📅 Original date posted:2015-08-01
📝 Original message:
Christopher Jamthagen <cjamthagen at gmx.com> writes:
>> Sent: Friday, July 31, 2015 at 1:48 AM
>> From: "Rusty Russell" <rusty at rustcorp.com.au>
>> To: "Christopher Jamthagen" <cjamthagen at gmx.com>
>> Cc: "lightning-dev at lists.linuxfoundation.org" <lightning-dev at lists.linuxfoundation.org>
>> Subject: Re: [Lightning-dev] Stealing money from a hub?
>> Christopher Jamthagen <cjamthagen at gmx.com> writes:
>>> Would it be desirable/possible to implement the timestop feature for
>>> CLTV as well? That would make the difference between the number of
>>> blocks until either expiration the same in case of a block-filling
>>> attack. If I'm not mistaken Peter Todds BIP is already merged, but
>>> this feature could be implemented with another soft fork.
>
>> Yes, timestop would logically be a softfork add, and it should apply to
>> both (same logic applies).
>
> If the timestop feature would activate only when the CLTV transaction
> is included in a block, it would allow for a pretty serious DoS attack
> vector where hubs can be forced to close channels with other hubs by
> having the attacker, as the receiver, never reveal R and create a
> block-filling attack.
I don't think so. Let's say the rule is "time doesn't pass if a block
is full".
> This would force the hub connected to the receiver to broadcast the
> commitment transaction
Why? The HTLC wouldn't expire, which would be a pain, but there's no
reason to panic and dump transactions. By definition, during a block
filling attack you've got all the time in the world.
Now, preventing HTLCs from expiring is a DoS, but a lesser one.
What am I missing?
> CLTV transactions would need to include the current block-height
> immediately when a commitment transaction is signed, so that miners
> can know where to start counting full blocks from as soon as it is
> broadcast. So my question is: Is such an upgrade for CLTV, as it is
> now, soft-forkable as it requires additional arguments? I am not
> totally clear on when upgrades are soft-forkable vs. hard-forkable.
Anything which is a furthur restriction (as in "this used to be valid,
and no longer is") is soft-forkable. So delaying timeouts is a soft-fork.
>>> Speaking of being online all the time, checking the blockchain is
>>> outsourceable, right? So it seems that miners would be the perfect
>>> third party to check for cheaters in LN. By offering them a nice chunk
>>> of our counterparty's funds as fees, they should be incentiviced
>>> enough to keep an extra eye for us on the blockchain.
>
>> Outsourcability scales really well; once you're full-time monitoring the
>> blockchain, might as well get as many clients as possible. You can also
>> automate the outsourcee's fee, by including it in the "steal" tx.
>
> Does it scale that well? I guess looking up pre-images in the shachain is fast, but what about R values in HTLCs? Would the third party have to store all those values or is there a nice optimization I have missed?
Indeed, there's a separate thread where Anthony Towns points out that
remembering R values and timeouts is an issue.
I was referring to the part where you watch the chain for spends on the
anchor outputs. You only need to do work to check what happened when
one of them gets spent, should almost never happen (since the client
should tell you they're going to close the channel cooperatively).
Cheers,
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:43:52
in reply to nevent1q…hq46
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:43:52Event JSON
{
"id": "697ed76362f2f4fb23b808842804e0e853a334b0fb20e777852fee3a18b2b505",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314632,
"kind": 1,
"tags": [
[
"e",
"bd7e3601ad88d218940ec74c685433092458d0efc616b43a30f14fda82e7310e",
"",
"root"
],
[
"e",
"2dba3bef8bab53391a689b71715a04a7c56aba526f61672e4793c99b2a8aa6a3",
"",
"reply"
],
[
"p",
"ad104cac8fd9919c65a2df9e910166f2a1513845fdfa37fd10f1063eb12f5254"
]
],
"content": "📅 Original date posted:2015-08-01\n📝 Original message:\nChristopher Jamthagen \u003ccjamthagen at gmx.com\u003e writes:\n\u003e\u003e Sent: Friday, July 31, 2015 at 1:48 AM\n\u003e\u003e From: \"Rusty Russell\" \u003crusty at rustcorp.com.au\u003e\n\u003e\u003e To: \"Christopher Jamthagen\" \u003ccjamthagen at gmx.com\u003e\n\u003e\u003e Cc: \"lightning-dev at lists.linuxfoundation.org\" \u003clightning-dev at lists.linuxfoundation.org\u003e\n\u003e\u003e Subject: Re: [Lightning-dev] Stealing money from a hub?\n\u003e\u003e Christopher Jamthagen \u003ccjamthagen at gmx.com\u003e writes:\n\u003e\u003e\u003e Would it be desirable/possible to implement the timestop feature for\n\u003e\u003e\u003e CLTV as well? That would make the difference between the number of\n\u003e\u003e\u003e blocks until either expiration the same in case of a block-filling\n\u003e\u003e\u003e attack. If I'm not mistaken Peter Todds BIP is already merged, but\n\u003e\u003e\u003e this feature could be implemented with another soft fork.\n\u003e\n\u003e\u003e Yes, timestop would logically be a softfork add, and it should apply to\n\u003e\u003e both (same logic applies).\n\u003e\n\u003e If the timestop feature would activate only when the CLTV transaction\n\u003e is included in a block, it would allow for a pretty serious DoS attack\n\u003e vector where hubs can be forced to close channels with other hubs by\n\u003e having the attacker, as the receiver, never reveal R and create a\n\u003e block-filling attack.\n\nI don't think so. Let's say the rule is \"time doesn't pass if a block\nis full\".\n\n\u003e This would force the hub connected to the receiver to broadcast the\n\u003e commitment transaction\n\nWhy? The HTLC wouldn't expire, which would be a pain, but there's no\nreason to panic and dump transactions. By definition, during a block\nfilling attack you've got all the time in the world.\n\nNow, preventing HTLCs from expiring is a DoS, but a lesser one.\n\nWhat am I missing?\n\n\u003e CLTV transactions would need to include the current block-height\n\u003e immediately when a commitment transaction is signed, so that miners\n\u003e can know where to start counting full blocks from as soon as it is\n\u003e broadcast. So my question is: Is such an upgrade for CLTV, as it is\n\u003e now, soft-forkable as it requires additional arguments? I am not\n\u003e totally clear on when upgrades are soft-forkable vs. hard-forkable.\n\nAnything which is a furthur restriction (as in \"this used to be valid,\nand no longer is\") is soft-forkable. So delaying timeouts is a soft-fork.\n\n\u003e\u003e\u003e Speaking of being online all the time, checking the blockchain is\n\u003e\u003e\u003e outsourceable, right? So it seems that miners would be the perfect\n\u003e\u003e\u003e third party to check for cheaters in LN. By offering them a nice chunk\n\u003e\u003e\u003e of our counterparty's funds as fees, they should be incentiviced\n\u003e\u003e\u003e enough to keep an extra eye for us on the blockchain.\n\u003e\n\u003e\u003e Outsourcability scales really well; once you're full-time monitoring the\n\u003e\u003e blockchain, might as well get as many clients as possible. You can also\n\u003e\u003e automate the outsourcee's fee, by including it in the \"steal\" tx.\n\u003e\n\u003e Does it scale that well? I guess looking up pre-images in the shachain is fast, but what about R values in HTLCs? Would the third party have to store all those values or is there a nice optimization I have missed?\n\nIndeed, there's a separate thread where Anthony Towns points out that\nremembering R values and timeouts is an issue.\n\nI was referring to the part where you watch the chain for spends on the\nanchor outputs. You only need to do work to check what happened when\none of them gets spent, should almost never happen (since the client\nshould tell you they're going to close the channel cooperatively).\n\nCheers,\nRusty.",
"sig": "d99e40ac8d56d35e6f137f3504443f506c15a4d359ed477452e5268195ad9286d1703c67e42660fca6bbb72258e13121aa5adb31e1b259f3f52c1502da58b037"
}