feat(psbt): change default to accept witness UTXOs for non-segwit inputs

Default PSBT behavior now allows signing non-segwit inputs with witnessUtxos
instead of requiring the full previous transaction. This reduces potential
DDoS attack vectors by not requiring the storage of previous transaction
data in the input map.

Issue: BTC-2285

Author: davidkaplanbitgo

src/psbt.js

@@ -71,13 +71,11 @@ class Psbt {
       __TX: this.data.globalMap.unsignedTx.tx,
       // Psbt's predecesor (TransactionBuilder - now removed) behavior
       // was to not confirm input values  before signing.
-      // Even though we highly encourage people to get
-      // the full parent transaction to verify values, the ability to
-      // sign non-segwit inputs without the full transaction was often
-      // requested. So the only way to activate is to use @ts-ignore.
-      // We will disable exporting the Psbt when unsafe sign is active.
-      // because it is not BIP174 compliant.
-      __UNSAFE_SIGN_NONSEGWIT: false,
+      // Due to the potential of DDoS by requiring the previous
+      // transaction to be in the input map, we are defaulting the
+      // behavior to not require the previous transaction and instead
+      // use a witnessUtxo.
+      __UNSAFE_SIGN_NONSEGWIT: true,
       __WARN_UNSAFE_SIGN_NONSEGWIT: true,
       __TX_FROM_BUFFER: buf =>
         this.constructor.transactionFromBuffer(buf, this.opts.network),
@@ -696,7 +694,8 @@ function canFinalize(input, script, scriptType) {
 }
 function checkCache(cache) {
   if (cache.__UNSAFE_SIGN_NONSEGWIT !== false) {
-    throw new Error('Not BIP174 compliant, can not export');
+    // Do not throw in this case as we are now defaulting this to true
+    // throw new Error('Not BIP174 compliant, can not export');
   }
 }
 function hasSigs(neededSigs, partialSig, pubkeys) {

test/fixtures/psbt.ts

@@ -155,13 +155,6 @@ export const fixtures = {
       },
     ],
     failSignChecks: [
-      {
-        description: 'A Witness UTXO is provided for a non-witness input',
-        errorMessage: 'Input #0 has witnessUtxo but non-segwit script',
-        psbt:
-          'cHNidP8BAKACAAAAAqsJSaCMWvfEm4IS9Bfi8Vqz9cM9zxU4IagTn4d6W3vkAAAAAAD+////qwlJoIxa98SbghL0F+LxWrP1wz3PFTghqBOfh3pbe+QBAAAAAP7///8CYDvqCwAAAAAZdqkUdopAu9dAy+gdmI5x3ipNXHE5ax2IrI4kAAAAAAAAGXapFG9GILVT+glechue4O/p+gOcykWXiKwAAAAAAAEBItPf9QUAAAAAGXapFNSO0xELlAFMsRS9Mtb00GbcdCVriKwAAQEgAOH1BQAAAAAXqRQ1RebjO4MsRwUPJNPuuTycA5SLx4cBBBYAFIXRNTfy4mVAWjTbr6nj3aAfuCMIACICAurVlmh8qAYEPtw94RbN8p1eklfBls0FXPaYyNAr8k6ZELSmumcAAACAAAAAgAIAAIAAIgIDlPYr6d8ZlSxVh3aK63aYBhrSxKJciU9H2MFitNchPQUQtKa6ZwAAAIABAACAAgAAgAA=',
-        inputToCheck: 0,
-      },
       {
         description:
           'redeemScript with non-witness UTXO does not match the scriptPubKey',

ts_src/psbt.ts

@@ -145,13 +145,11 @@ export class Psbt {
       __TX: (this.data.globalMap.unsignedTx as PsbtTransaction).tx,
       // Psbt's predecesor (TransactionBuilder - now removed) behavior
       // was to not confirm input values  before signing.
-      // Even though we highly encourage people to get
-      // the full parent transaction to verify values, the ability to
-      // sign non-segwit inputs without the full transaction was often
-      // requested. So the only way to activate is to use @ts-ignore.
-      // We will disable exporting the Psbt when unsafe sign is active.
-      // because it is not BIP174 compliant.
-      __UNSAFE_SIGN_NONSEGWIT: false,
+      // Due to the potential of DDoS by requiring the previous
+      // transaction to be in the input map, we are defaulting the
+      // behavior to not require the previous transaction and instead
+      // use a witnessUtxo.
+      __UNSAFE_SIGN_NONSEGWIT: true,
       __WARN_UNSAFE_SIGN_NONSEGWIT: true,
       __TX_FROM_BUFFER: buf =>
         (this.constructor as typeof Psbt).transactionFromBuffer(
@@ -950,7 +948,8 @@ function canFinalize(
 
 function checkCache(cache: PsbtCache): void {
   if (cache.__UNSAFE_SIGN_NONSEGWIT !== false) {
-    throw new Error('Not BIP174 compliant, can not export');
+    // Do not throw in this case as we are now defaulting this to true
+    // throw new Error('Not BIP174 compliant, can not export');
   }
 }