On Tue, Jun 23, 2020 at 03:47:56PM +0300, Stanga via bitcoin-dev wrote: > On Tue, Jun 23, 2020 at 12:48 PM ZmnSCPxj wrote: > > * Inputs: > > * Bob 1 BTC - HTLC amount > > * Bob 1 BTC - Bob fidelity bond > > > > * Cases: > > * Alice reveals hashlock at any time: > > * 1 BTC goes to Alice > > * 1 BTC goes to Bob (fidelity bond refund) > > * Bob reveals bob-hashlock after time L: > > * 2 BTC goes to Bob (HTLC refund + fidelity bond refund) > > * Bob cheated, anybody reveals both hashlock and bob-hashlock: > > * 2 BTC goes to miner > > > > [...] > > The cases you present are exactly how MAD-HTLC works. It comprises two > contracts (UTXOs): > * Deposit (holding the intended HTLC tokens), with three redeem paths: > - Alice (signature), with preimage "A", no timeout > - Bob (signature), with preimage "B", timeout T > - Any entity (miner), with both preimages "A" and "B", no timeout > * Collateral (the fidelity bond, doesn't have to be of the same amount) > - Bob (signature), no preimage, timeout T > - Any entity (miner), with both preimages "A" and "B", timeout T I'm not these are safe if your counterparty is a miner. Imagine Bob offers Alice a MAD-HTLC. Alice knows the payment preimage ("preimage A"). Bob knows the bond preimage ("preimage B") and he's the one making the payment and offering the bond. After receiving the HTLC, Alice takes no action on it, so the timelock expires. Bob publicly broadcasts the refund transaction with the bond preimage. Unbeknownst to Bob, Alice is actually a miner and she uses her pre-existing knowledge of the payment preimage plus her received knowledge of the bond preimage to privately attempt mining a transaction that pays her both the payment ("deposit") and the bond ("collateral"). Assuming Alice is a non-majority miner, she isn't guaranteed to succeed---her chance of success depends on her percentage of the network hashrate and how much fee Bob paid to incentivize other miners to confirm his refund transaction quickly. However, as long as Alice has a non-trivial amount of hashrate, she will succeed some percentage of the time in executing this type of attack. Any of her theft attempts that fail will leave no public trace, perhaps lulling users into a false sense of security. -Dave