[Formatted version of this post is here: https://gist.github.com/kiminuo/cc2f19a4c5319e439fc7be8cbe5a39f9]
Hi all,
bitcoin:bc1qd4fxq8y8c7qh76gfnvl7amuhag3z27uw0w9f8p?amount=0.004&label=Kiminuo&message=Donation
Now
to make it easier, these URIs are typically clickable. Bitcoin wallets
register the "bitcoin" URI scheme so that a BIP21 URI is parsed and data
are pre-filled in a form to send your bitcoin to a recipient. Notably,
wallets do not send your bitcoin once you click a BIP21 URI, there is
still a confirmation step that requires user's attention. Very similar
experience is with a QR code that encodes a BIP21 URI where one just
scans a QR code and data is, again, pre-filled in a wallet's UI for your
convenience.
bitcoin:bc1qd4fxq8y8c7qh76gfnvl7amuhag3z27uw0w9f8p?amount=0.004&label=Kiminuo&message=Donation&amount=1.004
(note that the 'amount' parameter is specified twice)
Bitcoin
Core implements "the last value wins" behavior[^3] so amount=1.004 will
be taken into account and not "amount=0.004"[^4]. However, in general,
the fact that the same parameter can be specified multiple times can
lead to a confusion for users and developers[^1][^2]. In the worst case,
it might be exploited by some social engineering attempts by attempting
to craft a 'clever' BIP21 URI and exploting behavior of a particular
wallet software. For the record, I'm not aware that it actually happens,
so this is rather a concern.
The main question of this post is: Is it useful to allow specifying BIP21 parameters multiple times or is it rather harmful?
Regards,
K.
[^4]: You can test your wallet's behavior by scanning the last image here https://github.com/zkSNACKs/WalletWasabi/pull/10578#issue-1687564404 (or directly https://user-images.githubusercontent.com/58662979/265389405-16893ce8-7c19-4262-bb60-5fd711336685.png).