From: Antoine Riard <antoine.riard@gmail•com>
To: Matt Morehouse <mattmorehouse@gmail•com>
Cc: Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
"lightning-dev\\\\@lists.linuxfoundation.org"
<lightning-dev@lists•linuxfoundation.org>,
security@ariard•me
Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely
Date: Fri, 3 Nov 2023 05:27:54 +0000 [thread overview]
Message-ID: <CALZpt+EhE=06bg8eph0bJ+bGvoJFSCEkXwmegbUNQcLSr_ACuw@mail.gmail.com> (raw)
In-Reply-To: <CAGyamEXYJN0qGKzWPsN8-T1URqmeTbUH7JJjwuFKMHByCwEG3A@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3461 bytes --]
> The idea with package relay is that commitment transaction fees will
> be zero and that fees will always be paid via CPFP on the anchor
> output.
Yes, even if multiple commitment transactions are pre-signed with a RBF
range of more than zero, an attacker can always select the lowest fees
pre-signed states and adjust in consequence the CPFP paid, and then evict
out the bumping CPFP.
Le jeu. 2 nov. 2023 à 17:07, Matt Morehouse <mattmorehouse@gmail•com> a
écrit :
> On Thu, Nov 2, 2023 at 6:27 AM Peter Todd via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org> wrote:
> >
> > On Thu, Nov 02, 2023 at 05:24:36AM +0000, Antoine Riard wrote:
> > > Hi Peter,
> > >
> > > > So, why can't we make the HTLC-preimage path expire? Traditionally,
> we've
> > > tried
> > > > to ensure that transactions - once valid - remain valid forever. We
> do
> > > this
> > > > because we don't want transactions to become impossible to mine in
> the
> > > event of
> > > > a large reorganization.
> > >
> > > I don't know if reverse time-lock where a lightning spending path
> becomes
> > > invalid after a block height or epoch point solves the more advanced
> > > replacement cycling attacks, where a malicious commitment transaction
> > > itself replaces out a honest commitment transaction, and the
> > > child-pay-for-parent of this malicious transaction is itself replaced
> out
> > > by the attacker, leading to the automatic trimming of the malicious
> > > commitment transaction.
> >
> > To be clear, are you talking about anchor channels or non-anchor
> channels?
> > Because in anchor channels, all outputs other than the anchor outputs
> provided
> > for fee bumping can't be spent until the commitment transaction is
> mined, which
> > means RBF/CPFP isn't relevant.
>
> IIUC, Antoine is talking about a cycling attack of the commitment
> transaction itself, not the HTLC transactions. It seems possible for
> future (ephemeral) anchor channels in a world with package relay.
>
> The idea with package relay is that commitment transaction fees will
> be zero and that fees will always be paid via CPFP on the anchor
> output.
>
> Consider this scenario: Mallory1 -> Alice -> Mallory2.
> Mallory2 claims an HTLC from Alice off chain via the preimage. Alice
> attempts to claim the corresponding HTLC from Mallory1, but Mallory1
> refuses to cooperate. So Alice publishes her commitment transaction
> along with a CPFP on the anchor output. Mallory1 publishes her
> competing commitment transaction with a higher CPFP fee on the anchor
> output, thereby replacing Alice's package in the mempool. Mallory1
> then replacement-cycles the anchor output child transaction, causing
> her commitment transaction to lose its CPFP and the package feerate to
> go to zero, which is below the minimum relay fee. Thus, Mallory1's
> commitment transaction is also evicted from the mempool. Mallory1
> repeats this process every time Alice broadcasts her commitment, until
> the HTLC timeout expires. At that point the preimage path becomes
> unspendable, and Mallory1 can claim the HTLC via timeout at her
> leisure.
>
> >
> >
> > --
> > https://petertodd.org 'peter'[:-1]@petertodd.org
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists•linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4532 bytes --]
next prev parent reply other threads:[~2023-11-03 5:28 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 16:57 [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" Antoine Riard
2023-10-16 19:13 ` Peter Todd
2023-10-16 22:10 ` Matt Morehouse
2023-10-17 1:11 ` Antoine Riard
2023-10-20 10:47 ` Peter Todd
2023-10-20 11:18 ` Jochen Hoenicke
2023-10-16 22:51 ` Olaoluwa Osuntokun
2023-10-17 7:21 ` [bitcoin-dev] [Lightning-dev] " ziggie1984
2023-10-17 10:34 ` ZmnSCPxj
2023-10-17 18:34 ` Antoine Riard
2023-10-20 10:31 ` Peter Todd
2023-10-20 11:03 ` Peter Todd
2023-10-20 18:35 ` Matt Morehouse
2023-10-20 21:05 ` Matt Corallo
2023-10-21 0:15 ` Peter Todd
2023-10-21 1:03 ` Matt Corallo
2023-10-21 1:25 ` Peter Todd
2023-10-21 1:55 ` Matt Corallo
2023-10-21 2:43 ` Peter Todd
2023-10-23 16:09 ` Matt Corallo
2023-10-17 17:47 ` Antoine Riard
2023-10-17 18:47 ` Antoine Riard
2023-10-18 0:17 ` Matt Corallo
2023-10-18 2:57 ` Antoine Riard
2023-10-19 8:12 ` Bastien TEINTURIER
2023-10-19 16:23 ` Matt Morehouse
2023-10-19 17:22 ` Antoine Riard
2023-10-19 17:53 ` Matt Morehouse
2023-10-19 19:33 ` Antoine Riard
2023-10-21 0:18 ` Olaoluwa Osuntokun
2023-11-17 22:36 ` Antoine Riard
2023-10-19 18:02 ` Matt Corallo
2023-10-20 6:56 ` [bitcoin-dev] " Antoine Riard
2023-10-21 20:05 ` Antoine Riard
2023-10-27 0:43 ` Peter Todd
2023-11-02 4:46 ` Antoine Riard
2023-10-21 0:09 ` [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely Peter Todd
2023-10-21 8:58 ` David A. Harding
2023-10-21 10:31 ` Peter Todd
2023-10-22 8:30 ` vjudeu
2023-10-23 11:10 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2023-10-23 15:45 ` Peter Todd
2023-11-02 5:24 ` [bitcoin-dev] " Antoine Riard
2023-11-02 6:26 ` Peter Todd
2023-11-02 17:07 ` Matt Morehouse
2023-11-03 5:27 ` Antoine Riard [this message]
2023-11-03 5:25 ` Antoine Riard
2023-11-04 7:26 ` Peter Todd
2023-11-06 18:45 ` Antoine Riard
2023-11-07 11:11 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2023-11-07 15:44 ` Antoine Riard
2023-11-08 0:51 ` [bitcoin-dev] " Peter Todd
2023-11-08 2:06 ` Peter Todd
2023-11-13 2:18 ` Antoine Riard
2023-11-14 19:50 ` Peter Todd
[not found] ` <CALZpt+H38cU9L8kq0mSYCDirzL39fxhdoz4pAPiS8dGJP8akKg@mail.gmail.com>
2023-11-15 17:53 ` [bitcoin-dev] Fwd: " Antoine Riard
2023-10-22 4:49 ` [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" Nadav Ivgi
2023-10-23 8:49 ` David A. Harding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALZpt+EhE=06bg8eph0bJ+bGvoJFSCEkXwmegbUNQcLSr_ACuw@mail.gmail.com' \
--to=antoine.riard@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=lightning-dev@lists$(echo .)linuxfoundation.org \
--cc=mattmorehouse@gmail$(echo .)com \
--cc=security@ariard$(echo .)me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox