Re: [bitcoin-dev] V3 Transactions are still vulnerable to significant tx pinning griefing attacks

[Peter Todd <pete@petertodd.org>]

[-- Attachment #1: Type: text/plain, Size: 1783 bytes --]

On Wed, Dec 20, 2023 at 07:13:22PM +0000, Gloria Zhao wrote:
> The "damage" of the pin can quantified by the extra fees Alice has to pay.
> 
> For a v3 transaction, Mallory can attach 1000vB at 80sat/vB. This can
> increase the cost of replacement to 80,000sat.
> For a non-v3 transaction, Mallory can attach (101KvB - N) before maxing out
> the descendant limit.
> Rule #4 is pretty negligible here, but since you've already specified
> Alice's child as 152vB, she'll need to pay Rule #3 + 152sats for a
> replacement.
> 
> Let's say N is 1000vB. AFAIK commitment transactions aren't usually smaller
> than this:

You make a good point that the commitment transaction also needs to be included
in my calculations. But you are incorrect about the size of them.

With taproot and ephemeral anchors, a typical commitment transaction would have
a single-sig input (musig), two taproot outputs, and an ephemeral anchor
output.  Such a transaction is only 162vB, much less than 1000vB.

In my experience, only a minority of commitment transactions that get mined
have HTLCs outstanding; even if there is an HTLC outstanding, that only gets us
up to 206vB.

> > Mallory can improve the efficiency of his griefing attack by attacking
> multiple
> > targets at once. Assuming Mallory uses 1 taproot input and 1 taproot
> output for
> > his own funds, he can spend 21 ephemeral anchors in a single 1000vB
> > transaction.
> 
> Note that v3 does not allow more than 1 unconfirmed parent per tx.

Ah, pity, I had misremembered that restriction as being removed, as that is a
potentially significant improvement in scenarios where you need to do things
like deal with a bunch of force closes at once.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]