Hi Peter,
> The marginal cost to an attacker who was planning on broadcasting B anyway is
> fairly small, as provided that sufficiently small fee-rates are chosen for A_n,
> the probability of A_n being mined is low. The attack does of course require
> capital, as the attacker needs to have UTXO's of sufficient size for A_n.
I think an attacker does not necessarily need to have a UTXO's of sufficient size for A_n.
One could reuse feerate ascending old LN states, where the balance on latest states is
in favor of your counterparty. So it might be a lower assumption on attacker ressources,
you only needs to have been _allocate_ a shared-UTXO in the past.
> The larger the mempool size limit, the more
> effective the attack tends to be. Similarly, the attack is more effective with
> a larger size difference between A and B. Finally, the attack is more effective
> with a smaller minimum incremental relay fee, as more individual versions of
> the transaction can be broadcast for a given fee-delta range.
I think the observation on larger the mempool size, more effective the attack tends
to come as a novel insight to me. Naively, in a world where the future blockspace
demand is uncertain, miners have an incentive to scale up their mempool size limit.
As such, holding a cache of non-mined low-feerates transactions. The type of bandwidth,
denial-of-service described sounds effectively to affect more full-nodes with large
mempools. Fair point, it's expected they have more bandwidth ressources available too.
> Of course, this attack can be parallelized, with many non-conflicting A_n
> chains at once. Depending on P2P topology, maximum bandwidth may be consumable
> by broadcasting multiple _conflicting_ A's to different nodes at once², a
> fairly obvious attack that I (and probably others) have already disclosed.
Yes, if I remember correctly bandwidth wasting attacks by exploiting RBF propagation
asymmetries were considered in 2021 when an automatic mempool rebroadcasting implementation
was proposed in Bitcoin Core. And alternatively, I echoed mempool partitioning concerns
during the tx-relay workshops on IRC in the same year of 2021, notably how you can use
to increase pinning attacks odds of success (assuming time-sensitive nodes e.g LN have
a single local mempool).
Commenting on this, do we have a free-relay attack variant where an attacker with reasonable
visibility on the transaction-relay network could exploit propagation asymmetries due to
*_INVENTORY_BROADCAST_INTERVAL and re-inject A_n traffic in a targeted fashion ?
I don't think it's worst than the parallelization you're describing, it's just another approach.
> Requiring replacements to increase the fee-rate by a certain ratio would also
> mitigate the attack. However doing so would break a lot of wallet software that
> bumps fees by values equal or close to the minimum relay fee.
I think there is still the open questions of the economic relevance of replace-by-fee if
the local mempool is completely empty. Here a miner is optimizing to maximize absolute
fee as a transaction replaced by a higher-feerate, lower fee is less interesting if you have
less than 1 MB virtual bytes / 4 MB WU.
> Ironically, the existence of this attack is an argument in favor of
> replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
> that Bitcoin Core's existing rules *also* allow for free-relay in this form
> makes the difference inconsequential.
Back on the point where an attacker ability to provoke bandwidth DoS in considerations
of the UTXO-amount available, a minimal absolute fee as a proof of owning some UTXO
amount could be still maintained (or maybe after a _bounded_ number of replacement under
a given block period).
We studied proof-of-UTXO ownership as a p2p DoS mitigation approach in the past with Gleb:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-November/002884.html
Best,
Antoine
Le lundi 18 mars 2024 à 13:24:12 UTC, Peter Todd a écrit :
RBF Rule #6 requires that a replacement transaction have a fee-rate higher than
the fee-rate of all conflicting transactions. This rule aligns economic
incentives, as in most circumstances miners earn more money by mining a higher
fee-rate transaction than a lower fee-rate transaction, even if the absolute
fee paid by the replacement is more.
While RBF Rule #6 was implemented as part of my original Full-RBF opt-in
pull-req¹, it was mistakenly left out of BIP-125, which was written later by
Harding. Thus it's often forgotten in analysis of RBF.
Rule #6 creates a path dependency: the order in which replacement transactions
are received determines which transactions are ultimately accepted. This
creates an opportunity for free-relay, as follows:
1. Create two transactions, A and B, where A is a large, low fee-rate, high
absolute fee, transaction, and B is a small, high fee-rate, low absolute fee
transaction.
2. Broadcast A and B to different nodes simultaneously.
3. Nodes that receive A first will not replace A with B, because B pays a lower
fee, violating RBF Rule #3. Notes that receive B first, will not replace B with
A, because A has a lower fee-rate, violating RBF Rule #6.
4. Create A_1, a transaction with the same (large) size as A, but paying a
slightly higher fee (and thus fee-rate). Nodes that received A first will
replace A with A_1, consuming bandwidth. These nodes will also broadcast A_1 to
peers who have B, consuming their bandwidth even though they reject A_1.
5. Repeat until A_n has a fee-rate high enough to have a non-trivial risk of
being mined. Or B is mined, invalidating all A_n.
The marginal cost to an attacker who was planning on broadcasting B anyway is
fairly small, as provided that sufficiently small fee-rates are chosen for A_n,
the probability of A_n being mined is low. The attack does of course require
capital, as the attacker needs to have UTXO's of sufficient size for A_n.
The attack is most effective in cases where fee-rates have a significant slope
to them, with the minimum relay fee being small compared to the competitive fee
to get into the next block. The larger the mempool size limit, the more
effective the attack tends to be. Similarly, the attack is more effective with
a larger size difference between A and B. Finally, the attack is more effective
with a smaller minimum incremental relay fee, as more individual versions of
the transaction can be broadcast for a given fee-delta range.
Of course, this attack can be parallelized, with many non-conflicting A_n
chains at once. Depending on P2P topology, maximum bandwidth may be consumable
by broadcasting multiple _conflicting_ A's to different nodes at once², a
fairly obvious attack that I (and probably others) have already disclosed.
# Mitigations
Replace-by-Fee-Rate mitigates the attack, by limiting the possible range of
fee-rate delta. For example, in Libre Relay, which does replace-by-fee-rate at
a fee-rate ratio of >= 2x, if A starts at 3sat/VB, the attacker can only do 2
cycles of the attack as a B >= 6sat/VB will simply replace A.
The attack itself is arguably an economic exploit: *because* Bitcoin Core
doesn't yet implement replace-by-fee-rate, nodes who accepted A first, are
wasting their bandwidth relaying variations on A that are clearly less
desirable to miners than B. An economically rational miner would just mine B
right now, and the fact that _other_ economically rational miners would mine B
just strengthens the case for mining B now. Indeed, real-world measurements of
replace-by-fee-rate have found that (most likely) due to mempool
inconsistencies, roughly half or more³ of RBFR replacements are mined already.
Requiring replacements to increase the fee-rate by a certain ratio would also
mitigate the attack. However doing so would break a lot of wallet software that
bumps fees by values equal or close to the minimum relay fee.
# Related Attacks
Rule #6 is just one of many ways to achieve the same effect: getting a miner to
invalidate a set of large transactions, wasting bandwidth. For example, miners
who accept payment for guaranteeing that a specific transaction gets mined also
make this kind of attack possible.
# Discussion
Ironically, the existence of this attack is an argument in favor of
replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
that Bitcoin Core's existing rules *also* allow for free-relay in this form
makes the difference inconsequential.
# Disclosure
This issue was disclosed to bitcoin-security first. I received no objections to
making it public. All free-relay attacks are mitigated by the requirement to at
least have sufficient funds available to allocate to fees, even if the funds
might not actually be spent.
# References
1) https://github.com/bitcoin/bitcoin/pull/6871
2) https://petertodd.org/2024/one-shot-replace-by-fee-rate#the-status-quo
3) https://petertodd.org/2024/replace-by-fee-rate-success-rate
--
https://petertodd.org 'peter'[:-1]@petertodd.org
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/0a377ddb-b001-41ba-9208-27b3fa059bb5n%40googlegroups.com.