📅 Original date posted:2015-12-18
📝 Original message:On Fri, Dec 18, 2015 at 10:47:14AM +0800, Jonathan Toomim via bitcoin-dev wrote:
> On Dec 18, 2015, at 10:30 AM, Pieter Wuille via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > 1) The risk of an old full node wallet accepting a transaction that is
> > invalid to the new rules.
> > The receiver wallet chooses what address/script to accept coins on.
> > They'll upgrade to the new softfork rules before creating an address
> > that depends on the softfork's features.
> > So, not a problem.
> Mallory wants to defraud Bob with a 1 BTC payment for some beer. Bob
> runs the old rules. Bob creates a p2pkh address for Mallory to
> use. Mallory takes 1 BTC, and creates an invalid SegWit transaction
> that Bob cannot properly validate and that pays into one of Mallory's
> wallets. [...]
> Clueless Carol is one of the 4.9% of miners who forgot to upgrade
> her mining node. Carol sees that Mallory included an enormous fee in
> his transactions, so Carol makes sure to include both transactions in
> her block.
For it to be a "safe" soft fork, the "invalid segwit transaction" should
look non-standard to Carol, and as such she should refuse to mine it.
I think the attack has to go like this:
* segwit activates; 5% of miners fail to upgrade however
* Mallory creates a transaction paying to a segwit script
(ie scriptPubKey is just a 33 byte push) [0]
* non-upgraded nodes and miners will refuse to forward or mine
this transaction (a non-p2sh scriptPubKey that just pushes data is
non-standard) but the upgraded nodes and miners will forward and mine
it. it will be included in the blockchain by upgraded miners fairly
soon, and will then be in the UTXO set of non-upgraded miners and
nodes too.
* Mallory creates a segwit-invalid spend back to himself (or directly
to Bob for the 1BTC), ie provides empty scriptSig, but no
witness data. Upgraded miners and nodes reject the transaction,
but non-upgraded nodes will relay and mine it afaics.
I *think* that transaction will fail the AreInputsStandard() test on
non-upgraded nodes, and thus still won't be accepted to the mempool
or mined by non-upgraded nodes, and thus no one will see it, or any
descendent transactions. (Upgraded nodes will reject it because it's
segwit invalid, of course)
If it is accepted by some old nodes, that transaction won't ever get many
confirmations -- if Carol mines it, her block will be orphaned by the
upgraded mining majority after the next two or three blocks are found.
With only 5% of hashpower, it will take around three hours for Carol
and friends to find a block in general.
Also, the fact that segwit outputs are "anyone can spend" maybe mitigates
this further -- you could have a vigilante node that creates invalid
segwit txns for every segwit output that just spends the entire thing
to fees. Even if the vigilante's transactions get rejected by nodes who
see Mallory's attempt first, that should still be enough to trigger any
sort of double-spend alerts I can think of, at least if anyone at all
is altruistic enough to run a vigilante node like that in the first place.
> Mallory gets free beer.
> Anything I'm missing?
So I think the only way Mallory gets free beer from you with segwit
soft-fork is if:
- you're running out of date software and you're ignoring warnings to
upgrade (block versions have bumped)
- you've turned off standardness checks
- you're accepting low-confirmation transactions
- you're not using any double-spend detection service
If you're not accepting zero-confirmation transactions straight from
the mempool, (ie you require 1 or 2 confirmations) you also need:
- some non-upgraded miners who have turned off standardness checks
- your business is setup that an attacker can happily wait hours for
the transaction to be included in a block before trying to get beer
from you
In general (IMO), just leaving standardness checks turned on (and waiting
for 6 confirmations before accepting any non-standard transaction) should
be enough to keep you safe from any attack a soft-fork might enable.
Upgrading your software regularly should also be enough to keep you safe
for any soft-fork, and also for any hard-fork, obviously.
Cheers,
aj
[0] Actually, for this attack Mallory could use *any* segwit payment, it
doesn't have to be his bitcoins to start with, he just has to make
it look like they finish up with him, which is trivial if segwit
looks like anyone can spend. Having it be his segwit payment in the
first place makes it a little easier to ensure his payment is seen
as the original and not the doublespend though.
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 17:46:47
in reply to nevent1q…9v57
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hSeen on
wss://relay.noswhere.comPublished at
2023-06-07 17:46:47Event JSON
{
"id": "e4a5177eb830b04d3e20c1f1d2ebd445a8956576f0c4c57eba364091fd0aa577",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686160007,
"kind": 1,
"tags": [
[
"e",
"98cf2e35838fa134ae6f1ae02856ea7c4d6d5aae2f9a5a6272379073f8e32519",
"",
"root"
],
[
"e",
"7b2ef02ee47dbb059df09763d5bdd45ac53819b691ceb9bad7f73027b2e1aef2",
"",
"reply"
],
[
"p",
"498a711971f8a0194289aee037a4c481a99e731b5151724064973cc0e0b27c84"
]
],
"content": "📅 Original date posted:2015-12-18\n📝 Original message:On Fri, Dec 18, 2015 at 10:47:14AM +0800, Jonathan Toomim via bitcoin-dev wrote:\n\u003e On Dec 18, 2015, at 10:30 AM, Pieter Wuille via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e \u003e 1) The risk of an old full node wallet accepting a transaction that is\n\u003e \u003e invalid to the new rules.\n\u003e \u003e The receiver wallet chooses what address/script to accept coins on.\n\u003e \u003e They'll upgrade to the new softfork rules before creating an address\n\u003e \u003e that depends on the softfork's features.\n\u003e \u003e So, not a problem.\n\u003e Mallory wants to defraud Bob with a 1 BTC payment for some beer. Bob\n\u003e runs the old rules. Bob creates a p2pkh address for Mallory to\n\u003e use. Mallory takes 1 BTC, and creates an invalid SegWit transaction\n\u003e that Bob cannot properly validate and that pays into one of Mallory's\n\u003e wallets. [...]\n\u003e Clueless Carol is one of the 4.9% of miners who forgot to upgrade\n\u003e her mining node. Carol sees that Mallory included an enormous fee in\n\u003e his transactions, so Carol makes sure to include both transactions in\n\u003e her block.\n\nFor it to be a \"safe\" soft fork, the \"invalid segwit transaction\" should\nlook non-standard to Carol, and as such she should refuse to mine it.\n\nI think the attack has to go like this:\n\n * segwit activates; 5% of miners fail to upgrade however\n\n * Mallory creates a transaction paying to a segwit script\n (ie scriptPubKey is just a 33 byte push) [0]\n\n * non-upgraded nodes and miners will refuse to forward or mine\n this transaction (a non-p2sh scriptPubKey that just pushes data is\n non-standard) but the upgraded nodes and miners will forward and mine\n it. it will be included in the blockchain by upgraded miners fairly\n soon, and will then be in the UTXO set of non-upgraded miners and\n nodes too.\n\n * Mallory creates a segwit-invalid spend back to himself (or directly\n to Bob for the 1BTC), ie provides empty scriptSig, but no\n witness data. Upgraded miners and nodes reject the transaction,\n but non-upgraded nodes will relay and mine it afaics.\n\nI *think* that transaction will fail the AreInputsStandard() test on\nnon-upgraded nodes, and thus still won't be accepted to the mempool\nor mined by non-upgraded nodes, and thus no one will see it, or any\ndescendent transactions. (Upgraded nodes will reject it because it's\nsegwit invalid, of course)\n\nIf it is accepted by some old nodes, that transaction won't ever get many\nconfirmations -- if Carol mines it, her block will be orphaned by the\nupgraded mining majority after the next two or three blocks are found.\nWith only 5% of hashpower, it will take around three hours for Carol\nand friends to find a block in general.\n\nAlso, the fact that segwit outputs are \"anyone can spend\" maybe mitigates\nthis further -- you could have a vigilante node that creates invalid\nsegwit txns for every segwit output that just spends the entire thing\nto fees. Even if the vigilante's transactions get rejected by nodes who\nsee Mallory's attempt first, that should still be enough to trigger any\nsort of double-spend alerts I can think of, at least if anyone at all\nis altruistic enough to run a vigilante node like that in the first place.\n\n\u003e Mallory gets free beer.\n\u003e Anything I'm missing?\n\nSo I think the only way Mallory gets free beer from you with segwit\nsoft-fork is if:\n\n - you're running out of date software and you're ignoring warnings to\n upgrade (block versions have bumped)\n - you've turned off standardness checks\n - you're accepting low-confirmation transactions\n - you're not using any double-spend detection service\n\nIf you're not accepting zero-confirmation transactions straight from\nthe mempool, (ie you require 1 or 2 confirmations) you also need:\n\n - some non-upgraded miners who have turned off standardness checks\n - your business is setup that an attacker can happily wait hours for\n the transaction to be included in a block before trying to get beer\n from you\n\nIn general (IMO), just leaving standardness checks turned on (and waiting\nfor 6 confirmations before accepting any non-standard transaction) should\nbe enough to keep you safe from any attack a soft-fork might enable.\n\nUpgrading your software regularly should also be enough to keep you safe\nfor any soft-fork, and also for any hard-fork, obviously.\n\nCheers,\naj\n\n[0] Actually, for this attack Mallory could use *any* segwit payment, it\n doesn't have to be his bitcoins to start with, he just has to make\n it look like they finish up with him, which is trivial if segwit\n looks like anyone can spend. Having it be his segwit payment in the\n first place makes it a little easier to ensure his payment is seen\n as the original and not the doublespend though.",
"sig": "413afa061163335216bf6bc26dac83e590fc362736ff542ee37e78fddee1b42130e70ce2616fb37b21304301a650b141379cf5bae54cb423f67aac1bfc14604b"
}