output is now standard (even PATFOs are now standard, although they fail evaluation later in the pipeline regardless). Unparseables starting with 0xef continue to remain non-standard.
• Failure to parse -> keep bytes in scriptPubKey. Failure to parse a token should stuff all the bytes in the blob including the leading 0xef back into the scriptPubKey, and tokenData should remain null. (Thus making this output unspendable).
• BIP69 sorting. Should specify BIP69 sorting of TX Outs containing token data, sort order was:
  • (a.nValue, a.scriptPubKey) < (b.nValue, b.scriptPubKey) <-- lexicographical compare
  • It should become:
    • (a.nValue, a.scriptPubKey, a.tokenData) < (b.nValue, b.scriptPubKey, b.tokenData) <-- lexicographical compare
      • a.tokenData < b.tokenData can be expanded to lex compare as follows:
        • (a.tokenData.amount, a.tokenData.bitfield, a.tokenData.commitment, a.tokenData.id) < (b.tokenData.amount, b.tokenData.bitfield, b.tokenData.commitment, b.tokenData.id)

Just to leave some notes here about our last discussion

it's about something like OP_GETGENESISINPUT
it should tell you: if the input that has index0 prevout is actually used for genesis or not
and if used: what's the total amount of FT being made
without that you have to check all outputs and see if they match against some input's txid

Jason:

If you see a really important use case here that's worth the increased protocol complexity, I'd encourage you to write an example that is as concise as possible to demonstrate the issue. I'll have to think more about it but my first impression is that you're wanting a specific built-in aggregation operation: https://gitlab.com/GeneralProtocols/research/chips/-/blob/master/CHIP-2021-02-Add-Native-Introspection-Opcodes.md#exclusion-of-aggregation-operations – there's a near infinite space of these, and most may never be definable as protocol-level builtins. Bounded loops might be a simpler option to enable any kind of aggregation at the contract level: https://github.com/bitjson/bch-loops

And my response:

that's right, it's a specific aggregation operation, but it's only so because your genesis input is kind of a singularity (defines only category_id, initial state undefined) that can create anything with the new categoryID on output end
and it's an aggregate you already must have in the cache in order to validate the tx

In addition, just to further clarify, we can think of genesis inputs as having a "virtual" state. Genesis input only allows a category to be created and sets the ID, but it doesn't initialize the category's token state - that's what the first batch of outputs does.
Normally transactions are introducing some state on the inputs, saying how the state will change, and recording the new state on the outputs. Because a token genesis creates tokens "from nothing" there's no input state, but there is the initial state which can be seen as "virtual" state of the input.

Here's how I'd define the virtual state of the genesis input:

• categoryID - prevout.txid, empty stack item if input not used for genesis
• ft_amount - sum of all of the category's outputs ft_amount, empty stack item if FT not used (could still be a genesis)
• nft_capability - logical sum of all the category's output's nft_capability, the minimum capability that would be required to produce the outputs, e.g. if outputs have mint or multiple messages then mint, if they have only 1 message and mutable then mutable, if none then none, for case of cloneable, if one output has cloneable and other has edit, then the virtual input would be a mint. If no NFT, then empty.
• nft_message - in case of immutable capability, return the first (and only) nft message, else empty.. or it could return the 1st message anyway

As a concept I think this is closer to OP_ACTIVEBYTECODE than aggregate (even though it needs aggregation under the hood).

Use case: you want to code a contract that requires you to create an immutable NFT with a particular nft message, how do you do that? With the genesis opcode it's as simple as verifying that some other pre-existing NFT on the input (prevout) is immutable. Wihout that - you have to inspect ALL outputs of the TX and check that the genesis input didn't create anything other than a single immutable NFT.

The opcodes that start with "OP_UTXOTOKEN" caused me to get really confused for a while. There instantly was a thought towards the utxo-set, but that doesn't make sense. That is global info. Even "local" info makes it hard to figure out what an indexed utxo is..

Reading further I think what you named the utxo here is essentially the 'prev-out'. The previous-transaction's output.

Maybe to make it more understandable to most people a rename towards something like this makes sense?

OP_PREVOUT_TOKENCATEGORY and OP_OUTPUT_TOKENCATEGORY ? (repeat pattern for all opcodes described in this chip)

Its about readability and consistency, the numbers won't change.

For example, from the spec right now:

A token prefix encoding no tokens (both has_nft and amount are 0x00) is invalid.

Is this parseable but invalid consensus-wise? Or is this a lower-level parse failure (which leads to the byte blob assigned all to scriptPubKey)? This distinction is now important since @bitjson plans on implementing #41 in the spec.

There are other such examples in the spec where it's unclear if parse failure or if token consensus failure.

The text states;

hashUtxos is inserted in the signing serialization algorithm immediately following hashPrevouts. hashUtxos is a 32-byte double SHA256 of the serialization of all UTXOs spent by the transaction's inputs (concatenated in input order).

Specifically the part "serialization of all UTXOs" is a problem, as that is not technically a field in Bitcoin full node software. I expect actual fields there (probably a subset of the input: https://flowee.org/docs/spec/blockchain/transaction/#transaction-input)

I've had a chat with Calin, the length limit should be independent of Script length instead of eating into the Script limit with token data, much less mess, and 520 is a sane limit since anything above that would be unusable by contracts. If a future hard-fork adjusts the limit of stack items, then it will be an opportunity to adjust this in the same go.

With that outputs could have full 10,000b of Script + UTXO state (satoshi amount, token annotation)

see here: https://gitlab.com/bitcoin-cash-node/bitcoin-cash-node/-/merge_requests/1580/diffs?commit_id=cc3a38ca01a09427b9fc217692b19cea638730d5

NFT Type

Categorized outputs may encode one of 5 NFT states:

• NFT_NULL = 0x00, (b00000000)
• NFT_TRANSFER = 0x3F, (b00111111) ("no capability", "immutable")
• NFT_EDIT = 0x7F, (b10111111) ("mutable")
• NFT_CLONE = 0xBF, (b01111111)
• NFT_MINT = 0xFF. (b11111111)

All other values are reserved and reading a reserved value will immediately fail the transaction.

The same codepoint can be defined across 3 contexts: input's unlocking script prefix, Script VM, output's locking script prefix.

We can use the same 0xef for a Script VM opcode, and in another issue I had proposed to use in the input to declare a category's initialization state, and in the Script VM to access that state.

It got me thinking, could we contain the proposal to using up just 1 codepoint by making introspection opcodes pop 2 stack values, one for the index, other for the property being read. This would make the opcode more expensive but on the other hand we could avoid having to slice the capability off the categoryID opcode, and instead have a mode for obtaining it directly.

Summary of Suggestion

I suggest we kill two birds with one stone and just change the prefix to bch: for mainnet and tbch: for testnets and scalenet. Perhaps also rbch: for regtest (although we can just leave regtest as bchreg: if we wanted to since regtest is not used to send funds to anybody ever.. and if it is, those funds are ephemeral anyway). This in effect allows us to not eat up 2 out of 16 type positions for signaling token support.

EDIT: Since testnet coins are "worthless", there is no need to go with tbch: for testnet and we should continue to just use bchtest: for testnet, to keep things as simple as possible.

Please note that simply changing the prefix string to bch: does end up affecting how the final address is encoded (since it is used to encode and calculate the checksum). So it would be sufficient to ensure upgraded software fails to send tokens to un-upgraded software to simply change the prefix. (We would of course still support the old prefix).

For those worried that changing the prefix is not "harsh" enough: I believe it really is. Do note that changing the prefix changes the encoding because the prefix string is used to calculate how the checksum looks. So a different prefix for the same payload yields a different address string. Moreover, we can state as a requirement for the cashaddr spec that the new bch: prefix can only be used for wallets that are upgraded and are token-aware. It would be a violation of upgrade9 rules and/or the cashaddr spec to deviate from this.

Rationale

1. There has been discussion in the past that bitcoincash: is too long and bch: is far better. Bitcoin Core went with bc1: after all. Our cashaddress prefix is too huge!!
2. We only get 4 bits for the type in cashaddr encoding. That's 16 possible values. We already use 2 of them for p2sh and p2pkh. The spec proposes eating up 2 more for token-aware-p2sh and token-aware-p2pkh. This is 12.5% of the possible remaining values eaten up here. We only have 12 out of 16 left over.
3. Technically speaking these aren't new "types". I believe the intention of the "type" field was not in this spirit.
4. Changing the prefix to indicate token support has the added benefit that it is more human-friendly and naive-one-off-script-friendly. The changed prefix affects only the last group of 8 characters in the qp3rsz... address string. In this way, it's far easier for humans and for naive software to map the same set of token aware bch: and "legacy" bitcoincash: addreses to each other. Even visually you can scan your wallet and notice that basically the same address qpcal1n...uuvxzprz is now also starting with qpcal1n... and it just has a different suffix. This is much more "human-friendly" IMHO. (For an example: Consider how simpleledger: addresses vs bitcoincash: addresses in Electron Cash SLP look almost the same so it's easier on human eyes just scanning their addresses visually).