Why Nostr? What is Njump?
2023-06-19 17:42:20
in reply to

Bastien TEINTURIER [ARCHIVE] on Nostr: 📅 Original date posted:2023-05-10 🗒️ Summary of this message: A proposal to ...

📅 Original date posted:2023-05-10
🗒️ Summary of this message: A proposal to lock UTXOs after tx_completes have been exchanged to prevent double-spending in 0-conf channels, but it may not work for splicing.
📝 Original message:
Hey Matt, Zman,

> I propose that we DO lock our UTXOs after tx_completes have been
> exchanged IF we are the only contributor. We don't have to worry
> about liquidity griefing in this case, since the peer has no
> tx_signatures to withhold from us.

While this is true for dual funding, this isn't true for splicing, where
we need the remote `tx_signatures` to spend the channel's current
funding output. But it's not an issue, the untrusted peer will send
their `tx_signatures` first (since they're not contributing to the
transaction) and we can `TryLock()` once we receive that.

> Your proposal basically means "do not dual-fund 0-conf".
> You might as well use the much simpler openv1 flow in that case, just
> because it is simpler.

I also thought that this was the easy way out, but I was hoping we could
do better. The issue with that option (using v1 with locks for 0-conf,
and v2 with soft locks for non 0-conf) is that we need to implement that
soft lock mechanism (we cannot simply rely on bitcoin core, which only
supports hard locks) or use separate bitcoin core wallets for 0-conf and
non 0-conf.

But there is probably no free lunch here! And anyway, this post was also
made to raise awareness for implementers to make sure they don't end up
accidentally double-spending 0-conf channels when implementing dual
funding.

Thanks,
Bastien

Le mer. 10 mai 2023 à 02:07, ZmnSCPxj <ZmnSCPxj at protonmail.com> a écrit :

> Good morning Matt, and t-bast,
>
> Your proposal basically means "do not dual-fund 0-conf".
> You might as well use the much simpler openv1 flow in that case, just
> because it is simpler.
>
> Regards,
> ZmnSCPxj
>
>
>
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Tuesday, May 9th, 2023 at 5:38 PM, Matt Morehouse <
> mattmorehouse at gmail.com> wrote:
>
>
> > Hi Bastien,
> >
> > In general, 0-conf is only safe when WE are the only contributor to
> > the channel, otherwise the peer could double spend us.
> >
> > The problem you seem to be describing is that we might double-spend
> > ourselves if we don't lock our 0-conf UTXOs at some point. I propose
> > that we DO lock our UTXOs after tx_completes have been exchanged IF we
> > are the only contributor. We don't have to worry about liquidity
> > griefing in this case, since the peer has no tx_signatures to withhold
> > from us. Of course, the opportunistic upgrade of a regular channel to
> > 0-conf won't work -- we need a way to differentiate 0-conf channels
> > prior to UTXO selection, so that we don't reuse soft-locked UTXOs.
> >
> > All together, what I propose is:
> >
> > 1) If the channel type has option_zeroconf, select UTXOs that are not
> > soft locked.
> > 2) If the peer adds any inputs to the funding transaction, abort
> > (0-conf is unsafe for us in this case).
> > 3) After tx_complete exchange, TryLock() our UTXO inputs and abort if
> > already locked.
> > 4) Broadcast funding transaction and begin using the 0-conf channel.
> >
> > I think this at least enables the common use case for 0-conf: LSPs can
> > use their own funds to open 0-conf channels for clients.
> >
> > - Matt
> >
> >
> >
> >
> > On Sat, May 6, 2023 at 3:16 AM Bastien TEINTURIER bastien at acinq.fr
> wrote:
> >
> > > Good morning list,
> > >
> > > One of the challenges created by the introduction of dual funded
> > > transactions [1] in lightning is how to protect against liquidity
> > > griefing attacks from malicious peers [2].
> > >
> > > Let's start by reviewing this liquidity griefing issue. The dual
> funding
> > > protocol starts by exchanging data about the utxos each peer adds to
> the
> > > shared transaction, then exchange signatures and broadcast the
> resulting
> > > transaction. If peers lock their utxos as soon as they've decided to
> add
> > > them to the shared transaction, the remote node may go silent. If that
> > > happens, the honest node has some liquidity that is locked and
> unusable.
> > >
> > > This cannot easily be fixed by simply unlocking utxos after detecting
> > > that the remote node is fishy, because the remote node would still have
> > > succeeded at locking your liquidity for a (small) duration, and could
> > > start other instances of that attack with different node_ids.
> > >
> > > An elegant solution to this issue is to never lock utxos used in dual
> > > funded transactions. If a remote node goes silent in the middle of an
> > > instance of the protocol, your utxos will automatically be re-used in
> > > another instance of the protocol. The only drawback with that approach
> > > is that when you have multiple concurrent instances of dual funding
> with
> > > honest peers, some of them may fail because they are double-spent by
> one
> > > of the concurrent instances. This is acceptable, since the protocol
> > > should complete fairly quickly when peers are honest, and at worst, it
> > > can simply be restarted when failure is detected.
> > >
> > > But that solution falls short when using 0-conf, because accidentally
> > > double-spending a 0-conf channel (because of concurrent instances) can
> > > result in loss of funds for one of the peers (if payments were made on
> > > that channel before detecting the double-spend). It seems like using
> > > 0-conf forces us to lock utxos to avoid this issue, which means that
> > > nodes offering 0-conf services expose themselves to liquidity griefing.
> > >
> > > Another related issue is that nodes that want to offer 0-conf channels
> > > must ensure that the utxos they use for 0-conf are isolated from the
> > > utxos they use for non 0-conf, otherwise it is not possible to properly
> > > lock utxos, because of the following race scenario:
> > >
> > > - utxoA is selected for a non 0-conf funding attempt and not locked
> > > (to protect against liquidity griefing)
> > > - utxoA is also selected for a 0-conf funding attempt (because it is
> > > found unlocked in the wallet) and then locked
> > > - the funding transaction for the 0-conf channel is successfully
> > > published first and that channel is instantly used for payments
> > > - the funding transaction for the non 0-conf channel is then published
> > > and confirms, accidentally double-spending the 0-conf channel
> > >
> > > This can be fixed by using a "soft lock" when selecting utxos for a non
> > > 0-conf funding attempt. 0-conf funding attempts must ignore soft locked
> > > utxos while non 0-conf funding attempts can (should) reuse soft locked
> > > utxos.
> > >
> > > In eclair, we are currently doing "opportunistic" 0-conf:
> > >
> > > - if we receive `channel_ready` immediately (which means that our peer
> > > trusts us to use 0-conf)
> > > - and we're the only contributor to the funding transaction (our peer
> > > doesn't have any input that they could use to double-spend)
> > > - and the transaction hasn't been RBF-ed yet
> > >
> > > Then we immediately send `channel_ready` as well and start using that
> > > channel (because we know we won't double spend ourselves). This is nice
> > > because it lets us use 0-conf in a way where only one side of the
> > > channel needs to trust the other side (instead of both sides trusting
> > > each other).
> > >
> > > Unfortunately, we cannot do that anymore when mixing 0-conf and non
> > > 0-conf funding attempts, because the utxos may be soft locked,
> > > preventing us from "upgrading" to 0-conf.
> > >
> > > You have successfully reached the end of this quite technical post,
> > > congrats! My goal with this post is to gather ideas on how we could
> > > improve that situation and offer good enough protections against
> > > liquidity griefing for nodes offering 0-conf services. Please share
> > > your ideas! And yes, I know, 0-conf is a massive implementation pain
> > > point that we would all like to remove from our codebases, but hey,
> > > users like it ¯\(ツ)/¯
> > >
> > > Cheers,
> > > Bastien
> > >
> > > [1] https://github.com/lightning/bolts/pull/851
> > > [2] https://github.com/lightning/bolts/pull/851#discussion_r997537630
> > > _______________________________________________
> > > Lightning-dev mailing list
> > > Lightning-dev at lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
> >
> > _______________________________________________
> > Lightning-dev mailing list
> > Lightning-dev at lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230510/1e7a1a83/attachment.html>;
Author Public Key
npub17fjkngg0s0mfx4uhhz6n4puhflwvrhn2h5c78vdr5xda4mvqx89swntr0s