Proof of Burn Smart Contract

Hey guys!

Is there any smart contract yet where if you send a cardano/native asset to an address it becomes unspendable? I’d love to see if the community was able to create one.

Charles Hoskinson invited developers to do this challenge. Any update on that?


Do you believe someone will use it, if it exists?

I plan to if it exists! If not someone should get on it haha

Multiple contacts that have this behavior already exist without people knowing it. In general an utxo can be consumed at a script address if the validator allows it. This validation is dependent on the datum, redeemer and context of that transaction. Now if a contract always returns an error if no datum is provided (which almost all current contract do), then all validation fails and thus that utxo (that has no datum) is stuck for ever at that script address. For example, the lobster naming script address that counted the votes has multiple utxo’s that do not have a datum, while the validator needs a datum to validate true. This ada is in essention burnt. Now as I said, almost all current scripts have no implementation to claim an utxo that had an empty datum, so all those scripts can burn ada. Just send ada to the address with not datum :stuck_out_tongue: But a mention worthy script that never validates and has no other functionality besides burning tokens or ada is the always fails script.

No utxo’s at this address can ever be spend and there is no other functionality of the script address so it is easy to use for this purpose. I dont’s recomend bloating other script address with unclaimable utxo’s as they blur the real purpose of that contract.


In addition, one can see someone already burnt some ada at this alwaysfails script address.

Do I get a lobster NFT now?

1 Like

So you plan to burn your ADA tokens, if I understand correctly?

1 Like

cardano native assets, yes.

very informative, thanks! how about native assets? suppose we do not own the policy/it is now locked! but yet we’d like to send them to be inaccessible for eternity. would native assets apply to this case too?


Just send anything to the address, nothing is claimable. And please, generate the plutus contract yourself and generate the address yourself. Don’t trust my word for it. Besides, doing this is a good exercise to learn :slight_smile:


I think that Charles was referring to IOHK’s “Proof of Burn” paper, which actually is not a smart contract: instead it is an especially constructed address where it can be proven that no signing key exists, thus making unspendable any eUTxOs sent to that address. It has the added feature that one can generate the address from any metadata.

Here is Haskell code for creating such addresses, and here is an example transaction. In this example, the tag “Proof of Burn” is converted to the unspendable address addr1vyxdw4rlu6krp9fwgwcnld6y84wdahg585vrdy67n5urp9qlryntm.


i would love to learn, i would piggyback on this. but i wanna go at it myself. thank you for all the resources folks! cardano environment is amazing.


Ow that’s amazing. Of course I didn’t read the paper…

Hi I have a question about the paper and please correct me if I’m wrong. It look like the proof of unspendability, that is no tag can be derived that hashes to the perturbed hash is based in lemma 1, is not fully deterministic. This said something like, given such a perturbation the probability of finding such a corresponding tag is negligible. But I consider this not a closed proof, it is just a hard to calculate problem. Especially since the above always fails contract does ensure with certainty that it is unspendable. I must add to this that the given proof in the paper is blockchain agnostig, in that it assumes only some basic properties a chain which does not include, this such that a proper theory base is build for a bridge between networks.

1 Like

I don’t fully understand the paper yet, but I agree with your characterization of its non-determinism. Is it most accurate to say that the probability of spending from the address (i.e., finding a signing key) is vanishingly small? Is this more vanishingly small than guessing the signing key for the address corresponding to a regular Cardano key pair? Do there exist Cardano addresses that provably (in a deterministic sense) do not correspond to key pairs? In general, I suspect that many proofs involving hashing will be probabilistic and not closed.

In the practical Cardano context, it is interesting to contrast this with “always fails”: To prove that “always fails” does indeed always fail, would you have to prove the correctness of the Plutus implementation in cardano-node? To prove “proof of burn”, would you have to prove the correctness of transaction witnessing (i.e., the cryptographic primitives) in cardano-node? I’m not sure which is harder to prove, or indeed which have been proved already.

1 Like

I think so. I read some more on this topic online and I think that in the computer science literature is common to prove such properties up to a well defined bound. So nothing is completely secure but the degree of how secure it is can be quantified and be reasoned about. The writers of the paper do this for unspendability in definition 5.

I guess they are somewhat equivalent in the cardano way of creating addresses. What interests me the most about this question is that changing one bit of the hash does not guarantee the existence of a associated signing key (or plutus script). I think I read in a number theory book somewhere that hash function are not surjective. And intuitively that should be the case since otherwise this would impy a bijection (hash function are injective and thus would be bijective). This brings one to a proper proof of such a unspendable addresses. What one would like to show is given a hash algorithm (cardano uses blake2b) which points in the image are certainly not reached by the an hashed string.

I agree. As you say such a proof is only relavent up to the fault tolerance of any attack by an advesary on the network. Transaction can be forged on a blockchain if consensus is compromised, which on cardano can happen up to a well defined degree (IOHK actually quantified this in a paper I think).

I think the proof via the surjective property of such a hash function is the way to go. It is more mathematical and deterministic of nature. Besides even if the implementation of cardano is fully correct, the rigidity it is as good as the network/consensus it is run on.

1 Like

I stand corrected, I just found a source that says that any hash function will have collisions in the output. That is, there are multiple strings that hash to the same output (and thus not injective).

“The ideal situation is that every hashed value generated is really unique for each input value, but this is not possible. In the hash functions the possible hash values to be generated are finite, since they have a fixed output size and because the input size is theoretically infinite, by the Pigeonhole principle, there will be collisions with two distinct entries, resulting in the same hash.” 1

This still does not exclude the possibility of a probable unreachable point in the image.

1 Like

Another interesting question about the correspondence of hashes of scripts and their address is whether or not all possible scripts already exist and are “discovered”. And is it possible to create a self referential plutus script? see the Tupper’s Self-Referential Formula for this one.

1 Like

Thanks, @fermat, for the fascinating and very instructive information!

So it might be the case that the proof-of-burn algorithm, for some hash functions (perhaps like that of Cardano), might generate addresses that are not in the image of the hash function? and that a deterministic proof (based on the properties of the particular hash function) of that might be possible?

1 Like

Yes :grinning:, I fleetingly thought it would be cool to include the address of the tag in the tag itself (i.e., “This proof-of-burn tag has the address addr1vyxdw4rlu6krp9fwgwcnld6y84wdahg585vrdy67n5urp9qlryntm.”), but of course this is as difficult as finding a hash collision.

1 Like

To clear up the used hash functions in cardano. I found the following in the appendix of the Shelley ledger specification.

The hashing algorithm for all verification keys and multi-signature scripts is BLAKE2b-224. Ex-
plicitly, this is the payment and stake credentials (Figure 5), the genesis keys and their delegates
(Figure 11), stake pool verification keys (Figure 21), and VRF verification keys (Figure 20).
Everywhere else we use BLAKE2b-256. In the CDDL specification in Appendix D, hash28
refers to BLAKE2b-224 and and hash32 refers to BLAKE2b-256. 1

I tried looking up the haskell code in the Cardano.Api.Hash module but I got no usefull information about it.