📅 Original date posted:2016-08-19
📝 Original message:
On Fri, Aug 19, 2016 at 10:26:31AM +0930, Rusty Russell wrote:
> >> > While not dangerous it is rather unfortunate as it results in
> >> > guesswork. It is not dangerous because if A transferred litecoin to B
> >> > then B will (hopefully) never forward a higher value to C using
> >> > bitcoin, and if it were bitcoin then the final recipient would not
> >> > sign off an inferior amount than what he expected.
> >>
> >> Worse case: C is a charity, accepting donations. A's software screwed
> >> up and didn't realize C was litecoin, not bitcoin. B collects a huge
> >> fee, C gets tiny donation.
Yeah, for sure, I agree with y'all. By default, there should be a
requirement that the amount is pre-negotiated by the sender and the
recipient (pay-to-contract, etc.)
Sufficient percentages of senders to a charity should be interested in
getting a receipt to prove funds were sent to a charity that I don't
think pre-sending it without generating a proof shouldn't be a normal
case. By default, I don't think clients should even send funds until
they have a signed receipt before cross-chain is supported for safety.
However, I'm not too concerned with cross-chain. As long as there's some
identifier between each hop, I suspect that should be sufficient. Is the
intent of the realm byte to indicate protocols? I think it's reasonable
to have some kind of byte for identifying the message (e.g. using this
as a transport layer for other things), but I think there should already
be sufficient information for cross-chain, presuming pay-to-contract.
> > True, that's a dangerous scenario. If the recipient does not know the
> > intended amount and accepts anything then fee-shaving is very
> > profitable.
>
> Which creates a subtle requirement: even the terminal onion should
> include an amount.
This may not fully solve the problem, since if one presumes that the
second-to-last hop is malicious, they can re-create a new onion blob
(presuming consistent hashes for each hop, of course).
There may be a requirement from deriving the fee amount for the last
hop, though.
> > In general I'm a bit concerned about rhash re-use, after
> > all today it's not uncommon to just publish a bitcoin address, people
> > might be tempted to do the same in Lightning.
>
> Hmm, maybe we should implement the code to steal such re-sends? Or more
> generously, fail it. That would prevent this from becoming a habit, at
> least.
Either way seems practical for some nodes -- I presume if a small
percentage of nodes redeem without forwarding, then basically nobody
would re-use. Not sure if "steal" is the right word, though.
--
Joseph Poon
Joseph Poon [ARCHIVE] /
npub1ej…p9cq8
2023-06-09 12:46:27
in reply to nevent1q…4pnt
Author Public Key
npub1ej6vep7y2km5l6awukffelg8yeppkth2vjkjk9jypd5w336rxggs3p9cq8Published at
2023-06-09 12:46:27Event JSON
{
"id": "2b3a5bc01ba5c76bd5f772acf067337bd053400f681a64b25e776d7c094afa72",
"pubkey": "ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211",
"created_at": 1686314787,
"kind": 1,
"tags": [
[
"e",
"f166a20039cde752a8ba4e6cccc22d4b2719f9a29840f0c295641243ae59d83f",
"",
"root"
],
[
"e",
"af2349dd446f75af24f8430c6cbb2b95d2d320039b13dcf81b0e9741af413f63",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2016-08-19\n📝 Original message:\nOn Fri, Aug 19, 2016 at 10:26:31AM +0930, Rusty Russell wrote:\n\u003e \u003e\u003e \u003e While not dangerous it is rather unfortunate as it results in\n\u003e \u003e\u003e \u003e guesswork. It is not dangerous because if A transferred litecoin to B\n\u003e \u003e\u003e \u003e then B will (hopefully) never forward a higher value to C using\n\u003e \u003e\u003e \u003e bitcoin, and if it were bitcoin then the final recipient would not\n\u003e \u003e\u003e \u003e sign off an inferior amount than what he expected.\n\u003e \u003e\u003e \n\u003e \u003e\u003e Worse case: C is a charity, accepting donations. A's software screwed\n\u003e \u003e\u003e up and didn't realize C was litecoin, not bitcoin. B collects a huge\n\u003e \u003e\u003e fee, C gets tiny donation.\n\nYeah, for sure, I agree with y'all. By default, there should be a\nrequirement that the amount is pre-negotiated by the sender and the\nrecipient (pay-to-contract, etc.)\n\nSufficient percentages of senders to a charity should be interested in\ngetting a receipt to prove funds were sent to a charity that I don't\nthink pre-sending it without generating a proof shouldn't be a normal\ncase. By default, I don't think clients should even send funds until\nthey have a signed receipt before cross-chain is supported for safety.\n\nHowever, I'm not too concerned with cross-chain. As long as there's some\nidentifier between each hop, I suspect that should be sufficient. Is the\nintent of the realm byte to indicate protocols? I think it's reasonable\nto have some kind of byte for identifying the message (e.g. using this\nas a transport layer for other things), but I think there should already\nbe sufficient information for cross-chain, presuming pay-to-contract.\n\n\u003e \u003e True, that's a dangerous scenario. If the recipient does not know the\n\u003e \u003e intended amount and accepts anything then fee-shaving is very\n\u003e \u003e profitable.\n\u003e \n\u003e Which creates a subtle requirement: even the terminal onion should\n\u003e include an amount.\n\nThis may not fully solve the problem, since if one presumes that the\nsecond-to-last hop is malicious, they can re-create a new onion blob\n(presuming consistent hashes for each hop, of course).\n\nThere may be a requirement from deriving the fee amount for the last\nhop, though.\n\n\u003e \u003e In general I'm a bit concerned about rhash re-use, after\n\u003e \u003e all today it's not uncommon to just publish a bitcoin address, people\n\u003e \u003e might be tempted to do the same in Lightning.\n\u003e \n\u003e Hmm, maybe we should implement the code to steal such re-sends? Or more\n\u003e generously, fail it. That would prevent this from becoming a habit, at\n\u003e least.\n\nEither way seems practical for some nodes -- I presume if a small\npercentage of nodes redeem without forwarding, then basically nobody\nwould re-use. Not sure if \"steal\" is the right word, though.\n\n-- \nJoseph Poon",
"sig": "4ad3e2645ecf1a39f1c199528d8f9317a3c693c85eaa5a0bab055be152c996259e62f2fef2e86f9f158e785059a2998f6eaccb484cb73a4df419fbc074c02e0b"
}