* Re: [bitcoin-dev] bitcoin-dev Digest, Vol 91, Issue 5
[not found] <mailman.15.1670068802.22993.bitcoin-dev@lists.linuxfoundation.org>
@ 2022-12-05 17:26 ` John Carvalho
2022-12-06 4:06 ` Antoine Riard
0 siblings, 1 reply; 2+ messages in thread
From: John Carvalho @ 2022-12-05 17:26 UTC (permalink / raw)
To: bitcoin-dev, antoine.riard
[-- Attachment #1: Type: text/plain, Size: 6394 bytes --]
Antoine,
> In the direction of removing the current option from Bitcoin Core, I think
> the prerequisite to address are the qualification of enough economic flows
> at risk and the presence of a sizable loss in miners income.
Are such prerequisites for feature removal published somewhere? I don't see
any reason why removing a controversial change should be harder than adding
one. Generally, it is impossible to definitively attribute any change in
network condition to one thing in such a complex system, and also difficult
to know how much time is required to express negative effects. The whole
argument here is to prevent disruption of the status quo that has lasted
the whole history of Bitcoin, to avoid taking a speculative risk that
full-RBF, at the expense of zero-conf, is maybe better for miners... or
something.
Further, I feel the mempoolfullrbf feature was rushed through while this
controversy was growing, specifically to attempt to achieve this imaginary
protection of "sorry, that ship has sailed" which indicates an agenda that
is counter to greater social consensus and status quo. We should not
incentivize such behavior further by allowing this sort of feature
sainthood.
Beyond that, I think there is still the open question if we (we, as the
> Bitcoin protocol development community, with all its stakeholders) should
> restrain user choice in policy settings in the name of preserving mining
> income and established use-case stability.
Removing the mempoolfullrbf feature is the opposite of restraining user
choice.
First, any incentivized user can still create and distribute patches for
any given mempool policy, regardless of whether we remove the feature from
Core, but it is important to note that extremely few have felt the need to
do so in the past.
Second, the very debate here is about how it is mempoolfullrbf that removes
the user choice of zero-conf services. With a first-seen policy in place,
users have *more* options, and Bitcoin is thus more useful, and thus more
valuable to everyone. This is evident in that the feature of full-rbf is
that it overrides any ability for users to signal intent of how they wish
their transaction to be handled by nodes and miners. This is useful info to
miners, as they make more money by facilitating use cases than by
fee-minimizers painting everything as RBF. User-signaling is a useful
feature for the mempool, full-RBF removes that feature.
Third, when Bitcoin Core adds special support for specific policies, it
positions itself as a political authority and influencer. It is not Core's
place to support one subjective policy more than another, particularly when
it conflicts with years of status quo and breaks the current user space,
and likely resulting in more doublespent user experiences.
To recall, the original technical motivation of this option, and the wider
> smoother deployment was to address a DoS vector affecting another class of
> use-case: multi-party transactions like coinjoin and contracting protocols
> like Lightning [2] [3]. All of them expect to generate economic flows and
> corresponding mining income. Since then, alternative paths to solve this
> DoS vector have been devised, all with their own trade-offs and conceptual
> issues [4] [5].
I am particularly skeptical that users sending Bitcoin to themselves
(coinjoin) could ever be more incentive-compatible than fast-paced commerce
& priority competition. I am also skeptical that mempoolfullrbf actually
solves LN risks any better than opt-in RBF by default by LN implementations
and wallets.
Further, zero-conf support reduces friction for LN adoption by allowing us
to make instant, seamless UX within wallets when onboarding, rebalancing,
and splicing.
--
John Carvalho
CEO, Synonym.to <http://synonym.to/>
>
> Date: Fri, 2 Dec 2022 17:35:39 -0500
> From: Antoine Riard <antoine.riard@gmail•com>
> To: Bitcoin Protocol Discussion
> <bitcoin-dev@lists•linuxfoundation.org>
> Subject: [bitcoin-dev] Fwd: [Opt-in full-RBF] Zero-conf apps in
> immediate danger
> Message-ID:
> <
> CALZpt+HFFwY4XECNZj3XLqnaumPeDjrwvnCsRa3vsGQfuXn8wA@mail•gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Daniel,
>
> >From my understanding of GAP600, you're operating a zero-conf risk
> analysis
> business, which is integrated and leveraged by payment processors/liquidity
> providers and merchants. A deployment of fullrbf by enough full-node
> operators and a subset of the mining hashrate would lower the cost of
> double-spend attack by lamda users, therefore increasing the risk exposure
> of your users. This increased risk exposure could lead you to alter the
> acceptance of incoming zero-conf transactions, AFAICT in a similar
> reasoning as exposed by Bitrefill earlier this year [0].
>
> About the statistics you're asking for considerations, few further
> questions, on those 1.5M transactions per month, a) how many are
> Bitcoin-only (as I understand to be multi-cryptocurrencies), b) how many
> are excluded from zeroconf due to factors like RBF, long-chain of
> unconfirmed ancestors or too high-value and c) what has been the average
> feerate (assuming a standard size of 200 bytes) ?
>
> My personal position on fullrbf is still the same as expressed in #26525
> [1]. As a community, I think we still don't have conceptual consensus on
> deploying full-rbf, nor to remove it. In the direction of removing the
> current option from Bitcoin Core, I think the prerequisite to address are
> the qualification of enough economic flows at risk and the presence of a
> sizable loss in miners income. Beyond that, I think there is still the open
> question if we (we, as the Bitcoin protocol development community, with all
> its stakeholders) should restrain user choice in policy settings in the
> name of preserving mining income and established use-case stability.
>
> To recall, the original technical motivation of this option, and the wider
> smoother deployment was to address a DoS vector affecting another class of
> use-case: multi-party transactions like coinjoin and contracting protocols
> like Lightning [2] [3]. All of them expect to generate economic flows and
> corresponding mining income. Since then, alternative paths to solve this
> DoS vector have been devised, all with their own trade-offs and conceptual
> issues [4] [5].
>
> Best,
> Antoine
>
[-- Attachment #2: Type: text/html, Size: 8093 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bitcoin-dev] bitcoin-dev Digest, Vol 91, Issue 5
2022-12-05 17:26 ` [bitcoin-dev] bitcoin-dev Digest, Vol 91, Issue 5 John Carvalho
@ 2022-12-06 4:06 ` Antoine Riard
0 siblings, 0 replies; 2+ messages in thread
From: Antoine Riard @ 2022-12-06 4:06 UTC (permalink / raw)
To: John Carvalho; +Cc: bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 14171 bytes --]
Hi John,
Thanks for expressing your thoughts on the current state of
`-mempoolfullrbf`, from the perspective of a merchant and zero-conf
proponent. First and foremost, we're dealing with a nuanced and rich topic,
implying not only the inner workings of Bitcoin Core mempool policy rules,
the current topology of the peer-to-peer network and transactions
propagation across it, the miner block construction strategy, but even
further the consequences on multiple class of use-cases such as on-chain
payments, Ligthning and coinjoins.
In the present case, and as always, I'm only speaking for myself, based on
my years-long experience contributing to Bitcoin Core, the wider Lightning
ecosystem and few other open-source projects. While there is a
self-awareness of the scope of my statements expressed in one of my (rough)
domains of expertise, as usual I invite anyone to reason by oneself and
check my saying for opinions and wrongs.
That disclaimer said, in matters of feature removal, to the best of my
knowledge the Bitcoin Core's "decision-making" process should be followed
like any other code change, as documented by the CONTRIBUTING.md [0]. In
the conceptual appreciation of the change in soundness, of course the
ecosystem impacts or utility are lawfully decision grounds, as we've done
in the past for many Lightning/L2-related PRs.
W.r.t `mempoolfullrbf`, it has been argued on one-side it would a benefit
for some wallets usage (i.e replace non-signaling transactions from legacy
software [1]) and multi-party applications/ contracting protocols (i.e
remove a DoS vector [2]). On the other hand, it would change the security
model expectations of the 0confs operators. Whatever the evaluation one can
have of the soundness of those expectations, I think there is a lowering of
the technical bar one should reach to accomplish a double-spend.
During the last months of discussions, we had a mempool policy design
philosophy proposed aiming to accommodate all the Bitcoin use-cases alive
on the network, under the conditions they're not harming the network
interests [3]. Under this paradigm, we could have a policy regime for each
use-case, and we can devise another special rule to solve the DoS vector
affecting multi-party applications/contracting protocols have been proposed
[4].
With that in consideration, there is still the open question if this
mempool policy design philosophy proposed is sound enough in face of miner
incentives and won't generate asymmetries in mining incomes. Not only now,
but also in a future world where fee reward is most of miners income. To
the best of my understanding, there isn't an established and practical
model of miner incentives, at least among the Bitcoin Core developers. To
underscore, from my perspective this is where the conceptual discussion is
blocked, and where it would be opportune to spend time and energy on.
Anyone is invited to contribute on that front.
Zooming out, I believe the lack of current fullrbf hashrate shouldn't be a
disqualification that this mempool policy rule is not miner incentive
compatible. In the realm of science, the value of a model is its
performance to predict events, even if with a macro-system like Bitcoin
mining it might take years for the empirical confirmation to happen (namely
the exhaustion of mining reward). As we're seeing in physics, some lessons
of Einstein's general relativity expressed in the 1900 were only confirmed
by observation of solar eclipse in 1919.
In the meantime, as `mempoolfullrbf` is altering the security expectations
of the 0conf operators and on the other side the Lightning/coinjoins folks
have expressed low sensibility to the DoS vector [5], following a "first,
do not harm" philosophy, I think as an ecosystem we're better off to remove
the "risk-induction" `mempoolfullrbf` feature. Renewing here my position
previously expressed in #26438 [6] and #26525 [7].
Qualifying the existence of a harm in the eyes of the community, I think
this is valuable to have more merchants/services operators producing
effective usage data, from the past years, as Bitrefill has done as an
example [8]. Minding the lack of a verifiable process to attest the
authenticity of such merchant claims raises a methodological issue in the
discussion (and we could so in the future with cool ZKPs based on on-chain
data!)
Of course, I think we shouldn't lose sight of the existence of a
`mempoolfullrbf` patch, now widely disseminated across the ecosystem could
lead to a situation where only a minority of node operators using it would
damage the safety of the 0confs use-case. There is not that much the
Bitcoin Core project could do in that regard. While I think the project
aims to maximize the safety of the peer-to-peer network as a design
principle, including when we might have to restrain user choice, policy
rules are "soft" rules and the autonomy to modify them is only a function
of one's technical ability.
On the qualification of the Bitcoin Core as a political process, I think
this is an ignorance of the practice of day-to-day Core's process, where
the best code and reasonings are winning based on scientific and
engineering standards, even if we've always had a margin of improvements.
People are striving their best to ensure we follow an idea meritocracy
according to best open-source practice, and I think the project (and
Bitcoin itself in its 10+ years of history) wouldn't have survived so far
if it has been otherwise.
Finally, I can understand we have no economical data yet for the
multi-party funded and p2p coinjoins use-cases, as the specification
enabling them is still WIP and have not been implemented by all LN
softwares. I also fully understand the skepticism on how mempoolfullrbf
would solve a DoS vector for LN multi-party funded transactions, even if
I've done my best to describe the issue previously. I'm staying available
to demonstrate the pinning against a mainnet LN dual-funding flow if that
would convince you further, and then explain how the wide deployment of
mempoolfullrbf would block the DoS. I agree with you that instant channel
opening or splicing is very valuable, but there are a lot of additional
solutions that operators could deploy to have more fine-grained
risk-management.
All that said, I appreciate when anyone in the community raises the voice
to check-and-balance the work of Bitcoin Core contributors, this is really
needed for the health of the development process, as long as it's done in a
respectful and patient way.
Sincerely,
Antoine
[0] https://github.com/bitcoin/bitcoin/blob/master/CONTRIBUTING.md
[1] https://github.com/bitcoin/bitcoin/pull/26438#issuecomment-1304370679
[2]
https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-May/003033.html
[3]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021135.html
[4]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-November/021144.html
[5]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-November/021183.html
[6] https://github.com/bitcoin/bitcoin/pull/26438#issuecomment-1305042950
[7] https://github.com/bitcoin/bitcoin/pull/26525#issuecomment-1319499006
[8] https://github.com/bitcoin/bitcoin/pull/26525#issuecomment-1332823282
Le lun. 5 déc. 2022 à 12:26, John Carvalho <john@synonym•to> a écrit :
> Antoine,
>
>
>> In the direction of removing the current option from Bitcoin Core, I
>> think the prerequisite to address are the qualification of enough economic
>> flows at risk and the presence of a sizable loss in miners income.
>
>
> Are such prerequisites for feature removal published somewhere? I don't
> see any reason why removing a controversial change should be harder than
> adding one. Generally, it is impossible to definitively attribute any
> change in network condition to one thing in such a complex system, and also
> difficult to know how much time is required to express negative effects.
> The whole argument here is to prevent disruption of the status quo that has
> lasted the whole history of Bitcoin, to avoid taking a speculative risk
> that full-RBF, at the expense of zero-conf, is maybe better for miners...
> or something.
>
> Further, I feel the mempoolfullrbf feature was rushed through while this
> controversy was growing, specifically to attempt to achieve this imaginary
> protection of "sorry, that ship has sailed" which indicates an agenda that
> is counter to greater social consensus and status quo. We should not
> incentivize such behavior further by allowing this sort of feature
> sainthood.
>
> Beyond that, I think there is still the open question if we (we, as the
>> Bitcoin protocol development community, with all its stakeholders) should
>> restrain user choice in policy settings in the name of preserving mining
>> income and established use-case stability.
>
>
> Removing the mempoolfullrbf feature is the opposite of restraining user
> choice.
>
> First, any incentivized user can still create and distribute patches for
> any given mempool policy, regardless of whether we remove the feature from
> Core, but it is important to note that extremely few have felt the need to
> do so in the past.
>
> Second, the very debate here is about how it is mempoolfullrbf that
> removes the user choice of zero-conf services. With a first-seen policy in
> place, users have *more* options, and Bitcoin is thus more useful, and thus
> more valuable to everyone. This is evident in that the feature of full-rbf
> is that it overrides any ability for users to signal intent of how they
> wish their transaction to be handled by nodes and miners. This is useful
> info to miners, as they make more money by facilitating use cases than by
> fee-minimizers painting everything as RBF. User-signaling is a useful
> feature for the mempool, full-RBF removes that feature.
>
> Third, when Bitcoin Core adds special support for specific policies, it
> positions itself as a political authority and influencer. It is not Core's
> place to support one subjective policy more than another, particularly when
> it conflicts with years of status quo and breaks the current user space,
> and likely resulting in more doublespent user experiences.
>
> To recall, the original technical motivation of this option, and the wider
>> smoother deployment was to address a DoS vector affecting another class of
>> use-case: multi-party transactions like coinjoin and contracting protocols
>> like Lightning [2] [3]. All of them expect to generate economic flows and
>> corresponding mining income. Since then, alternative paths to solve this
>> DoS vector have been devised, all with their own trade-offs and conceptual
>> issues [4] [5].
>
>
> I am particularly skeptical that users sending Bitcoin to themselves
> (coinjoin) could ever be more incentive-compatible than fast-paced commerce
> & priority competition. I am also skeptical that mempoolfullrbf actually
> solves LN risks any better than opt-in RBF by default by LN implementations
> and wallets.
>
> Further, zero-conf support reduces friction for LN adoption by allowing us
> to make instant, seamless UX within wallets when onboarding, rebalancing,
> and splicing.
>
> --
> John Carvalho
> CEO, Synonym.to <http://synonym.to/>
>
>
>
>>
>> Date: Fri, 2 Dec 2022 17:35:39 -0500
>> From: Antoine Riard <antoine.riard@gmail•com>
>> To: Bitcoin Protocol Discussion
>> <bitcoin-dev@lists•linuxfoundation.org>
>> Subject: [bitcoin-dev] Fwd: [Opt-in full-RBF] Zero-conf apps in
>> immediate danger
>> Message-ID:
>> <
>> CALZpt+HFFwY4XECNZj3XLqnaumPeDjrwvnCsRa3vsGQfuXn8wA@mail•gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi Daniel,
>>
>> >From my understanding of GAP600, you're operating a zero-conf risk
>> analysis
>> business, which is integrated and leveraged by payment
>> processors/liquidity
>> providers and merchants. A deployment of fullrbf by enough full-node
>> operators and a subset of the mining hashrate would lower the cost of
>> double-spend attack by lamda users, therefore increasing the risk exposure
>> of your users. This increased risk exposure could lead you to alter the
>> acceptance of incoming zero-conf transactions, AFAICT in a similar
>> reasoning as exposed by Bitrefill earlier this year [0].
>>
>> About the statistics you're asking for considerations, few further
>> questions, on those 1.5M transactions per month, a) how many are
>> Bitcoin-only (as I understand to be multi-cryptocurrencies), b) how many
>> are excluded from zeroconf due to factors like RBF, long-chain of
>> unconfirmed ancestors or too high-value and c) what has been the average
>> feerate (assuming a standard size of 200 bytes) ?
>>
>> My personal position on fullrbf is still the same as expressed in #26525
>> [1]. As a community, I think we still don't have conceptual consensus on
>> deploying full-rbf, nor to remove it. In the direction of removing the
>> current option from Bitcoin Core, I think the prerequisite to address are
>> the qualification of enough economic flows at risk and the presence of a
>> sizable loss in miners income. Beyond that, I think there is still the
>> open
>> question if we (we, as the Bitcoin protocol development community, with
>> all
>> its stakeholders) should restrain user choice in policy settings in the
>> name of preserving mining income and established use-case stability.
>>
>> To recall, the original technical motivation of this option, and the wider
>> smoother deployment was to address a DoS vector affecting another class of
>> use-case: multi-party transactions like coinjoin and contracting protocols
>> like Lightning [2] [3]. All of them expect to generate economic flows and
>> corresponding mining income. Since then, alternative paths to solve this
>> DoS vector have been devised, all with their own trade-offs and conceptual
>> issues [4] [5].
>>
>> Best,
>> Antoine
>>
>
[-- Attachment #2: Type: text/html, Size: 16696 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-12-06 4:06 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <mailman.15.1670068802.22993.bitcoin-dev@lists.linuxfoundation.org>
2022-12-05 17:26 ` [bitcoin-dev] bitcoin-dev Digest, Vol 91, Issue 5 John Carvalho
2022-12-06 4:06 ` Antoine Riard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox