From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: "David A. Harding" <dave@dtrt•org>
Cc: Matan Yehieli <matany@campus•technion.ac.il>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
Itay Tsabary <sitay@campus•technion.ac.il>
Subject: Re: [bitcoin-dev] MAD-HTLC
Date: Sat, 04 Jul 2020 21:05:34 +0000 [thread overview]
Message-ID: <iywK1t3ddjnrn5h4bhLTHNJdKJpCjn9PmuI4eueLw_QOEgEovahDvdbm4gd74roj5eq5KT6b2oXRCNdi8omn0E4pTaRL_wxpOxvifY2l5wE=@protonmail.com> (raw)
In-Reply-To: <20200628164132.mmpimgcrxpai2gnb@ganymede>
Good morning Dave,
> > > - Inputs:
> > > - Bob 1 BTC - HTLC amount
> > > - Bob 1 BTC - Bob fidelity bond
> > > - Cases:
> > > - Alice reveals hashlock at any time:
> > > - 1 BTC goes to Alice
> > > - 1 BTC goes to Bob (fidelity bond refund)
> > > - Bob reveals bob-hashlock after time L:
> > > - 2 BTC goes to Bob (HTLC refund + fidelity bond refund)
> > > - Bob cheated, anybody reveals both hashlock and bob-hashlock:
> > > - 2 BTC goes to miner
> > >
> > > [...]
> >
> > The cases you present are exactly how MAD-HTLC works. It comprises two
> > contracts (UTXOs):
> >
> > - Deposit (holding the intended HTLC tokens), with three redeem paths:
> > - Alice (signature), with preimage "A", no timeout
> > - Bob (signature), with preimage "B", timeout T
> > - Any entity (miner), with both preimages "A" and "B", no timeout
> > - Collateral (the fidelity bond, doesn't have to be of the same amount)
> > - Bob (signature), no preimage, timeout T
> > - Any entity (miner), with both preimages "A" and "B", timeout T
>
> I'm not these are safe if your counterparty is a miner. Imagine Bob
> offers Alice a MAD-HTLC. Alice knows the payment preimage ("preimage
> A"). Bob knows the bond preimage ("preimage B") and he's the one making
> the payment and offering the bond.
>
> After receiving the HTLC, Alice takes no action on it, so the timelock
> expires. Bob publicly broadcasts the refund transaction with the bond
> preimage. Unbeknownst to Bob, Alice is actually a miner and she uses her
> pre-existing knowledge of the payment preimage plus her received
> knowledge of the bond preimage to privately attempt mining a transaction
> that pays her both the payment ("deposit") and the bond ("collateral").
>
> Assuming Alice is a non-majority miner, she isn't guaranteed to
> succeed---her chance of success depends on her percentage of the network
> hashrate and how much fee Bob paid to incentivize other miners to
> confirm his refund transaction quickly. However, as long as Alice has a
> non-trivial amount of hashrate, she will succeed some percentage of the
> time in executing this type of attack. Any of her theft attempts that
> fail will leave no public trace, perhaps lulling users into a false
> sense of security.
This note seems to have gotten missed in discussion.
Another note is that from what I can tell, the preimages "A" and "B" can be provided by any miner.
If the fund value plus the collateral is large enough, it may incentivize competing miners to reorg the chain, redirecting the funds of the MAD-HTLC to themselves, rather than advance the blockchain state, at least until alternative transctions bump their fees up enough that the collateral + fund is matched.
This may not apply to Lightning at least if you do not go beyond the Wumbo limit, but *could* apply to e.g. SwapMarket, if it uses MAD-HTLCs.
Regards,
ZmnSCPxj
next prev parent reply other threads:[~2020-07-04 21:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CABT1wW=X35HRVGuP-BHUhDrkBEw27+-iDkNnHWjRU-1mRkn0JQ@mail.gmail.com>
2020-06-23 6:41 ` Stanga
2020-06-23 9:48 ` ZmnSCPxj
2020-06-23 12:47 ` Stanga
2020-06-23 13:18 ` Stanga
2020-06-25 1:38 ` ZmnSCPxj
2020-06-25 3:26 ` Nadav Ivgi
2020-06-25 4:04 ` ZmnSCPxj
2020-06-25 4:35 ` Nadav Ivgi
2020-06-25 13:12 ` Bastien TEINTURIER
2020-06-28 16:41 ` David A. Harding
2020-07-04 21:05 ` ZmnSCPxj [this message]
2020-06-28 12:15 ` David A. Harding
2020-06-29 11:57 ` Tejaswi Nadahalli
2020-06-29 18:05 ` ZmnSCPxj
2020-06-30 6:28 ` Stanga
2020-06-30 6:45 ` Tejaswi Nadahalli
2020-07-01 16:58 ` ZmnSCPxj
2020-07-02 12:22 ` Tejaswi Nadahalli
2020-07-02 16:06 ` ZmnSCPxj
2020-07-03 9:43 ` Tejaswi Nadahalli
2020-07-03 10:16 ` ZmnSCPxj
2020-07-03 10:44 ` Tejaswi Nadahalli
[not found] ` <CAF-fr9Z7Xo8JmwtuQ7LE3k1=er+p7s9zPjH_8MNPwbxAfT1z7Q@mail.gmail.com>
2020-07-03 12:38 ` ZmnSCPxj
[not found] ` <CAF-fr9YhiOFD4n8rGF-MBkWeZmzBWfOJz+p8ggfLuDpioVRvyQ@mail.gmail.com>
2020-07-04 20:58 ` ZmnSCPxj
2020-07-05 9:03 ` Stanga
2020-07-06 11:13 ` Tejaswi Nadahalli
2020-07-02 12:39 ` Tejaswi Nadahalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='iywK1t3ddjnrn5h4bhLTHNJdKJpCjn9PmuI4eueLw_QOEgEovahDvdbm4gd74roj5eq5KT6b2oXRCNdi8omn0E4pTaRL_wxpOxvifY2l5wE=@protonmail.com' \
--to=zmnscpxj@protonmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=dave@dtrt$(echo .)org \
--cc=matany@campus$(echo .)technion.ac.il \
--cc=sitay@campus$(echo .)technion.ac.il \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox