Rusty Russell [ARCHIVE] on Nostr: 📅 Original date posted:2020-02-28 📝 Original message: Anthony Towns <aj at ...
📅 Original date posted:2020-02-28
📝 Original message:
Anthony Towns <aj at erisian.com.au> writes:
> Aside from those philosophical complaints, seems to me the simplest
> attack would be:
>
> * route 1000s of HTLCs from your node A1 to your node A2 via different,
> long paths, using up the total channel capacity of your A1/A2 nodes,
> with long timeouts
> * have A2 offer up a transaction claiming that was the channel
> close to A3; make it a real thing if necessary, but it's probably
> fake-able
> * then leave the HTLCs open until they time out, using up capacity
> from all the nodes in your 1000s of routes. For every satoshi of
> yours that's tied up, you should be able to tie up 10-20sat of other
> people's funds
>
> That increases the cost of the attack by one on-chain transaction per
> timeout period, and limits the attack surface by how many transactions
> you can get started/completed within whatever the grace period is, but
> it doesn't seem a lot better than what we have today, unless onchain
> fees go up a lot.
Interestingly, I think your "reverse commitment signing" proposal would
mean the close tx will have the HTLC within it, so this attack is not
possible? (Modulo handling dust HTLCs, which won't show up in the
commitment tx).
Previously I suggested the node simply send a (signed) list of up to N
additional HTLCs (this reduces batching to N, so make it at least 16).
This is gossiped, and if you get conflicting versions, the channel break
is considered invalid, so (as always) the previous channel has to break.
>> > A->B: here's a HTLC, locked in
>> > B->C: HTLC proposal
>> > C->B: sure: updated commitment with HTLC locked in
>> > B->C: great, corresponding updated commitment, plus revocation
>> > C->B: revocation
>> Interesting; this adds a trip, but not in latency (since C can still
>> count on the HTLC being locked in at step 3).
>> I don't see how it helps B though? It still ends up paying A, and C
>> doesn't pay anything?
>
> The updated commitment has C paying B onchain; if B doesn't receive that
> by the time the grace period's about over, B can cancel the HTLC with A,
> and then there's statemachine complexity for B to cancel it with C if
> C comes alive again a little later.
I thought C paid per unit time, so it wouldn't pay up-front? You're
suggesting it pays the max in the commitment, and then it gets some back
in the normal case of things going right?
>> It forces a liveness check of C, but TBH I dread rewriting the state
>> machine for this when we can just ping like we do now.
>
> I'd be surprised if making musig work doesn't require a dread rewrite
> of the state machine as well, and then there's PTLCs and eltoo...
Hmm, PTLCs and eltoo don't. Musig requires some mods to the protocol,
but the state machine changes are trivial.
>> >> There's an old proposal to fast-fail HTLCs: Bob sends an new message "I
>> >> would fail this HTLC once it's committed, here's the error"
>> > Yeah, you could do "B->C: proposal, C->B: no way!" instead of "sure" to
>> > fast fail the above too.
>> > And I think something like that's necessary (at least with my view of how
>> > this "keep the HTLC open" payment would work), otherwise B could send C a
>> > "1 microsecond grace period, rate of 3e11 msat/minute, HTLC for 100 sat,
>> > timeout of 2016 blocks" and if C couldn't reject it immediately would
>> > owe B 50c per millisecond it took to cancel.
>> Well, surely grace period (and penalty rate) are either fixed in the
>> protocol or negotiated up-front, not per-HTLC.
>
> I think the "keep open rate" should depend on how many nodes have
> already been in the route (the more hops it's gone through, the more
> funds/channels you're tying up by holding onto the HTLC, so the more
> you should pay), while the grace period should depend on how many nodes
> there are still to go in the route (it needs to be higher to let each of
> those nodes deduct their delta from it). So I think you *should* expect
> those to change per HTLC than you're forwarding, as those factors will
> be different for different HTLCs.
In theory, but I could lie about both, and it's very undesirable to
communicate these things anyway. I think it might make it worse, not
better, than having a fixed (per-msat?) rate.
Cheers,
Rusty.
Published at
2023-06-09 12:58:59Event JSON
{
"id": "32a7c33d9371bd550e4f1e638e9ee6d3272e84b6b9c5693a78a66aec631c1a86",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315539,
"kind": 1,
"tags": [
[
"e",
"45cf63b0d2d71c68e5ad79035b26c58f0d0a7f08c912c1e3fb49d13bc9edb573",
"",
"root"
],
[
"e",
"b739c7a63ff2b1468ca239e183c390d4f1cbd7c771dbc179387a5d26aa4cd52b",
"",
"reply"
],
[
"p",
"f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab"
]
],
"content": "📅 Original date posted:2020-02-28\n📝 Original message:\nAnthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e Aside from those philosophical complaints, seems to me the simplest\n\u003e attack would be:\n\u003e\n\u003e * route 1000s of HTLCs from your node A1 to your node A2 via different,\n\u003e long paths, using up the total channel capacity of your A1/A2 nodes,\n\u003e with long timeouts\n\u003e * have A2 offer up a transaction claiming that was the channel\n\u003e close to A3; make it a real thing if necessary, but it's probably\n\u003e fake-able\n\u003e * then leave the HTLCs open until they time out, using up capacity\n\u003e from all the nodes in your 1000s of routes. For every satoshi of\n\u003e yours that's tied up, you should be able to tie up 10-20sat of other\n\u003e people's funds\n\u003e\n\u003e That increases the cost of the attack by one on-chain transaction per\n\u003e timeout period, and limits the attack surface by how many transactions\n\u003e you can get started/completed within whatever the grace period is, but\n\u003e it doesn't seem a lot better than what we have today, unless onchain\n\u003e fees go up a lot.\n\nInterestingly, I think your \"reverse commitment signing\" proposal would\nmean the close tx will have the HTLC within it, so this attack is not\npossible? (Modulo handling dust HTLCs, which won't show up in the\ncommitment tx).\n\nPreviously I suggested the node simply send a (signed) list of up to N\nadditional HTLCs (this reduces batching to N, so make it at least 16).\nThis is gossiped, and if you get conflicting versions, the channel break\nis considered invalid, so (as always) the previous channel has to break.\n\n\u003e\u003e \u003e A-\u003eB: here's a HTLC, locked in\n\u003e\u003e \u003e B-\u003eC: HTLC proposal\n\u003e\u003e \u003e C-\u003eB: sure: updated commitment with HTLC locked in\n\u003e\u003e \u003e B-\u003eC: great, corresponding updated commitment, plus revocation\n\u003e\u003e \u003e C-\u003eB: revocation\n\u003e\u003e Interesting; this adds a trip, but not in latency (since C can still\n\u003e\u003e count on the HTLC being locked in at step 3).\n\u003e\u003e I don't see how it helps B though? It still ends up paying A, and C\n\u003e\u003e doesn't pay anything?\n\u003e\n\u003e The updated commitment has C paying B onchain; if B doesn't receive that\n\u003e by the time the grace period's about over, B can cancel the HTLC with A,\n\u003e and then there's statemachine complexity for B to cancel it with C if\n\u003e C comes alive again a little later.\n\nI thought C paid per unit time, so it wouldn't pay up-front? You're\nsuggesting it pays the max in the commitment, and then it gets some back\nin the normal case of things going right?\n\n\u003e\u003e It forces a liveness check of C, but TBH I dread rewriting the state\n\u003e\u003e machine for this when we can just ping like we do now.\n\u003e\n\u003e I'd be surprised if making musig work doesn't require a dread rewrite\n\u003e of the state machine as well, and then there's PTLCs and eltoo...\n\nHmm, PTLCs and eltoo don't. Musig requires some mods to the protocol,\nbut the state machine changes are trivial.\n\n\u003e\u003e \u003e\u003e There's an old proposal to fast-fail HTLCs: Bob sends an new message \"I\n\u003e\u003e \u003e\u003e would fail this HTLC once it's committed, here's the error\" \n\u003e\u003e \u003e Yeah, you could do \"B-\u003eC: proposal, C-\u003eB: no way!\" instead of \"sure\" to\n\u003e\u003e \u003e fast fail the above too. \n\u003e\u003e \u003e And I think something like that's necessary (at least with my view of how\n\u003e\u003e \u003e this \"keep the HTLC open\" payment would work), otherwise B could send C a\n\u003e\u003e \u003e \"1 microsecond grace period, rate of 3e11 msat/minute, HTLC for 100 sat,\n\u003e\u003e \u003e timeout of 2016 blocks\" and if C couldn't reject it immediately would\n\u003e\u003e \u003e owe B 50c per millisecond it took to cancel.\n\u003e\u003e Well, surely grace period (and penalty rate) are either fixed in the\n\u003e\u003e protocol or negotiated up-front, not per-HTLC.\n\u003e\n\u003e I think the \"keep open rate\" should depend on how many nodes have\n\u003e already been in the route (the more hops it's gone through, the more\n\u003e funds/channels you're tying up by holding onto the HTLC, so the more\n\u003e you should pay), while the grace period should depend on how many nodes\n\u003e there are still to go in the route (it needs to be higher to let each of\n\u003e those nodes deduct their delta from it). So I think you *should* expect\n\u003e those to change per HTLC than you're forwarding, as those factors will\n\u003e be different for different HTLCs.\n\nIn theory, but I could lie about both, and it's very undesirable to\ncommunicate these things anyway. I think it might make it worse, not\nbetter, than having a fixed (per-msat?) rate.\n\nCheers,\nRusty.",
"sig": "337d397819773830519ebbc6ac79c8bc132a31b12a9c337c8eef9fa693ad59b98148fb973e6e60f9a6c8c611d4dd6b33298841d87c333ca931594c2e3a225b00"
}