On Fri, Jun 19, 2020 at 09:44:11AM +0200, Bastien TEINTURIER via Lightning-dev wrote:
> The gist is here, and I'd appreciate your feedback if I have wrongly
> interpreted some of the ideas:
> https://gist.github.com/t-bast/22320336e0816ca5578fdca4ad824d12

Quoted text below is from the gist:

> The trick to protect against a malicious participant that broadcasts a
> low-fee HTLC-success or Remote-HTLC-success transaction is that we can
> always blindly do a CPFP carve-out on them; we know their txid

I think you're assuming here that the attacker broadcast a particular state. However, in a channel which potentially had thousands of state changes, you'd have to broadcast a blind child for each previous state (or at least each previous state that pays the attacker more than the latest state). That's potentially thousands of transactions times potentially dozens of peers---not impossible, but it seems messy.

I think there's a way to accomplish the same goal for less bandwidth and zero fees. The only way your Bitcoin peer will relay your blind child is if it already has the parent transaction. If it has the parent, you can just request it using P2P getdata(type='tx', id=$txid).[1] You can batch multiple txid requests together (up to 50,000 IIRC) to minimize overhead, making the average cost per txid a tiny bit over 36 bytes. If you receive one of the transactions you request, you can extract the preimage at no cost to yourself (except bandwidth). If you don't receive a transaction, then sending a blind child is hopeless anyway---your peers won't relay it.

Overall, it's hard for me to guess how effective your proposal would be at defeating the attack. I think the strongman argument for the attack would be that the attacker will be able to perform a targeted relay of their outdated state to just miners---everyone else on the network will receive the counterparty's honest final-state close. Unless the counterparty happens to have a connection to a miner's node, the counterparty will neither be able to CPFP fee bump nor use getdata to retrieve the preimage. It seems to me it's practical for a motivated attacker to research which IP addresses belong to miners so that they can target them, whereas honest users won't practically be able to do that research (and, even if they could, it would create a centralizing barrier to new miners entering the market if users focused on maintaining connections to previously-known miners).

-Dave

[1] You'd have to be careful to not attempt the getdata too soon after you think the attacker broadcast their old state, but I think that only means waiting a single block, which you have to do anyway to see if the honest final-commitment transaction confirmed. See https://github.com/bitcoin/bitcoin/pull/18861
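The batched `getdata` request Dave describes, as an added example that is not code from the email, the gist, or Bitcoin Core: it serializes a Bitcoin P2P `getdata` message for a list of txids and shows where the "a tiny bit over 36 bytes per txid" figure comes from (4-byte inventory type + 32-byte hash per entry, plus a 24-byte header and a CompactSize count shared by the batch). The txid used below is a constructed placeholder, and the 50,000-entry limit is Bitcoin Core's MAX_INV_SZ.

```python
import hashlib
import struct

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")
MSG_TX = 1                      # inventory type: transaction by txid
MSG_WITNESS_TX = 1 | (1 << 30)  # same, but asks for the witness serialization (BIP144)
MAX_INV_SZ = 50000              # Bitcoin Core rejects inv/getdata with more entries


def compactsize(n: int) -> bytes:
    """CompactSize (varint) encoding used for vector lengths on the wire."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def getdata_payload(txids_hex, inv_type: int = MSG_WITNESS_TX) -> bytes:
    """Inventory vector: count, then (type, hash) pairs, 36 bytes each."""
    if len(txids_hex) > MAX_INV_SZ:
        raise ValueError("getdata is limited to 50,000 inventory entries")
    out = compactsize(len(txids_hex))
    for h in txids_hex:
        # txids are displayed big-endian; the wire carries the internal (reversed) order
        out += struct.pack("<I", inv_type) + bytes.fromhex(h)[::-1]
    return out


def p2p_message(command: str, payload: bytes, magic: bytes = MAINNET_MAGIC) -> bytes:
    """Frame a payload with the 24-byte P2P header (magic, command, length, checksum)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    header = magic + command.encode().ljust(12, b"\0") + struct.pack("<I", len(payload)) + checksum
    return header + payload


def getdata_message(txids_hex, inv_type: int = MSG_WITNESS_TX) -> bytes:
    return p2p_message("getdata", getdata_payload(txids_hex, inv_type))


def bytes_per_txid(batch_size: int) -> float:
    """Average wire cost per requested txid when batch_size txids share one message."""
    placeholder_txid = "ab" * 32  # constructed placeholder, not a real transaction
    return len(getdata_message([placeholder_txid] * batch_size)) / batch_size


if __name__ == "__main__":
    # Constructed placeholder txid; a real peer would answer with the tx if it has it
    print(getdata_message(["ab" * 32]).hex())
    print(f"1 txid: {bytes_per_txid(1):.2f} B/txid, 50,000 txids: {bytes_per_txid(50000):.5f} B/txid")
```

A peer answers a `getdata` only for transactions it already has, which is exactly the precondition for relaying a blind child; if nothing comes back, the child would not have propagated either.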