📅 Original date posted:2022-11-08
📝 Original message:Hi aj and list,
(questions inline)
------- Original Message -------
On Thursday, October 27th, 2022 at 18:21, Anthony Towns via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> Is that true? Antoine claims [1] that opt-in RBF isn't enough to avoid
> a DoS issue when utxos are jointly funded by untrusting partners, and,
> aiui, that's the main motivation for addressing this now.
>
> [1] https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-May/003033.html
>
> The scenario he describes is: A, B, C create a tx:
>
> inputs: A1, B1, C1 [opts in to RBF]
> fees: normal
> outputs:
> [lightning channel, DLC, etc, who knows]
>
> they all analyse the tx, and agree it looks great; however just before
> publishing it, A spams the network with an alternative tx, double
> spending her input:
>
> inputs: A1 [does not opt in to RBF]
> fees: low
> outputs: A
>
> If A gets the timing right, that's bad for B and C because they've
> populated their mempool with the 1st transaction, while everyone else
> sees the 2nd one instead; and neither tx will replace the other. B and
> C can't know that they should just cancel their transaction, eg:
>
> inputs: B1, C1 [opts in to RBF]
> fees: 50% above normal
> outputs:
> [smaller channel, refund, whatever]
>
> and might instead waste time trying to fee bump the tx to get it mined,
> or similar.
>
> What should folks wanting to do coinjoins/dualfunding/dlcs/etc do to
> solve that problem if they have only opt-in RBF available?
>
<snip>
>
I read Antoine's original post on this and got the general gist, and here also, it makes sense, but I'd like to ask: is it necessary that (B, C) in the above not *see* A's opt-out "pre-replacement" (inputs: A1, outputs: A, fees: low; call it TX_2)? I get that they cannot replace it, but the idea that they suffer financial loss from "ignorant" fee bumping is the part that seems weird to me. Clearly TX_2 gets gossiped to other mempools; and understood that it does not replace the TX_1 (the 3-input) in B's mempool, say, but why should they not even hear about it? Is it just a matter of engineering, or is there some deeper problem with that.
About this general flavour of attack, it's never been a *big* concern in Joinmarket imo (though, we did until recently have a bug that made this happen *by accident*, i.e. people double spending an input out of a negotiated join, albeit it was rare; but it's ofc definitely *possible* to 'grief' like this, given the ordering of events; maker sends signature, maker broadcasts double spend - 95% of the time they will be first). Interactive protocols are yucky and I think there'll always be griefing possibilities; designing around multiple-rounds of negotiation amongst not always-on participants is even more yucky, so just having a 'taker is in charge of network fee; if it's slow or gets double spent out causing time delay then just wait', combined with 'there really isn't any economic incentive for an attacker' (i.e. ignoring griefing) might sound crappy but it's probably just being realistic.
Of course, off-chain contracting has more sophisticated considerations than this.
Cheers,
AdamISZ/waxwing
AdamISZ [ARCHIVE] /
npub1nv…kqw2t
2023-06-07 23:16:21
in reply to nevent1q…452p
Author Public Key
npub1nv7tjpn2g8tvt8qfq5ccyl00ucfcu98ch998sq4g5xp65vy6fc4sykqw2tPublished at
2023-06-07 23:16:21Event JSON
{
"id": "440a998675af361b04a904dbfc90ec4c4f3da8d9b570d9c5b51d057e12968115",
"pubkey": "9b3cb9066a41d6c59c090531827defe6138e14f8b94a7802a8a183aa309a4e2b",
"created_at": 1686179781,
"kind": 1,
"tags": [
[
"e",
"da6b9abb4324405cd4b243e228b3f24914204671328c740ca96b666c4bff2a5c",
"",
"root"
],
[
"e",
"815a485eddc6d2cc7ec09bb17ae831ca8e5c06a969e46250e0b0e24c94d508eb",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "📅 Original date posted:2022-11-08\n📝 Original message:Hi aj and list,\n(questions inline)\n\n\n------- Original Message -------\nOn Thursday, October 27th, 2022 at 18:21, Anthony Towns via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e \n\u003e Is that true? Antoine claims [1] that opt-in RBF isn't enough to avoid\n\u003e a DoS issue when utxos are jointly funded by untrusting partners, and,\n\u003e aiui, that's the main motivation for addressing this now.\n\u003e \n\u003e [1] https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-May/003033.html\n\u003e \n\u003e The scenario he describes is: A, B, C create a tx:\n\u003e \n\u003e inputs: A1, B1, C1 [opts in to RBF]\n\u003e fees: normal\n\u003e outputs:\n\u003e [lightning channel, DLC, etc, who knows]\n\u003e \n\u003e they all analyse the tx, and agree it looks great; however just before\n\u003e publishing it, A spams the network with an alternative tx, double\n\u003e spending her input:\n\u003e \n\u003e inputs: A1 [does not opt in to RBF]\n\u003e fees: low\n\u003e outputs: A\n\u003e \n\u003e If A gets the timing right, that's bad for B and C because they've\n\u003e populated their mempool with the 1st transaction, while everyone else\n\u003e sees the 2nd one instead; and neither tx will replace the other. B and\n\u003e C can't know that they should just cancel their transaction, eg:\n\u003e \n\u003e inputs: B1, C1 [opts in to RBF]\n\u003e fees: 50% above normal\n\u003e outputs:\n\u003e [smaller channel, refund, whatever]\n\u003e \n\u003e and might instead waste time trying to fee bump the tx to get it mined,\n\u003e or similar.\n\u003e \n\u003e What should folks wanting to do coinjoins/dualfunding/dlcs/etc do to\n\u003e solve that problem if they have only opt-in RBF available?\n\u003e \n\u003csnip\u003e\n\u003e \n\nI read Antoine's original post on this and got the general gist, and here also, it makes sense, but I'd like to ask: is it necessary that (B, C) in the above not *see* A's opt-out \"pre-replacement\" (inputs: A1, outputs: A, fees: low; call it TX_2)? I get that they cannot replace it, but the idea that they suffer financial loss from \"ignorant\" fee bumping is the part that seems weird to me. Clearly TX_2 gets gossiped to other mempools; and understood that it does not replace the TX_1 (the 3-input) in B's mempool, say, but why should they not even hear about it? Is it just a matter of engineering, or is there some deeper problem with that.\n\nAbout this general flavour of attack, it's never been a *big* concern in Joinmarket imo (though, we did until recently have a bug that made this happen *by accident*, i.e. people double spending an input out of a negotiated join, albeit it was rare; but it's ofc definitely *possible* to 'grief' like this, given the ordering of events; maker sends signature, maker broadcasts double spend - 95% of the time they will be first). Interactive protocols are yucky and I think there'll always be griefing possibilities; designing around multiple-rounds of negotiation amongst not always-on participants is even more yucky, so just having a 'taker is in charge of network fee; if it's slow or gets double spent out causing time delay then just wait', combined with 'there really isn't any economic incentive for an attacker' (i.e. ignoring griefing) might sound crappy but it's probably just being realistic.\n\nOf course, off-chain contracting has more sophisticated considerations than this.\n\nCheers,\nAdamISZ/waxwing",
"sig": "790a880e8f15c7df40795a822bece54914e30e15db8235f6b80005a092a2aecbf8988a7555b3e9da9f74a7358fb2acadb5287ca51786c5463baae35207eb044d"
}