Part V · Special Transactions Chapter 15

OP_RETURN: Data on the Blockchain

"The OP_RETURN change creates a provably-prunable output, to avoid data storage schemes—some of which were already deployed—that were storing arbitrary data such as images as forever-unspendable TX outputs, bloating bitcoin's UTXO database."Bitcoin Core 0.9.0 Release Notes, March 19, 2014

The blockchain is a ledger, not a filing cabinet. Every byte stored on-chain is replicated across tens of thousands of nodes, validated by every full node forever, and can never be deleted. Yet from Bitcoin's earliest days, people have found ways to embed arbitrary data alongside financial transactions—love notes, political statements, images, and entire protocols.

The question was never whether people would embed data on-chain. They were already doing it before Bitcoin Core 0.9.0—hiding messages in fake addresses, stuffing data into multisig scripts, and creating forever-unspendable outputs that bloated every node's UTXO set. The question was whether to provide a clean, prunable channel for data, or force it underground where it does more damage.

OP_RETURN was Bitcoin's answer: a designated opcode that makes an output provably unspendable. Nodes can safely prune OP_RETURN outputs from their UTXO set—the data is stored in the blockchain history but doesn't consume memory in the critical set of spendable coins.

Our specimen is a declaration of love, etched permanently into block 308,570 on a summer day in 2014.

15.1The Specimen

Txid:

8bae12b5f4c088d940733dcd1455efc6a3a69cf9340e17a981286d3778615684

FieldValueNotes
Block308,570June 30, 2014
Version1Legacy
Inputs1P2PKH (uncompressed key)
Outputs2OP_RETURN + P2PKH change
OP_RETURN data19 bytes"charley loves heidi"
Total size254 bytesLegacy format (no witness)
Weight1,016 WU\(254 \times 4\) (all non-witness)
Fee20,000 sats78.7 sat/byte

15.2The OP_RETURN Output

The heart of this transaction is Output 0—the OP_RETURN:

OP_RETURN Output Anatomy

00 00 00 00 00 00 00 00

15

6a

13

63 68 61 72 6c 65 79 20 6c 6f 76 65 73 20 68 65 69 64 69

00...008 bytesValue: 0 sats
151 byteScript length: 21 bytes
6a1 byteOP_RETURN
131 byteOP_PUSHBYTES_19
63...6919 bytes"charley loves heidi" (ASCII)

15.2.1The Zero Value

An OP_RETURN output always carries zero satoshis. Any value assigned to it would be permanently destroyed—the output can never be spent. While Bitcoin consensus allows non-zero OP_RETURN values (they're simply burned), Core's dust rule explicitly exempts unspendable outputs, so even a non-zero-value OP_RETURN output relays — the sats are simply destroyed.

15.2.2The Opcode

OP_RETURN (0x6a) immediately terminates script execution with failure. When the Script interpreter encounters this opcode, it does not evaluate any further bytes—the script fails unconditionally. This makes the output provably unspendable: no combination of witness data, scriptSig, or future opcodes can ever satisfy a script that begins with OP_RETURN.

Provably Unspendable = Prunable

Because no valid spending transaction can ever reference an OP_RETURN output, full nodes can safely prune these outputs from their UTXO set. The transaction remains in the blockchain history (and is replicated by all archival nodes), but the output never occupies space in the critical in-memory set of spendable coins. This is the key insight: OP_RETURN is cheaper for the network than alternatives like fake addresses, because fake addresses create UTXO entries that can never be cleaned up.

The pruning is literally two lines of Bitcoin Core. First, the predicate — a method on CScript defined in src/script/script.h:

/**
 * Returns whether the script is guaranteed to fail at execution,
 * regardless of the initial stack. This allows outputs to be pruned
 * instantly when entering the UTXO set.
 */
bool IsUnspendable() const
{
    return (size() > 0 && *begin() == OP_RETURN)
        || (size() > MAX_SCRIPT_SIZE);
}

A script is "unspendable" iff its first byte is OP_RETURN (0x6a) or it exceeds the 10,000-byte MAX_SCRIPT_SIZE limit. Second, the enforcement — in CCoinsViewCache::AddCoin from src/coins.cpp, the function that inserts a new output into the in-memory UTXO cache:

void CCoinsViewCache::AddCoin(const COutPoint &outpoint,
                              Coin&& coin,
                              bool possible_overwrite) {
    assert(!coin.IsSpent());
    if (coin.out.scriptPubKey.IsUnspendable()) return;
    // ... otherwise insert coin into the cache ...
}

That third line is the whole point: if the scriptPubKey is unspendable, AddCoin simply returns without doing anything. The OP_RETURN output was seen by every node and its data is recorded in the blockchain forever, but it never entered the UTXO set — the "provably prunable" property promised by the 0.9.0 release notes, delivered in a single early return.

15.2.3The Data Payload

After OP_RETURN, the remaining bytes are arbitrary data. The Script interpreter never evaluates them—it already failed at the OP_RETURN. The push opcode (0x13 = push 19 bytes) is a convention, not a requirement: nodes parse it as valid Script syntax, but the bytes after OP_RETURN are effectively opaque data.

Our specimen's 19 bytes decode to ASCII:

636861726c6579206c6f766573206865696469
charley loves heidi

A love note, immortalized across every Bitcoin full node on Earth.

15.3The Data Limit

OP_RETURN's data capacity has evolved through three stages:

VersionDateDefault -datacarriersize
0.9.0March 201440 bytes (first standardization)
0.11.0+July 201583 bytes (\(\approx\)80 bytes of data)
30.0October 10, 2025100,000 bytes (effectively removed; see §15.3.1)

From 2015 through 2025, the default cap was a relay policy, not a consensus rule. Miners could include OP_RETURN outputs of any size in their blocks—but standard Bitcoin Core nodes would not relay transactions with OP_RETURN data exceeding 83 bytes (the total scriptPubKey size, including the opcode and push bytes).

Policy \(\neq\) Consensus

Many features described in this book are relay policies—rules that nodes enforce when deciding which transactions to forward to peers—rather than consensus rules. OP_RETURN's datacarrier limit, the "dust" threshold, and opt-in RBF signaling are all relay policies, not protocol law. The distinction matters: a miner can include a 1,000-byte OP_RETURN in a block under any Bitcoin Core version, and every node will accept it. The v30 change (below) is a change to defaults, not to what the protocol permits.

15.3.1Bitcoin Core 30: Opening Door 3

On October 10, 2025, Bitcoin Core 30.0 raised the default -datacarriersize from 83 to 100,000 bytes (effectively removing the limit, since a transaction would hit the block weight limit first) and allowed multiple OP_RETURN outputs per transaction—with the 100 kB applying to the aggregate size of their scriptPubKeys. Operators who preferred the old behavior could set -datacarriersize=83. The pull request that shipped (#32406) followed an earlier, more radical proposal (#32359) that had been debated on the mailing list, BitcoinTalk, and Delving Bitcoin since April 2025.

The change was politically charged precisely because it looked like surrender to on-chain data carriers. The strongest defense came from a framing developed by the BitcoinTalk user d5000 and echoed by Greg Maxwell: the question isn't whether data lands on-chain—the bytes are valid Bitcoin and there's no way to prevent them—but through which door it enters.

Door 1
Fake Public Keys
Fake P2PK / P2WSH outputs encoding data as pretend keys or script hashes. Appear spendable to every node. Enter the UTXO set permanently — cannot be pruned at any layer. Most harmful by far.
Door 2
Taproot Witness (Inscriptions)
Data embedded in a Taproot script-path witness via OP_FALSE OP_IF envelopes. Creates a small UTXO entry (~43 bytes). Witness data is theoretically prunable but no Bitcoin client has ever implemented selective witness pruning. Moderate, persistent harm.
Door 3
OP_RETURN
Data in a provably unspendable output. Never enters the UTXO set. On archive nodes the raw bytes sit in blk*.dat; on pruned nodes they are deleted with the block. Least harmful.

The argument for opening Door 3 is that an artificially narrow Door 3 doesn't stop data storage—it merely redirects embedders through Doors 1 and 2, both of which cost the network more. Before v30, data carriers that wanted to write more than 80 bytes had exactly two options: impersonate a key (Door 1, permanent UTXO pollution) or use an inscription envelope (Door 2, witness-discount-subsidized and never actually pruned in practice). Neither is cleaner than OP_RETURN. Greg Maxwell's framing on the April 2025 mailing-list thread put it bluntly: the 80-byte limit was "actively harmful" because "overly restrictive relay rules create serious collateral damage"—OP_RETURN data is "completely prunable and pruned," but the substitutes are not.

The counter-argument, voiced most persistently by BitcoinTalk user pooya87 and others, is that the limit worked empirically—"most spam respects the 80-byte boundary"—and that removing it signals institutional acceptance of on-chain non-monetary use. Chapter 19 revisits this tension from the Ordinals side, where Door 2 is the dominant pattern.

The Missing Door: Witness Pruning

The Three Doors framework reveals a gap in Bitcoin's tooling. Door 2 is theoretically prunable—the witness commitment in the coinbase transaction (§14.4.3) allows a node to verify that witness data existed even after the witness itself has been deleted. The witness discount introduced by SegWit was partly justified by this prunability. But no one has formally proposed "witness pruning" as a BIP or implemented it in any mainline client. The discount exists; the pruning capability it was priced on does not. Until selective witness pruning is built, Door 2 data imposes the full storage burden on every archive node and every new node performing initial block download—despite being architecturally deletable.

15.4Before OP_RETURN: Creative Abuses

OP_RETURN solved a problem that was already entrenched. Before 2014, data-embedding schemes used two techniques that were far worse for the network:

15.4.1Fake Addresses

The simplest trick: encode 20 bytes of arbitrary data as a fake Hash160 in a P2PKH output: OP_DUP OP_HASH160 <20 bytes of data> OP_EQUALVERIFY OP_CHECKSIG

This creates a valid-looking P2PKH output that no one can ever spend (no key hashes to that value). But unlike OP_RETURN, nodes cannot prune it—the output appears spendable, so it sits in the UTXO set forever, consuming memory on every full node.

15.4.2Multisig Data Embedding

More sophisticated: encode data in the public key slots of a bare multisig output. A 1-of-3 multisig can carry \(3 \times 33 = 99\) bytes of data disguised as compressed public keys: OP_1 <33B data> <33B data> <33B data> OP_3 OP_CHECKMULTISIG

Again, the output is unspendable (no corresponding private keys), but it pollutes the UTXO set. This was the technique used by early Counterparty transactions.

The Blockchain as Public Record

The impulse to inscribe permanent records on Bitcoin predates OP_RETURN by years. The Bitcoin blockchain contains the WikiLeaks Cablegate archive (embedded in 2011 using transaction metadata), tributes to the deceased, marriage proposals, and the complete text of Satoshi's whitepaper (reassembled from multi-signature outputs). OP_RETURN did not enable this impulse—it merely channeled it into a form less harmful to the network.

15.5Protocols Built on OP_RETURN

OP_RETURN's 80 bytes of structured data became the foundation for several major protocols:

15.5.1Omni Layer and USDT (2013–2025)

The Omni Layer — originally Mastercoin, one of the very first "smart contract" proposals for Bitcoin, launched in 2013 and rebranded in 2014 — used OP_RETURN to embed token operations: issuance, transfer, and decentralized-exchange offers. Every Omni transaction was a perfectly ordinary Bitcoin transaction carrying a specially formatted OP_RETURN output. The payload began with the 4-byte marker 6f6d6e69 ("omni" in ASCII), followed by a 2-byte message version, a 2-byte transaction type, and type-specific fields encoding the token ID, amount, and metadata.

Because Omni reused Bitcoin addresses to identify token holders, a token transfer also needed to name the recipient somehow. The convention: the transaction's first non-OP_RETURN output went to the recipient's Bitcoin address as a dust output (typically 546 sats, the minimum relayable value for legacy P2PKH at the time). Omni-aware wallets watched for those dust-plus-OP_RETURN patterns and updated their off-chain token ledger accordingly; Bitcoin itself knew nothing of USDT — it only saw an ordinary transaction moving a trivial amount of BTC with an arbitrary data output attached.

From 2014 through the late 2010s, USDT on Omni was the most common OP_RETURN protocol on Bitcoin. At its peak it drove a significant fraction of Bitcoin's transaction count and fee revenue, and the Omni Layer was frequently cited as proof that OP_RETURN could anchor a serious economic protocol. Then two forces eroded it. First, as Bitcoin's fees rose with each cycle of congestion, moving $100 of USDT across a protocol whose settlement cost had ballooned to $5 or $20 became economically absurd compared to the same transfer on Tron (sub-cent fees) or Ethereum L2s (a few cents). Second, Tether itself began issuing USDT on a widening list of faster, cheaper chains — TRC-20 on Tron became the dominant venue, with ERC-20 on Ethereum, SPL on Solana, and Jetton on TON close behind.

Specimen: the genesis of USDT — txid 5ed3694e…dd53f

The very first Tether ever minted — origin point of a token that would later exceed $100 billion in circulation — was embedded in Bitcoin block 324,140 on October 6, 2014 at 16:39 UTC. Issuer address 3MbYQMMmSkC3AgWkj9FMo5LsPTW1zBTwXL, asset ID 31 in Omni's registry, initial supply 100 tokens (then named "USTether"; renamed to Tether/USDT the following month).

The rich irony of this specimen: it does not use OP_RETURN. The Omni payload is spread across three 1-of-3 bare multisig outputs, with the "signer" public keys serving as 32-byte data buckets — the older Class B Omni encoding scheme that §15.4.2 describes as one of the "creative abuses" OP_RETURN was designed to replace. OP_RETURN had been standardized by Bitcoin Core 0.9.0 seven months earlier, but Omni's reference implementation still emitted Class B transactions for the genesis mint because the multisig path was battle-tested while Class C (OP_RETURN) was still being rolled out. By late 2015, Omni had migrated to Class C as the default, and nearly every subsequent USDT transfer — for the next decade, until the September 2025 freeze — carried the 6f6d6e69-prefixed payload in a single OP_RETURN output. But the very first one, the transaction that brought the modern stablecoin into existence, was encoded in fake multisig keys.

The Sunset (2023–2025) and Tether's Return via Taproot Assets

The Omni era ended in two acts:

So in 2026, "USDT on Omni" is a historical artifact. The bulk of USDT in circulation lives on Tron (TRC-20, by far the largest venue), Ethereum (ERC-20), Solana (SPL), and TON (Jetton), with smaller issuance on a handful of other chains.

Tether's return to Bitcoin, when it came, did not pass through Omni or any other OP_RETURN-based layer. In 2025, Tether committed to issuing USDT on Bitcoin via the Lightning Network, using Taproot Assets (Lightning Labs' protocol, formerly named Taro). Taproot Assets issues tokens through the Taproot output structure from Chapter 12 rather than through OP_RETURN data, relying on off-chain Merkle-sum trees instead of on-chain per-transfer data. The architectural shift is clarifying: Omni put the full ledger on-chain in OP_RETURN bytes; Taproot Assets commits only roots on-chain and lets Lightning handle transfer volume. The economic pressure that killed Omni — cost-per-transfer — is answered by moving settlement off the base layer entirely.

Even as a dead protocol, Omni is instructive. It was the first real stress test of "Bitcoin as a platform for things other than BTC payments" — and it ran for roughly a decade as a functioning, audited, institutionally-trusted settlement rail. Every subsequent on-chain data protocol on Bitcoin (Counterparty, OpenTimestamps, Ordinals, Runes, Taproot Assets) traces some ancestry back to the design choices Mastercoin made in 2013: piggy-back on Bitcoin's security, keep consensus untouched, put protocol state in OP_RETURN or in a derived commitment. The Omni Layer's demise is a verdict on its fit with Bitcoin's fee market, not on that core idea.

15.5.2OpenTimestamps

OpenTimestamps — announced by Peter Todd on October 4, 2016 — aggregates thousands of timestamp requests into a single Merkle tree, then commits the root hash to the blockchain via one OP_RETURN output. A single 32-byte Merkle root can commit an unlimited number of documents to a specific point in time. The public calendar servers (alice, bob, finney) pay the Bitcoin fees themselves, so timestamping is free for end users.

To verify a timestamp, the service provides a Merkle proof: the sequence of sibling hashes from the document's leaf to the on-chain root. Anyone can independently verify the proof in \(O(\log n)\) hash operations — an elegant use of OP_RETURN's limited space.

Specimen: a live calendar commit — txid b0b3e833…5797

Pulled directly from Peter Todd's alice.btc.calendar.opentimestamps.org "Latest mined transactions" list. The entire Merkle tip is one 32-byte push, and this single output is the only piece of cryptographic content in the transaction — everything else is Bitcoin's normal transaction envelope.

6a 20 849d838a3086c228fc83bf00544ced9faa961e0473b148d19bff1190b59de786

The story this specimen tells is the entire pitch of the protocol. One 32-byte value in a 43-byte output — 172 WU on-chain — that's the total footprint. Behind it may sit tens of thousands of hashed documents: PhD theses, legal contracts, source-code commits, journalist leaks, academic preprints, someone's signed will. Each document's owner holds only a small Merkle proof (a logarithmic sequence of sibling hashes) that terminates at this root. Nine years after launch, the calendar servers have been running continuously, producing roughly one commit per tip aggregation, quietly anchoring an arbitrary volume of provable-existence claims into Bitcoin's block headers. OpenTimestamps is the cleanest possible use of OP_RETURN: one output, maximum leverage, zero UTXO impact.

15.5.3Counterparty

Counterparty (launched 2014 via a "proof-of-burn" where participants sent BTC to the unspendable address 1CounterpartyXXXXXXXXXXXXXXXUWLpVr in exchange for XCP tokens) encodes asset creation, transfers, and decentralized-exchange operations in OP_RETURN data. After decryption, the payload begins with the 8-byte marker 434e545250525459 ("CNTRPRTY" in ASCII) followed by a type byte and operation-specific fields — enabling an entire asset layer on Bitcoin without any consensus changes.

A small technical wrinkle: Counterparty XORs its OP_RETURN data with a key derived from the first input's txid (an ARC4 stream seeded from the reversed prev-output hash). This obfuscation was added to keep Counterparty payloads from being flagged by spam filters or block explorers that grep for literal prefix strings. It means you cannot find Counterparty transactions by searching the blockchain for CNTRPRTY — you have to decrypt each candidate OP_RETURN before the marker becomes visible.

Specimen: the first Rare Pepe ever — txid 4c9d2979…4405

Bitcoin block 428,919, mined September 9, 2016. Issuer address 1GQhaWqejcGJ4GhQar7SjcCfadxvf5DNBD. Asset name RAREPEPE, supply 300 (non-divisible), description "The most rare pepe that has ever existed", pointing to a JSON metadata file at myrarepepe.com.

The OP_RETURN payload (encrypted):

6a 4c 4f 49eb7480d93721f4831a86cb0b4472d1debfddfaf97b62369cc6d2124814005c3caaed364ff463782d52d2ea855ba21094bf86bf7ef67f1c80c4b08bfd2fad8fb4b63030443b0e6a030c4fd9d68a9a

This was among the earliest NFTs on any blockchain — predated by only a handful of experiments such as Quantum on Namecoin (2014) — and it came fifteen months before Ethereum's CryptoKitties and more than a year before the ERC-721 standard. The card — a hand-drawn portrait of Dorian Nakamoto (the Newsweek-misidentified "Satoshi") rendered in Pepe-green with red lips — launched the Rare Pepe phenomenon, which spanned 36 series and over 1,700 distinct cards over the next two years. Individual Nakamoto Cards have since sold for upwards of $500,000 on secondary markets. The entire on-chain footprint of this pivotal moment in digital-art history is 79 bytes of encrypted OP_RETURN data. The art itself was never on-chain — only a pointer to a JSON file at myrarepepe.com, which preserved the image hash. A decade of NFT culture descends from that one 79-byte push.

15.5.4Witness Commitment

As we saw in Chapter 14, every modern coinbase transaction contains a SegWit witness commitment in an OP_RETURN output with the magic prefix aa21a9ed. This 4-byte tag identifies the output as the witness commitment: miners include it in one coinbase output on every block that contains SegWit transactions, and the 32 bytes that follow are the commitment hash over all witness data in the block (BIP 141). This is perhaps the most critical use of OP_RETURN in Bitcoin: it binds witness data to the block header, ensuring that stripping witness data invalidates the commitment.

Specimen: the SegWit activation block's coinbase — block 481,824, coinbase txid da917699…68b3

Block 481,824, mined August 24, 2017 at 01:57 UTC by BTCC — the Chinese mining pool then run by Bobby Lee — was the block at which Segregated Witness locked into full consensus enforcement. Every full node running SegWit-ready software began rejecting blocks that violated BIP 141 from this height forward. The coinbase is a historical artifact in two distinct ways at once.

First, the OP_RETURN witness commitment — the pattern every post-2017 block carries:

6a 24 aa21a9ed 6c3c4dff76b5760d58694147264d208689ee07823e5694c4872f856eacf5a5d8

Second — and richer — the coinbase scriptSig itself tells a political story. Decoding the ASCII bytes at the end of the scriptSig: 2f425443432f20537570706f7274202f4e59412f = /BTCC/ Support /NYA/. The "NYA" is the New York Agreement, the controversial May 2017 pact signed by a consortium of miners and businesses committing to activate SegWit and execute a 2-megabyte hard-fork blocksize increase within six months. BTCC's scriptSig message is both a celebration (SegWit is activating this very block) and a political declaration (we still expect the blocksize hard fork to follow).

That second half never happened. The SegWit2x hard fork was abandoned in November 2017 after sustained community opposition, and the "/NYA/" signaling in BTCC's coinbase became a relic of a commitment the industry walked back. The first half — the SegWit witness commitment in the OP_RETURN — now appears in literally every Bitcoin block. One block-level artifact encodes both the feature that succeeded and the failed hard-fork that was supposed to accompany it. The consensus-invariant lived; the political deal did not.

15.6OP_RETURN vs. Witness Embedding

For the decade between v0.11 and v30, OP_RETURN carried at most 80 bytes of data and cost 4 WU per byte (non-witness). The Taproot upgrade (Part IV) opened a different channel for data: the witness field, where data costs only 1 WU per byte. That witness discount is the foundation of the Ordinals inscription protocol (Chapter 19). Since v30, Door 3 has been effectively uncapped, but the cost-per-byte asymmetry remains:

OP_RETURN (post v30)Witness embedding
Maximum data~100 kB default, block-weight-bound in practice~400 kB (block weight)
Cost per byte4 WU1 WU
UTXO impactNone (prunable, not in UTXO set)UTXO entry for the output carrying the witness (~43 B)
Use caseProtocol tags, hashes, commitmentsImages, media, code

Ordinals inscriptions use an OP_FALSE OP_IF … OP_ENDIF envelope in the witness, storing content types and data as push operations inside a dead code branch. Because witness data is discounted 4:1, a single inscription can embed 400 KB of data at one-quarter the cost of equivalent non-witness storage. Chapter 19 examines this mechanism in detail.

15.7Weight Analysis

Our specimen is a legacy transaction (no SegWit marker/flag, no witness). All bytes are non-witness data:

ComponentBytesNotes
Version4 B
Input count1 B
Input (txid + vout + scriptSig + seq)180 B32+4+1+139+4
Output count1 B
Output 0 (OP_RETURN)30 B8+1+21
Output 1 (P2PKH change)34 B8+1+25
Locktime4 B
Total254 BAll non-witness
Weight1,016 WU\(254 \times 4\)
vsize254 vB\(= 1,016 / 4\)

The OP_RETURN output contributes 30 bytes (120 WU) to the transaction. Of those, 21 bytes are the scriptPubKey (OP_RETURN + push opcode + 19 bytes of ASCII data), and the rest is the 8-byte zero value and 1-byte script length.

The Uncompressed Key Tax

Our specimen uses a 65-byte uncompressed public key, which was still common in mid-2014. A compressed key (33 bytes) would save 32 bytes in the scriptSig, reducing the total from 254 to 222 bytes. The OP_RETURN output itself (30 bytes) is only 12% of the transaction—the uncompressed key is the real space consumer. Modern wallets exclusively use compressed keys (or Taproot's 32-byte x-only keys), making this inefficiency a relic of early Bitcoin.

15.8What We Learned

15.8.1Looking Ahead

OP_RETURN and data embedding are atemporal—they exist across every era of Bitcoin. Chapter 16 introduces a different dimension of transaction anatomy: time. Timelocks make transactions programmable in time, enabling everything from delayed payments to Lightning Network channels.

Exercises

Litmus (L)

  1. What does OP_RETURN do when the Script interpreter encounters it?
  2. Why does an OP_RETURN output always carry zero satoshis?
  3. What is the maximum OP_RETURN data size in bytes? Is this a consensus rule or a relay policy?
  4. Why is OP_RETURN better for the network than embedding data in fake P2PKH addresses?
  5. Decode the ASCII message from the hex bytes: 63 68 61 72 6c 65 79 20 6c 6f 76 65 73 20 68 65 69 64 69.

Hands-On (H)

  1. Parse our specimen's OP_RETURN output byte by byte. Identify the value, script length, opcode, push length, and data. Verify the script length matches the actual byte count.
  2. Compute the fee rate for our specimen. Given 254 bytes, weight 1,016 WU, and fee 20,000 sats, express the fee in both sat/byte and sat/WU.
  3. Construct a raw OP_RETURN scriptPubKey for the message "Hello, Bitcoin!" (15 ASCII characters). Write the complete hex including the opcode and push byte.
  4. Our specimen uses an uncompressed public key (65 bytes). If a compressed key (33 bytes) were used instead, what would be the new scriptSig length, total transaction size, and weight?

Proofs and Reasoning (P)

  1. Explain why embedding data in fake P2PKH addresses is "more expensive" for the network than OP_RETURN, even though the on-chain size may be similar. Consider UTXO set growth, node memory, and initial block download.
  2. The OP_RETURN relay limit is 83 bytes for the entire scriptPubKey. What is the maximum number of ASCII characters that can fit in a single OP_RETURN output? Account for the OP_RETURN byte and the push opcode(s).
  3. Could a miner include an OP_RETURN output with 1,000 bytes of data in a valid block? Would other nodes accept it? Would other nodes relay transactions with such outputs? Explain the distinction.

Connections (C)

  1. Omni Layer. Explain how USDT transfers worked on the Omni protocol (2014–2025). What went in the OP_RETURN, and why did the transaction also need a small "dust" output to the recipient? Then: why did USDT migrate off Omni to chains like Tron and Ethereum, and why did Tether choose Taproot Assets on Lightning instead of resurrecting an OP_RETURN-based layer when it returned to Bitcoin?
  2. OpenTimestamps. How does OpenTimestamps use a single 32-byte OP_RETURN payload — a bare Merkle root — to timestamp thousands of documents? What cryptographic structure makes this possible?

Bridge (B)

  1. Chapter 19 covers Ordinals inscriptions, which embed data in the witness rather than in OP_RETURN. Why does the witness discount make this economically viable for large data (images, media)? What is the approximate maximum inscription size?
  2. The Runes protocol (Chapter 20) uses OP_RETURN with a specific tag (OP_PUSHNUM_13). Why would a new protocol choose OP_RETURN over witness embedding? What advantages does OP_RETURN offer for structured, small-payload protocols?

Solutions

L1. OP_RETURN immediately terminates script execution with failure. The script is unconditionally invalid, making the output provably unspendable. No combination of input data can ever satisfy a script beginning with OP_RETURN.

L2. Any satoshis sent to an OP_RETURN output are permanently destroyed—the output can never be spent, so the value is irrecoverable. While consensus allows non-zero values (they're simply burned), relay policy does not forbid them (the dust rule exempts unspendable outputs) — setting the value to zero simply avoids destroying bitcoin.

L3. The maximum scriptPubKey size for a standard OP_RETURN is 83 bytes (relay policy in Bitcoin Core, set by MAX_OP_RETURN_RELAY). This is not a consensus rule—miners can include larger OP_RETURN outputs in blocks, and all nodes will accept those blocks as valid. However, transactions with OP_RETURN scriptPubKeys exceeding 83 bytes will not be relayed by standard nodes.

L4. OP_RETURN outputs are provably unspendable, so nodes can prune them from the UTXO set. Fake P2PKH addresses create outputs that appear spendable (the node cannot know the Hash160 is fake), so they remain in the UTXO set forever, consuming memory on every full node. OP_RETURN explicitly marks data outputs as non-financial, allowing the network to handle them efficiently.

L5. Reading each hex byte as ASCII: 63=c, 68=h, 61=a, 72=r, 6c=l, 65=e, 79=y, 20=(space), 6c=l, 6f=o, 76=v, 65=e, 73=s, 20=(space), 68=h, 65=e, 69=i, 64=d, 69=i. The message is: "charley loves heidi".

H1. Output 0:

Script length check: \(1 + 1 + 19 = 21\) bytes = 0x15.

H2. Fee rate: \(20,000 / 254 = 78.7\) sat/byte. In weight units: \(20,000 / 1,016 = 19.7\) sat/WU. Since this is a legacy transaction (no witness), the sat/byte and sat/vB rates are identical, and the sat/WU rate is exactly one-quarter of the sat/byte rate.

H3. "Hello, Bitcoin!" = 15 ASCII characters. Hex encoding:

48 65 6c 6c 6f 2c 20 42 69 74 63 6f 69 6e 21

The complete scriptPubKey: 6a (OP_RETURN) + 0f (push 15 bytes) + the 15 data bytes:

6a 0f 48 65 6c 6c 6f 2c 20 42 69 74 63 6f 69 6e 21

Total: 17 bytes.

H4. With a compressed key: scriptSig = \(1 + 72 + 1 + 33 = 107\) bytes (vs 139 with uncompressed). Savings: 32 bytes. New total: \(254 - 32 = 222\) bytes. New weight: \(222 \times 4 = 888\) WU (vs 1,016). New vsize: 222 vB.

P1. On-chain, both approaches use a similar number of bytes. But the critical difference is in the UTXO set—the in-memory database of all spendable outputs. An OP_RETURN output is provably unspendable, so nodes prune it immediately. A fake P2PKH output is indistinguishable from a real one, so it must be stored in the UTXO set forever (or until a spending transaction proves it's been claimed—which, for a fake address, is never).

The UTXO set must fit in RAM for fast validation. As of 2024, it contains 170 million entries totaling 7 GB. Every fake address adds one entry that can never be removed. Over time, this accumulates into a permanent tax on every full node. During IBD (initial block download), these fake UTXOs are created, indexed, and stored just like real ones—wasting disk I/O and memory that OP_RETURN avoids entirely.

P2. The 83-byte limit applies to the entire scriptPubKey: OP_RETURN (1 byte) + push opcode(s) + data. There are two cases:

The maximum is therefore 80 ASCII characters, achieved with OP_PUSHDATA1.

P3. Yes, a miner can include a 1,000-byte OP_RETURN in a valid block. The OP_RETURN data limit is a relay policy, not a consensus rule. Every node will accept the block as valid because no consensus rule restricts OP_RETURN size (beyond the overall block weight limit of 4,000,000 WU).

However, standard nodes will not relay transactions with OP_RETURN scriptPubKeys exceeding 83 bytes. The miner would have to create the transaction themselves and include it directly in their block template. This is why the relay policy is often called "soft" enforcement—it controls propagation, not validity.

C1. An Omni/USDT transfer (while the protocol was active) was a standard Bitcoin transaction with three components: (1) an input spending the sender's BTC, (2) an OP_RETURN output containing the Omni payload (6f6d6e69 prefix + 2-byte version + 2-byte transaction type + token ID + amount), and (3) a small "dust" output (546 sats) to the recipient's Bitcoin address.

The dust output was necessary because Omni used Bitcoin addresses to identify token holders. The OP_RETURN encoded the transfer instruction ("send 100 USDT from address A to address B"), but Omni-aware wallets needed to know which Bitcoin output corresponded to the recipient. The convention: the first non-OP_RETURN output was the recipient. The dust amount was the minimum value Bitcoin Core would relay (below the dust threshold, nodes rejected the transaction as spam).

Why the migration. The Omni approach piggy-backed on Bitcoin's security and decentralization, but it also inherited Bitcoin's fee market. As median Bitcoin fees rose from cents to dollars and occasionally tens of dollars per transaction, a protocol that billed a full Bitcoin transaction's worth of fees for every stablecoin transfer became uneconomic for everyday use. Tron's TRC-20 USDT settled in seconds for sub-cent fees; Ethereum's ERC-20 and L2s offered programmability Omni could never match. Tether halted new Omni issuance on August 17, 2023, and froze the remaining supply on September 1, 2025.

Why Taproot Assets, not a new OP_RETURN layer. When Tether returned to Bitcoin in 2025, it chose the Lightning Network via Taproot Assets rather than another OP_RETURN protocol. The reason is the same economic pressure that killed Omni: base-layer per-transfer cost. OP_RETURN writes a full Bitcoin transaction per token transfer — fine for issuance and anchoring, ruinous for payment volume. Taproot Assets commits only token-tree roots on-chain (via the Taproot output structure from Chapter 12) and lets Lightning carry the per-payment traffic off-chain, bringing stablecoin-grade UX to a Bitcoin rail without putting every transfer in an OP_RETURN.

C2. OpenTimestamps uses a Merkle tree. Each document submitted for timestamping is hashed, and all hashes become leaves in a binary Merkle tree. The single root hash (32 bytes) is embedded in an OP_RETURN output. With a 32-byte root, a tree of depth \(d\) can timestamp \(2^d\) documents. A tree of depth 20 timestamps over 1 million documents in one OP_RETURN.

To prove a document was timestamped, the service provides a Merkle proof: the sequence of sibling hashes from the document's leaf to the root. Anyone can independently verify the proof against the on-chain root in \(O(\log n)\) hash operations. This is the same structure Bitcoin uses for transaction Merkle trees in block headers.

B1. Witness data costs 1 WU per byte, while non-witness data (including OP_RETURN) costs 4 WU per byte. For a 100 KB image: via OP_RETURN, it would cost \(100,000 \times 4 = 400,000\) WU (10% of block weight); via witness, only \(100,000 \times 1 = 100,000\) WU (2.5% of block weight). The 4:1 cost advantage makes witness embedding economically viable for large data.

The maximum inscription size is bounded by the block weight limit: \(4,000,000\) WU minus the minimum transaction overhead. Since witness data costs 1 WU/byte, the theoretical maximum approaches 400 KB. In practice, inscriptions are slightly smaller to leave room for the transaction structure and other block transactions.

B2. OP_RETURN is superior for structured, small-payload protocols like Runes because: (1) the data is in the non-witness portion, making it visible in the stripped transaction (no witness needed to read it); (2) the long-standing 80-byte default (pre-30.0) is sufficient for protocol headers, token IDs, and amounts; (3) OP_RETURN is a well-established standard supported by all node software; (4) it doesn't require Taproot or SegWit—any transaction version can include it. Witness embedding is better for large opaque data (images, media), but for small structured protocol messages, OP_RETURN is simpler, more universal, and more explicit.

← Ch. 14 Ch. 16 →