OP_CHECKMULTISIG

OP_CHECKMULTISIG (opcode 0xae) implements classic m-of-n multisignature validation in legacy Bitcoin Script. It reads a public-key count n and n public keys, then a signature count m and m signatures, and returns true only if every supplied signature matches a distinct key, evaluated in order. This single opcode powered the original Pay-to-Multisig (P2MS) and many P2SH multisig wallets before Taproot.

The off-by-one bug

The original implementation pops one more element off the stack than it strictly needs. To prevent the script from failing, spenders must prepend a throwaway “dummy” element at the bottom of the signature list. Because that extra value was unconstrained, it became a transaction-malleability vector. BIP 147's NULLDUMMY consensus rule fixed this by requiring the dummy to be an empty byte array (OP_0); anything else now makes the script evaluate to false.

Why Tapscript retired it

OP_CHECKMULTISIG does not bind specific signatures to specific keys until runtime, forcing a combinatorial matching search. That defeats Schnorr batch verification, so Tapscript (BIP 342) disables it entirely and replaces its functionality with the batch-friendly OP_CHECKSIGADD.

Understanding this opcode clarifies why post-Taproot multisig looks different on-chain. It pairs naturally with the other verification primitives covered in OP_CHECKSIG, and its sigop cost is one reason the modern sigop budget matters.