diff --git a/project3/report3.pdf b/project3/report3.pdf
index 8355cad..b400ba6 100644
Binary files a/project3/report3.pdf and b/project3/report3.pdf differ
diff --git a/project3/report3.tex b/project3/report3.tex
index b05be33..b2a165b 100644
--- a/project3/report3.tex
+++ b/project3/report3.tex
@@ -136,7 +136,42 @@ address even though the timelock is way in the future. \textbf{This exercise is
 considered solved if your UTXO for exercise C is spent in a transaction with one
 output, which gives Dave 4000 satoshis as P2PKH.}
 
+\begin{minted}[frame=lines,framesep=2mm,bgcolor=LightGray,fontsize=\footnotesize,linenos]{text}
+OP_DUP OP_HASH160
+OP_PUSHBYTES_20 <dave_pk_hash>
+OP_EQUALVERIFY OP_CHECKSIGVERIFY
+OP_IF
+  OP_PUSHBYTES_3 fbd42f OP_CLTV
+  OP_DROP OP_DUP OP_HASH160
+  OP_PUSHBYTES_20 <dave_pk_hash>
+OP_ELSE
+  OP_SHA256
+  OP_PUSHBYTES_32 <hash_lock>
+  OP_EQUAL OP_2DUP OP_HASH160
+  OP_PUSHBYTES_20 <irrelevant_hash>
+  OP_2ROT OP_DUP OP_DUP
+OP_ENDIF
+OP_EQUALVERIFY OP_CHECKSIGVERIFY
+OP_2DROP OP_DROP OP_NOT
+\end{minted}
+The script provided to us contains a bug where the \texttt{OP\_EQUAL} opcode is
+used but the return value is never checked (line 11). Unlocking the script
+before the locktime has expired is thus possible without knowing the preimage of
+the hash in line 10. The value on the stack is hashed with \texttt{SHA256} and
+compared with the hash lock. Execution of the script continues regardless of the
+outcome of this comparison. If the \texttt{OP\_EQUAL} opcode is replaced with
+\texttt{OP\_EQUALVERIFY}, the script will halt if the comparison fails,
+restoring intended behavior.
 
+The following unlocking script allows successful spending of the output:
+\begin{minted}[frame=lines,framesep=2mm,bgcolor=LightGray,fontsize=\footnotesize,linenos]{text}
+<sig_dave>
+<id_dave.pk.to_hex()>
+OP_0
+OP_0
+<sig_dave>
+<id_dave.pk.to_hex()>
+\end{minted}
 
 \section*{Work distribution}
 %Fill in here an overview on which group member participated in which task and