policy: add checks for exact annex padding of simplicity programs

delta1 · delta1 · commit 4a9b55e9dae8 · 2026-03-13T15:07:43.000+02:00
diff --git a/src/policy/policy.cpp b/src/policy/policy.cpp
@@ -14,6 +14,12 @@
 #include <span.h>
 #include <chainparams.h> // Peg-out enforcement
 
+extern "C" {
+#include <simplicity/bounded.h>
+#include <simplicity/elements/cost.h>
+#include <simplicity/errorCodes.h>
+}
+
 // ELEMENTS:
 CAsset policyAsset;
 
@@ -274,6 +280,7 @@ bool IsWitnessStandard(const CTransaction& tx, const CCoinsViewCache& mapInputs)
         // Check policy limits for Taproot spends:
         // - MAX_STANDARD_TAPSCRIPT_STACK_ITEM_SIZE limit for stack item size
         // - No annexes
+        // ELEMENTS: allow annexes for simplicity transactions
         if (witnessversion == 1 && witnessprogram.size() == WITNESS_V1_TAPROOT_SIZE && !p2sh) {
             // Missing witness; invalid by consensus rules
             if (i >= tx.witness.vtxinwit.size()) {
@@ -282,8 +289,16 @@ bool IsWitnessStandard(const CTransaction& tx, const CCoinsViewCache& mapInputs)
             // Taproot spend (non-P2SH-wrapped, version 1, witness program size 32; see BIP 341)
             Span stack{tx.witness.vtxinwit[i].scriptWitness.stack};
             if (stack.size() >= 2 && !stack.back().empty() && stack.back()[0] == ANNEX_TAG) {
+                SpanPopBack(stack); // Ignore annex
+                const auto& control_block = SpanPopBack(stack);
+                if ((control_block[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSIMPLICITY) {
+                    // Annexes are allowed for Simplicity spends
+                    // checks for zero padding and exact size are done in ExactAnnexPadding
+                    return true;
+                } else {
                 // Annexes are nonstandard as long as no semantics are defined for them.
                 return false;
+                }
             }
             if (stack.size() >= 2) {
                 // Script path spend (2 or more stack elements after removing optional annex)
@@ -340,3 +355,92 @@ int64_t GetVirtualTransactionInputSize(const CTransaction& tx, const size_t nIn,
 {
     return GetVirtualTransactionSize(GetTransactionInputWeight(tx, nIn), nSigOpCost, bytes_per_sigop);
 }
+
+bool ExactAnnexPadding(const CTransaction& tx, const CCoinsViewCache& mapInputs, std::string& reason)
+{
+    if (tx.IsCoinBase())
+        return true;
+
+    for (unsigned int i = 0; i < tx.vin.size(); i++)
+    {
+        if (tx.witness.vtxinwit.size() <= i || tx.witness.vtxinwit[i].scriptWitness.IsNull())
+            continue;
+
+        const CTxOut &prev = tx.vin[i].m_is_pegin ? GetPeginOutputFromWitness(tx.witness.vtxinwit[i].m_pegin_witness) : mapInputs.AccessCoin(tx.vin[i].prevout).out;
+
+        CScript prevScript = prev.scriptPubKey;
+
+        // Skip P2SH
+        if (prevScript.IsPayToScriptHash())
+            continue;
+
+        int witnessversion = 0;
+        std::vector<unsigned char> witnessprogram;
+        if (!prevScript.IsWitnessProgram(witnessversion, witnessprogram))
+            continue;
+
+        // Only check taproot v1 spends
+        if (witnessversion != 1 || witnessprogram.size() != WITNESS_V1_TAPROOT_SIZE)
+            continue;
+
+        Span stack{tx.witness.vtxinwit[i].scriptWitness.stack};
+
+        // Check for annex
+        if (stack.size() < 2 || stack.back().empty() || stack.back()[0] != ANNEX_TAG)
+            continue;
+
+        const auto& annex = SpanPopBack(stack);
+
+        // Need at least 2 more elements (control block + script) for script path spend
+        if (stack.size() < 2)
+            continue;
+
+        const auto& control_block = SpanPopBack(stack);
+        if (control_block.empty())
+            continue;
+
+        // Only check Simplicity spends (leaf version 0xbe)
+        if ((control_block[0] & TAPROOT_LEAF_MASK) != TAPROOT_LEAF_TAPSIMPLICITY)
+            continue;
+
+        // All annex bytes after 0x50 tag must be zero
+        std::vector<unsigned char> zero_padding(annex.size(), 0);
+        zero_padding[0] = ANNEX_TAG;
+        if (annex != zero_padding) {
+            reason = "bad-annex-nonzero-padding";
+            return false;
+        }
+
+        // Annex padding must provide exactly the right budget for the program's cost bound.
+        // The program is the second-to-last stack item (after popping CMR script and control block).
+        if (stack.size() < 1)
+            continue;
+
+        SpanPopBack(stack); // drop the CMR
+        if (stack.size() < 1)
+            continue;
+
+        const auto& simplicity_program = SpanPopBack(stack);
+
+        // Compute the program's cost bound (in milli weight units)
+        simplicity_err error;
+        ubounded cost_bound;
+        if (!simplicity_elements_computeCostBound(&error, &cost_bound, simplicity_program.data(), simplicity_program.size())) {
+            reason = "bad-annex-compute-cost";
+            return false;
+        }
+
+        // Budget = serialized witness size + VALIDATION_WEIGHT_OFFSET
+        // cost_bound is in milliWU, budget is in WU
+        // For exact padding: budget must equal ceil(cost_bound / 1000)
+        int64_t required_budget = ((int64_t)cost_bound + 999) / 1000;
+        int64_t actual_budget = ::GetSerializeSize(tx.witness.vtxinwit[i].scriptWitness.stack, PROTOCOL_VERSION) + VALIDATION_WEIGHT_OFFSET;
+
+        if (actual_budget != required_budget) {
+            reason = "bad-annex-padding-size";
+            return false;
+        }
+    }
+
+    return true;
+}
diff --git a/src/policy/policy.h b/src/policy/policy.h
@@ -134,6 +134,13 @@ bool IsWitnessStandard(const CTransaction& tx, const CCoinsViewCache& mapInputs)
 */
 bool IsIssuanceInMoneyRange(const CTransaction& tx);
 
+/**
+* Check that Simplicity transactions have exact annex padding:
+* - Annex bytes (after 0x50 tag) must all be zero
+* - Annex must be exactly the right size for the program's cost bound
+*/
+bool ExactAnnexPadding(const CTransaction& tx, const CCoinsViewCache& mapInputs, std::string& reason);
+
 /** Compute the virtual transaction size (weight reinterpreted as bytes). */
 int64_t GetVirtualTransactionSize(int64_t nWeight, int64_t nSigOpCost, unsigned int bytes_per_sigop);
 int64_t GetVirtualTransactionSize(const CTransaction& tx, int64_t nSigOpCost, unsigned int bytes_per_sigop);
diff --git a/src/validation.cpp b/src/validation.cpp
@@ -1016,6 +1016,12 @@ bool MemPoolAccept::PreChecks(ATMPArgs& args, Workspace& ws)
     if (tx.HasWitness() && fRequireStandard && !IsWitnessStandard(tx, m_view))
         return state.Invalid(TxValidationResult::TX_WITNESS_MUTATED, "bad-witness-nonstandard");
 
+    // Check Simplicity transactions for exact annex padding
+    std::string annex_reason;
+    if (tx.HasWitness() && fRequireStandard && !ExactAnnexPadding(tx, m_view, annex_reason)) {
+        return state.Invalid(TxValidationResult::TX_NOT_STANDARD, annex_reason);
+    }
+
     int64_t nSigOpsCost = GetTransactionSigOpCost(tx, m_view, STANDARD_SCRIPT_VERIFY_FLAGS);
 
     // We only consider policyAsset
