miniscript: the 'd:' wrapper must not be 'u'

The value it leaves on the stack depends on the last element on the
stack. However, we can't make sure this element is OP_1 (which would
give us the 'u' property) without the MINIMALIF rule.
MINIMALIF is only policy for P2WSH, therefore giving 'd:' the 'u'
property breaks consensus soundness: it makes it possible (by consensus
but not policy) for instance to satisfy a thresh() without satisfying
at least k of its subs.

This bug was found and reported by Andrew Poelstra.

1 files changed, 2 insertions, 1 deletions

diff --git a/src/script/miniscript.cpp b/src/script/miniscript.cpp
index d0bb937885..019f02f159 100644
--- a/src/script/miniscript.cpp
+++ b/src/script/miniscript.cpp
@@ -116,7 +116,8 @@ Type ComputeType(Fragment nodetype, Type x, Type y, Type z, const std::vector<Ty
             "e"_mst.If(x << "f"_mst) | // e=f_x
             (x & "ghijk"_mst) | // g=g_x, h=h_x, i=i_x, j=j_x, k=k_x
             (x & "ms"_mst) | // m=m_x, s=s_x
-            "nudx"_mst; // n, u, d, x
+            // NOTE: 'd:' is not 'u' under P2WSH as MINIMALIF is only a policy rule there.
+            "ndx"_mst; // n, d, x
         case Fragment::WRAP_V: return
             "V"_mst.If(x << "B"_mst) | // V=B_x
             (x & "ghijk"_mst) | // g=g_x, h=h_x, i=i_x, j=j_x, k=k_x