Hi Zeeman,

> Neither can Bob replace-recycle out the commitment transaction itself, because the commitment transaction is a single-input transaction, whose sole input requires a signature from

> Bob and a signature from Carol --- obviously Carol will not cooperate on an attack on herself.

The replacement cycling happens on the commitment transaction spend itself, not the second stage, which is effectively locked until block 100.

If the commitment transaction is pre-signed with 0 sat / vb and all the feerate / absolute fee is provided by a CPFP on one of the anchor outputs, Bob can replace the CPFP itself. After replacement of its child, the commitment transaction has a package feerate of 0 sat / vb and it will be trimmed out of the mempool.

This is actually the scenario tested here on the nversion = 3 new mempool policy branch (non-deployed yet):

https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2

As of today commitment transactions might not propagate if dynamic mempool min fee is above pre-signed commitment transaction, which is itself unsafe. I think this behavior can currently be opportunistically exploited by attackers.

In a post-package relay world, I think this is possible. And that replacement cycling attacks are breaking future dynamic fee-bumping of pre-signed transactions concerns me a lot.

Best,

Antoine

Le mar. 7 nov. 2023 à 11:12, ZmnSCPxj <ZmnSCPxj@protonmail.com> a écrit :

Good morning Antoine,

> Once the HTLC is committed on the Bob-Caroll link, Caroll releases the preimage off-chain to Bob with an `update_fulfill_htlc` message, though Bob does _not_ send back his signature for the updated channel state.
>
> Some blocks before 100, Caroll goes on-chain to claim the inbound HTLC output with the preimage. Her commitment transaction propagation in network mempools is systematically "replaced cycled out" by Bob.

I think this is impossible?

In this scenario, there is an HTLC offered by Bob to Carol.

Prior to block 100, only Carol can actually create an HTLC-success transaction.
Bob cannot propagate an HTLC-timeout transaction because the HTLC timelock says "wait till block 100".

Neither can Bob replace-recycle out the commitment transaction itself, because the commitment transaction is a single-input transaction, whose sole input requires a signature from Bob and a signature from Carol --- obviously Carol will not cooperate on an attack on herself.

So as long as Carol is able to get the HTLC-success transaction confirmed before block 100, Bob cannot attack.
Of course, once block 100 is reached, `OP_EXPIRE` will then mean that Carol cannot claim the fund anymore.

Regards,
ZmnSCPxj