More moronic behaviour from the Binance casino:

Give them a taproot withdrawal address, they *literally change the address*, just changing the segwit version from 1 to 0, (valid because P2WSH length) because ... lol?

People sometimes say 'why do you care if the exchange does shitcoins?'. This is why. They just burned ~7.5K of this guy's money. He'll probably get it back because they're so rich they don't care, but he'll have to argue with them first.


Customer "support":

Address where the permanently destroyed money went:

In 2017/2018 I got very militant about calling Coinbase traitors and incompetent and scumbags and so on; they all out attacked Bitcoin.
This kind of behaviour is a bit different: it only indicates they care so little that one dumbass decision from one noob backend engineer ('oh, if I replace p with q, it works!!') is the level of attention they pay to Bitcoin.

@waxwing how would this not affect checksum? Couldn't this be considered a single-char change?

@waxwing Unless they decode it and then ignore the version and hardcode it to 0. Wow... I can totally see an engineer doing that.

@jb55 yeah, good Q.


It's 'human readable part', then 'version byte', then 'bech32 of witness program', where the third part gets the checksum property of the bech32 encoding. Why version byte isn't included in this encoding, and therefore in the checksum, (which after all is not relevant on-chain), I don't know. Maybe there's an obvious answer.

Perhaps the same reason the human readable part isn't included: to make it readable to the naked eye. (q vs p, here).

The witness version is part of the checksum, they simply ignored the checksum, it seems. The data part, witness version+witness program, is checksummed.

@kalle @jb55

yeah I was just about to say, after looking at it again - my bad.

If you look, they actually swapped out the checksum. I'm not sure if this is worse or better!

The original address was bc1pfdjlc5p92pxzvacgc5nhn3vgtt54e98472ymxgtejaa0ttdx8lkqzn304u

The paid-to address was bc1qfdjlc5p92pxzvacgc5nhn3vgtt54e98472ymxgtejaa0ttdx8lkqgy3xdq

@kalle @jb55

It does seem utterly bizarre, but the "logic" must have been something like: "we'll take the scriptPubKey and change its version from 1 to 0, then our software spits out a valid segwit address".

@waxwing @kalle wouldn't the logic be: "oh hey we supported taproot by implementing bech32m", then they simply decode the payload (valid checksum): "oh look 32 bytes, this must be a p2wsh output", and they go ahead and create one of those?

@jb55 @kalle yes in this case they started with an address, given to them by a user (not a tx from the blockchain) so they'd have had to decode from bech32m first, you're right. But every detail we point out like this just makes it crazier that they did it...

@waxwing @kalle @jb55 I don't know if you know but there are viruses that track your clipboard for crypto addresses and switch it for the attacker's address. Also. Binance is a shit. Good place for the #bitcoinsners guys.

@ChYJtNvw @kalle @jb55

Look at the image I attached in the second post. They deliberately did this, i.e. "converted" (their own word) a bc1p address for a bc1q address.
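
The point settled in this thread (the witness version is inside the checksummed data, and under BIP-350 it also selects the checksum constant), as an added Python example that is not part of the original posts or any exchange's code. The function names are illustrative, and the demo at the bottom decodes the two addresses quoted above.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32, BECH32M = 1, 0x2BC830A3  # checksum constants from BIP-173 and BIP-350
def polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = (chk & 0x1FFFFFF) << 5 ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def convertbits(data, frombits, tobits, pad):
    acc, bits, out, mask = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & mask)
    if pad and bits:
        out.append((acc << (tobits - bits)) & mask)
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & mask):
        raise ValueError("invalid padding")
    return out

def decode_address(hrp, addr):
    prefix, _, body = addr.lower().rpartition("1")
    if prefix != hrp or len(body) < 8 or any(c not in CHARSET for c in body):
        raise ValueError("bad prefix, length or character")
    data = [CHARSET.index(c) for c in body]
    # data[0] is the witness version: it is checksummed and it selects the constant.
    if polymod(hrp_expand(hrp) + data) != (BECH32 if data[0] == 0 else BECH32M):
        raise ValueError("checksum does not match witness version")
    prog = bytes(convertbits(data[1:-6], 5, 8, False))
    if data[0] > 16 or not 2 <= len(prog) <= 40 or (data[0] == 0 and len(prog) not in (20, 32)):
        raise ValueError("invalid witness program")
    return data[0], prog

def encode_address(hrp, version, prog):
    data = [version] + convertbits(prog, 8, 5, True)
    chk = polymod(hrp_expand(hrp) + data + [0] * 6) ^ (BECH32 if version == 0 else BECH32M)
    return hrp + "1" + "".join(CHARSET[d] for d in data + [(chk >> 5 * (5 - i)) & 31 for i in range(6)])

if __name__ == "__main__":
    for a in ("bc1pfdjlc5p92pxzvacgc5nhn3vgtt54e98472ymxgtejaa0ttdx8lkqzn304u", "bc1qfdjlc5p92pxzvacgc5nhn3vgtt54e98472ymxgtejaa0ttdx8lkqgy3xdq"):
        version, prog = decode_address("bc", a)
        print(a[:4], "version", version, "program", prog.hex())
```

A sender that keeps the decoded version next to the program and re-encodes with `encode_address(hrp, version, prog)` reproduces the address the user supplied; only discarding the version and re-encoding a 32-byte program as version 0 yields a different address with a fresh, valid checksum.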
