Hello Dave and list, Thanks for your quick answers! The attacker would be broadcasting the latest > state, so the honest counterparty would only need to send one blind > child. > Exactly, if the attacker submits an outdated transaction he would be shooting himself in the foot, as we could claim the revocation paths when seeing the transaction in a block and get all the channel funds (since the attacker's outputs will be CSV-locked). The only way your Bitcoin peer will relay your blind child > is if it already has the parent transaction. > That's an excellent point that I missed in the blind CPFP carve-out trick! I think this makes the blind CPFP carve-out quite hard in practice (even using getdata - thanks for detailing that option)... In the worst case scenario where most miners' mempools contain the attacker's tx and the rest of the network's mempools contains the honest participant's tx, I think there isn't much we can do. We're simply missing information, so it looks like the only good solution is to avoid being in that situation by having a foot in miners' mempools. Do you think it's unreasonable to expect at least some LN nodes to also invest in running nodes in mining pools, ensuring that they learn about attackers' txs and can potentially share discovered preimages with the network off-chain (by gossiping preimages found in the mempool over LN)? I think that these recent attacks show that we need (at least some) off-chain nodes to be somewhat heavily invested in on-chain operations (layers can't be fully decoupled with the current security assumptions - maybe Eltoo will help change that in the future?). Thank you for your time! Bastien Le ven. 19 juin 2020 à 22:53, David A. Harding a écrit : > On Fri, Jun 19, 2020 at 03:58:46PM -0400, David A. Harding via bitcoin-dev > wrote: > > I think you're assuming here that the attacker broadcast a particular > > state. > > Whoops, I managed to confuse myself despite looking at Bastien's > excellent explainer. The attacker would be broadcasting the latest > state, so the honest counterparty would only need to send one blind > child. However, the blind child will only be relayed by a Bitcoin peer > if the peer also has the parent transaction (the latest state) and, if > it has the parent transaction, you should be able to just getdata('tx', > $txid) that transaction from the peer without CPFPing anything. That > will give you the preimage and so you can immediately resolve the HTLC > with the upstream channel. > > Revising my conclusion from the previous post: > > I think the strongman argument for the attack would be that the attacker > will be able to perform a targeted relay of the low-feerate > preimage-containing transaction to just miners---everyone else on the > network will receive the honest user's higher-feerate expired-timelock > transaction. Unless the honest user happens to have a connection to a > miner's node, the user will neither be able to CPFP fee bump nor use > getdata to retrieve the preimage. > > Sorry for the confusion. > > -Dave >