On Wed, Nov 08, 2023 at 12:51:31AM +0000, Peter Todd via bitcoin-dev wrote:
> > In a post-package relay world, I think this is possible. And that
> > replacement cycling attacks are breaking future dynamic fee-bumping of
> > pre-signed transactions concerns me a lot.
> 
> Well the answer here is pretty clear: v3 package relay with anchors is broken.

BTW a subtlety of this that may not be obvious is that in v3 package relay,
with zero value outputs, the outputs must be spent in the same package. Thus
_unlike_ existing anchor-using transactions, there would be only one anchor
output on the commitment transaction.

In existing anchor output transactions, this type of attack wouldn't work as
when broadcasting the transaction, Alice would be spending her anchor output,
which Bob can't double spend. But that doesn't work in v3, which intends to
limit UTXO growth by requiring that anchors be spent in the same package. Thus
unlike existing anchor outputs, an anchor would be truly a OP_1 output without
a signature, and thus belong to either Alice nor Bob uniquely.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org