📅 Original date posted:2015-08-01
📝 Original message:
> Sent: Friday, July 31, 2015 at 1:48 AM
> From: "Rusty Russell" <rusty at rustcorp.com.au>
> To: "Christopher Jamthagen" <cjamthagen at gmx.com>
> Cc: "lightning-dev at lists.linuxfoundation.org" <lightning-dev at lists.linuxfoundation.org>
> Subject: Re: [Lightning-dev] Stealing money from a hub?
> Christopher Jamthagen <cjamthagen at gmx.com> writes:
>> Would it be desirable/possible to implement the timestop feature for
>> CLTV as well? That would make the difference between the number of
>> blocks until either expiration the same in case of a block-filling
>> attack. If I'm not mistaken Peter Todds BIP is already merged, but
>> this feature could be implemented with another soft fork.
> Yes, timestop would logically be a softfork add, and it should apply to
> both (same logic applies).
If the timestop feature would activate only when the CLTV transaction is included in a block, it would allow for a pretty serious DoS attack vector where hubs can be forced to close channels with other hubs by having the attacker, as the receiver, never reveal R and create a block-filling attack. This would force the hub connected to the receiver to broadcast the commitment transaction, but since there is a block-filling attack going on, the hub can't settle with the next hub because the first hubs CSV and CLTV are being pushed beyond the second hubs CLTV (which isn't broadcasted or included in a block yet, so the timestop feature doesn't apply) and so it goes on forcing every hub along the payment path back to the sender to broadcast their commitment transactions and closing the channels. It would be cheap to amplify this attack since the attacker only need to make enough HTLC transactions including as many hubs in LN as possible to take out a large portion of the network for a while.
CLTV transactions would need to include the current block-height immediately when a commitment transaction is signed, so that miners can know where to start counting full blocks from as soon as it is broadcast. So my question is: Is such an upgrade for CLTV, as it is now, soft-forkable as it requires additional arguments? I am not totally clear on when upgrades are soft-forkable vs. hard-forkable.
>> Speaking of being online all the time, checking the blockchain is
>> outsourceable, right? So it seems that miners would be the perfect
>> third party to check for cheaters in LN. By offering them a nice chunk
>> of our counterparty's funds as fees, they should be incentiviced
>> enough to keep an extra eye for us on the blockchain.
> Outsourcability scales really well; once you're full-time monitoring the
> blockchain, might as well get as many clients as possible. You can also
> automate the outsourcee's fee, by including it in the "steal" tx.
Does it scale that well? I guess looking up pre-images in the shachain is fast, but what about R values in HTLCs? Would the third party have to store all those values or is there a nice optimization I have missed?
> But I realized yesterday, outsourcing needs a new sighash op mode (or
> normalized txids), so it's not really something to design a deployable
> system around today.
So it is. What a shame.
> Cheers,
> Rusty.
Christopher Jamthagen [ARCHIVE] /
npub145…cvvwf
2023-06-09 12:43:52
in reply to nevent1q…gpd3
Author Public Key
npub145gyety0mxgecedzm70fzqtx72s4zwz9lhar0lgs7yrravf02f2qvcvvwfPublished at
2023-06-09 12:43:52Event JSON
{
"id": "2dba3bef8bab53391a689b71715a04a7c56aba526f61672e4793c99b2a8aa6a3",
"pubkey": "ad104cac8fd9919c65a2df9e910166f2a1513845fdfa37fd10f1063eb12f5254",
"created_at": 1686314632,
"kind": 1,
"tags": [
[
"e",
"bd7e3601ad88d218940ec74c685433092458d0efc616b43a30f14fda82e7310e",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2015-08-01\n📝 Original message:\n\u003e Sent: Friday, July 31, 2015 at 1:48 AM\n\u003e From: \"Rusty Russell\" \u003crusty at rustcorp.com.au\u003e\n\u003e To: \"Christopher Jamthagen\" \u003ccjamthagen at gmx.com\u003e\n\u003e Cc: \"lightning-dev at lists.linuxfoundation.org\" \u003clightning-dev at lists.linuxfoundation.org\u003e\n\u003e Subject: Re: [Lightning-dev] Stealing money from a hub?\n\u003e Christopher Jamthagen \u003ccjamthagen at gmx.com\u003e writes:\n\u003e\u003e Would it be desirable/possible to implement the timestop feature for\n\u003e\u003e CLTV as well? That would make the difference between the number of\n\u003e\u003e blocks until either expiration the same in case of a block-filling\n\u003e\u003e attack. If I'm not mistaken Peter Todds BIP is already merged, but\n\u003e\u003e this feature could be implemented with another soft fork.\n\n\u003e Yes, timestop would logically be a softfork add, and it should apply to\n\u003e both (same logic applies).\n\nIf the timestop feature would activate only when the CLTV transaction is included in a block, it would allow for a pretty serious DoS attack vector where hubs can be forced to close channels with other hubs by having the attacker, as the receiver, never reveal R and create a block-filling attack. This would force the hub connected to the receiver to broadcast the commitment transaction, but since there is a block-filling attack going on, the hub can't settle with the next hub because the first hubs CSV and CLTV are being pushed beyond the second hubs CLTV (which isn't broadcasted or included in a block yet, so the timestop feature doesn't apply) and so it goes on forcing every hub along the payment path back to the sender to broadcast their commitment transactions and closing the channels. It would be cheap to amplify this attack since the attacker only need to make enough HTLC transactions including as many hubs in LN as possible to take out a large portion of the network for a while.\n\nCLTV transactions would need to include the current block-height immediately when a commitment transaction is signed, so that miners can know where to start counting full blocks from as soon as it is broadcast. So my question is: Is such an upgrade for CLTV, as it is now, soft-forkable as it requires additional arguments? I am not totally clear on when upgrades are soft-forkable vs. hard-forkable.\n\n\u003e\u003e Speaking of being online all the time, checking the blockchain is\n\u003e\u003e outsourceable, right? So it seems that miners would be the perfect\n\u003e\u003e third party to check for cheaters in LN. By offering them a nice chunk\n\u003e\u003e of our counterparty's funds as fees, they should be incentiviced\n\u003e\u003e enough to keep an extra eye for us on the blockchain.\n\n\u003e Outsourcability scales really well; once you're full-time monitoring the\n\u003e blockchain, might as well get as many clients as possible. You can also\n\u003e automate the outsourcee's fee, by including it in the \"steal\" tx.\n\nDoes it scale that well? I guess looking up pre-images in the shachain is fast, but what about R values in HTLCs? Would the third party have to store all those values or is there a nice optimization I have missed?\n\n\u003e But I realized yesterday, outsourcing needs a new sighash op mode (or\n\u003e normalized txids), so it's not really something to design a deployable\n\u003e system around today.\n\nSo it is. What a shame.\n\n\u003e Cheers,\n\u003e Rusty.",
"sig": "59b90c64e36e3f346bfe1936e02ec3f768315b8d7295e80de4c5178a5eb0df583538d37d689a8ba0ea3fbbf0c8a22b54b9716f26634312a173a38499bf7fb204"
}