On Fri, Jul 14, 2017 at 12:20 AM, Dan Libby via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
On 07/13/2017 03:50 PM, Hampus Sjöberg wrote:
> 2. Avoid any chain of transaction that contains a SegWit transaction

sounds good, though I'm unclear on how exactly to achieve (2) given that
any party I have ever transacted with (or otherwise knows an address of
mine) can send me coins at any time.  So it seems the only possible way
to be certain is to run a node that has never published an address to a
3rd party.  Is that accurate?

You would also have to ensure that everyone you give your addresses to follows the same rule.  As time passes, there would be fewer and fewer people who have "clean" outputs.

From the perspective of old nodes, segwit looks like lots of people are transferring money to "anyone-can-spend" outputs.  This outputs are completely unprotected.  Literally, anyone can spend them.  (In practice, miners would spend them, since why would they include a transaction that sends "free money" to someone else).

If you run an old node, then someone could send you a transaction that only spends segwit outputs and you would think it is a valid payment.

Imagine that there are only 3 UTXOs (Alice, Bob and Carl have all the Bitcoins). 

UTXO-1:  Requires signature by Alice (legacy output)

UTXO-2: Anyone can pay (but is actually a segwit output that needs to be signed by Bob)

UTXO-3: Anyone can pay (but is actually a segwit output that needs to be signed by Carl)

Only Bob can spend UTXO-2, since it needs his signature.

Anyone could create a transaction that spends UTXO-2 and it would look good to all legacy nodes.  It is an "anyone can spend" output after all.

However, if they submit the transaction to the miners, then it will be rejected, because according to the new rules, it is invalid (it needs to be signed by Bob). 

Once a soft fork goes through, then all miners will enforce the new rules.

A miner who added the transaction to one of his blocks (since it is valid under the old rules) would find that no other miners would accept his block and he would get no fees for that block.  This means that all miners have an incentive to upgrade once a soft fork activates.

His block would be accepted by legacy nodes, for a short while.  However, since 95% of the miners are on the main chain, their chain (which rejects his block) would end up the longest.

If you are running a legacy client when a soft fork comes in, then you can be tricked with "zero confirm" transactions.  The transaction will look good to you, but will be invalid under the new rules.  This makes your client think you have received (a lot of) money, but in practice, the transaction will not be accepted by the miners.


Another thing that could be done is to modify my own node so that it
actually rejects such tx, but then I have modified consensus rules
myself, thus defeating the goal of remaining with status-quo rules, and
anyway the rest of the network would accept the tx.  I guess the benefit
is that I could be certain of the remaining funds I have.

If you wanted, you could mark any transaction that has a segwit looking output as "dirty" and then all of its descendants as dirty.

However, pretty quickly, only a tiny fraction of all bitcoins would be clean.

I suppose that it would be possible without modifying any rule to
construct a "certain balance" and an "uncertain balance".

Right.

I think a reasonably compromise would be to assume that all transactions buried more than a few hundred blocks deep are probably ok.  Only segwit looking outputs would be marked as "uncertain".