* [Bitcoin-development] SPV clients and relaying double spends
@ 2014-09-26 2:02 Aaron Voisine
2014-09-26 2:07 ` Matt Whitlock
0 siblings, 1 reply; 10+ messages in thread
From: Aaron Voisine @ 2014-09-26 2:02 UTC (permalink / raw)
To: Bitcoin Development
There was some discussion of having nodes relay double-spends in order
to alert the network about double spend attempts.
A lot more users will be using SPV wallets in the future, and one of
the techniques SPV clients use to judge how likely a transaction is to
be confirmed is if it propagates across the network. I wonder if and
when double-spend relaying is introduced, if nodes should also send
BIP61 reject messages or something along those lines to indicate which
transactions those nodes believe to be invalid, but are relaying
anyway.
This would be subject to sybil attacks, as is monitoring propagation,
however it does still increase the cost of performing a 0 confirmation
double spend attack on an SPV client above just relaying double-spends
without indicating if a node believes the transaction to be valid.
Aaron Voisine
breadwallet.com
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:02 [Bitcoin-development] SPV clients and relaying double spends Aaron Voisine
@ 2014-09-26 2:07 ` Matt Whitlock
2014-09-26 2:12 ` Aaron Voisine
0 siblings, 1 reply; 10+ messages in thread
From: Matt Whitlock @ 2014-09-26 2:07 UTC (permalink / raw)
To: Aaron Voisine; +Cc: bitcoin-development
What's to stop an attacker from broadcasting millions of spends of the same output(s) and overwhelming nodes with slower connections? Might it be a better strategy not to relay the actual transactions (after the first) but rather only propagate (once) some kind of double-spend alert?
On Thursday, 25 September 2014, at 7:02 pm, Aaron Voisine wrote:
> There was some discussion of having nodes relay double-spends in order
> to alert the network about double spend attempts.
>
> A lot more users will be using SPV wallets in the future, and one of
> the techniques SPV clients use to judge how likely a transaction is to
> be confirmed is if it propagates across the network. I wonder if and
> when double-spend relaying is introduced, if nodes should also send
> BIP61 reject messages or something along those lines to indicate which
> transactions those nodes believe to be invalid, but are relaying
> anyway.
>
> This would be subject to sybil attacks, as is monitoring propagation,
> however it does still increase the cost of performing a 0 confirmation
> double spend attack on an SPV client above just relaying double-spends
> without indicating if a node believes the transaction to be valid.
>
> Aaron Voisine
> breadwallet.com
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:07 ` Matt Whitlock
@ 2014-09-26 2:12 ` Aaron Voisine
2014-09-26 2:16 ` Matt Whitlock
0 siblings, 1 reply; 10+ messages in thread
From: Aaron Voisine @ 2014-09-26 2:12 UTC (permalink / raw)
To: Matt Whitlock; +Cc: Bitcoin Development
Something like that would be a great help for SPV clients that can't
detect double spends on their own. (still limited of course to sybil
attack concerns)
Aaron Voisine
breadwallet.com
On Thu, Sep 25, 2014 at 7:07 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
> What's to stop an attacker from broadcasting millions of spends of the same output(s) and overwhelming nodes with slower connections? Might it be a better strategy not to relay the actual transactions (after the first) but rather only propagate (once) some kind of double-spend alert?
>
>
> On Thursday, 25 September 2014, at 7:02 pm, Aaron Voisine wrote:
>> There was some discussion of having nodes relay double-spends in order
>> to alert the network about double spend attempts.
>>
>> A lot more users will be using SPV wallets in the future, and one of
>> the techniques SPV clients use to judge how likely a transaction is to
>> be confirmed is if it propagates across the network. I wonder if and
>> when double-spend relaying is introduced, if nodes should also send
>> BIP61 reject messages or something along those lines to indicate which
>> transactions those nodes believe to be invalid, but are relaying
>> anyway.
>>
>> This would be subject to sybil attacks, as is monitoring propagation,
>> however it does still increase the cost of performing a 0 confirmation
>> double spend attack on an SPV client above just relaying double-spends
>> without indicating if a node believes the transaction to be valid.
>>
>> Aaron Voisine
>> breadwallet.com
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:12 ` Aaron Voisine
@ 2014-09-26 2:16 ` Matt Whitlock
2014-09-26 2:37 ` Aaron Voisine
2014-09-26 16:27 ` [Bitcoin-development] SPV clients and relaying double spends s7r
0 siblings, 2 replies; 10+ messages in thread
From: Matt Whitlock @ 2014-09-26 2:16 UTC (permalink / raw)
To: Aaron Voisine; +Cc: Bitcoin Development
Probably the first double-spend attempt (i.e., the second transaction to spend the same output(s) as another tx already in the mempool) would still need to be relayed. A simple "double-spend alert" wouldn't work because it could be forged. But after there have been two attempts to spend the same output, no further transactions spending that same output should be relayed, in order to prevent flooding the network.
On Thursday, 25 September 2014, at 7:12 pm, Aaron Voisine wrote:
> Something like that would be a great help for SPV clients that can't
> detect double spends on their own. (still limited of course to sybil
> attack concerns)
>
> Aaron Voisine
> breadwallet.com
>
>
> On Thu, Sep 25, 2014 at 7:07 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
> > What's to stop an attacker from broadcasting millions of spends of the same output(s) and overwhelming nodes with slower connections? Might it be a better strategy not to relay the actual transactions (after the first) but rather only propagate (once) some kind of double-spend alert?
> >
> >
> > On Thursday, 25 September 2014, at 7:02 pm, Aaron Voisine wrote:
> >> There was some discussion of having nodes relay double-spends in order
> >> to alert the network about double spend attempts.
> >>
> >> A lot more users will be using SPV wallets in the future, and one of
> >> the techniques SPV clients use to judge how likely a transaction is to
> >> be confirmed is if it propagates across the network. I wonder if and
> >> when double-spend relaying is introduced, if nodes should also send
> >> BIP61 reject messages or something along those lines to indicate which
> >> transactions those nodes believe to be invalid, but are relaying
> >> anyway.
> >>
> >> This would be subject to sybil attacks, as is monitoring propagation,
> >> however it does still increase the cost of performing a 0 confirmation
> >> double spend attack on an SPV client above just relaying double-spends
> >> without indicating if a node believes the transaction to be valid.
> >>
> >> Aaron Voisine
> >> breadwallet.com
> >
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:16 ` Matt Whitlock
@ 2014-09-26 2:37 ` Aaron Voisine
2014-09-26 3:34 ` Christophe Biocca
2014-09-28 2:55 ` Tom Harding
2014-09-26 16:27 ` [Bitcoin-development] SPV clients and relaying double spends s7r
1 sibling, 2 replies; 10+ messages in thread
From: Aaron Voisine @ 2014-09-26 2:37 UTC (permalink / raw)
To: Matt Whitlock; +Cc: Bitcoin Development
Of course you wouldn't want nodes to propagate alerts without
independently verifying them, otherwise anyone could just issue alerts
for every new transaction.
Aaron Voisine
breadwallet.com
On Thu, Sep 25, 2014 at 7:16 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
> Probably the first double-spend attempt (i.e., the second transaction to spend the same output(s) as another tx already in the mempool) would still need to be relayed. A simple "double-spend alert" wouldn't work because it could be forged. But after there have been two attempts to spend the same output, no further transactions spending that same output should be relayed, in order to prevent flooding the network.
>
>
> On Thursday, 25 September 2014, at 7:12 pm, Aaron Voisine wrote:
>> Something like that would be a great help for SPV clients that can't
>> detect double spends on their own. (still limited of course to sybil
>> attack concerns)
>>
>> Aaron Voisine
>> breadwallet.com
>>
>>
>> On Thu, Sep 25, 2014 at 7:07 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
>> > What's to stop an attacker from broadcasting millions of spends of the same output(s) and overwhelming nodes with slower connections? Might it be a better strategy not to relay the actual transactions (after the first) but rather only propagate (once) some kind of double-spend alert?
>> >
>> >
>> > On Thursday, 25 September 2014, at 7:02 pm, Aaron Voisine wrote:
>> >> There was some discussion of having nodes relay double-spends in order
>> >> to alert the network about double spend attempts.
>> >>
>> >> A lot more users will be using SPV wallets in the future, and one of
>> >> the techniques SPV clients use to judge how likely a transaction is to
>> >> be confirmed is if it propagates across the network. I wonder if and
>> >> when double-spend relaying is introduced, if nodes should also send
>> >> BIP61 reject messages or something along those lines to indicate which
>> >> transactions those nodes believe to be invalid, but are relaying
>> >> anyway.
>> >>
>> >> This would be subject to sybil attacks, as is monitoring propagation,
>> >> however it does still increase the cost of performing a 0 confirmation
>> >> double spend attack on an SPV client above just relaying double-spends
>> >> without indicating if a node believes the transaction to be valid.
>> >>
>> >> Aaron Voisine
>> >> breadwallet.com
>> >
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:37 ` Aaron Voisine
@ 2014-09-26 3:34 ` Christophe Biocca
2014-09-28 2:55 ` Tom Harding
1 sibling, 0 replies; 10+ messages in thread
From: Christophe Biocca @ 2014-09-26 3:34 UTC (permalink / raw)
To: Bitcoin Development
A lot of this discussion has already occured. Some code was even
merged into master, then reverted.
See:
https://github.com/bitcoin/bitcoin/issues/4550
https://github.com/bitcoin/bitcoin/pull/4570
It would probably be a good idea to start from that code, as it
addresses many of the possible pitfalls you've been discussing.
On Thu, Sep 25, 2014 at 10:37 PM, Aaron Voisine <voisine@gmail.com> wrote:
> Of course you wouldn't want nodes to propagate alerts without
> independently verifying them, otherwise anyone could just issue alerts
> for every new transaction.
>
> Aaron Voisine
> breadwallet.com
>
>
> On Thu, Sep 25, 2014 at 7:16 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
>> Probably the first double-spend attempt (i.e., the second transaction to spend the same output(s) as another tx already in the mempool) would still need to be relayed. A simple "double-spend alert" wouldn't work because it could be forged. But after there have been two attempts to spend the same output, no further transactions spending that same output should be relayed, in order to prevent flooding the network.
>>
>>
>> On Thursday, 25 September 2014, at 7:12 pm, Aaron Voisine wrote:
>>> Something like that would be a great help for SPV clients that can't
>>> detect double spends on their own. (still limited of course to sybil
>>> attack concerns)
>>>
>>> Aaron Voisine
>>> breadwallet.com
>>>
>>>
>>> On Thu, Sep 25, 2014 at 7:07 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
>>> > What's to stop an attacker from broadcasting millions of spends of the same output(s) and overwhelming nodes with slower connections? Might it be a better strategy not to relay the actual transactions (after the first) but rather only propagate (once) some kind of double-spend alert?
>>> >
>>> >
>>> > On Thursday, 25 September 2014, at 7:02 pm, Aaron Voisine wrote:
>>> >> There was some discussion of having nodes relay double-spends in order
>>> >> to alert the network about double spend attempts.
>>> >>
>>> >> A lot more users will be using SPV wallets in the future, and one of
>>> >> the techniques SPV clients use to judge how likely a transaction is to
>>> >> be confirmed is if it propagates across the network. I wonder if and
>>> >> when double-spend relaying is introduced, if nodes should also send
>>> >> BIP61 reject messages or something along those lines to indicate which
>>> >> transactions those nodes believe to be invalid, but are relaying
>>> >> anyway.
>>> >>
>>> >> This would be subject to sybil attacks, as is monitoring propagation,
>>> >> however it does still increase the cost of performing a 0 confirmation
>>> >> double spend attack on an SPV client above just relaying double-spends
>>> >> without indicating if a node believes the transaction to be valid.
>>> >>
>>> >> Aaron Voisine
>>> >> breadwallet.com
>>> >
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:16 ` Matt Whitlock
2014-09-26 2:37 ` Aaron Voisine
@ 2014-09-26 16:27 ` s7r
1 sibling, 0 replies; 10+ messages in thread
From: s7r @ 2014-09-26 16:27 UTC (permalink / raw)
To: Matt Whitlock, bitcoin-development
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 9/26/2014 5:16 AM, Matt Whitlock wrote:
> Probably the first double-spend attempt (i.e., the second
> transaction to spend the same output(s) as another tx already in
> the mempool) would still need to be relayed. A simple
> "double-spend alert" wouldn't work because it could be forged. But
> after there have been two attempts to spend the same output, no
> further transactions spending that same output should be relayed,
> in order to prevent flooding the network.
>
This sounds rational - is this already implemented nowadays or *SHOULD
BE* implemented to prevent this attack type in the future?
>
> On Thursday, 25 September 2014, at 7:12 pm, Aaron Voisine wrote:
>> Something like that would be a great help for SPV clients that
>> can't detect double spends on their own. (still limited of
>> course to sybil attack concerns)
>>
>> Aaron Voisine breadwallet.com
>>
>>
>> On Thu, Sep 25, 2014 at 7:07 PM, Matt Whitlock
>> <bip@mattwhitlock.name> wrote:
>>> What's to stop an attacker from broadcasting millions of
>>> spends of the same output(s) and overwhelming nodes with
>>> slower connections? Might it be a better strategy not to relay
>>> the actual transactions (after the first) but rather only
>>> propagate (once) some kind of double-spend alert?
>>>
>>>
>>> On Thursday, 25 September 2014, at 7:02 pm, Aaron Voisine
>>> wrote:
>>>> There was some discussion of having nodes relay
>>>> double-spends in order to alert the network about double
>>>> spend attempts.
>>>>
>>>> A lot more users will be using SPV wallets in the future,
>>>> and one of the techniques SPV clients use to judge how likely
>>>> a transaction is to be confirmed is if it propagates across
>>>> the network. I wonder if and when double-spend relaying is
>>>> introduced, if nodes should also send BIP61 reject messages
>>>> or something along those lines to indicate which
>>>> transactions those nodes believe to be invalid, but are
>>>> relaying anyway.
>>>>
>>>> This would be subject to sybil attacks, as is monitoring
>>>> propagation, however it does still increase the cost of
>>>> performing a 0 confirmation double spend attack on an SPV
>>>> client above just relaying double-spends without indicating
>>>> if a node believes the transaction to be valid.
>>>>
>>>> Aaron Voisine breadwallet.com
>>>
>
> ------------------------------------------------------------------------------
>
>
>
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS
> Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download
> White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with
> EventLog Analyzer
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>
>
>
_______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
- --
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUJZPVAAoJEIN/pSyBJlsRfgoIAI4x4qITdCDyYx/I1+z4eGz3
u7zDbVGQEPsUlrgEZLf503TNUIKmEgYQvgQDGEdOQk615XlkrTJeqt5oLh9DVJKj
TaXRqKgBp4iNd6BIIs1gKl0CzmH9sJ7U9ojhTS5aV7ZUhinO0WZlgISYaBZ3t9Kw
t//jb8QNLqISOeotiO9A2jb06UVRf9Gh0FUSBYTJ/st0UvLWt286zT+4XOaeVI/c
9I9nkTsd/jdw1Eorfcd5T8iHBORcdn9g+5+UpuXVq7d3KA5FA6oetzBVHgUfTMjF
q9LAe0W9IUVSiRj+wWvADzlxeUwWjsHnJDxdGihBg/g+k6SfPnOAxEC1UjCH+OU=
=kaIX
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] SPV clients and relaying double spends
2014-09-26 2:37 ` Aaron Voisine
2014-09-26 3:34 ` Christophe Biocca
@ 2014-09-28 2:55 ` Tom Harding
2014-09-28 5:15 ` [Bitcoin-development] replace-by-fee v0.9.3 release Peter Todd
1 sibling, 1 reply; 10+ messages in thread
From: Tom Harding @ 2014-09-28 2:55 UTC (permalink / raw)
To: Aaron Voisine; +Cc: Bitcoin Development
On 9/25/2014 7:37 PM, Aaron Voisine wrote:
> Of course you wouldn't want nodes to propagate alerts without
> independently verifying them
How would a node independently verify a double-spend alert, other than
by having access to an actual signed double-spend?
#4570 relays the first double-spend AS an alert. Running this branch on
mainnet, I have been keeping a live list of relayed double-spend
transactions at http://respends.thinlink.com
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bitcoin-development] replace-by-fee v0.9.3 release
2014-09-28 2:55 ` Tom Harding
@ 2014-09-28 5:15 ` Peter Todd
2014-09-28 17:03 ` Luke Dashjr
0 siblings, 1 reply; 10+ messages in thread
From: Peter Todd @ 2014-09-28 5:15 UTC (permalink / raw)
To: Tom Harding; +Cc: Bitcoin Development
[-- Attachment #1: Type: text/plain, Size: 1219 bytes --]
On Sat, Sep 27, 2014 at 07:55:44PM -0700, Tom Harding wrote:
> On 9/25/2014 7:37 PM, Aaron Voisine wrote:
> > Of course you wouldn't want nodes to propagate alerts without
> > independently verifying them
> How would a node independently verify a double-spend alert, other than
> by having access to an actual signed double-spend?
>
> #4570 relays the first double-spend AS an alert. Running this branch on
> mainnet, I have been keeping a live list of relayed double-spend
> transactions at http://respends.thinlink.com
Speaking of, I ported my replace-by-fee branch the recent v0.9.3
release: https://github.com/petertodd/bitcoin/tree/replace-by-fee-v0.9.3
I actually ported it a few days ago; that release has been running on a
half-dozen or so nodes right now for a few days with no issues.
The v0.9.3 release's scriptSig size limit increase adds a new category
of double-spending exploit. I'm not going to get time to add that
exploit to my replace-by-fee toolkit(1) for at least another week or so
though - pull-reqs accepted.
1) https://github.com/petertodd/replace-by-fee-tools
--
'peter'[:-1]@petertodd.org
0000000000000000084778cc7b7394a48d65c9451a59dcf98d0f1e1078f39c3a
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 650 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] replace-by-fee v0.9.3 release
2014-09-28 5:15 ` [Bitcoin-development] replace-by-fee v0.9.3 release Peter Todd
@ 2014-09-28 17:03 ` Luke Dashjr
0 siblings, 0 replies; 10+ messages in thread
From: Luke Dashjr @ 2014-09-28 17:03 UTC (permalink / raw)
To: bitcoin-development
On Sunday, September 28, 2014 5:15:53 AM Peter Todd wrote:
> On Sat, Sep 27, 2014 at 07:55:44PM -0700, Tom Harding wrote:
> > On 9/25/2014 7:37 PM, Aaron Voisine wrote:
> > > Of course you wouldn't want nodes to propagate alerts without
> > > independently verifying them
> >
> > How would a node independently verify a double-spend alert, other than
> > by having access to an actual signed double-spend?
> >
> > #4570 relays the first double-spend AS an alert. Running this branch on
> > mainnet, I have been keeping a live list of relayed double-spend
> > transactions at http://respends.thinlink.com
>
> Speaking of, I ported my replace-by-fee branch the recent v0.9.3
> release: https://github.com/petertodd/bitcoin/tree/replace-by-fee-v0.9.3
>
> I actually ported it a few days ago; that release has been running on a
> half-dozen or so nodes right now for a few days with no issues.
>
> The v0.9.3 release's scriptSig size limit increase adds a new category
> of double-spending exploit. I'm not going to get time to add that
> exploit to my replace-by-fee toolkit(1) for at least another week or so
> though - pull-reqs accepted.
>
> 1) https://github.com/petertodd/replace-by-fee-tools
Do you have or can you provide a version compatible with CPFP, such that a
child paying a higher fee trumps the parent's replacement?
Preferably something that will merge cleanly into 0.9.x-ljr :)
Luke
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-09-28 17:04 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-26 2:02 [Bitcoin-development] SPV clients and relaying double spends Aaron Voisine
2014-09-26 2:07 ` Matt Whitlock
2014-09-26 2:12 ` Aaron Voisine
2014-09-26 2:16 ` Matt Whitlock
2014-09-26 2:37 ` Aaron Voisine
2014-09-26 3:34 ` Christophe Biocca
2014-09-28 2:55 ` Tom Harding
2014-09-28 5:15 ` [Bitcoin-development] replace-by-fee v0.9.3 release Peter Todd
2014-09-28 17:03 ` Luke Dashjr
2014-09-26 16:27 ` [Bitcoin-development] SPV clients and relaying double spends s7r
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox