From: Jochen Hoenicke <hoenicke@gmail•com>
To: ZmnSCPxj <ZmnSCPxj@protonmail•com>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>
Cc: "lightning-dev@lists•linuxfoundation.org"
<lightning-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Lightning - Is HTLC vulnerable? And mention of Channel Factories
Date: Wed, 15 Jul 2020 17:23:24 +0200 [thread overview]
Message-ID: <CANYHNmL2NR-+s6Z+VsUE=8U49F4dfeXwbgXWwh4O8RnZ2dZctA@mail.gmail.com> (raw)
In-Reply-To: <CfSfVLj40qBl-ygOD-toPfDmJrLMTyP19sCLqFSe-aK7GQAjwmtAo6EznQ4VgzPKlIHpmnORP5-18hVW7Wh_Z0FwPZ9isT2wkIORMaMq55o=@protonmail.com>
[-- Attachment #1: Type: text/plain, Size: 4105 bytes --]
On Tue, 14 Jul 2020 at 16:42, ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> Good morning Mr. Lee,
>
> > Sorry. Re-sending with correction to CC bitcoin-dev
> >
> > I am sorry if this was already brought up in previous threads. If I know
> > lightning network correctly then HTLC is used to enforce settlements on
> > blockchain if there is a dispute. Could a person lose money if their HTLC
> > does not get confirmed in the timeframe or if an older HTLC gets
> > confirmed first? I see different ways this could happen.
> >
> > One, if the blockchain is very saturated with other transactions. The
> > reason we need lightning network is why it might have troubles with
> > settlements?
>
> This could happen, but the entire exercise is to move transactions off the
> blockchain, precisely to lower this risk.
>
> Otherwise, transfers onchain will take a long time.
> In practice, a long time to settle a payment will invalidate many
> real-world economic exchanges anyway (consider paying for food at a
> restaurant --- if your payments take days to settle, the food has gotten
> stale before the restaurant receives payment and releases your food).
> Thus, if an onchain transfer takes a long time to settle, there is already
> risk of economic loss present.
>
> By moving activity offchain, we reduce pressure onchain and improve
> settlement speeds on both offchain and onchain, reducing risk of economic
> loss due to delay.
>
>
> > Two, competition from a different conflicting HTLC. A newer
> > HTLC might not get confirmed before an older HTL.
>
> I cannot make sense of this.
>
> You cannot create conflicting HTLCs.
>
Correct. Removing or Creating an HTLC is something that both channel
partners need to agree on. They may create multiple pending HTLCs as long
as there are enough funds, but creating conflicting HTLCs is not possible.
> >
> > I found out about a recent attack technique that sounds like it might be
> > similar called "flood and loot".
>
> Roughly, my understanding of Flood and Loot is to make a lot of
> uneconomically tiny HTLCs going through a target victim forwarding node.
> You make circular routes going from your own node back to yourself.
> Then you refuse to actually claim the HTLCs sent back to yourself.
>
No, the way I understand it is that an attacker, say Malleroy, routes a lot
of medium sized HTLC payments from his node to his node via a victim node,
say Alice's, and possibly other nodes.
Then Malleroy *accepts* the payments by publishing the hash on the
receiving end, so he gets all the sent funds on his receiving channel.
Malleroy's receiving node behaves completely honestly, and nobody can prove
that it belongs to the attacker.
Finally when Alice claims her HTLC by presenting the hash, Malleroy just
ignores the claim. Now Alice, the victim, is forced to close the channel
to prevent the HTLC to timeout. If Malleroy does it with multiple victims
at exactly the same time, they will all compete with each other. The
victims cannot increase the fee for the HTLC claiming transaction, because
they are the ones who force-closed the channel. CPFP doesn't work, because
their ultimate output is CLTV'd. As soon as the HTLC timeouts Malleroy can
claim the still pending HTLCs using an RBF transaction.
So it is Alice who has to force close, which puts her at a big disadvantage.
Malleroy will have to pay the lightning fees, but they are negligible. The
fee for the on-chain force-close transaction (with the HTLC outputs) is
paid by whoever opened the channel. AFAIK the fee for the HTLC resolving
transactions is paid by whoever claims the HTLC. In this scenario it is
paid from Alice's money. If Malleroy opened the channel, he risks losing
some funds to on-chain fees. On the other hand the one who pays the fee
controls the fee. He could negotiate a very low fee (say a cent per HTLC),
when the network is idle and then wait for a natural congestion before
starting the attack, giving him a low risk with high success probability.
Every HTLC he can claim after timeout is profit.
Regards,
Jochen
[-- Attachment #2: Type: text/html, Size: 4930 bytes --]
prev parent reply other threads:[~2020-07-15 15:23 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <f0372f8eec5878fd919b654db76aeff7.squirrel@giyzk7o6dcunb2ry.onion>
2020-07-14 2:58 ` Mr. Lee Chiffre
2020-07-14 14:42 ` ZmnSCPxj
2020-07-15 15:23 ` Jochen Hoenicke [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANYHNmL2NR-+s6Z+VsUE=8U49F4dfeXwbgXWwh4O8RnZ2dZctA@mail.gmail.com' \
--to=hoenicke@gmail$(echo .)com \
--cc=ZmnSCPxj@protonmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=lightning-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox