From: STEVEN SLATER <thugm501@gmail.com>
To: Murch <murch@murch.one>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] [BIP Draft] Dust UTXO Disposal Protocol
Date: Mon, 6 Apr 2026 19:11:49 +0100 [thread overview]
Message-ID: <CAP+9vXOVhnCC5fPjK1q9d_gL0+oHs1-Gk3p04=w90W6dW1PbcQ@mail.gmail.com> (raw)
In-Reply-To: <5028df3d-22ec-4a3e-9b54-64a4f1f0cefc@murch.one>
[-- Attachment #1: Type: text/plain, Size: 21531 bytes --]
Response to Feedback on Transaction Aggregation Proposal
Hi Murch,
Thank you for taking the time to review my proposal and for raising these
thoughtful points.
On the question of requiring an ash-output: I did consider the idea of
mandating it universally. The main trade-off is between simplicity in
aggregation and the overhead cost. A fixed 3‑byte addition per transaction
is relatively small, but when scaled across high‑volume usage it does
introduce measurable bloat. My current rationale was to avoid imposing that
cost on transactions that are unlikely to benefit from aggregation. That
said, I agree that in scenarios where feerates fluctuate significantly and
dust transactions linger in the mempool, a standardized ash-output could
make collapsing transactions more predictable and efficient. I’ll expand
the rationale to weigh the benefits of guaranteed collapsibility against
the marginal overhead, and outline conditions where the overhead is
justified.
Regarding incompatible outputs: you’re right that independent submissions
with conflicting outputs cannot be aggregated. My intent was to highlight
that aggregation works best when inputs are aligned, and that ash-output
could serve as a safeguard to preserve compatibility. I’ll clarify this
point further in the next revision.
Thank you also for the correction on feerate policy backports to Bitcoin
Core 29.1 and 28.3. I’ll update the proposal to reflect that users on those
branches will indeed propagate sub‑sat transactions.
I appreciate your constructive feedbackit helps sharpen the rationale and
ensures the proposal is practical for broader adoption. I’ll incorporate
these clarifications before submission.
Best regards,
Steven
On Mon, 6 Apr 2026, 5:26 pm Murch, <murch@murch.one> wrote:
> Hi bubb1es,
>
> I just skimmed your proposal and was considering the impact of the two
> possible output variants. As you mention in the description of the test
> cases, adding more inputs to a transaction would retain the output of
> the first transaction that appeared on the network. However, if two
> users independently submit transactions with incompatible outputs, third
> parties would not be able to aggregate those transactions into a single
> transaction.
>
> I was wondering whether you considered generally requiring the
> ash-output to ensure that transactions can always be collapsed. This may
> especially be attractive if feerates will be more dynamic in the future
> and dust disposal transactions linger in the mempool for a while.
>
> It probably comes down to how heavily this scheme will be used whether a
> general 3-byte overhead is justifiable to simplify aggregation. Either
> way, perhaps you could expound a bit on that trade-off in your rationale.
>
> Also, minor correction: the feerate policy change was backported to
> Bitcoin Core 29.1 and Bitcoin Core 28.3, so users running the latest
> releases of those major branches would also propagate sub-sat transactions.
>
> Otherwise, this proposal looks reasonable to me. Looking forward to your
> submission.
>
> Cheers,
> Murch
>
> On 2026-03-30 11:34, 'bubb1es' via Bitcoin Development Mailing List wrote:
> >
> > Hi, based on a topic I started on Delving <https://delvingbitcoin.org/t/
> > disposing-of-dust-attack-utxos/2215> I'd like to gather feedback from
> > this community for a BIP to standardize disposing of dust UTXOs by
> > spending their values to the fee of single OP_RETURN output transactions.
> >
> > Thanks in advance for taking your time to consider this proposal.
> >
> > ```
> > BIP: ?
> > Layer: Applications
> > Title: Dust UTXO Disposal Protocol
> > Authors: bubb1es <bubb1es71@proton.me>
> > harris <imtux2@proton.me>
> > Status: Draft
> > Type: Specification
> > Assigned: ?
> > License: CC0-1.0
> > Discussion: 2026-01-25: https://delvingbitcoin.org/t/disposing-of-dust-
> > attack-utxos/2215
> > Version: 0.1.0
> > ```
> >
> > ## Abstract
> >
> > This BIP specifies a standardized protocol for safely disposing of dust
> > UTXOs by spending them to an OP_RETURN output with the entire value
> > going to transaction fees. The protocol enables wallet software to
> > remove unwanted small-value UTXOs, particularly those received in dust
> > attacks, without creating new address linkages or degrading user
> > privacy. The specification includes transaction format requirements,
> > signature conventions enabling third-party batching, and validation
> > rules for compliant implementations.
> >
> > ## Motivation
> >
> > ### The Dust Attack Problem
> >
> > Dust attacks are a well-documented privacy threat where attackers send
> > small amounts of bitcoin to numerous addresses. When wallet software
> > later consolidates these dust UTXOs with non-dust UTXOs, the attacker
> > can analyze the blockchain to link previously unassociated addresses,
> > potentially deanonymizing users.
> >
> > The common solution to this issue is to "lock" dust UTXOs and never
> > spend them, but this creates its own problems:
> >
> > 1. **UTXO Set Bloat**: Unspent dust permanently occupies space in the
> > UTXO set that all full nodes must maintain.
> > 2. **Wallet Clutter**: Accumulated dust degrades wallet usability and
> > complicates coin selection.
> > 3. **Accidental Consolidation**: Users may inadvertently spend dust
> > during legitimate transactions, achieving the attacker's goal.
> > 4. **Lock Fragility**: Wallet software that "locks" dust UTXOs to
> > prevent spending provides only temporary protection; wallet migrations,
> > restores from seed phrases, software bugs, or inheritance scenarios can
> > inadvertently unlock dust, exposing users to the original attack.
> >
> > ### Why OP_RETURN Disposal
> >
> > Spending dust to an OP_RETURN output with the entire value going to fees
> > provides several benefits:
> >
> > 1. **No New UTXOs**: OP_RETURN outputs are provably unspendable and not
> > stored in the UTXO set.
> > 2. **No Address Linking**: Without a change output, there is no new
> > address to link.
> > 3. **Permanent Removal**: The dust UTXOs are removed from the user's
> > wallet entirely.
> > 4. **Miner Compensation**: OP_RETURN outputs are small, providing higher
> > transaction fee rates.
> > 5. **No Cost to Victims**: Dust attack UTXO values are used to pay for
> > their own disposal.
> >
> > ### Why Standardization
> >
> > A standardized protocol enables:
> >
> > 1. **Wallet Anonymity**: Transactions with a standard format cannot be
> > used to fingerprint the wallet software a user is running.
> > 2. **Third-Party Batching**: Multiple dust disposals can be combined
> > into single transactions, reducing overall block space consumption.
> > 3. **Best Practice Codification**: Ensures implementations follow
> > privacy-preserving best practices.
> > 4. **Easy Identification**: Chain analysis tools can use disposal
> > transactions to help trace the sources of dust attacks.
> >
> > ## Specification
> >
> > ### Transaction Format
> >
> > A compliant dust disposal transaction MUST satisfy all the following
> > requirements:
> >
> > #### Overall
> >
> > 1. The transaction MUST signal RBF replaceability (nSequence <
> 0xFFFFFFFE).
> > 2. The ntimelock MUST be set to block height 0.
> > 3. The fee rate MUST be at least 0.1 sat/vB.
> >
> > #### Outputs
> >
> > 1. The transaction MUST have exactly one output.
> > 2. The single output MUST be an OP_RETURN.
> > 3. The OP_RETURN data MUST be either:
> > - Empty: `0x6a 0x00` (OP_RETURN OP_0), or
> > - The ASCII string "ash": `0x6a 0x03 0x61 0x73 0x68` (OP_RETURN
> > OP_PUSHBYTES_3 "ash").
> >
> > The "ash" marker MUST be used when padding is needed to meet the 65 vB
> > minimum standard transaction size with a single witness input.
> > Implementations MUST prefer empty OP_RETURN data when the transaction
> > already meets minimum size requirements.
> >
> > #### Inputs
> >
> > 1. All inputs MUST use the signature hash type `SIGHASH_ALL |
> > SIGHASH_ANYONECANPAY` (0x81).
> > 2. For Taproot (P2TR) inputs using key-path spending, implementations
> > MUST explicitly append the signature hash type byte `SIGHASH_ALL |
> > SIGHASH_ANYONECANPAY` (0x81) to enable ANYONECANPAY semantics, as the
> > default sighash for Taproot (SIGHASH_DEFAULT, which omits the byte) does
> > not include ANYONECANPAY.
> > 3. All inputs must be confirmed in the blockchain at least one block
> deep.
> >
> > #### Fees
> >
> > 1. The entire input value MUST go to fees (output value is zero for
> > OP_RETURN).
> > 2. The transaction fee rate MUST be at least 0.1 sat/vB to meet minimum
> > relay requirements (Bitcoin Core 30.0+).
> > 3. The transaction fee rate MAY be higher based on the available dust
> > UTXO amounts and transaction size.
> >
> > ### Transaction Size
> >
> > 1. The transaction base size MUST be at least 65 bytes to meet Bitcoin
> > Core's minimum relay size standardness rule.
> > 2. If the transaction would otherwise be smaller than 65 bytes, the
> > OP_RETURN value "ash" as ASCII (UTF-8) bytes (0x61, 0x73, 0x68) MUST be
> > used to pad the transaction's size to 65 bytes.
> >
> > ### Address Consolidation Rules
> >
> > Implementations consolidating dust UTXOs for a single user (i.e., not
> > third-party batching services):
> >
> > - MUST NOT spend dust UTXOs that were sent to different addresses in the
> > same transaction.
> > - MUST NOT broadcast dust disposal transactions at the same time for
> > dust sent to different addresses.
> > - SHOULD spend dust UTXOs for dust sent to the same address in one
> > transaction.
> >
> > ### Batching Dust Disposal Transactions via RBF
> >
> > Multiple unconfirmed dust disposal transactions created by unrelated
> > entities MAY be batched into a single replacement transaction using
> > Replace-By-Fee (RBF). This is enabled by the inputs SIGHASH_ANYONECANPAY
> > signature type.
> >
> > In addition to standard RBF rules, batch dust disposal transactions must
> > follow all transaction construction requirements for non-batched dust
> > disposal transactions.
> >
> > #### Third-Party Batching
> >
> > A third-party batching service for dust disposal transactions could
> > compromise their users' privacy by collecting user-related network and
> > timing metadata. The best practice for these services is:
> >
> > 1. The service MUST NOT collect pre-signed inputs directly from wallet
> > users.
> > 2. The service SHOULD collect pre-signed inputs from the public bitcoin
> > network mempool.
> > 3. The service MAY add their own UTXO inputs to improve the batch
> > transaction's fee rate as long as all the requirements of this
> > specification are still followed.
> >
> > This mempool-based approach preserves user privacy while enabling
> > efficient batching:
> >
> > 1. Users broadcast their individual dust disposal transactions to the
> > network.
> > 2. Batching services monitor the mempool for compliant dust disposal
> > transactions.
> > 3. Services can combine unconfirmed transactions via RBF without knowing
> > user identities.
> >
> > ### Dust Threshold
> >
> > Implementations SHOULD allow users to configure their own dust threshold
> > based on:
> >
> > 1. The current and anticipated fee rates.
> > 2. The dust input script type, different types have different spending
> > costs.
> > 3. The varying amounts that may be used by dust attack initiators.
> >
> > A UTXO is generally considered dust if its value is less than the cost
> > to spend it at a reasonable fee rate, but any small UTXO value could be
> > used in a dust attack.
> >
> > ### Security Considerations
> >
> > #### Transaction Signing
> >
> > 1. **Key Security**: Signing dust disposal transactions requires signing
> > with the user's wallet private keys. This could be a risk for cold
> > storage wallets where the key or keys needed to sign are not easily
> > accessible.
> > 2. **Transaction Correctness**: Transaction signers must carefully
> > review and verify that only dust UTXOs are spent and no other inputs are
> > signed.
> >
> > #### Privacy Preservation
> >
> > 1. **Network surveillance**: Internet service providers and other
> > internet monitors may be able to determine the nodes that initially
> > broadcast a dust disposal transaction. If available the
> > `sendrawtransaction -privatebroadcast` RPC feature should be used
> > (available in [Bitcoin Core 31.0](https://github.com/bitcoin-core/
> > bitcoin-devwiki/wiki/31.0-Release-Notes-Draft#p2p-and-network-changes)).
> > 2. **Timing Analysis**: Users should be aware that the timing of dust
> > disposal transactions is publicly observable. Dust disposal transactions
> > should not be broadcast at the same time or on a predictable schedule.
> > 3. **Amount Analysis**: The specific dust amounts selected for dust
> > disposal if outside the norm may be used to fingerprint the wallet
> > creating the disposal transactions.
> >
> > ## Rationale
> >
> > ### Why Empty or "ash" OP_RETURN Data?
> >
> > 1. **Minimal Size**: Empty data (2 bytes: OP_RETURN OP_0) minimizes the
> > transaction size.
> > 2. **Standardization**: Consistent transaction construction eliminates
> > wallet fingerprinting.
> > 3. **Padding Option**: The "ash" string (5 bytes: OP_RETURN
> > OP_PUSHBYTES_3 "ash") provides a standardized way to meet the minimum
> > transaction size; e.g., for a single P2TR dust input.
> > 4. **Semantic Meaning**: The word "ash" metaphorically represents the
> > result of "burning" the dust.
> >
> > ### Why Per-Address Transactions?
> >
> > Consolidating dust from multiple addresses for the same wallet creates
> > the same privacy harm that dust attacks attempt to achieve. By requiring
> > wallet software to create separate transactions per address (by
> > default), the protocol ensures dust disposal doesn't harm privacy.
> >
> > ### Why 65 Byte Minimum?
> >
> > Bitcoin Core enforces a minimum transaction base size of 65 bytes as a
> > policy rule to prevent certain attack vectors. Compliant transactions
> > must meet this threshold to be relayed by standard nodes.
> >
> > ### Why 0.1 sat/vB Minimum Fee Rate?
> >
> > [Bitcoin Core 30.0](https://bitcoincore.org/en/releases/30.0/) reduced
> > the minimum relay fee rate to 0.1 sat/vB (1 sat/kvB). This allows dust
> > UTXOs to be disposed of economically even when their value is very
> > small. Implementations targeting earlier node versions may need higher
> > minimum fee rates.
> >
> > ### Why SIGHASH_ALL|ANYONECANPAY?
> >
> > The ANYONECANPAY flag allows additional inputs to be added to the dust
> > disposal transaction after signing. This provides several benefits:
> >
> > 1. **Batching**: Unrelated dust disposal transactions can be found in
> > the mempool and batched together via RBF.
> > 2. **User privacy**: Transactions shared via the public mempool do not
> > reveal user identity metadata.
> > 3. **Fee Bumping**: Additional inputs can be added by unrelated third
> > parties to increase the fee rate.
> >
> > ### Why nLockTime block height 0
> >
> > 1. **User privacy**: Using the same nLockTime for all dust disposal
> > transactions obscures when it was created.
> > 2. **Fee sniping**: The value of disposal transactions should be small
> > enough that fee sniping is not a concern.
> >
> > ## Backwards Compatibility
> >
> > This BIP introduces no changes to the Bitcoin consensus rules or peer-
> > to-peer protocol. All transactions conforming to this specification are
> > valid under existing consensus rules and can be relayed by nodes
> supporting:
> >
> > - OP_RETURN outputs (Bitcoin Core 0.9.0+)
> > - SIGHASH_ANYONECANPAY (original Bitcoin feature)
> > - 0.1 sat/vB minimum relay fee (Bitcoin Core 30.0+)
> > - Private transaction broadcast (Bitcoin Core 31.0+)
> >
> > Nodes running Bitcoin Core versions prior to 30.0 do not relay
> > transactions with fee rates below 1 sat/vB which could slow the relaying
> > of disposal transactions with lower fee rates.
> >
> > ## Reference Implementation
> >
> > A reference implementation is available at: https://github.com/
> > bubb1es71/ddust
> >
> > The implementation provides:
> > - Command-line tool for creating dust disposal transactions
> > - Automatic dust detection based on configurable thresholds
> > - Transaction batching via RBF
> > - Support for P2PKH, P2SH, P2WPKH, P2WSH, and P2TR input descriptors
> > - Integration with Bitcoin Core (version 30.0+) via RPC for syncing and
> > broadcasting transactions
> >
> > ## Test Cases
> >
> > The test cases below can be used to verify a wallet disposes of dust
> > UTXOs according to the specification in this BIP.
> >
> > ### List dust
> >
> > 1. Create payment addresses for multiple address types, send dust and
> > non-dust amounts to these addresses, verify that listing dust only
> > returns UTXOs at or below the configured dust threshold (e.g. 1000 sats).
> > 2. Create confirmed and unconfirmed dust UTXOs in the test wallet,
> > verify listing dust only returns the confirmed dust UTXOs.
> >
> > ### Spending dust
> >
> > All valid dust disposal transactions should be verified to be accepted
> > into the bitcoind (Bitcoin Core 30.0+) mempool.
> >
> > 1. Spending a single witness (Bech32m/P2TR) dust UTXO must produce a
> > dust disposal transaction with a single "ash" OP_RETURN output.
> > 2. Spending multiple dust UTXOs always produces a single empty OP_RETURN
> > output regardless of script type.
> > 3. Spending a single 2-of-2 P2SH multisig dust UTXO produces a single
> > empty OP_RETURN output.
> > 4. All dust UTXOs sent to the same address are disposed of in the same
> > transaction.
> > 5. Dust disposal transactions only include confirmed dust UTXOs.
> >
> > #### Example dust disposal transaction sizes
> >
> > | | P2PKH | P2SH (2-3) | P2WPKH | P2WSH (2-3) | P2TR |
> > |-------------------|-------|------------|--------|-------------|-------|
> > | Overhead (b) | 10 | 10 | 10 | 10 | 10 |
> > | Input (b) | 148 | 295 | 41 | 41 | 41 |
> > | OP_RETURN (b) | 11 | 11 | 14 | 14 | 14 |
> > | Base size (b) | 169 | 316 | 65 | 65 | 65 |
> > | Witness data (b) | 0 | 0 | 108 | 255 | 67 |
> > | Size (b) | 169 | 316 | 173 | 320 | 132 |
> > | Weight (wu) | 676 | 1264 | 370 | 517 | 329 |
> > | Virtual Size (vb) | 169 | 316 | 92.5 | 129.25 | 82.25 |
> >
> > #### Example dust disposal transaction fee rates (sats/vb)
> >
> > | Input Amount | P2PKH | P2SH (2-3) | P2WPKH | P2WSH (2-3) | P2TR |
> > |--------------|---------|------------|--------|-------------|-------|
> > | 294 | 1.74 | 0.93 | 3.18 | 2.27 | 3.57 |
> > | 300 | 1.78 | 0.95 | 3.24 | 2.32 | 3.65 |
> > | 325 | 1.92 | 1.03 | 3.51 | 2.51 | 3.95 |
> > | 330 | 1.95 | 1.04 | 3.57 | 2.55 | 4.01 |
> >
> > ### Batching dust disposal txs via RBF
> >
> > 1. Adding a Bech32m dust input to an unconfirmed disposal transaction
> > with a legacy dust input keeps the original single empty OP_RETURN
> output.
> > 2. Adding a Bech32m dust input to an unconfirmed disposal transaction
> > with a Bech32m dust input keeps the original single "ash" OP_RETURN
> output.
> > 3. Adding a new dust input to an unconfirmed disposal transaction
> > results in a new batch disposal transaction with a fee rate sufficient
> > for RBF.
> > 4. A new dust input that contributes an insufficient fee rate for RBF
> > with an existing unconfirmed disposal transaction is not batched with it.
> >
> > ## Related work
> >
> > * "dust-b-gone": https://github.com/petertodd/dust-b-gone
> > * "dusts": https://github.com/bubb1es71/dusts
> >
> > ## Changelog
> >
> > * **0.1.0** (2026-03-22):
> > * Initial draft of the BIP.
> >
> > ## Copyright
> >
> >
> > This document is licensed under the Creative Commons CC0 1.0 Universal
> > license.
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Bitcoin Development Mailing List" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to bitcoindev+unsubscribe@googlegroups.com
> > <mailto:bitcoindev+unsubscribe@googlegroups.com>.
> > To view this discussion visit https://groups.google.com/d/msgid/
> > bitcoindev/3b3328b8-bba4-4858-b53a-0e9b631044ffn%40googlegroups.com
> > <https://groups.google.com/d/msgid/bitcoindev/3b3328b8-bba4-4858-
> > b53a-0e9b631044ffn%40googlegroups.com?utm_medium=email&utm_source=footer
> >.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/5028df3d-22ec-4a3e-9b54-64a4f1f0cefc%40murch.one
> .
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAP%2B9vXOVhnCC5fPjK1q9d_gL0%2BoHs1-Gk3p04%3Dw90W6dW1PbcQ%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 26585 bytes --]
next prev parent reply other threads:[~2026-04-06 21:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 18:34 'bubb1es' via Bitcoin Development Mailing List
2026-04-06 16:18 ` Murch
2026-04-06 18:11 ` STEVEN SLATER [this message]
2026-04-06 20:45 ` Murch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAP+9vXOVhnCC5fPjK1q9d_gL0+oHs1-Gk3p04=w90W6dW1PbcQ@mail.gmail.com' \
--to=thugm501@gmail.com \
--cc=bitcoindev@googlegroups.com \
--cc=murch@murch.one \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox