Hello Dave and list,
Thanks for your quick answers!

> The attacker would be broadcasting the latest
> state, so the honest counterparty would only need to send one blind
> child.

Exactly, if the attacker submits an outdated transaction he would be shooting himself in the foot,
as we could claim the revocation paths when seeing the transaction in a block and get all the
channel funds (since the attacker's outputs will be CSV-locked).

> The only way your Bitcoin peer will relay your blind child
> is if it already has the parent transaction.

That's an excellent point that I missed in the blind CPFP carve-out trick! I think this makes the
blind CPFP carve-out quite hard in practice (even using getdata - thanks for detailing that option)...
In the worst-case scenario where most miners' mempools contain the attacker's tx and the rest of
the network's mempools contain the honest participant's tx, I think there isn't much we can do.
We're simply missing information, so it looks like the only good solution is to avoid being in that
situation by having a foot in miners' mempools. Do you think it's unreasonable to expect at least
some LN nodes to also invest in running nodes in mining pools, ensuring that they learn about
attackers' txs and can potentially share discovered preimages with the network off-chain (by
gossiping preimages found in the mempool over LN)? I think that these recent attacks show that
we need (at least some) off-chain nodes to be somewhat heavily invested in on-chain operations
(layers can't be fully decoupled with the current security assumptions - maybe Eltoo will help
change that in the future?).
Thank you for your time!
Bastien