From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 10956C0175; Wed, 22 Apr 2020 22:53:43 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 0CC6186722; Wed, 22 Apr 2020 22:53:43 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ua0EZpRjiCq6; Wed, 22 Apr 2020 22:53:42 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail.as397444.net (mail.as397444.net [69.59.18.99]) by fraxinus.osuosl.org (Postfix) with ESMTPS id DFC7F865E0; Wed, 22 Apr 2020 22:53:41 +0000 (UTC) Received: from [IPv6:2620:6e:a007:235::1] (unknown [IPv6:2620:6e:a007:235::1]) by mail.as397444.net (Postfix) with ESMTPSA id 3850F232FBD; Wed, 22 Apr 2020 22:53:39 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Matt Corallo Mime-Version: 1.0 (1.0) Message-Id: <52DA8104-3E4E-450F-92A4-3970D1A31281@mattcorallo.com> Date: Wed, 22 Apr 2020 15:53:37 -0700 To: "David A. Harding" X-Mailer: iPhone Mail (17E262) Cc: Bitcoin Protocol Discussion , lightning-dev Subject: Re: [bitcoin-dev] RBF Pinning with Counterparties and Competing Interest X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Apr 2020 22:53:43 -0000 =EF=BB=BFHmm, that's an interesting suggestion, it definitely raises the bar= for attack execution rather significantly. Because lightning (and other sec= ond-layer systems) already relies heavily on uncensored access to blockchain= data, its reasonable to extend the "if you don't have enough blocks, aggres= sively query various sources to find new blocks, or, really just do it alway= s" solution to "also send relevant transactions while we're at it". Sadly, unlike for block data, there is no consensus mechanism for nodes to e= nsure the transactions in their mempools are the same as others. Thus, if yo= u focus on sending the pinning transaction to miner nodes directly (which is= n't trivial, but also not nearly as hard as it sounds), you could still pull= off the attack. However, to do it now, you'd need to wait for your counterparty to broadcast the corresponding timeout transactio= n (once it is confirmable, and can thus get into mempools), turning the whol= e thing into a mempool-acceptance race. Luckily there isn=E2=80=99t much cos= t to *trying*, though it=E2=80=99s less likely you=E2=80=99ll succeed. There are also practical design issues - if you=E2=80=99re claiming multiple= HTLC output in a single transaction the node would need to provide reject m= essages for each input which is conflicted, something which we=E2=80=99d nee= d to think hard about the DoS implications of. In any case, while it=E2=80=99s definitely better than nothing, it=E2=80=99s= unclear if it=E2=80=99s really the kind of thing I=E2=80=99d want to rely o= n for my own funds. Matt > On 4/22/20 2:24 PM, David A. Harding wrote: >> On Mon, Apr 20, 2020 at 10:43:14PM -0400, Matt Corallo via Lightning-dev w= rote: >> A lightning counterparty (C, who received the HTLC from B, who >> received it from A) today could, if B broadcasts the commitment >> transaction, spend an HTLC using the preimage with a low-fee, >> RBF-disabled transaction. After a few blocks, A could claim the HTLC >> from B via the timeout mechanism, and then after a few days, C could >> get the HTLC-claiming transaction mined via some out-of-band agreement >> with a small miner. This leaves B short the HTLC value. >=20 > IIUC, the main problem is honest Bob will broadcast a transaction > without realizing it conflicts with a pinned transaction that's already > in most node's mempools. If Bob knew about the pinned transaction and > could get a copy of it, he'd be fine. >=20 > In that case, would it be worth re-implementing something like a BIP61 > reject message but with an extension that returns the txids of any > conflicts? For example, when Bob connects to a bunch of Bitcoin nodes > and sends his conflicting transaction, the nodes would reply with > something like "rejected: code 123: conflicts with txid 0123...cdef". > Bob could then reply with a a getdata('tx', '0123...cdef') to get the > pinned transaction, parse out its preimage, and resolve the HTLC. >=20 > This approach isn't perfect (if it even makes sense at all---I could be > misunderstanding the problem) because one of the problems that caused > BIP61 to be disabled in Bitcoin Core was its unreliability, but I think > if Bob had at least one honest peer that had the pinned transaction in > its mempool and which implemented reject-with-conflicting-txid, Bob > might be ok. >=20 > -Dave