UniSat Marketplace will reopen on Thursday, April 27th, 2023.
It’s an experimental test lasting for 14 days (or shorter if it goes well), available to users who have held a UniSat OG Pass for a certain period of time (500 confirmations) with the purpose of further enhancing the service’s usability and robustness through high-intensity testing.
We will gradually invite more users in the subsequent day-to-day version updates by considering the number of UniSat Points that users have. Please note that for each use of UniSat Inscribe to create an inscription (including TRANSFER minting in UniSat Wallet), the UniSat Points of your connected address will be incremented by one.
We may interrupt, update, and maintain the service at any time during the restricted access period as needed.
We will not disclose the process and details of the attack in this announcement but only focus on the issue itself. UniSat Marketplace allows unconfirmed TRANSFER inscriptions to be listed without specific verification in certain circumstances, which makes the system vulnerable to fraud when the listed inscription eventually becomes invalid.
Block confirmation is the most crucial factor here.
UniSat Marketplace aims to shorten the waiting time from inscribing to listing to greatly improve user experience. However, we failed to achieve this goal as attackers bypassed the current incomplete verification mechanism.
The root cause of this issue is that brc-20 does not utilize Bitcoin’s native UTXO mechanism. Instead, it constructs a sophisticated transfer system through text on the inscription, which neither possesses the natural anti-double spending feature delivered by UTXO, nor guarantees the parent-child transaction behavioral consistency through the UTXO spending chain.
In Bitcoin transactions, parent-child transactions are ‘physically’ linked through UTXO, while in brc-20 transfers, they are ‘logically’ connected through text.
This issue demonstrates that although brc-20 is theoretically complete, there are still many situations that need to be handled appropriately in practice. This is also the reason why we decided to maintain cautious and relatively strict entry conditions during the subsequent experimental testing.
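The following sketch is an added example, not UniSat's code: it shows a listing gate that accepts a TRANSFER inscription only once it has been replayed from confirmed blocks, found valid against the inscriber's balance, and buried under enough confirmations. The balance model is simplified (integer amounts, no deploy or supply limits), and `ConfirmedIndex`, `listing_decision`, `MIN_CONFIRMATIONS` and all sample ids, addresses and heights are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

MIN_CONFIRMATIONS = 6  # assumed policy threshold, not a value from the announcement

class ConfirmedIndex:
    """Replays brc-20 text operations from confirmed blocks only (simplified model)."""
    def __init__(self):
        self.available = defaultdict(int)  # (address, tick) -> available balance
        self.valid_transfers = {}          # inscription id -> confirming block height

    def apply(self, height, inscription_id, owner, content):
        """Apply one confirmed inscription; call in block order, then tx order."""
        try:
            op = json.loads(content)
            if op.get("p") != "brc-20":
                return
            kind, tick, amt = op["op"], op["tick"].lower(), int(op["amt"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return  # not an operation this simplified model understands
        if kind == "mint" and amt > 0:
            self.available[(owner, tick)] += amt
        elif kind == "transfer" and 0 < amt <= self.available[(owner, tick)]:
            # Validity is decided here, from confirmed history, not from the text alone.
            self.available[(owner, tick)] -= amt
            self.valid_transfers[inscription_id] = height

def listing_decision(index, inscription_id, tip_height):
    """Return (allowed, reason) for a marketplace listing request."""
    height = index.valid_transfers.get(inscription_id)
    if height is None:
        return False, "unconfirmed or invalid transfer inscription"
    depth = tip_height - height + 1
    if depth < MIN_CONFIRMATIONS:
        return False, f"only {depth} confirmations, need {MIN_CONFIRMATIONS}"
    return True, "confirmed and valid"

def demo():
    """Constructed sample data: ids, addresses and heights are made up."""
    idx = ConfirmedIndex()
    mint = '{"p":"brc-20","op":"mint","tick":"demo","amt":"1000"}'
    xfer = '{"p":"brc-20","op":"transfer","tick":"demo","amt":"600"}'
    small = '{"p":"brc-20","op":"transfer","tick":"demo","amt":"400"}'
    idx.apply(100, "insc-mint", "addr-a", mint)
    idx.apply(101, "insc-t1", "addr-a", xfer)   # valid: 600 <= 1000 available
    idx.apply(104, "insc-t2", "addr-a", xfer)   # invalid: only 400 available
    idx.apply(105, "insc-t3", "addr-a", small)  # valid, but still shallow at tip 106
    return {i: listing_decision(idx, i, 106)
            for i in ("insc-t1", "insc-t2", "insc-t3", "insc-mempool")}
```

An inscription that exists only in the mempool never reaches `apply`, so the gate treats it the same as an invalid one until a block confirms it.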
70 transactions related to the attack involve 52 accounts, among which 19 accounts have not contacted us through Discord yet.
Please contact us promptly and cooperate with us to verify the relevant transaction details.
April 25th, 2023
UniSat Marketplace Incident Report
A few hours ago, UniSat Marketplace, which just launched, experienced a large number of double-spend attacks due to a vulnerability in our codebase. During our testing last week, we simulated different approaches to double-spend attacks and made improvements and enhancements to the code. Unfortunately, certain problems were still exposed in the initial public version.
Currently, we have preliminary investigation results, and out of all 383 transactions, 70 transactions have been identified as affected. We will further investigate in the next few days and compensate users who are determined to be associated with the incident for their losses.
If you believe your order has been affected, please open a ticket on and provide as much relevant information (including wallet address and screenshots) as possible about the transactions involved. We may ask for more information in the coming hours, so please check the ticket status regularly.
We will compensate all affected users at a certain time in the coming days and conduct a comprehensive inspection and consolidation of the issues that have been exposed.
Please understand that brc-20 is still very young and there have been numerous issues identified and resolved in the past 30 days. As the first brc-20 wallet provider and the first marketplace provider, UniSat is constantly facing numerous issues and moving forward with your full support.
The subsequent opening time will be updated here.
April 24th, 2023