📅 Original date posted:2017-11-29
📝 Original message:
I noticed the Commitment Transaction Output script is weak to malleability,
this can be used to delay confirmation of the revocation.
Luckily, fixing the situation does not require lots of development.
```
OP_IF
# Penalty transaction
<revocationkey>
OP_ELSE
`to_self_delay`
OP_CSV
OP_DROP
<local_delayedkey>
OP_ENDIF
OP_CHECKSIG
```
An attacker can delay the Penalty Transaction by malleating it. Which can
lead to very bad outcome as Lightning dependant on time locks.
The penalty transaction would have.
```
<revocation_sig> 1
```
Problem is that Eve could malleate OP_1 into a positive, huge number. This
would have for effect to fill the mempool of nodes/miners with the
malleated version which will have an higher fee rate, delaying the
confirmation of the penalty transaction.
Now, there is a policy rule called SCRIPT_VERIFY_MINIMALIF by jl2012 which
was merged into v0.15.1. (
https://github.com/bitcoin/bitcoin/commit/c72c5b1e3bd42e84465677e94aa83316ff3d9a14
)
I guess that by the time LN is ready, 0.15.1 will be spread enough among
miners, but still I think a 2 bytes overhead is well worth the fix.
```
1 OP_EQUAL OP_IF
# Penalty transaction
<revocationkey>
OP_ELSE
`to_self_delay`
OP_CSV
OP_DROP
<local_delayedkey>
OP_ENDIF
OP_CHECKSIG
```
Nicolas,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20171129/50ea31fc/attachment.html>;
Nicolas Dorier [ARCHIVE] /
npub1hu…9q4u3
2023-06-09 12:47:52
in reply to nevent1q…72fp
Author Public Key
npub1huz53hq26gu7nc0qhw3uj6tr9hk5q2ngpywduxep5zy4ay9unftsm9q4u3Published at
2023-06-09 12:47:52Event JSON
{
"id": "6fb1832bdb366e67495e893c53f8ea8ac96e13c72ec693621b9e06b258ed22ca",
"pubkey": "bf0548dc0ad239e9e1e0bba3c969632ded402a68091cde1b21a0895e90bc9a57",
"created_at": 1686314872,
"kind": 1,
"tags": [
[
"e",
"9f91982bc4954a3c5f27221faaed89e1ee1e26160e0c41e8e02949f21fa117e8",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2017-11-29\n📝 Original message:\nI noticed the Commitment Transaction Output script is weak to malleability,\nthis can be used to delay confirmation of the revocation.\nLuckily, fixing the situation does not require lots of development.\n\n```\nOP_IF\n # Penalty transaction\n \u003crevocationkey\u003e\nOP_ELSE\n `to_self_delay`\n OP_CSV\n OP_DROP\n \u003clocal_delayedkey\u003e\nOP_ENDIF\nOP_CHECKSIG\n```\n\nAn attacker can delay the Penalty Transaction by malleating it. Which can\nlead to very bad outcome as Lightning dependant on time locks.\n\nThe penalty transaction would have.\n\n```\n\u003crevocation_sig\u003e 1\n```\n\nProblem is that Eve could malleate OP_1 into a positive, huge number. This\nwould have for effect to fill the mempool of nodes/miners with the\nmalleated version which will have an higher fee rate, delaying the\nconfirmation of the penalty transaction.\n\nNow, there is a policy rule called SCRIPT_VERIFY_MINIMALIF by jl2012 which\nwas merged into v0.15.1. (\nhttps://github.com/bitcoin/bitcoin/commit/c72c5b1e3bd42e84465677e94aa83316ff3d9a14\n)\n\nI guess that by the time LN is ready, 0.15.1 will be spread enough among\nminers, but still I think a 2 bytes overhead is well worth the fix.\n\n```\n1 OP_EQUAL OP_IF\n # Penalty transaction\n \u003crevocationkey\u003e\nOP_ELSE\n `to_self_delay`\n OP_CSV\n OP_DROP\n \u003clocal_delayedkey\u003e\nOP_ENDIF\nOP_CHECKSIG\n```\n\nNicolas,\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20171129/50ea31fc/attachment.html\u003e",
"sig": "db0536e5518444307147c9300fb5c66cbd58e9d8f2a2ae6a88909fbfaac0da6e449394f0315a9eed8ff6fe458bd56a6fc21b7875268f32f9098f5733b2f12a73"
}