Analysis of Atomicals Market's 0 yuan purchase event

Contributed by Daniel Tan and Source: MetaTrust Labs

01 Summary

2023-11-21 The much-talked-about Atomicals Market trading platform has a 0 yuan purchase incident, which has caused Atomicals Protocol and its trading platform Atomicals Market to fall into a storm recently. A series of questions about the ARC-20 token have sparked widespread discussion and questioning.

Atomicals Protocol & Atomicals Market

Atomicals Market is an ARC-20 marketplace that uses the Atomicals Protocol for ARC-20 transactions (Atomicals Market and Atomicals Protocls are not the same company)

Atomicals Market posted on the 21st that it found a PBST flaw in its Atomicals Protocol-based trading process, resulting in users experiencing losses when trading the atom token.

At the same time, Atomicals Protocol countered Atomicals Market’s remarks in a post on the 24th, pointing out that the cause of the problem was Atomicals Market’s negligence, using SIGHASH_NONE to sign transactions, putting its users at risk. Atomicals Protocol has stated and warned that the Atomicals Market should not use SIGHASH_NONE for signing (it is worth noting that SatsX, which is also an Atomicals trading platform, does not appear to be in a similar situation)

After analysis, it was found that the root cause of the 0 yuan purchase was that Atomicals Market incorrectly used SIGHASH_NONE in PSBT (TX:1623bf2997cde779dd9e0e2c54b5f7f196f36826dcb689e41acd7fff27ec5c93)

02 Prerequisites

Before we go any further, it’s important to know a few things because BTC doesn’t use an account model like Ethereum.

UTXO

Bitcoin Unspent Transaction Output (UTXO) represents a specific portion of Bitcoin ownership. Unlike traditional systems that utilize accounts and balances, Bitcoin operates through these separate Bitcoin sections. Each UTXO is defined by a specific value that represents the different parts of the Bitcoin that are transferred in the transaction.

Over the course of a transaction, the UTXO is consumed and no longer exists. As a result, this operation generates one or more new UTXOs. A collection of these UTXOs, known as UTXO sets, is maintained and updated by all network nodes. This happens whenever a new block processes transactions that generate and eliminate UTXOs. UTXO sets play a key role in enabling nodes to independently confirm the legitimacy of transactions and the bitcoins they intend to spend.

PSBT

Partially Signed Bitcoin Transactions (PSBT) is a protocol in the Bitcoin ecosystem that aims to improve the convenience of transmitting unsigned transactions, enabling multiple participants to sign a single transaction at the same time.

PSBT (Partially Signed Bitcoin Transaction) offers utility in a variety of scenarios. Consider creating a CoinJoin transaction involving three people. During this process, each of the three participants sends a message to the central coordinator. The message contains the details of the UTXO (unspent transaction output) that they wish to include in CoinJoin. In addition, each participant specifies the address to which their share of Bitcoin should be returned after the CoinJoin transaction is completed.

03 What’s the problem?

Atomicals Protocol mentions that in a secure PBST exchange step, the seller signs the 2nd input containing the ARC20 Atomical and the 2nd output containing the payment amount.

Sellers need to use SIGHASH_SINGLE | ONCE ANYONECANPAY IS SIGNED, BUYERS CAN ADD THEIR INPUTS TO GET THE FUNDS AND ADD THE RECEIVING ADDRESS THEY WILL RECEIVE TO BUY ARC20 TOKENS.

Then, instead of using SIGHASH_SINGLE in the swap, Atomicals Market uses SIGHASH_NONE.

WE CAN TAKE A LOOK AT THE DIFFERENCES BETWEEN NONE AND SINGLE:

Since Atomicals Market uses NONE, only one input is signed, which means that only the number of tokens sold is verified. Whereas the output is not signed, it means that the received tokens are not verified. As a result, malicious users can buy users’ tokens without paying tokens.

04 Asset Loss

33,000 $ATOM

05 Subsequently

Atomicals Market promises to compensate users for their losses.

06 Security Recommendations

The project team should have an in-depth study of the protocols relied upon, and the product needs to be adequately tested and audited, paying attention to the protocols themselves as well as the recommendations of the security agencies.