📅 Original date posted:2016-02-08
📝 Original message:
CJP <cjp at ultimatestunts.nl> writes:
>> See:
>>
>> https://github.com/ElementsProject/lightning/blob/master/doc/deployable-lightning.pdf
>
> Sorry for replying to a very old e-mail, but I've finally had a really
> close look at this, and the way I see it, there could be a potential
> problem.
>
> Suppose Eve (E) has two channels with Alice (A). She intends to steal
> funds from Alice. This is what she does:
>
> She performs a payment to herself, routed through Alice with the two
> channels. When the funds are locked in the two channels, she is supposed
> to reveal the transaction R value as a payee, but she doesn't. So, the
> transaction times out on both channels, leading to a channel update on
> both: the HTLCs are removed, reverting back to the original situation.
>
> The following actions primarily take place on the channel where Eve was
> on the RECEIVING side of the transaction. First, Eve spends all her
> coins on that channel, e.g. by sending them to herself on the other
> channel. This way, she doesn't risk losing them.
>
> Next, on the channel where Eve was on the RECEIVING side of the
> transaction, Eve signs and broadcasts the version of the commit
> transaction that contained the HTLC. Of course, since revocation
> pre-images have been exchanged, Alice can immediately spend the HTLC,
> using either the HTLC-TIMEOUT & SIG-PAYER clause or the REVOCATION-E &
> SIG A clause. However, this is not guaranteed to work: Eve has the
> transaction R value, so Eve can *also* try to spend it, using the
> R-VALUE & SIG-PAYEE clause. In fact, since Eve knows sooner about the
> commit transaction than Alice, Eve is more likely to be the first to
> spend the HTLC, especially when Alice is offline for a moment (Eve can
> know that).
For this reason, the rule is that all outputs to A in A's commit
transaction must be delayed (via OP_CSV). This includes HTLC outputs.
Referring to Appendix A of the paper, under "HTLC Receiver Redeemscript"
(since Alice offers Eve the HTLC, Eve is B):
HTLC Receiver Redeemscript
OP_HASH160 OP_DUP Replace top element with two copies of its hash
<R-HASH> OP_EQUAL B redeeming the contract, using R preimage?
OP_IF
<DELAY> OP_CHECKSEQUENCEVERIFY Delay gives A enough
time to use revocation if it has it.
OP_2DROP Drop extra hash and delay from the stack
<KEY-B> Pay to B
OP_ELSE
<COMMIT-REVOCATION-HASH> OP_EQUAL If the commit
has been revoked.
OP_NOTIF If not, you need to wait for timeout.
<HTLC-TIMEOUT> OP_CHECKLOCKTIMEVERIFY OP_DROP
Ensure (absolute) time has passed.
OP_ENDIF
<KEY-A> Pay to A
OP_ENDIF
OP_CHECKSIG Verify A or B's signature is correct.
Here you can see the CSV delay on the "using R preimage" path.
I have a subtler suggestion, though: perhaps we should OP_CSV delay all
the non-revocation paths in HTLCs and in the straight payment outputs.
Otherwise, if you want to do a unilateral close, there's some game
theory as you'd rather convince the other side to do it so your own
funds aren't locked up. Delaying all non-revocation paths makes it an
arbitrary choice.
I know Joseph will have some thoughts about that :)
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:45:43
in reply to nevent1q…gkxs
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:45:43Event JSON
{
"id": "3793efe31180370066a07fd3819533dfc6b42145fdb594beafd4e7d352c77a44",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314743,
"kind": 1,
"tags": [
[
"e",
"e609322adc5b84dc120717551ac8a2dd6bcabfc3f848155987a060fa1e2e4ea0",
"",
"root"
],
[
"e",
"f4d0166c7b4867252ba83139018fb741aed33a957f09b25dbb1d2dea6c3e750b",
"",
"reply"
],
[
"p",
"880fa8c3080c3bd98e574cfcd6d6f53fd13e0516c40ea3f46295438b0c07bdf5"
]
],
"content": "📅 Original date posted:2016-02-08\n📝 Original message:\nCJP \u003ccjp at ultimatestunts.nl\u003e writes:\n\u003e\u003e See:\n\u003e\u003e \n\u003e\u003e https://github.com/ElementsProject/lightning/blob/master/doc/deployable-lightning.pdf\n\u003e\n\u003e Sorry for replying to a very old e-mail, but I've finally had a really\n\u003e close look at this, and the way I see it, there could be a potential\n\u003e problem.\n\u003e\n\u003e Suppose Eve (E) has two channels with Alice (A). She intends to steal\n\u003e funds from Alice. This is what she does:\n\u003e\n\u003e She performs a payment to herself, routed through Alice with the two\n\u003e channels. When the funds are locked in the two channels, she is supposed\n\u003e to reveal the transaction R value as a payee, but she doesn't. So, the\n\u003e transaction times out on both channels, leading to a channel update on\n\u003e both: the HTLCs are removed, reverting back to the original situation. \n\u003e\n\u003e The following actions primarily take place on the channel where Eve was\n\u003e on the RECEIVING side of the transaction. First, Eve spends all her\n\u003e coins on that channel, e.g. by sending them to herself on the other\n\u003e channel. This way, she doesn't risk losing them.\n\u003e\n\u003e Next, on the channel where Eve was on the RECEIVING side of the\n\u003e transaction, Eve signs and broadcasts the version of the commit\n\u003e transaction that contained the HTLC. Of course, since revocation\n\u003e pre-images have been exchanged, Alice can immediately spend the HTLC,\n\u003e using either the HTLC-TIMEOUT \u0026 SIG-PAYER clause or the REVOCATION-E \u0026\n\u003e SIG A clause. However, this is not guaranteed to work: Eve has the\n\u003e transaction R value, so Eve can *also* try to spend it, using the\n\u003e R-VALUE \u0026 SIG-PAYEE clause. In fact, since Eve knows sooner about the\n\u003e commit transaction than Alice, Eve is more likely to be the first to\n\u003e spend the HTLC, especially when Alice is offline for a moment (Eve can\n\u003e know that).\n\nFor this reason, the rule is that all outputs to A in A's commit\ntransaction must be delayed (via OP_CSV). This includes HTLC outputs.\n\nReferring to Appendix A of the paper, under \"HTLC Receiver Redeemscript\"\n(since Alice offers Eve the HTLC, Eve is B):\n\nHTLC Receiver Redeemscript\n OP_HASH160 OP_DUP Replace top element with two copies of its hash\n \u003cR-HASH\u003e OP_EQUAL B redeeming the contract, using R preimage?\n OP_IF\n \u003cDELAY\u003e OP_CHECKSEQUENCEVERIFY Delay gives A enough\n time to use revocation if it has it.\n OP_2DROP Drop extra hash and delay from the stack\n \u003cKEY-B\u003e Pay to B\n OP_ELSE\n \u003cCOMMIT-REVOCATION-HASH\u003e OP_EQUAL If the commit\n has been revoked.\n OP_NOTIF If not, you need to wait for timeout.\n \u003cHTLC-TIMEOUT\u003e OP_CHECKLOCKTIMEVERIFY OP_DROP\n Ensure (absolute) time has passed.\n OP_ENDIF\n \u003cKEY-A\u003e Pay to A\n OP_ENDIF\n OP_CHECKSIG Verify A or B's signature is correct.\n\nHere you can see the CSV delay on the \"using R preimage\" path.\n\nI have a subtler suggestion, though: perhaps we should OP_CSV delay all\nthe non-revocation paths in HTLCs and in the straight payment outputs.\nOtherwise, if you want to do a unilateral close, there's some game\ntheory as you'd rather convince the other side to do it so your own\nfunds aren't locked up. Delaying all non-revocation paths makes it an\narbitrary choice.\n\nI know Joseph will have some thoughts about that :)\n\nCheers,\nRusty.",
"sig": "5baceb1b9abf1736684f2c46034f0354c01bba9daec3f7d590459446c12a214c6c21e3732cc26dad46ba8b05b5eb4abc97db299404c29d5fc1d5d4646a288400"
}