public inbox for bitcoindev@googlegroups.com
From: Matt Morehouse <mattmorehouse@gmail•com>
To: Peter Todd <pete@petertodd•org>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Cc: security@ariard•me,
	"lightning-dev@lists.linuxfoundation.org"
	<lightning-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely
Date: Thu, 2 Nov 2023 17:07:39 +0000
Message-ID: <CAGyamEXYJN0qGKzWPsN8-T1URqmeTbUH7JJjwuFKMHByCwEG3A@mail.gmail.com>
In-Reply-To: <ZUNBHsw2BldPLvPc@petertodd.org>

On Thu, Nov 2, 2023 at 6:27 AM Peter Todd via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
>
> On Thu, Nov 02, 2023 at 05:24:36AM +0000, Antoine Riard wrote:
> > Hi Peter,
> >
> > > So, why can't we make the HTLC-preimage path expire? Traditionally, we've
> > > tried to ensure that transactions - once valid - remain valid forever. We do
> > > this because we don't want transactions to become impossible to mine in the
> > > event of a large reorganization.
> >
> > I don't know if reverse time-lock where a lightning spending path becomes
> > invalid after a block height or epoch point solves the more advanced
> > replacement cycling attacks, where a malicious commitment transaction
> > itself replaces out an honest commitment transaction, and the
> > child-pay-for-parent of this malicious transaction is itself replaced out
> > by the attacker, leading to the automatic trimming of the malicious
> > commitment transaction.
>
> To be clear, are you talking about anchor channels or non-anchor channels?
> Because in anchor channels, all outputs other than the anchor outputs provided
> for fee bumping can't be spent until the commitment transaction is mined, which
> means RBF/CPFP isn't relevant.

IIUC, Antoine is talking about a cycling attack of the commitment
transaction itself, not the HTLC transactions.  It seems possible for
future (ephemeral) anchor channels in a world with package relay.

The idea with package relay is that commitment transaction fees will
be zero and that fees will always be paid via CPFP on the anchor
output.

Consider this scenario:  Mallory1 -> Alice -> Mallory2.
Mallory2 claims an HTLC from Alice off chain via the preimage.  Alice
attempts to claim the corresponding HTLC from Mallory1, but Mallory1
refuses to cooperate.  So Alice publishes her commitment transaction
along with a CPFP on the anchor output.  Mallory1 publishes her
competing commitment transaction with a higher CPFP fee on the anchor
output, thereby replacing Alice's package in the mempool.  Mallory1
then replacement-cycles the anchor output child transaction, causing
her commitment transaction to lose its CPFP and the package feerate to
go to zero, which is below the minimum relay fee.  Thus, Mallory1's
commitment transaction is also evicted from the mempool.  Mallory1
repeats this process every time Alice broadcasts her commitment, until
the HTLC timeout expires.  At that point the preimage path becomes
unspendable, and Mallory1 can claim the HTLC via timeout at her
leisure.

>
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
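
The sequence described in the message above, as an added toy model (not part of the original email and not code from any Bitcoin or Lightning implementation). It assumes a 1 sat/vB relay floor and a simplified total-fee replacement rule; all transaction names, fees and sizes are constructed for illustration.

```python
from dataclasses import dataclass

MIN_RELAY_FEERATE = 1.0  # sat/vB; assumed policy floor for this toy model

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset  # outpoints spent, written "txid:output"
    fee: int           # satoshis
    vsize: int         # virtual bytes

class ToyMempool:
    def __init__(self):
        self.txs = {}

    def _descendants(self, txid):
        kids = [t.txid for t in self.txs.values()
                if any(i.split(":")[0] == txid for i in t.inputs)]
        return set(kids).union(*(self._descendants(k) for k in kids))

    def submit(self, *package):
        fee = sum(t.fee for t in package)
        if fee / sum(t.vsize for t in package) < MIN_RELAY_FEERATE:
            return False  # package feerate below the relay floor
        spent = set().union(*(t.inputs for t in package))
        conflicts = {t.txid for t in self.txs.values() if t.inputs & spent}
        evicted = set(conflicts).union(*(self._descendants(c) for c in conflicts))
        if sum(self.txs[e].fee for e in evicted) >= fee:
            return False  # simplified RBF: replacement must pay more in total
        for e in evicted:
            del self.txs[e]
        self.txs.update({t.txid: t for t in package})
        # A zero-fee parent that lost its CPFP child is below the floor: trim it.
        for t in list(self.txs.values()):
            if t.fee / t.vsize < MIN_RELAY_FEERATE and not self._descendants(t.txid):
                del self.txs[t.txid]
        return True

def run_scenario():
    """Constructed transactions; returns the mempool contents after each step."""
    fs = frozenset
    alice = (Tx("commit_A", fs({"funding:0"}), 0, 200),
             Tx("child_A", fs({"commit_A:anchor", "alice:0"}), 1000, 150))
    mallory = (Tx("commit_M", fs({"funding:0"}), 0, 200),
               Tx("child_M", fs({"commit_M:anchor", "mallory:0"}), 2000, 150))
    cycle = (Tx("cycle_M", fs({"mallory:0"}), 3000, 110),)
    mp, steps = ToyMempool(), []
    for package in (alice, mallory, cycle):
        mp.submit(*package)
        steps.append(sorted(mp.txs))
    return steps
```

After the third step nothing spending the funding output remains in the model's mempool, matching the message's point that Mallory1's own commitment is evicted once its CPFP child is replaced.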

