pub fn shielded_withdrawal_extra_sighash_data(
output_script: &[u8],
unshielding_amount: u64,
core_fee_per_byte: u32,
pooling: Pooling,
) -> Vec<u8> ⓘExpand description
Builds the transparent extra_data bound into a ShieldedWithdrawal’s platform
sighash, with the byte layout
output_script || unshielding_amount (u64 LE) || core_fee_per_byte (u32 LE) || pooling (u8).
Every field here is written verbatim by the transformer into the queued withdrawal
document that constructs the Core asset-unlock TxOut. Binding all of them into the
Orchard sighash means the binding signature authorizes them: since ShieldedWithdrawal
has no identity-key signature and no address-witness check, the Orchard signature is
the only authorization boundary, so a relay or block proposer cannot malleate
core_fee_per_byte (or pooling, were it ever unpinned from Never) — e.g. flip a
user’s core_fee_per_byte = 1 to a much larger Fibonacci value to redirect the
withdrawn amount into L1 miner fees — without invalidating the proof.
The signing (client/builder) and verifying (consensus) sides MUST produce identical bytes, so both call this single function.
The layout places the variable-length output_script first with no length prefix. This
is unambiguous only because validate_structure runs before proof verification and pins
output_script to a canonical, fixed-length P2PKH (25 bytes) or P2SH (23 bytes); the
remaining fields are fixed-width, so the preimage is well-defined for every accepted
transition. If that script-shape restriction is ever relaxed, add a length prefix here.