Module 08

Multisig

OP_CHECKMULTISIG validates M-of-N signatures: M keys must sign, out of a set of N. It's the foundation of shared custody, exchange cold storage, and the Lightning Network's funding transactions.

0 / 4 sections

What you'll learn

→Read and write M-of-N OP_CHECKMULTISIG scripts
→Explain the historical off-by-one bug and why OP_0 is required
→Understand signature/pubkey ordering constraints
→Describe real-world multisig use cases: exchange cold storage, shared custody, Lightning

OP_CHECKMULTISIG

OP_CHECKMULTISIG reads its parameters from the stack in a specific order, from top to bottom:

NNumber of public keys

<pubkey_N> … <pubkey_1>N public keys

MNumber of required signatures

<sig_M> … <sig_1>M signatures

OP_0Dummy element (historical bug)

1-of-1 multisig

The simplest multisig: 1 sig required out of 1 key. Functionally equivalent to OP_CHECKSIG but more expensive.

Script

▶OP_0

<sig>71B

OP_1

<pubkey>33B

OP_1

OP_CHECKMULTISIG

Stack0 items

↑ top of stack

nothing here yet

press Step or Run to push an item

bottom

OP_0—Pushes an empty byte array (false / zero) onto the stack.

0 stepsReady

The dummy bug

There's a bug in the original Bitcoin implementation of OP_CHECKMULTISIG: it pops one extra element from the stack after reading all the signatures. This was never fixed — changing it would break consensus.

To work around it, every multisig script must begin with a dummy value. By convention this is OP_0. BIP 147 later mandated that this dummy must specifically be an empty array, closing a malleability vector.

Without the dummy — broken

Script

▶<sig>71B

OP_1

<pubkey>33B

OP_1

OP_CHECKMULTISIG

Stack0 items

↑ top of stack

nothing here yet

press Step or Run to push an item

bottom

0x304402200102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f2002202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f4001—Push 71 bytes onto the stack.

0 stepsReady

With OP_0 dummy — correct

Script

▶OP_0

<sig>71B

OP_1

<pubkey>33B

OP_1

OP_CHECKMULTISIG

Stack0 items

↑ top of stack

nothing here yet

press Step or Run to push an item

bottom

OP_0—Pushes an empty byte array (false / zero) onto the stack.

0 stepsReady

The dummy is consumed silently by the off-by-one. If you forget it, the script pops a real signature as the dummy and the check fails.

✦Real Bitcoin

Multisig on mainnet

2-of-3 multisig is the standard for exchange cold storage. Each key is held by a different HSM or person — no single point of failure can drain the funds. The Lightning Network's channel funding transactions are 2-of-2 multisig.

2-of-3 multisig

The most common real-world multisig is 2-of-3: three parties hold keys, any two can authorise a spend. This is used by exchanges for cold storage and by users who want a backup key.

In this simulator we only have one valid key pair, so we'll demonstrate with 2-of-2: two separate entries of the same test-vector signature. In production each signature would come from a different private key.

Script

▶OP_0

<sig>71B

OP_2

<pubkey>33B

OP_2

OP_CHECKMULTISIG

Stack0 items

↑ top of stack

nothing here yet

press Step or Run to push an item

bottom

OP_0—Pushes an empty byte array (false / zero) onto the stack.

0 stepsReady

Signatures and public keys are matched left-to-right in order. Sig 1 must match a pubkey that appears before the pubkey matched by Sig 2. Ordering matters.

Your turn

Challenge

1-of-1 multisig from scratch

Write a 1-of-1 OP_CHECKMULTISIG script from scratch: OP_0, then the test-vector signature, then OP_1, then the pubkey, then OP_1, then OP_CHECKMULTISIG. Leave 1 (true) on the stack.

Ctrl+Enter to check

← Home