đź“… Original date posted:2020-04-22
đź“ť Original message:
Hmm, that's an interesting suggestion, it definitely raises the bar for attack execution rather significantly. Because lightning (and other second-layer systems) already relies heavily on uncensored access to blockchain data, its reasonable to extend the "if you don't have enough blocks, aggressively query various sources to find new blocks, or, really just do it always" solution to "also send relevant transactions while we're at it".
Sadly, unlike for block data, there is no consensus mechanism for nodes to ensure the transactions in their mempools are the same as others. Thus, if you focus on sending the pinning transaction to miner nodes directly (which isn't trivial, but also not nearly as hard as it sounds), you could still pull off the attack. However, to do it now, you'd need to
wait for your counterparty to broadcast the corresponding timeout transaction (once it is confirmable, and can thus get into mempools), turning the whole thing into a mempool-acceptance race. Luckily there isn’t much cost to *trying*, though it’s less likely you’ll succeed.
There are also practical design issues - if you’re claiming multiple HTLC output in a single transaction the node would need to provide reject messages for each input which is conflicted, something which we’d need to think hard about the DoS implications of.
In any case, while it’s definitely better than nothing, it’s unclear if it’s really the kind of thing I’d want to rely on for my own funds.
Matt
> On 4/22/20 2:24 PM, David A. Harding wrote:
>> On Mon, Apr 20, 2020 at 10:43:14PM -0400, Matt Corallo via Lightning-dev wrote:
>> A lightning counterparty (C, who received the HTLC from B, who
>> received it from A) today could, if B broadcasts the commitment
>> transaction, spend an HTLC using the preimage with a low-fee,
>> RBF-disabled transaction. After a few blocks, A could claim the HTLC
>> from B via the timeout mechanism, and then after a few days, C could
>> get the HTLC-claiming transaction mined via some out-of-band agreement
>> with a small miner. This leaves B short the HTLC value.
>
> IIUC, the main problem is honest Bob will broadcast a transaction
> without realizing it conflicts with a pinned transaction that's already
> in most node's mempools. If Bob knew about the pinned transaction and
> could get a copy of it, he'd be fine.
>
> In that case, would it be worth re-implementing something like a BIP61
> reject message but with an extension that returns the txids of any
> conflicts? For example, when Bob connects to a bunch of Bitcoin nodes
> and sends his conflicting transaction, the nodes would reply with
> something like "rejected: code 123: conflicts with txid 0123...cdef".
> Bob could then reply with a a getdata('tx', '0123...cdef') to get the
> pinned transaction, parse out its preimage, and resolve the HTLC.
>
> This approach isn't perfect (if it even makes sense at all---I could be
> misunderstanding the problem) because one of the problems that caused
> BIP61 to be disabled in Bitcoin Core was its unreliability, but I think
> if Bob had at least one honest peer that had the pinned transaction in
> its mempool and which implemented reject-with-conflicting-txid, Bob
> might be ok.
>
> -Dave
Matt Corallo [ARCHIVE] /
npub1e4…jxmcu
2023-06-09 12:59:39
in reply to nevent1q…p7dx
Author Public Key
npub1e46n428mcyfwznl7nlsf6d3s7rhlwm9x3cmkuqzt3emmdpadmkaqqjxmcuPublished at
2023-06-09 12:59:39Event JSON
{
"id": "b5fb3b3688fa554a581745c09029e50428ebee8f1c29b6105e2892d188d4860b",
"pubkey": "cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba",
"created_at": 1686315579,
"kind": 1,
"tags": [
[
"e",
"f6dc2fa7f1427cf5499629a680568aff2ec65976aee4433534619390a65b0b47",
"",
"root"
],
[
"e",
"4ed6fc3299e932c30b019cca67d3962f088bf1137a40dca55f7e11f7d9497a95",
"",
"reply"
],
[
"p",
"d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2"
]
],
"content": "📅 Original date posted:2020-04-22\n📝 Original message:\nHmm, that's an interesting suggestion, it definitely raises the bar for attack execution rather significantly. Because lightning (and other second-layer systems) already relies heavily on uncensored access to blockchain data, its reasonable to extend the \"if you don't have enough blocks, aggressively query various sources to find new blocks, or, really just do it always\" solution to \"also send relevant transactions while we're at it\".\n\nSadly, unlike for block data, there is no consensus mechanism for nodes to ensure the transactions in their mempools are the same as others. Thus, if you focus on sending the pinning transaction to miner nodes directly (which isn't trivial, but also not nearly as hard as it sounds), you could still pull off the attack. However, to do it now, you'd need to\nwait for your counterparty to broadcast the corresponding timeout transaction (once it is confirmable, and can thus get into mempools), turning the whole thing into a mempool-acceptance race. Luckily there isn’t much cost to *trying*, though it’s less likely you’ll succeed.\n\nThere are also practical design issues - if you’re claiming multiple HTLC output in a single transaction the node would need to provide reject messages for each input which is conflicted, something which we’d need to think hard about the DoS implications of.\n\nIn any case, while it’s definitely better than nothing, it’s unclear if it’s really the kind of thing I’d want to rely on for my own funds.\n\nMatt\n\n\n\u003e On 4/22/20 2:24 PM, David A. Harding wrote:\n\u003e\u003e On Mon, Apr 20, 2020 at 10:43:14PM -0400, Matt Corallo via Lightning-dev wrote:\n\u003e\u003e A lightning counterparty (C, who received the HTLC from B, who\n\u003e\u003e received it from A) today could, if B broadcasts the commitment\n\u003e\u003e transaction, spend an HTLC using the preimage with a low-fee,\n\u003e\u003e RBF-disabled transaction. After a few blocks, A could claim the HTLC\n\u003e\u003e from B via the timeout mechanism, and then after a few days, C could\n\u003e\u003e get the HTLC-claiming transaction mined via some out-of-band agreement\n\u003e\u003e with a small miner. This leaves B short the HTLC value.\n\u003e \n\u003e IIUC, the main problem is honest Bob will broadcast a transaction\n\u003e without realizing it conflicts with a pinned transaction that's already\n\u003e in most node's mempools. If Bob knew about the pinned transaction and\n\u003e could get a copy of it, he'd be fine.\n\u003e \n\u003e In that case, would it be worth re-implementing something like a BIP61\n\u003e reject message but with an extension that returns the txids of any\n\u003e conflicts? For example, when Bob connects to a bunch of Bitcoin nodes\n\u003e and sends his conflicting transaction, the nodes would reply with\n\u003e something like \"rejected: code 123: conflicts with txid 0123...cdef\".\n\u003e Bob could then reply with a a getdata('tx', '0123...cdef') to get the\n\u003e pinned transaction, parse out its preimage, and resolve the HTLC.\n\u003e \n\u003e This approach isn't perfect (if it even makes sense at all---I could be\n\u003e misunderstanding the problem) because one of the problems that caused\n\u003e BIP61 to be disabled in Bitcoin Core was its unreliability, but I think\n\u003e if Bob had at least one honest peer that had the pinned transaction in\n\u003e its mempool and which implemented reject-with-conflicting-txid, Bob\n\u003e might be ok.\n\u003e \n\u003e -Dave",
"sig": "0a37510cc33a2c8cf634ce871585ed4a8af256b0f24f2bb301f5eaec45ac3a2e109b547989a7fc0add000cc7a6d9853aacacf4551a7154d58c14cdbaba5721da"
}