here's a curious mempool mystery 🕵️‍♂️👀
someone made a bunch of transactions like this in recent months, "stealing" insecure brc-20 transfer inscriptions to sub-dust outputs
these transactions should be non-standard, but they're reliably mined by both Mara and Antpool & Friends
the original transactions (pre-RBF) look like this:
a fairly ordinary brc-20 transfer, sending the inscription to a dust utxo, with an additional input to pay fees and an additional output for change, all owned by the same address.
peeking inside the original inscription input, you'll notice something rather odd.
although the witness includes what looks very much like a normal taproot schnorr signature, the locking script doesn't actually include a checksig operation to validate it!
without the corresponding pubkey, I can't verify whether this is actually a signature or just 64 bytes of random witness data, but it certainly looks like one.
the missing OP_CHECKSIG in the locking script means that the subsequent RBF transaction is able to spend the same output by replacing that witness item with a single random byte (saving some extra weight!)
but what's even the point? the input was already dust, so the RBFer only extracted 200 sats.
you might assume they're stealing the BRC-20 tokens themselves (which do apparently have some non-trivial value), but BRC-20 transfers don't work that way.
(and, sure enough, BRC-20 indexers like Unisat show these as failed transfers/sends, because the RBFer's address has insufficient balance to fund the operation)
so maybe that's the point? is this a clever way to cancel a BRC-20 transfer in the mempool mid-execution?
...probably not...
someone wanting to do that could simply not spend the inscription output in the first place. and relying on a non-standard RBF would be very unreliable.
our final clue is that the sub-dust outputs are usually consolidated alongside a couple of swept lightning anchors to make them slightly more economical.
the destination address of these consolidations is a prolific lightning sweeper, doing several hundred lightning anchor consolidation transactions per month.
sweeping an insecure input is very much like sweeping a lightning anchor (neither is signed, so they can be spent by anyone)
so they've probably either equipped their bot to automatically detect and steal unsigned inputs in general, or are deliberately trolling this BRC-20 user.
the most interesting part of the mystery is the nonstandard sub-dust outputs.
afaik Antpool & Friends don't (intentionally) accept these transactions p2p.
which suggests the sweeper either has a special relationship, or managed to "hack" these transactions into their mempool.
7.75K
61
The content on this page is provided by third parties. Unless otherwise stated, OKX is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.