📅 Original date posted:2015-08-11
📝 Original message:
Hi,
This is probably just stating the obvious. Sometimes that's useful though,
and maybe this is one of those times!
When setting up a new channel with an untrusted counterparty, you will wait
for N confirmations of their anchor transactions. Further, N might be well
known and common amongst a lot of lightning hubs (if it's not, then it will
be hard to know how long setting up a channel will take). What if N is too
small, and I can afford to do a double-spend despite M (M > N)
confirmations as long as it gains me $X?
Then I do the following:
- I open one or more anonymous channels, capable of receiving at least $X
- I start the doublespend fork
- I then simultaneously construct multiple lightning channels, funding
them at $d each.
- I wait for N confirmations so my new channels are active.
- I quickly route multiple payments from my new channels to my anonymous
channels until I can't send anymore
- I publish the doublespending fork, so that my $d*n never got spent
- I close my original anonymous channels gaining $X <= $d*n
The only people worse off are the ones who opened the $d channels after N
confirmations -- any intermediary hubs are fine. Those hubs didn't have to
commit any funds to the new channels for the attack to work; the money they
lose was that in other channels they used to route my payments forwards.
With onion routing, none of the ripped off hubs need know where the money
ended up, so there's not a lot of potential to do iron pipe cryptography to
get your money back.
The only constraints here (I think) are:
- how many channels you can open in M-N blocks
- you have to have >$X funds available in the first place to commit to the
double spend
- how much capacity the lightning network actually has in routable bitcoin
If it costs 1.4*25*M bitcoin to mount a doublespend attack over M blocks
(ie bribing 67% of hashpower for the time it normally takes to do 2*M
blocks), and you can open 2000 channels per block, then that gives
X > 1.4*25*M
n < 2000*(M-N)
X < d*n = d*2000*(M-N)
1.4*25*M < X < d*2000*(M-N)
35/2000 * M < d * (M-N)
35/2000 * (1 + N/(M-N)) < d
Setting N = 12, M = 15 gives:
d = 35/2000 * (1+4) = 7/80
n = 6000
so you're putting up 525 bitcoin by flooding the blockchain with anchor
transactions, sending it to yourself over lightning, then doublespending
the original 525 btc at a cost of spending ~505 btc on hashpower. Expensive
($157k capital to make $6k profit), but still worthwhile (3.8% ROI in ~6
hours is 16% a day, or about 5e25 % annualised...)
Maybe if you make N depend on d you could mitigate this though -- something
like, if you to put "$d" on your side of the channel, you'll have to wait
for 5+(d*2000/25)*2 confirmations. So a $50 channel is d=.2 BTC, which is
~37 confirmations, or about 6 hours. Increasing the blocksize (number of
channels openable per block) or lowering the block reward (decreasing the
cost of a doublespend fork) increases the confirmations required though...
Cheers,
aj
--
Anthony Towns <aj at erisian.com.au>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20150812/d8e1d102/attachment.html>;
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:44:00
in reply to nevent1q…y8us
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:44:00Event JSON
{
"id": "9683d3524551c75d7e8eb9b7c23fee4c8c11333c1b948d5ea0e0318bd1b77d0a",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686314640,
"kind": 1,
"tags": [
[
"e",
"1999e6e5c3a08701e87d0441d41428c5f7ec78e406b229c140e87687eb2b705a",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2015-08-11\n📝 Original message:\nHi,\n\nThis is probably just stating the obvious. Sometimes that's useful though,\nand maybe this is one of those times!\n\nWhen setting up a new channel with an untrusted counterparty, you will wait\nfor N confirmations of their anchor transactions. Further, N might be well\nknown and common amongst a lot of lightning hubs (if it's not, then it will\nbe hard to know how long setting up a channel will take). What if N is too\nsmall, and I can afford to do a double-spend despite M (M \u003e N)\nconfirmations as long as it gains me $X?\n\nThen I do the following:\n\n - I open one or more anonymous channels, capable of receiving at least $X\n - I start the doublespend fork\n - I then simultaneously construct multiple lightning channels, funding\nthem at $d each.\n - I wait for N confirmations so my new channels are active.\n - I quickly route multiple payments from my new channels to my anonymous\nchannels until I can't send anymore\n - I publish the doublespending fork, so that my $d*n never got spent\n - I close my original anonymous channels gaining $X \u003c= $d*n\n\nThe only people worse off are the ones who opened the $d channels after N\nconfirmations -- any intermediary hubs are fine. Those hubs didn't have to\ncommit any funds to the new channels for the attack to work; the money they\nlose was that in other channels they used to route my payments forwards.\n\nWith onion routing, none of the ripped off hubs need know where the money\nended up, so there's not a lot of potential to do iron pipe cryptography to\nget your money back.\n\nThe only constraints here (I think) are:\n\n - how many channels you can open in M-N blocks\n - you have to have \u003e$X funds available in the first place to commit to the\ndouble spend\n - how much capacity the lightning network actually has in routable bitcoin\n\nIf it costs 1.4*25*M bitcoin to mount a doublespend attack over M blocks\n(ie bribing 67% of hashpower for the time it normally takes to do 2*M\nblocks), and you can open 2000 channels per block, then that gives\n\n X \u003e 1.4*25*M\n n \u003c 2000*(M-N)\n\n X \u003c d*n = d*2000*(M-N)\n\n 1.4*25*M \u003c X \u003c d*2000*(M-N)\n 35/2000 * M \u003c d * (M-N)\n 35/2000 * (1 + N/(M-N)) \u003c d\n\nSetting N = 12, M = 15 gives:\n\n d = 35/2000 * (1+4) = 7/80\n n = 6000\n\nso you're putting up 525 bitcoin by flooding the blockchain with anchor\ntransactions, sending it to yourself over lightning, then doublespending\nthe original 525 btc at a cost of spending ~505 btc on hashpower. Expensive\n($157k capital to make $6k profit), but still worthwhile (3.8% ROI in ~6\nhours is 16% a day, or about 5e25 % annualised...)\n\nMaybe if you make N depend on d you could mitigate this though -- something\nlike, if you to put \"$d\" on your side of the channel, you'll have to wait\nfor 5+(d*2000/25)*2 confirmations. So a $50 channel is d=.2 BTC, which is\n~37 confirmations, or about 6 hours. Increasing the blocksize (number of\nchannels openable per block) or lowering the block reward (decreasing the\ncost of a doublespend fork) increases the confirmations required though...\n\nCheers,\naj\n\n-- \nAnthony Towns \u003caj at erisian.com.au\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20150812/d8e1d102/attachment.html\u003e",
"sig": "88cfc4a489091c2265d7826ff647ae9ad281a1001f0dd3d660293af3183ed10661fed10b4898b4dabce93b8e19d325174142c8ba525d3d128881161a33d7de66"
}