Hi Yuval,


> Since the absolute fee amount is already committed to by the provided

> (`SIGHASH_ALL`) signatures but the total transaction weight is not,
Mallory can

> broadcast any valid signatures up to the maximum standard weight and
minimum

> relay fees, or in collusion with a miner, up to consensus limits.

>

> This effectively steals a fee from Alice et al, as their signatures do not

> commit to a feerate directly or indirectly.


From what I understand, there are many inputs for the coinjoin transaction,
the latest signer provides an inflated witness downgrading the multi-party
transaction feerate. It doesn't sound to me a fee siphoning as occurring
with loose malleability [0], rather another case of transaction-relay
jamming where the adversary's goal is to slow down the confirmation of the
transaction to waste everyone timevalue.


I think the issue has already been mentioned to advocate updating Core's
mempool acceptance policy, and allows wtxid-replacement [1]. There is also
a description available here [2].


To mitigate, among the peer-to-peer style of mitigations, one is of course a
reputation strategy or monetary strategy, where the asymmetries in
counterparties reputation are compensated with out-of-band
fees/credentials. I don't think increasing adversary costliness is that
efficient as there is a scaling effect (e.g the feerate of the previous
transaction can be used to feed N outputs for N dissociated attack
contexts). Signature ordering supposes also a reputation basis, and it
doesn't exclude giving a transaction construction edge to the reputational
counterparty (e.g a LSP "promising" a dual-funding UTXO to X distinct
participant, picking up the first to yield back a signature).


Best,

Antoine


[0]
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-September/002796.html

[1] https://github.com/bitcoin/bitcoin/pull/19645

[2]
https://gist.github.com/ariard/7e509bf2c81ea8049fd0c67978c521af#witness-malleability

Le mar. 7 févr. 2023 à 02:59, Yuval Kogman via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> a écrit :

> ## Summary
>
> Since Taproot (more generally any kind of MAST) spends have variable size
> which
> depends on the path being used, the last such input to be signed in a
> multiparty
> transaction can always use a larger than estimated signature to unfairly
> extract
> a fee contribution from the other parties to the transaction (keeping the
> absolute fees the same and reducing the feerate for the transaction).
>
> ## Attack Scenario
>
> Alice et al wish to perform a multiparty transaction, such as a CoinJoin or
> lightning dual funding at a relatively high feerate.
>
> Mallory has a P2TR output with a large script spend path, e.g. an ordinal
> inscription commitment transaction output.
>
> Mallory registers this coin as an input into the multiparty transaction
> with a
> fee obligation calculated on the basis of a key spend. When all other
> participants have provided signatures, the script spend path can be used.
>
> Since the absolute fee amount is already committed to by the provided
> (`SIGHASH_ALL`) signatures but the total transaction weight is not,
> Mallory can
> broadcast any valid signatures up to the maximum standard weight and
> minimum
> relay fees, or in collusion with a miner, up to consensus limits.
>
> This effectively steals a fee from Alice et al, as their signatures do not
> commit to a feerate directly or indirectly.
>
> ## Mitigations
>
> ### RBF
>
> All parties could negotiate a (series of) transaction(s) ahead of time at a
> lower feerate, giving a lower bound minimum feerate that Mallory can force.
>
> ### Minimum Weight Before Signing
>
> Enforcing a minimal weight for all non-witness data in the transaction
> before
> the transaction is considered fully constructed can limit the
> effectiveness of
> this attack, since the difference between the predicted weight and the
> maximum
> weight decreases.
>
> ### Trusted Coordinator
>
> In the centralized setting if BIP-322 ownership proofs are required for
> participation and assuming the server can be trusted not to collude with
> Mallory, the server can reject signatures that do not exercise the same
> spend
> path as the ownership proof, which makes the ownership proof a commitment
> to the
> spend weight of the input.
>
> ### Reputation
>
> Multiparty protocols with publicly verifiable protocol transcripts can be
> provided as weak evidence of a history of honest participation in
> multiparty
> transactions.
>
> A ring signature from keys used in the transaction or its transcript
> committing
> to the new proposed transaction can provide weak evidence for the honesty
> of the
> peer.
>
> Such proofs are more compelling to an entity which has participated in
> (one of)
> the transcripts, or proximal transactions. Incentives are theoretically
> aligned
> if public coordinators publish these transcripts as a kind of server
> reputation.
>
> ### Increasing Costliness
>
> A minimum feerate for the previous transaction or a minimum confirmation
> age
> (coindays destroyed implies time value, analogous to fidelity bonds) can be
> required for inputs to be added, in order to make such attacks less
> lucrative
> (but there is still a positive payoff for the attacker).
>
> ### Signature Ordering
>
> Signatures from potentially exploitative inputs can be required ahead of
> legacy
> or SegWit v0 ones. The prescribed order can be determined based on
> reputation or
> costliness as described in the previous paragraphs.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>