The Off-by-One Bug
The Off-by-One Bug (The Dummy Value)
Bitcoin's multisig implementation contains one of the most famous "Bugs-turned-Consensus-Rules" in computer science. Because of an error in the original code for OP_CHECKMULTISIG, every multisig spend must include an extra, useless piece of data.
1. The Error
When Satoshi Nakamoto wrote the code for OP_CHECKMULTISIG, the function popped one too many items from the stack.
-
If you have a 2-of-3 multisig, the VM expects 2 signatures and 3 keys.
-
But the code logic has an "Off-by-One" error that causes it to look for 3 items to satisfy the signature requirement, even though only 2 are needed.
2. The Solution: The Dummy Value
To fix this without a hard-fork (which would have invalidated old transactions), the community decided to simply "Feed the bug."
-
Every ScriptSig for a multisig spend must start with a dummy value (usually
OP_0). -
The VM pops this
OP_0, throws it away, and then proceeds to verify the actual signatures.
3. The Multisig Unlocking Script
A 2-of-3 multisig spend looks like this:
OP_0 [Signature1] [Signature2]
If you forget the OP_0, the transaction will be rejected by the network because the VM will try to use Signature1 as the dummy value, leaving only one signature to satisfy a two-signature requirement.
4. Null Dummy Rule
To prevent miners from putting random data in this "Dummy" slot, a rule called NULLDUMMY was introduced. It requires that the dummy value must be exactly 0x00. Any other value will cause the transaction to be considered non-standard.
| Stack Item | Role |
|---|---|
| OP_0 | The Dummy (consumed by the bug) |
| Sig 1 | First real signature |
| Sig 2 | Second real signature |
In the next section, we will discuss the Consensus Limits of P2MS.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: