(tl;dr Ideally network mempools should be an efficient marketplace leading
to discovery of best-feerate blockspace demand by miners. It's not due to
current anti-DoS rules assumptions and it's quite harmful for shared-utxo
protocols like LN)

Hello all,

Lightning security model relies on the unilateral capability for a channel
participant to confirm transactions, like timing out an outgoing HTLC,
claiming an incoming HTLC or punishing a revoked commitment transaction and
thus enforcing onchain a balance negotiated offchain. This security model
is actually turning back the double-spend problem to a private matter,
making the duty of each channel participant to timely enforce its balance
against the competing interest of its counterparties. Or laid out
otherwise, contrary to a miner violating a consensus rules, base layer
peers don't care about your LN node failing to broadcast a justice
transaction before the corresponding timelock expiration (CSV delay).

Ensuring effective propagation and timely confirmation of LN transactions
is so a critical-safety operation.  Its efficiency should be always
evaluated with regards to base layer network topology, tx-relay propagation
rules, mempools behaviors, consistent policy applied by majority of nodes
and ongoing blockspace demand. All these components are direct parameters
of LN security. Due to the network being public, a malicious channel
counterparty do have an incentive to tweak them to steal from you.

The pinning attacks which have been discussed since a few months are a
direct illustration of this model. Before digging into each pinning
scenario, few properties of the base layer components should be evocated
[0].

Network mempools aren't guaranteed to be convergent, the local order of
events determines the next events accepted. I.e Alice may observe tx X, tx
Y, tx Z and Bob may observe tx Z, tx X, tx Y. If tx Z disable-RBF and tx X
try to replace Z, Alice accepts X and Bob rejects it. This divergence may
persevere until a new block.

Tx-relay topology can be observed by spying nodes [1]. An attacker can
exploit this fact to partition network mempools in different subset and
hamper propagation across them of same-spending output concurrent
transactions. If subset X observes Alice commitment transaction and subset
Y observes Bob commitment transaction, Alice's HTLC-timeout spending her
commitment won't propagate beyond the X-Y set boundaries. An attacker can
always win the propagation race through massive connections or bypassing
tx-relay privacy timers.

Miners mempools are likely identifiable, you could announce a series of
conflicting transactions to different subsets of the network and observe
"tainted" block composition to assign to each subset a miner mempool. I'm
not aware of any research on this, but it sounds plausible to identify all
power-miner mempool, i.e the ones likely to mine a block during the block
delay of the timelock you're looking to exploit. If you can't bid a
transaction in such miner mempools your channel state will stale and your
funds may be in danger.

### Scenario 1) HTLC-Preimage Pinning

As Matt previously explained in his original mail on RBF-pinning, a
malicious counterparty has an interest to pin a low-feerate HTLC-preimage
transaction in some network mempools and thus preventing a honest
HTLC-timeout to confirm. For details, refer to Optech newsletter [2].

This scenario doesn't bear any risk to the attacker, is easy to execute and
has double-digit rate of success. You don't assume network topologies
manipulation, mempools partitions or LN-node-to-full-node mapping [3] That
said this should be solved by implementing and deploying anchor outputs,
which effectively allows a party to unilaterally bump feerate of its
HTLC-timeout transactions.

### The Anchor Output Proposal

Anchor Output proposal is a current spec object implemented by the LN dev
community, it introduces the ability to _unilaterally_ and _dynamically_
bump feerate of any commitment transaction. It also opened the way to bump
local 2nd-stage transactions.

Beyond solving scenario 1), it makes LN node safe with regards to
unexpected mempool congestion. If your commitment transaction is stucking
in network mempools you can bump its feerate by attaching a CPFP on the new
`to_local` anchor. If the remote commitment gets stuck in network mempools,
you're able to bump it by attaching a CPFP on the `to_remote` anchor. This
should keep your safe against an unresponsive or lazy counterparty in case
of onchain funds to claim.

IMO, it comes with a trade-off as it introduces a mapping oracle, i.e a
linking vector between a LN node and its full-node. In this case, a spying
node may establish a dummy, low-value channel with a probed LN node, break
it by broadcasting thousands of different versions of the (revoked)
commitment and observes which one broadcast a CPFP first on the p2p layer.
Obviously, you can mitigate it by not chasing after low-value HTLC, but
that is a small risk of money loss. As of today,  this oracle can be seen
as acceptable as we have other ones and we may get rid of it in the future.

### Scenario 2a) Revoked Commitment Transaction Pinning

Digging further, we found that there are more concerning scenarios of
pinning, at the commitment-tx level. At a period of low-feerate, a
malicious party incessantly updates a channel until to obtain ~10k revoked
commitment transactions.

At a period of mempool-congestion, by having setup a fine-grained
`dust_limit_satoshis` and at same-time circulary routing HTLCs, our
malicious party can inflate absolute fee of its own commitment bounded
while breaking channel in the middle of an update sequence, ensuring it has
a higher-fee than the commitment of the honest counterparty. As channel
opener, the attacker has the amplitude of malleating the victim's
commitment such to keep it equal or under revoked feerate.

Then our malicious party broadcast to each base layer public peer one of
the revoked commitment transactions, that way partitioning the network
mempools in 10k subset. Even assuming anchor output a honest LN node won't
be able to confirm the remote commitment through a CPFP, this one failing
to cross subset boundaries, the parent txid being different at each.

Broadcasting the honest commitment transaction will fail, its feerate being
known and malleable it won't RBF already-in-mempool remote commitment
transactions. This prevents an honest party to timely timeout an outgoing
HTLC or an incoming HTLC.

This scenario does bear a low-risk to the attacker, is easy to execute and
has a likely double-digit rate of success once you tune feerate
malleability. You assume mempools partitions but not any network topologies
discovery. We underscore there is no current p2p/mempool mechanism to learn
about conflicting transactions, even learning about near-topology conflicts
don't guarantee you that a propagation path is uniform to make your CPFP
successful.

### Scenario 2b) Previous-Latest Commitment Transaction Pinning

A variant of commitment-tx pinning is to rely only on valid commitment
transactions. Channel update sequence not being atomic, you can legally own
2 valid commitment transactions. An attacker can successfully map a
LN-node's full-node and such, announce one of them and the other one to the
rest of the network. A honest peer will fail to leverage the `to_remote`
anchor output as its CPFP won't propagate again over network mempools
partitions.

This scenario doesn't bear a risk to the attacker, is medium to execute and
has a likely double-digit rate of success. You assume mempools partitions
and inter-layer mapping. How hard is it to map a LN-node to a full-node ?
Actually you can use the fact that a LN-node's full-node is monitoring the
mempool for a preimage of interest and observe the announcement of such
preimage on the offchain layer. As post-anchor HTLC-Success transactions
are malleable you can once again create mass-conflicts to isolate the
full-node and improve the probe with high certainty.

### Where Package Relay helps

Solving scenario 2a) and 2b) in the most efficient way is likely to require
package relay support on the Core side. Package relay would extend the
notion of a mempool package (topologically ordered bundles of transactions)
to introduce a new class of p2p traffic. So far its implementation has been
delayed due to refactoring mempool internals, ensuring a DoS-robust design
and a p2p PR pipeline already congested.

Once deployed, a LN node would be able to join a commitment transaction and
a CPFP together and make them evaluated atomically by network mempools such
to evict any malicious remote commitment assuming a higher feerate.

### Scenario 3) Network-Topology-Aware Pinning for Propagation Obstruction

Let's assume the following base layer tx-relay topology:

                Alice ---> Bob ---> Caroll

Alice wants to send her package relay to Caroll the miner to get her
commitment transaction confirmed. A malicious counterparty could throw
remote commitment W in Bob mempool and remote commitment X in Caroll
mempool. Transaction W would be attached to a high-fee CPFP Y. Transaction
X would be attached to a low-fee CPFP Z such that X pins in Caroll mempool.
CPFP Y and CPFP Z would be crafted such as both incorporating a conflicting
parent to prevent Bob and Caroll mempool convergence. It looks like the
following:

Bob's mempool:
tx W ---> tx Y
parent 1 ---> tx Y

Caroll's mempool:
tx X ---> tx Z
parent 2 ---> tx Z

Bob's mempool would announce and send package "tx W + tx Y + parent 1" to
Caroll's one and due to parent 1 and parent 2 spending the same output
package would be rejected. High-fee package W will prevent Alice to
successfully broadcast her package to Caroll. This fee can be higher than
the maximum one that Alice would pay to confirm her transaction, as due to
conflicts, it won't be _effectively_ paid by the malicious counterparty.

This scenario does bear a risk to the attacker only if miner mempools
haven't been well-mapped and high-fee package leak into them, is hard to
execute but has a likely double-digit rate of success. It assumes mempool
partitions, network topology knowledge and inter-layer mapping.

### Current Mempool Design Flaws in the lights of Contracting Applications
with Competing Interests

Scenario 3) does illustrate a current flaw of mempool with regards to
contracting applications with competing interests. A counterparty can
leverage network propagation rules to prevent miners' mempools to discover
the best feerate package and thus not having to pay the real fee price to
successfully obstrucate broadcast of honest package relay spending the same
output.

These network propagation rules, namely RBF opt-in, have been designed to
protect network mempools against any DoS but don't protect a single-party
against its shared-utxo co-owners. Amending these rules to enable
mempool-convergence based on feerate will enable a honest bid market for
contracting applications and ensure network-wise higher feerate. Getting
this right will require significant study as you may allow total mempool
fees to decrease when the transactions are near the bottom of the mempool.
At first sight, it sounds incentives-compatible, as miner a) gets the
highest fee bid b) an attacker does have to compete on feerate to attempt
stealing.

Assuming a basic package relay to evict low-feerate malicious commitment,
an alternative proposal could be to introduce outbound tx-relay peers
rotation to sweep and reach ~80% of the network in less than HTLC
timelocks.  Your LN node's full node will _probabilistically_ connect to a
miner mempool and announce to it the best feerate package. Making the
tx-relay topology more dynamic would make it harder for an attacker to make
package obstruction effective. IMHO, it sounds easier on the
engineering-side, but likely worse for privacy due to the aggressive
broadcast pattern.

Another alternative could be to have more ad hoc privacy-preserving
redundant tx-broadcast.

A fourth proposal, Matt's one, is to design some blind-CPFP package relay
with a pointer to original funding outpoint to rebind on-the-flight but it
does assume noinput.

### Conclusion

To the best of my knowledge, assuming mempools congestion levels we have
seen in the past months, currently deployed LN peers aren't secure against
scenario 2a) and 2b) to any motivated attackers with a decent knowledge of
both layers. Further, ensuring scenario 3) security requires heavy,
long-term work at the base layer.

IMO, we should a) go forward with anchor proposal implementation, it comes
with trade-off but enables mempool-congestion safety, b) work on package
relay to solve commitment-level pinning, c) study best base layer mechanism
to ensure best feerate package discovery by any miner's mempools and d) in
the meanwhile increase delta and deadline timelocks.

Thoughts ?

Thanks to Matt and t-bast for conversations.

Cheers,

Antoine

[0] For newcomers, see also t-bast's great piece on LN's transactions :
https://github.com/t-bast/lightning-docs/blob/master/lightning-txs.md

[1] And current state of opinions is obfuscating tx-relay topology is a
hard problem
https://github.com/bitcoin/bitcoin/pull/15759#issuecomment-480398802

[2]
https://bitcoinops.org/en/newsletters/2020/04/29/#new-attack-against-ln-payment-atomicity

[3] Obviously all these scenarios do have a setup cost scoping channel
opening onchain fees and
rebalancing but it's order(s) of magnitude lower if you can steal from
meaningful channels.