Home » Blog » Why It's Still Necessary to Audit Bitcoin Ordinals (Even Though They Don't Have Smart Contracts)
Why It's Still Necessary to Audit Bitcoin Ordinals (Even Though They Don't Have Smart Contracts)
3202 ,8 tsuguA

Why It's Still Necessary to Audit Bitcoin Ordinals (Even Though They Don't Have Smart Contracts)

As Ordinals blaze a trail in the Bitcoin community, shattering daily inscription records, for instance, in April 2023 with a torrent of multimedia content, one can’t help but wonder: Amidst the buzz, are we overlooking the vulnerabilities? Is this groundbreaking innovation truly as safe and sound as it appears?

Bitcoin Ordinals, what is this?

A genuine and insightful approach to create non-fungible tokens in the Bitcoin Network. Bitcoin Ordinals provide a groundbreaking way to create NFTs, but there’s more to it. Let’s unpack the story by starting with some core concepts like the use of locker scripts, and then dive into the details.

A Bit of Code Mystery

What is Locker Script in UTXO? A locker script, or payee script, is a key part of Bitcoin’s transaction system. Imagine it as a lock that only opens with the right key, setting the rules for spending the bitcoins.

To unravel how locker scripts function in Bitcoin, let’s delve into a real-world scenario. Picture this: a transaction is posted in the Bitcoin network with a challenging script. This script is an open invitation to anyone who can solve it, allowing them to redeem money from the transaction.


This script is a challenge, and it’s obviously an invitation for those who can unlock it. Anyone who can solve it can redeem money from this transaction, or more specifically, from the safe under this locker script in the transaction.

Warning! Soon it’ll be a bit too technical but don’t afraid, we will explain it step by step.

Now, to understand this script, we must recognize that it’s a set of commands known as opcodes. Here’s a brief explanation of what each part does:

  • OP_2: Pushes the number 2 onto the stack. Note: Think of the stack as if it’s a pile of some random staff, where normally you can only see and interact with the item on top.
  • OP_DUP: Duplicates the top item on the stack.
  • OP_ADD: Adds the top two numbers on the stack together.
  • OP_8: Pushes the number 8 onto the stack.
  • OP_EQUALVERIFY: Verifies that the top two numbers are equal; if so, removes them from the stack.
  • OP_SUB: Subtracts the second-to-top stack item from the top stack item.
  • OP_2: Pushes the number 2 onto the stack.
  • OP_EQUAL: Checks if the top two stack items are equal.

The key or unlocker script that we want to figure out should be combined with this locker script and return TRUE after processing. That would mean that the unlocking was successful.

Let’s figure out the answer:

  • We start by pushing the number 2 onto the stack.
  • We duplicate it; our stack is now [2,2].
  • We add them together. The stack is now [4].
  • We need to add another 4 to this to make it 8, so our unlocking script should start with OP_4.
  • After adding, the stack becomes [8].
  • OP_8 OP_EQUALVERIFY confirms the top of the stack is 8 and pops it off. The stack is now empty.
  • OP_SUB will subtract the next value from the top value, so our unlocking script should end with OP_6 to make the subtraction result in 2.
  • Pushing 2 onto the stack and then checking equality with OP_EQUAL will give TRUE.
  • The correct unlocking script here would be: OP_4 OP_6.

Note: The actual money from the described transaction has already been redeemed.

In a classic locker script, things work a bit more straightforwardly, typically involving standard commands for checking a public key and signature, like

OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG. This simple script ensures that the spender owns the private key corresponding to the public key hash, effectively “unlocking” the Bitcoin for spending.

Now, what’s about Ordinals?

There are different locker scripts that provide flexibility and uniqueness in how you send or spend tokens, and if we want to pass some data there, we are going to use a specific opcode command OP_RETURN and then place the data, to create something we call NULL data locking scripts. They are essential for ordinals.

But what exactly are ordinals?

A novel development, ordinals are Bitcoin’s take on NFTs. Unlike other NFTs that store items as IPFS links, ordinals keep the actual item on the blockchain, aiming to reduce fees and energy consumption. They can hold various content types within the blockchain’s size constraints. And the term itself came from The Ordinals Project.

The Ordinals Project was introduced by Casey Rodarmor in January 2023, and soon enough Bitcoin Ordinals has become a buzzword. It allows satoshis to become unique and identified, just like NFTs. Thanks to the Taproot upgrade, Bitcoin developers were able to inscribe digital assets on the lowest denomination of Bitcoin, i.e., Satoshi. The process is known as inscription, and it enables the creation of Bitcoin NFTs.

Ordinals File Types

Let’s try to scan the Bitcoin chain’s transaction history. What can we see here? From alert scripts to image and video files, the diversity of content is massive. Here are some examples of file types found in SegWit items containing ordinals:

  • 10 occurrences of an empty string
  • 1 <script>alert(‘xss in content type’)</script>
  • 24167 application/json
  • 442976 image/png
  • … and many more, totaling 45 file types in 2518535 SegWit items.

Here’s where the real complexity lies.

From our previous discussions, it’s evident that sats locked under certain scripts can effectively act as unique tokens. They come with a side dish of block hash, transaction hash, trx index in block, and other metadata, in general — a precise location. Once they’re on the blockchain, they stay put. Sounds simple and safe, right? Well… Remember the file type that sneakily tried to alert a script vulnerability?

That’s the real iceberg under the calm water.

Let’s go though it step by step:

1. Content Storage: The script sig essentially acts as a storage box. While it’s a tad challenging to store malicious content there, it’s crucial not to underestimate the craftiness of hackers. Think of a scenario where a hacker alters your site and switches your ordinals’ addresses with their rogue versions — setting the stage for a potential xss attack, and this is just one of many examples. Confirming the authenticity of the tokens and their source becomes essential.

2. The Uploading Quandary: Uploading ordinals isn’t a walk in the park. In fact it requires a lot, even a full Bitcoin node! Most projects resort to no-code uploaders or some side-solutions for easing the process. It’s practical, but what’s going on under the hood? For instance, in traditional EVM, transferring ownership of a contract deployed by some third party can counteract some risks. With ordinals, on the other hand, it’s more than just owning the token. An unseen duplicate of your unique token might exist somewhere, or there might be glitches in the token locker script. The key? Know your tools or at least see an audit company’s stamp of approval on them.

3. Arbitrage: Since ordinals are arbitrary tokens, it’s vital to understand how they are utilized by arbitrary logic, as an example, in platforms like Stacks. Any misinterpretation in interactions can open the door to potential problems. Whether it’s mismatched expectations or unforeseen complexities in the interaction mechanisms, the space of arbitrage within ordinals demands close scrutiny and a keen understanding of the underlying mechanics.

It’s not just about crafting or owning the token; it’s about how that token behaves in a broader ecosystem. Inattention to these details could lead to unexpected risks and vulnerabilities. Make sure to engage with the token’s functionality with caution, clear comprehension, and the guidance of experts if necessary.

4. The Presentation & Client Logic: The endgame for these tokens? Showcase them to users for various purposes like trading on NFT marketplaces, integrating into DAO logic, or for in-game assets. Here’s where the nuances come in:

  • NFT Marketplaces: Without the crutch of smart contracts, the transaction routing becomes pivotal. How are BTC transactions being crafted and executed? Every step is a potential vulnerability.
  • DAO: DAOs have their unique challenges and vulnerabilities. Ensure that all aspects are examined for potential weak points that could be exploited by malicious actors.
  • Even Mobile Wallets! Many assume mobile apps provide robust security, but they can be prone to serious breaches. Whether it’s the mobile app running on an insecure device, communication to the backend being intercepted, or sending excessive data (including crucial information like private keys), all these facets need meticulous scrutiny. An overlooked loophole could turn into a disastrous security failure.

In conclusion, if you’re using ordinals to store media content, ensure the integrity of the data. Be selective and vigilant about the tools and platforms in your ecosystem. Seek audited certifications, especially if they aren’t readily presented.

Venturing into uncharted territories, like the evolving Bitcoin ordinal space, is thrilling. But remember, with pioneering comes the responsibility of navigating unforeseen challenges. Take that extra step for security, especially when the terrain is unfamiliar.

Stay vigilant, and stay safe.

We use cookies on our website to improve user experience and analyze website traffic. By clicking “Accept“, you agree to our website's cookie use as described in our Privacy Policy.