CVE-2024-38365 public disclosure (btcd `FindAndDelete` bug)

The discussion revolves around the functionality of FindAndDelete in the context of Bitcoin scripting, specifically clarifying that it does not alter the script being executed but rather modifies a copy for the purpose of committing to it in the sighash. This process involves the removal of stack elements such as so and pubkey following the execution of OP_CHECKSIG or OP_CHECKMULTISIG, which consume these elements. The conversation further addresses a misunderstanding regarding the extent of data push removal by FindAndDelete and its btcd equivalent, removeOpcodeByData. Initially, there was confusion over the description that suggested removeOpcodeByData would eliminate any data push from the executed script. However, this removal is clarified to only halt on the currently executed OP_CHECKSIG, without impacting subsequent data pushes within the script.

Additionally, there's an acknowledgment of the complexity surrounding the functionality of btcd's removeOpcodeByData and its deviations from expected behavior. The individual has conducted extensive checking and re-testing of OP_CODESEPARATOR behaviors, especially when used to spend SigVersion::Base in 27.x peers, discovering some interesting behaviors. These findings are deemed significant enough to be shared privately, indicating nuanced insights into the operation and potential implications of OP_CODESEPARATOR in specific contexts.