From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XFC7q-0000D3-Vc for bitcoin-development@lists.sourceforge.net; Thu, 07 Aug 2014 01:04:15 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.148.112 as permitted sender) client-ip=62.13.148.112; envelope-from=pete@petertodd.org; helo=outmail148112.authsmtp.co.uk; Received: from outmail148112.authsmtp.co.uk ([62.13.148.112]) by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1XFC7p-0008DA-Ek for bitcoin-development@lists.sourceforge.net; Thu, 07 Aug 2014 01:04:14 +0000 Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt17.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s771474l022440; Thu, 7 Aug 2014 02:04:07 +0100 (BST) Received: from localhost.localdomain (ns308995.ip-94-23-241.eu [94.23.241.205]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s7713sQx072694 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 7 Aug 2014 02:04:03 +0100 (BST) Date: Thu, 7 Aug 2014 01:03:50 +0000 From: Peter Todd To: bitcoin-development@lists.sourceforge.net Message-ID: <20140807010350.GC9272@localhost.localdomain> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="32u276st3Jlj2kUU" Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: bab0158b-1dce-11e4-b396-002590a15da7 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aAdMdgUUGUATAgsB AmIbW1ZeUFl7WWU7 Yg5PbwZDYE5PQQdq VVdMSlVNFUsrBhsA BV1/Ghl1dQNPfDBx ZU5rXT4JDRZ6dEN1 EFNVQT5TeGZhPWQC AkNRcR5UcAFPdx8U a1UrBXRDAhxwHgsD PzgaGQEWGxh0AQJt azBFIEIOW09DHzgk WgwZVRkoJgUMWzk6 JB9O X-Authentic-SMTP: 61633532353630.1023:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 94.23.241.205/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1XFC7p-0008DA-Ek Subject: [Bitcoin-development] SIGHASH_ANYONECANPAY extra inputs DoS attack X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Aug 2014 01:04:15 -0000 --32u276st3Jlj2kUU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline tl;dr: Transactions with SIGHASH_ANYONECANPAY-using inputs can be DoS attacked by attackers adding extra inputs to them that make the fee/byte paid unfavorable to miners, while still being high enough to be relayed. While just a nuisance DoS attack, this is a serious obstacle towards using ANYONECANPAY. Background: What uses ANYONECANPAY? ----------------------------------- 1) Crowdfunds/assurance contracts: e.g. Hearn's upcoming Lighthouse, as well as Armory's implementation. 2) Fee bumping: receiver or sender can add inputs w/ ANYONECANPAY to get a tx confirmed without the (expensive) overhead of a second CPFP tx. 3) Privacy: inputs are more deniable in some cases, e.g. dust used for fees, which anyone could have added. 4) Replace-by-fee scorched earth: best implementations(1) depend on fee bumping. Partial defense: replace-by-fee ------------------------------- The attacker's modified transaction will usually, but not always, be replaced by the intended one as the latter will have higher fees. However replace-by-fee implementations must charge adequately for network bandwidth consumed, so there will be edge-cases where the replacement does not happen. Transaction fee/byte optimization --------------------------------- Each input that does not use SIGHASH_ALL can be evaluated in terms of whether or not it increases the fees/byte paid by the transaction. Thus we can optimize a transaction to pay the highest fees/byte by doing the following: def optimize_tx(tx): tx2 = CTransaction(vin=[], vout=tx.vout, nLockTime=tx.nLockTime) for txin in : if : continue if : prev_fee_per_byte = tx2.fees / len(tx2.serialized()) tx2.vin.append(txin) if tx2.fees / len(tx2.serialized()) < prev_fee_per_byte: # adding txin decreased fees/byte tx2.vin.pop() return tx2 else: tx2.vin.append(txin) return tx Essentially txin's that reduce the profitability of the transaction are dropped, including the attacker's added txins. Meanwhile txins that increase the profitability can be added by anyone. 1) "[Bitcoin-development] Replace-by-fee scorched-earth without child-pays-for-parent", Apr 28th 2014, Peter Todd, https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg05211.html --32u276st3Jlj2kUU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJT4tB0AAoJEH+rEUJn5PoEG/kH/2WZsBsdwjtplpPpf/Wv7VKM uN0wrkXiaboYHMoCw5qXXgl+ehvMeDq3OBh1pweQN4XJbJKcyMt5OwbFD5eS/bCh ZzssZcXvlMNYZKRYWnrSXfdm/CLD6DrhhG2Qj2oxpUpWzoVbFvC89JFbsdO4BwgA SKDS486j6zzirG2reaJwqU+uMipQZW9aOg4aHP0jqCvY4OsC4hNHr3W7PZLIBJ0y M0HoECI+WHEvEUFkmJsjHRmNbrAkEtzlp8vA/xqly2CTWaXeLaM3bPAACUzKNe8/ trLWclZpgvjDMQmw+OsCWZ56Ytl6P0pORO4gZIW9rUsxd9OnVAoXbafBcpyGoBE= =VC4C -----END PGP SIGNATURE----- --32u276st3Jlj2kUU--