The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32379.

Reviews

See the guideline for information on the review process.
A summary of reviews will appear here.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #32421 (test: refactor: overhaul (w)txid determination for CTransaction objects by theStack)
• #32317 (kernel: Separate UTXO set access from validation functions by TheCharlatan)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

This may however cause issues for orphan resolution in adversarial situations, since fetching the parent is done using its txid. Greg Sanders pointed out to me on IRC this could be an issue for package relay.

Just want to point out this is one of the motivations for (real) package relay, so we can get rid of txid-based fetching. https://github.com/bitcoin/bips/blob/master/bip-0331.mediawiki#handle-orphans-better

Today however, you'd be able to block (opportunistic) "package relay" by sending the parent witness-stripped first.

🐙 This pull request conflicts with the target branch and needs rebase.

It took me a while to remember the context here, since we had those discussions offline. I'll try to put a short summary here for anybody else who did not participate in those discussions or doesn't remember the details.

The current behaviour in master is the following. Upon Script validation failure of an unconfirmed transaction:

If the transaction has no witness attached, Script validation will be performed a second and third time to detect whether it is spending a witness program:

This 3-step logic was introduced along with Segwit in 8b49040, to avoid adding the txid of transactions with a mutated witness to the reject filter. This was changed in #8525, after which witness transactions which failed validation were never added to the reject filter at all. This is because it would otherwise trivial for an attacker to hinder the propagation of a witness transaction until wtxid-relay (see #8279).

The witness malleation issue was fixed with wtxid-relay in #18044, since at this point inserting the wtxid of a rejected transaction in the reject filter won't prevent the same transaction with a different (valid) witness to be accepted in the future (if it is announced on wtxid relay connection). However, this 3-step script validation logic was still necessary until the network was mostly upgraded to wtxid relay. This is because otherwise one malicious peer could still interfere with the honest transaction relay of all txid-relay peers. The attack is as follows:

• An honest node has N txid-relay peers and one malicious wtxid-relay peer (the malicious peer can be wtxid or txid it doesn't matter).
• A valid witness transaction is broadcast. Before any of its honest txid-relay peers sends the valid witness transaction to the node, the malicious peer sends it after stripping its witness.
• The honest node now has the wtxid of the witness-stripped transaction, i.e. the txid of the transaction, in its reject filter. Any honest txid-relay peer trying to announce the valid witness transaction will hit the reject filter.

This is not a concern anymore because wtxid-relay was released on 2021-01-15 with 0.21.0. Nowadays, virtually all connections on the network are wtxid-relay. Therefore we can get rid of performing 3 times the expensive Script validation on non-witness transactions relayed to us for ~free. This is the argument made by OP.

However, this is not the full story. Since wtxid-relay was introduced a new form of dependency on "txid-based transaction resolution" was introduced with 1p1c package relay (h/t @instagibbs and @glozow). It is still possible for a malicious peer to interfere with parent resolution in this case. That is, if this resolution checks the reject filter, which @glozow shared a branch to stop doing: #32379 (review).

Therefore this change is in the end a tradeoff between getting rid of the 3x script validation and being able to cache rejected parents in 1p1c.

This doesn't fully fix the fact that 1p1c is disrupted, because the parent is still not requested (its txid is AlreadyHave).

Couldn't AlreadyHave() be tweaked to optionally not look up the reject filter similarly to include_reconsiderable:

It seems like a smaller change than not checking the reject filter anymore for parent resolution, so we might as well do both so as to not affect 1p1c behaviour at all?

Since wtxid-relay was introduced a new form of "txid-based transaction resolution" was introduced with 1p1c package relay

No, txid-based orphan resolution has been around for many years - I think before segwit. Opportunistic 1p1c just submits the parent and child together when the parent arrives.

Yes what i meant is "we now rely on something else for which it's pretty bad if one peer can block us from seeing a transaction". Changed the wording, thanks.

Couldn't AlreadyHave() be tweaked to optionally not look up the reject filter:

I assume you mean just for the check that filters getdatas. That means we'll then request transactions we've already rejected (we don't know whether this is an orphan resolution or a normal tx). Although maybe that won't lead to too many redownloads in practice, since the filter will still exist at inv receipt. Or maybe we also skip when the getdata is of type txid? Will have a think.

Thanks for writeup @darosior 👍

This is not a concern anymore because wtxid-relay was released on 2021-01-15 with 0.21.0. Nowadays, virtually all connections on the network are wtxid-relay.

Digging out some things from my (faint) memory, there was also some discussion about whether it's problematic if some service uses txid-based relay and an attacker tries to censor their transactions by sending everybody witness stripped versions ahead of time. I think we concluded that this level of attack (where attacker is the first person to hear about it AND manages to frontrun every single connection made by the victim) is out of scope.

Yes, especially if we consider the costs to mitigating this. We shouldn't impose to all Bitcoin nodes on the network to perform 3 times expensive Script validation just for some company that 1) doesn't want to update their service to wtxid-relay after 5 years* while 2) running the risk of a somewhat sophisticated attack.

* If this is released in 30.0, by the time most nodes on the network upgrade it will have been more than 5 years since wtxid-relay was released.

Following up, this branch removes the logic to halt orphan-processing when there are rejected parents, and removes rejection cache checking by txid altogether. It also adds a new delay for peers that don't support BIP 339 (distinct from the delay for requests by txid): https://github.com/glozow/bitcoin/tree/2025-07-wtxid-only-rej It should be sufficient to address the 1p1c issue.

There is a theoretical bandwidth increase from redownloading transactions, but my guess is it's minimal. Nonsegwit transactions, peers that don't support BIP 339, and rejections in general should be fairly rare. I'll use this branch to gather some data on how big these numbers actually are and get back to you?

I ran the above patch for a while and added logging to collect some stats and see how much more redownloading we’d do. TLDR it seems like we can definitely go ahead with it.

Caveats: Traffic has been very low so I set my mempool expiry to 1 hour to try to induce more orphan-fetching. I’m a default policy node so I don’t really expect to be relayed many transactions I’ll reject. There isn’t much opportunity to test reconsiderable rejections right now because of how low transaction traffic is.

My stats in the last 7 days*:

• 100% of my peers have supported wtxidrelay
• 2,482,307 of 2,650,818 (93.64%) of transactions I accepted to my mempool had witnesses.
• 99,900 out of 2,740,857 (3.64%) of the GETDATAs I sent were by txid (we can infer that 100% of these are orphan parent fetching since all my peers were wtxidrelay).
• Out of the 64,832 orphans I saw, I didn’t see any of their parents in the RecentRejects filter. So I kept all of them (which means these changes didn’t affect the number of orphans I kept).
• I sent 99,900 requests for 36,319 unique parents. Of the 33,242 transactions I received, 96.20% of them had witnesses and 91.53% were accepted to mempool.

The impact of this patch is that we’ll redownload a transaction that is (1) nonsegwit (2) when we are requesting by txid (in practice, always orphan resolution) and (3) we’ve already rejected it.
I don’t have meaningful stats on rejections, but nonsegwit orphan parents were 0.047% of the transactions I downloaded - a couple dozen per day. The fRejectedParents logic seems to have very little benefit.

Can this be closed?

I was waiting to see the outcome of #33066 to see what to do of this, but i'm happy to close and reopen if necessary. 🤷‍♂️