ð
Original date posted:2019-06-09
ð Original message:On Thu, Jun 06, 2019 at 02:46:54PM +0930, Rusty Russell via bitcoin-dev wrote:
> Matt Corallo <lf-lists at mattcorallo.com> writes:
> > 2) wrt rule 4, I'd like to see a calculation of worst-case free
> > relay. I think we're already not in a great place, but maybe it's
> > worth it or maybe there is some other way to reduce this cost
> > (intuitively it looks like this proposal could make things very,
> > very, very bad).
>
> I *think* you can currently create a tx at 1 sat/byte, have it
> propagate, then RBF it to 2 sat/byte, 3... and do that a few thousand
> times before your transaction gets mined.
Yes, the current incremental relay fee in Bitcoin Core is 0.00001000
BTC/KvB.
> If that's true, I don't think this proposal makes it worse.
Here's a scenario that I think shows it being at least 20x worse.
Let's imagine that you create two transactions:
tx0: A very small transaction (~100 vbytes) that's just 1-in, 1-out.
At the minimum relay fee, this costs 0.00000100 BTC
tx1: A child of that transaction that's very large (~100,000 vbytes,
or almost 400,000 bytes using special scripts that allow witness
stuffing). At the minimum relay fee, this costs 0.00100000 BTC
Under the current rules, if an attacker wants to fee-bump tx0 by the
minimum incremental fee (a trivial amount, ~0.00000100 BTC), the
attacker's replacement also needs to pay for the eviction of the huge
child tx1 by that same incremental fee (~0.00100000).
Thus the replacement would cost the attacker a minimum of about
0.00100100 (~1 mBTC) for the original transactions and 0.00100100 for
the replacement (about 2 mBTC total).
The attacker could then spend another 1 mBTC re-attaching the child and
yet another 1 mBTC bumping again, incuring about a 2 mBTC cost per
replacement round. At writing, 2 mBTC is about $14.00 USD---an amount
that's probably enough to deter most attacks at scale.
* * *
Under the new proposed rule 6, Mallory's replacement cost would be the
amount to get the small tx0 to near the top of the mempool (say
0.00100000 BTC/KvB, so 0.00010000 BTC total). Because this would evict
the expensive child, it would actually reduce the original amount paid
by the attacker by 90% compared to the previous section's example where
using RBF increased the original costs by 100%.
The 0.1 mBTC cost of this attack is about $0.70 USD today for the
roughly the same data relay use as one round of the currently possible
attack. In short, if I haven't misplaced a decimal point or made some
other mistake, I think the proposed rule 6 would result in approximately
a 95% reduction in the cost paid by an attacker for wasting 400,000
bytes of bandwidth per node (x60,000 nodes = 24 GB across all nodes, not
counting INV overhead).
Although the attacker might only get one replacement per block per
transaction pair out of this version of the attack, they could execute
the attack many times in parallel using different tranaction pairs. If
this is combined with the treadmill leapfrogging Russell O'Connor
described elsewhere in this thread, the attack could possibly be
repeated multiple times per block per transaction pair at only slightly
increased cost (to pay the increasing next-block transaction fees).
> >> 3) wrt rule 5, I'd like to see benchmarks, it's probably a pretty
> >> nasty DoS attack, but it may also be the case that is (a) not worse
> >> than other fundamental issues or (b) sufficiently expensive.
>
> I thought we still meet rule 5 in practice since bitcoind will never
> even accept a tree of unconfirmed txs which is > 100 txs? That would
> still stand, it's just that we'd still consider a replacement.
Although the BIP125 limit is 100, Bitcoin Core's current default is 25.[1]
(When RBF was implemented in Bitcoin Core, transaction ancestry was only
tracked for purposes of ensuring valid transaction ordering within
blocks; later when CPFP was implemented, ancestry was additionally used
to calculate each transaction's package fee---the value of it and all
its unconfirmed ancestors. This requires more computation to update
the mempool metadata when the ancestry graph changes.)
Again, I'd be thinking here of something similar to O'Connor's
treadmilling attack where replacements can push each other out of the
top mempool and so create enough churn for a CPU exhaustion attack.
> >> Obviously there is also a ton more client-side knowledge required
> >> and complexity to RBF decisions here than other previous, more
> >> narrowly-targeted proposals.
> I'd say from the lightning side it's as simple as a normal RBF policy
> until you get within a few blocks of a deadline, then you increase the
> fees until it's well within reach of the next block.
It's already hard for wallet software to determine whether or not its
transactions have successfully been relayed. This proposal requires LN
wallets not only be able to guess where the next-block feerate boundary
is in other nodes' individual mempools (now and in the future for the
time it takes the transaction to propagate to ~100% of miners), but it
possibly requires that under the condition that the LN wallet can't
guess too low because it might not get another chance for relay in the
limited time available before contract expiration.
On top of that, there's O'Connor's suggestion to increase treadmilling
costs by only allowing bumps if they're in the top-half of the
next-block mempool.
Considered that way, I worry that these constraints produce a recipe for
paying extremely high feerates. If that's an actual risk, is that
actually significantly better than dealing with the existing transaction
pinning issue where one needs to pay a high total fee in order to evict
a bunch of junk descendents? Paying lots of fees may not be the optimal
solution to the problem of having to pay lots of fees. :-)
-Dave
[1] Excerpt from bitcoind -help-debug :
-limitancestorcount=<n>
Do not accept transactions if number of in-mempool ancestors is <n> or
more (default: 25)
-limitdescendantcount=<n>
Do not accept transactions if any ancestor would have <n> or more
in-mempool descendants (default: 25)
David A. Harding [ARCHIVE] /
npub16dâŠx4wrd
2023-06-07 18:18:32
in reply to nevent1qâŠgfp7
Author Public Key
npub16dt55fpq3a8r6zpphd9xngxr46zzqs75gna9cj5vf8pknyv2d7equx4wrdPublished at
2023-06-07 18:18:32Event JSON
{
"id": "46801daf968c8f542c77fae89de1dc98d35322a4b31ab824ca3d0a695b844b12",
"pubkey": "d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2",
"created_at": 1686161912,
"kind": 1,
"tags": [
[
"e",
"4ed6b3bfac83a99a462d959ed4b694df66ad2dfbc9892c6468b3b5ef5318cefd",
"",
"root"
],
[
"e",
"96bbe2d6d67516fa8e0a5a6b7dac4d4de4e052a754655f0836d67ade93e71ae3",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "ð
Original date posted:2019-06-09\nð Original message:On Thu, Jun 06, 2019 at 02:46:54PM +0930, Rusty Russell via bitcoin-dev wrote:\n\u003e Matt Corallo \u003clf-lists at mattcorallo.com\u003e writes:\n\u003e \u003e 2) wrt rule 4, I'd like to see a calculation of worst-case free\n\u003e \u003e relay. I think we're already not in a great place, but maybe it's\n\u003e \u003e worth it or maybe there is some other way to reduce this cost\n\u003e \u003e (intuitively it looks like this proposal could make things very,\n\u003e \u003e very, very bad).\n\u003e \n\u003e I *think* you can currently create a tx at 1 sat/byte, have it\n\u003e propagate, then RBF it to 2 sat/byte, 3... and do that a few thousand\n\u003e times before your transaction gets mined.\n\nYes, the current incremental relay fee in Bitcoin Core is 0.00001000\nBTC/KvB.\n\n\u003e If that's true, I don't think this proposal makes it worse.\n\nHere's a scenario that I think shows it being at least 20x worse.\n\nLet's imagine that you create two transactions:\n\n tx0: A very small transaction (~100 vbytes) that's just 1-in, 1-out.\n At the minimum relay fee, this costs 0.00000100 BTC\n\n tx1: A child of that transaction that's very large (~100,000 vbytes,\n or almost 400,000 bytes using special scripts that allow witness\n stuffing). At the minimum relay fee, this costs 0.00100000 BTC\n\nUnder the current rules, if an attacker wants to fee-bump tx0 by the\nminimum incremental fee (a trivial amount, ~0.00000100 BTC), the\nattacker's replacement also needs to pay for the eviction of the huge\nchild tx1 by that same incremental fee (~0.00100000).\n\nThus the replacement would cost the attacker a minimum of about\n0.00100100 (~1 mBTC) for the original transactions and 0.00100100 for\nthe replacement (about 2 mBTC total).\n\nThe attacker could then spend another 1 mBTC re-attaching the child and\nyet another 1 mBTC bumping again, incuring about a 2 mBTC cost per\nreplacement round. At writing, 2 mBTC is about $14.00 USD---an amount\nthat's probably enough to deter most attacks at scale.\n\n* * *\n\nUnder the new proposed rule 6, Mallory's replacement cost would be the\namount to get the small tx0 to near the top of the mempool (say\n0.00100000 BTC/KvB, so 0.00010000 BTC total). Because this would evict\nthe expensive child, it would actually reduce the original amount paid\nby the attacker by 90% compared to the previous section's example where\nusing RBF increased the original costs by 100%.\n\nThe 0.1 mBTC cost of this attack is about $0.70 USD today for the\nroughly the same data relay use as one round of the currently possible\nattack. In short, if I haven't misplaced a decimal point or made some\nother mistake, I think the proposed rule 6 would result in approximately\na 95% reduction in the cost paid by an attacker for wasting 400,000\nbytes of bandwidth per node (x60,000 nodes = 24 GB across all nodes, not\ncounting INV overhead).\n\nAlthough the attacker might only get one replacement per block per\ntransaction pair out of this version of the attack, they could execute\nthe attack many times in parallel using different tranaction pairs. If\nthis is combined with the treadmill leapfrogging Russell O'Connor\ndescribed elsewhere in this thread, the attack could possibly be\nrepeated multiple times per block per transaction pair at only slightly\nincreased cost (to pay the increasing next-block transaction fees).\n\n\u003e \u003e\u003e 3) wrt rule 5, I'd like to see benchmarks, it's probably a pretty\n\u003e \u003e\u003e nasty DoS attack, but it may also be the case that is (a) not worse\n\u003e \u003e\u003e than other fundamental issues or (b) sufficiently expensive.\n\u003e \n\u003e I thought we still meet rule 5 in practice since bitcoind will never\n\u003e even accept a tree of unconfirmed txs which is \u003e 100 txs? That would\n\u003e still stand, it's just that we'd still consider a replacement.\n\nAlthough the BIP125 limit is 100, Bitcoin Core's current default is 25.[1]\n(When RBF was implemented in Bitcoin Core, transaction ancestry was only\ntracked for purposes of ensuring valid transaction ordering within\nblocks; later when CPFP was implemented, ancestry was additionally used\nto calculate each transaction's package fee---the value of it and all\nits unconfirmed ancestors. This requires more computation to update\nthe mempool metadata when the ancestry graph changes.)\n\nAgain, I'd be thinking here of something similar to O'Connor's\ntreadmilling attack where replacements can push each other out of the\ntop mempool and so create enough churn for a CPU exhaustion attack.\n\n\u003e \u003e\u003e Obviously there is also a ton more client-side knowledge required\n\u003e \u003e\u003e and complexity to RBF decisions here than other previous, more\n\u003e \u003e\u003e narrowly-targeted proposals.\n\u003e I'd say from the lightning side it's as simple as a normal RBF policy\n\u003e until you get within a few blocks of a deadline, then you increase the\n\u003e fees until it's well within reach of the next block.\n\nIt's already hard for wallet software to determine whether or not its\ntransactions have successfully been relayed. This proposal requires LN\nwallets not only be able to guess where the next-block feerate boundary\nis in other nodes' individual mempools (now and in the future for the\ntime it takes the transaction to propagate to ~100% of miners), but it\npossibly requires that under the condition that the LN wallet can't\nguess too low because it might not get another chance for relay in the\nlimited time available before contract expiration.\n\nOn top of that, there's O'Connor's suggestion to increase treadmilling\ncosts by only allowing bumps if they're in the top-half of the\nnext-block mempool.\n\nConsidered that way, I worry that these constraints produce a recipe for\npaying extremely high feerates. If that's an actual risk, is that\nactually significantly better than dealing with the existing transaction\npinning issue where one needs to pay a high total fee in order to evict\na bunch of junk descendents? Paying lots of fees may not be the optimal\nsolution to the problem of having to pay lots of fees. :-)\n\n-Dave\n\n[1] Excerpt from bitcoind -help-debug :\n\n -limitancestorcount=\u003cn\u003e\n Do not accept transactions if number of in-mempool ancestors is \u003cn\u003e or\n more (default: 25)\n\n -limitdescendantcount=\u003cn\u003e\n Do not accept transactions if any ancestor would have \u003cn\u003e or more\n in-mempool descendants (default: 25)",
"sig": "cf365b7b310f8592307a40f7a487eb80e07893bca4928c42fc97f558c21656a41c339b24875cfa9ff24bd91a9522117e96686083a4c53dde7537ecc1797350ae"
}