Re: [bitcoindev] A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: "David A. Harding" <dave@dtrt•org>
To: Peter Todd <pete@petertodd•org>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core
Date: Fri, 19 Jul 2024 20:41:07 -1000	[thread overview]
Message-ID: <c6593662694f9d4a4fe999dd432f87ff@dtrt.org> (raw)
In-Reply-To: <Zpk7EYgmlgPP3Y9D@petertodd.org>

On 2024-07-18 05:56, Peter Todd wrote:
> I disclosed it to the bitcoin-security mailing list as a test: does
> Bitcoin Core actually care about free relay attacks?

They do.  Several free relay attacks that were present in earlier
versions of Bitcoin were eliminated in later versions.  New proposals
are evaluated for their potential to create new permanent free relay
vectors.  The discovery of free relay is almost always reason enough to
reject a proposal.

The free relay attack you describe in your email and the type of free
relay enabled by your replace-by-feerate (RBFr) proposal can allow an
attacker to 10x to 100x the amount of bandwidth used network wide by
relay nodes for a cost of $10,000 to $50,000 a day (or, as you mention,
effectively for free if they were going to send a bunch of transactions
anyway).

I cannot imagine what would make you think that protocol developers are
not concerned about attacks that could drive large numbers of relay
nodes off the network for a cost easily affordable to any well-funded
adversary.

In this case, you've found a specific instance (full-RBF vs signaled
RBF) of a well-known general problem (optional policies leading to
mempool inconsistencies, allowing free relay) and appear to be arguing
that devs don't care about free relay because they refused to reverse a
previous decision (to not change the RBF configuration default) that has
been hotly debated multiple times.

An alternative interpretation is that they (1) do care about free relay,
(2) recognize that solving free relay is a hard problem that requires
research and development, and (3) refuse to be forced into restarting
debate on an already overdiscussed issue that gets nobody closer to
fundamental solutions.

> I believe the authors of that BIP are fully aware of the fact that
> "free" relay is an unavoidable problem, making their rational for
> TRUC/V3 bogus

Differences in node policy leading to mempool inconsistencies (which
allows free relay) is a well known problem that's the result of Bitcoin
being an open protocol based on free/libre software (two things I think
we all want).  Many protocol developers have attempted to address the
problem over the years, most recently just a few months ago with an
updated proposal for using weak blocks as a first step to address
"diverging mempool policies".[1]

A currently unsolved problem is not necessarily an unavoidable problem
and it seems reasonable to me for devs to be skeptical of proposals like
RBFr that add to the list of things that enable free relay.

> I believe the authors of [BIP431...] don't want to admit that they've
> wasted a large amount of engineering time on a bad proposal.

You've previously argued against designing contract protocols to depend
CPFP-style fee bumping for their offchain transactions, however that is
what is widely used by LN today and it appears to be what LN and other
offchain protocol developers want to use in the future.  If we accept
that, at least for the purposes of argument, what can we do to improve
CPFP fee bumping for LN?

All we really need at this point is to enable package relay so that
parent transactions are no longer subject to a dynamic mempool minimum
when they're bundled with a high-feerate child.  Preliminary support for
that should be released in the next major version of Bitcoin Core, with
improved support being worked on for later releases.

Package relay is the only thing we need at this point because the
existing LN protocol makes use of CPFP carve-out, which minimizes
transaction pinning issues.

However, another substantial Bitcoin Core improvement, cluster mempool,
is incompatible with CPFP carve-out.  TRUC is an alternative to CPFP
carve-out that is easy to reason about, easy to use, more general in
nature (good news for newer contract protocols), and which can possibly
be automatically applied to existing LN onchain transactions, allowing
cluster mempool to be deployed ASAP without requiring any significant
changes to anyone else's software.

As you've shown[2], the main downside of TRUC transactions (if we're
going to depend on CPFP-style fee bumping anyway) is that users of TRUC
transactions who have a malicious counterparty might need to pay a
slightly higher onchain feerate than they would need to pay under the
same situation with CPFP carve-out.  However, the increase is small
enough that most honest parties should be able to afford it, so there's
no incentive for a counterparty to do it.  I don't think we need to be
overly concerned about large numbers of LN users suddenly performing a
malicious action that does not benefit them and does not put the network
at risk.

The alternative to TRUC that you've proposed is replace-by-feerate
(RBFr).  This is also compatible with existing LN transactions and it's
conceptually super simple (I assume the code is too), which is
wonderful.  However, it's downsides are:

1. It fundamentally enables a significant amount of free relay.  I'll
    sketch a super basic attack at the end of this email that costs 0.55
    BTC per day ($67,000 USD) to 100x the amount of bandwidth used by
    relay nodes.  I'm sure more efficient attacks are possible.

    An attacker who is able to consume an excessive amount of relay node
    bandwidth at relatively low cost may be able to create both
    short-term and long-term problems for all Bitcoin users.  If the
    created problems result in a rapid increase in user feerates, then
    free relay attacks become cheaper due to low feerate transactions
    being automatically evicted from the bottom of the mempool.

2. It may allow empting the mempool at relatively low cost.  An attacker
    sending just 750 transactions at the top mempool feerate can
    guarantee eviction of every honest user's transactions.  The attacker
    can then replace 300 MB of transactions with a single 43,179 vbyte
    transaction.  Even if the replacement transaction pays 100
    sats/vbyte, when you compare that to the 1,000,000 vbytes of
    next-block transactions each miner lost, the miner is only earning an
    effective feerate of 4.3 sats/vbyte.

    Further, it's easy to imagine situations where evicting
    time-sensitive transactions from mempools might allow theft of funds
    in excess of a few thousand dollars (my immediate thoughts go to
    situations involving watchtowers).

3. Limiting the worst-case free relay and excessive mempool eviction
    requires additional rules (e.g. one-shot RBFr) that are challenging
    to implement and analyze at present, as several devs have noted[3].
    Both implementation and analysis should become much easier if cluster
    mempool is deployed (also noted by devs), but the deployment of
    cluster mempool requires removal of CPFP carve-out, and removal of
    CPFP carve-out requires either the upgrade of thousands of LN nodes
    and channels or a drop-in solution (ideally one that can be analyzed
    independently from cluster mempool, like TRUC).

To me, TRUC seems like an excellent approach.  It's something that can
be evaluated independently of cluster mempool but which can help allow
that deployment to proceed (in addition to the other previously
described benefits that TRUC brings).

There have already been multiple public discussions about how improved
RBF policies can be implemented once cluster mempool is available, many
of which bring us closer to something like RBFr in a way that's easier
to prove won't enable free relay, and perusing that seems to me like a
productive outlet if you are interested.

> this is quite an odd case of Core politics

I began writing this reply to force me to examine your claims for
myself.  You have a long history of noticing things other people missed.
I was worried that some compelling point of yours was being ignored as
the result of past controversies.

After several hours of writing and thinking, I don't see any problems
with the current approach using TRUC or with the general lack of
interest in RBFr solutions at this time.  I've tried to explain how I
arrived at my conclusions at each step and I welcome any corrections.

Thanks,

-Dave

[1] https://delvingbitcoin.org/t/second-look-at-weak-blocks/805
[2] 
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-December/022211.html
[3] 
https://bitcoinops.org/en/newsletters/2024/02/07/#proposal-for-replace-by-feerate-to-escape-pinning

---
A simple free relay attack using RBFr

## Constants

100,000 vbytes == ~400,000 bytes
   A 1-input, 1-output P2TR scriptpath spend with the maximum amount
   of witness data allowed by Bitcoin Core defaults

111 vbytes == 162 bytes
   A 1-input, 1-output P2TR keypath spend

## Attack

- Attacker obtains 500,000 UTXOs

- For each UTXO

   - At the dynamic mempool minimum, broadcasts a 100,000 vbyte (400,000
     byte) transacton.

   - Waits for it to propagate.

   - At 1.25x the dynamic mempool minimum, broadcasts a RBFr replacement
     that is 111 vbytes (162 bytes).

## Analysis

- At 162 bytes each, 500,000 transactions is 81 MB.  I think that will
   fit in a default-sized mempool.

- The total amount of transaction data relayed is 500_000 * (400_000 +
   162), or about 200 GB.

- The typical daily bandwidth requirement of a blocks-only node is
   roughly 2.5 MB * 144, or about 0.36 GB per day.  Ideally a relaying
   node is about the same due to compact blocks, but realistically, it's
   a small multiple of that.  Call it 2 GB per day.

   - This implies the attack push each RBFr relay node to use 100x a
     non-RBFr relay node.

- At 111 vbytes each, 500,000 transactions is 55.5 million vbytes.  At
   my nodes current mempoolminfee (1 sat/vb), that's 55.5 million sats,
   or 0.55 BTC (about $37,000 USD).

- This analysis ignores the cost of obtaining the UTXOs and possibly
   later consolidating them, but it also ignores some easy optimizations
   such as batching the replacements.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/c6593662694f9d4a4fe999dd432f87ff%40dtrt.org.

next prev parent reply	other threads:[~2024-07-20  6:45 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-18 15:56 Peter Todd
2024-07-18 23:04 ` [bitcoindev] " Antoine Riard
2024-07-19  1:05   ` Peter Todd
2024-07-19 13:52     ` Antoine Riard
2024-07-19 14:38       ` Peter Todd
2024-07-19 23:58         ` Antoine Riard
2024-07-20  0:46           ` 'Ava Chow' via Bitcoin Development Mailing List
2024-07-21  2:06             ` Antoine Riard
2024-07-21 20:17               ` 'Ava Chow' via Bitcoin Development Mailing List
2024-07-22  1:59                 ` 'Anonymous User' via Bitcoin Development Mailing List
2024-07-24  0:44                   ` Antoine Riard
2024-07-24  0:35                 ` Antoine Riard
2024-07-19 12:41 ` /dev /fd0
2024-07-19 23:56   ` Antoine Riard
2024-07-20  5:57     ` /dev /fd0
2024-07-20 15:08       ` Peter Todd
2024-07-21  2:13         ` Antoine Riard
2024-07-21  6:16         ` /dev /fd0
2024-07-21  2:12       ` Antoine Riard
2024-07-19 18:26 ` [bitcoindev] " Murch
2024-07-20 14:10   ` Peter Todd
2024-07-20  6:41 ` David A. Harding [this message]
2024-07-20 15:03   ` Peter Todd
2024-07-20 15:30     ` Peter Todd
2024-07-21 15:35     ` David A. Harding
2024-07-21 20:25       ` Peter Todd
2024-07-24  0:38       ` Antoine Riard
2024-07-21  2:10   ` Antoine Riard
2024-07-22 15:10     ` Peter Todd
2024-07-24  0:41       ` Antoine Riard
2024-07-22 11:45   ` [bitcoindev] RBFR makes the CPFP carve-out obsolete with cluster mempool, without upgrading LN nodes; TRUC/V3 does not Peter Todd
2024-07-22 16:43     ` David A. Harding
2024-07-22 20:06       ` Peter Todd
2024-07-22 22:08         ` David A. Harding
2024-07-23 11:29           ` Peter Todd
2024-07-24  0:42           ` Antoine Riard
2024-07-22 17:13   ` [bitcoindev] A "Free" Relay Attack Taking Advantage of The Lack of Full-RBF In Core Peter Todd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c6593662694f9d4a4fe999dd432f87ff@dtrt.org \
    --to=dave@dtrt$(echo .)org \
    --cc=bitcoindev@googlegroups.com \
    --cc=pete@petertodd$(echo .)org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox