author Peter Todd <pete@petertodd.org> 2024-08-02 07:54:28 +0000
committer bitcoindev <bitcoindev@googlegroups.com> 2024-08-02 05:31:05 -0700
commit a41c37479c62922fa08fb411aa80157b5338ae53 (patch)
tree 37598ba72a3c746d5759a3aca5ad905b9ce60f72 /dc
parent f0276cb11519748b541c7e47d3643801d71d1ffc (diff)
[bitcoindev] Keyless Anchors Are Vulnerable To Replacement Cycling Attacks
Diffstat (limited to 'dc')
-rw-r--r-- dc/e3f423ad18aa732b67f3c600ee8d9e6b9ccbab 253
1 files changed, 253 insertions, 0 deletions
diff --git a/dc/e3f423ad18aa732b67f3c600ee8d9e6b9ccbab b/dc/e3f423ad18aa732b67f3c600ee8d9e6b9ccbab
new file mode 100644
index 000000000..b566d7a50
--- /dev/null
+++ b/dc/e3f423ad18aa732b67f3c600ee8d9e6b9ccbab
@@ -0,0 +1,253 @@
+Delivery-date: Fri, 02 Aug 2024 05:31:05 -0700
+Received: from mail-vs1-f59.google.com ([209.85.217.59])
+ by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ (Exim 4.94.2)
+ (envelope-from <bitcoindev+bncBDRYHVHZTUGRBAFDWO2QMGQER7YQWZI@googlegroups.com>)
+ id 1sZrR2-0003kV-UJ
+ for bitcoindev@gnusha.org; Fri, 02 Aug 2024 05:31:05 -0700
+Received: by mail-vs1-f59.google.com with SMTP id ada2fe7eead31-49292256be3sf800461137.0
+ for <bitcoindev@gnusha.org>; Fri, 02 Aug 2024 05:31:04 -0700 (PDT)
+ARC-Seal: i=2; a=rsa-sha256; t=1722601858; cv=pass;
+ d=google.com; s=arc-20160816;
+ b=aK94HcPnMdKKPJh/3eV6t4bkZhf8Jsggqq0lkZK9V4R1nf6yD6Sahpc/gYRQCs/OgK
+ 2gvkoYaMzDqXo9+AmJbFEmHL6DoOm/pSSTwS2vvO4pW3+S3MjN868L8H7b1njCeO6/zm
+ LiA4iBUNrBeNF3MvGWOetfzoJ1IqvEMIJGSCYAtSPDtRp+mHTOpoxvCdJji+GMMfDjnR
+ ig+8GbI5rtZe0L0SnRjuGHzO0IM11kTaNkQzx2oUlwSuQjP1VsSAp76IEtGft05rNnX/
+ 1L7qapULgL3PN3O3fsQmKd7evR0gG3hY+iiplaT+6oRzUvKi9k1p8uN7RYUKVpszJ6JS
+ y2tQ==
+ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:content-disposition:mime-version
+ :message-id:subject:to:from:date:feedback-id:sender:dkim-signature;
+ bh=WFuGMJcEa+dYoL+12Fwo2UxSjoQL3CMGBhETdCHqGqs=;
+ fh=XVk2QkvgRPLFdPnjevP8jLotxQk2HlTV0b/+CyZnOcg=;
+ b=SpaTMs7BFs/1Ygz4vdA0uCCAkDM3NCt9a9jDLvFFKaDZR34dMU3yuiRErj4qrDq88h
+ nBAD8iz0Yz9KZc3FL1vDihD1ly8RPhSWGydnCWm0ljZXQSqopdPRg7vhuhc9+58klUpe
+ X4dreOu8E8G9/Z30Xg4GNwj4Qd+4bp2ktRG9uf3hh4WCm22RXnoTRlUPK2evWV0u3Haz
+ VwQXYX4Z4QZhOmRyBGrDRdoc92ZDPhKYYmZATHEg3JpKg3DY/exRHBo1PAho0zKoMxNV
+ uOduqKNSA3KBlOQARwZ+q7RBNzogujf9gb3jaYHmfrKR7xyP0tfH2+4D9bezcqtTkztu
+ fGfg==;
+ darn=gnusha.org
+ARC-Authentication-Results: i=2; gmr-mx.google.com;
+ dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=Beh025kI;
+ spf=pass (google.com: domain of pete@petertodd.org designates 103.168.172.158 as permitted sender) smtp.mailfrom=pete@petertodd.org
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=googlegroups.com; s=20230601; t=1722601858; x=1723206658; darn=gnusha.org;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:content-disposition:mime-version:message-id
+ :subject:to:from:date:feedback-id:sender:from:to:cc:subject:date
+ :message-id:reply-to;
+ bh=WFuGMJcEa+dYoL+12Fwo2UxSjoQL3CMGBhETdCHqGqs=;
+ b=wnZotPwl1PX/sZkes4IrrWOKflO0Bo94ou8kuU82Hk7ZFvkxDk8m8N0aA5aFEIcD4V
+ Q31/EiPaqaR5TWEAaRybdGTZPwHgHrmg9/SuT/ZxkQTTeNOidWIfNZqJeULPITlMx8c7
+ fwY9aIkoNIOqY6wKU56gUSnev5bWhc0snmCca+Qxu2GuQ+QgqU9ZLfp0Q9rd8Nbfsoe5
+ BLat+2G5kiXvJ3YJot90gtztPvJ/54DBOPFs3yC7wVt8lBn0wWvLv2Gic9E/9uT4+isr
+ t+RMBqnI5P1c9fhZt73/bF07Ub91xce5War1iY5H19dObQs0xSGTi5UPxuFCVbeHErbO
+ t7OQ==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20230601; t=1722601858; x=1723206658;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:content-disposition:mime-version:message-id
+ :subject:to:from:date:feedback-id:x-beenthere:x-gm-message-state
+ :sender:from:to:cc:subject:date:message-id:reply-to;
+ bh=WFuGMJcEa+dYoL+12Fwo2UxSjoQL3CMGBhETdCHqGqs=;
+ b=YnpLNa8LIX5FMRwzUByv/BVvS5XncLZi/KDbjuBVRY9TYF/LrV23G/3KcTLn4engPM
+ fFRmLrCkPx5sW0rVL1LhfOjM6Uc25ZIP3Xst8D7Vmg00pW9uCspvmxhIL5HScJ24i1fU
+ 3qDevf21TX5R9uebWNJwAmPCSfnl2NxzPLigAm4OFnW/0TdPoOYWAfoCRGBc87xhA+DH
+ OIKlxQUmOLQZFdyi123Ihjovfn/OpJHea5/t0RYhjUKOC571wVKH+gB0C+i8zqCKfN3d
+ b2UWiQgwNqFfupFTAA8By1j6YiM0/EK8AWx8hQfqz0F8zgoadCU8B/1i97wmBEFc5pJj
+ sJcA==
+Sender: bitcoindev@googlegroups.com
+X-Forwarded-Encrypted: i=2; AJvYcCUTzRNDl6w1URnHBH4+484A0h6tSwa3rzPv77AoOocjP+inhqysSwKla17Z8RGKmJeWzT9vQ/LxZCCjU+rucBg06n+FBu0=
+X-Gm-Message-State: AOJu0Ywa6ch0f+YE0psvlxVwSjzSXIT8gZvyELv0gluZAGLVzQm9QDCl
+ puDS06bzDZ6i6aOJnvLDK4F0XApSOjk9kEfplLL/vSF5Jc2nF+rB
+X-Google-Smtp-Source: AGHT+IFvX4HUaye8s0+7YNaQ/vslXeCWYP68z3VwnYs75h4fqxhf9nFL6nhyoJ9mBk1H3j6IfkOjeA==
+X-Received: by 2002:a67:f99a:0:b0:493:e582:70ce with SMTP id ada2fe7eead31-4945be0ab86mr3095767137.10.1722601857969;
+ Fri, 02 Aug 2024 05:30:57 -0700 (PDT)
+X-BeenThere: bitcoindev@googlegroups.com
+Received: by 2002:ac8:5982:0:b0:447:e719:3e13 with SMTP id d75a77b69052e-44fe3192a76ls179169671cf.1.-pod-prod-06-us;
+ Fri, 02 Aug 2024 05:30:56 -0700 (PDT)
+X-Received: by 2002:a05:6214:4005:b0:6bb:79b4:1546 with SMTP id 6a1803df08f44-6bb983fc1f8mr2727906d6.7.1722601856457;
+ Fri, 02 Aug 2024 05:30:56 -0700 (PDT)
+Received: by 2002:a05:620a:3843:b0:7a1:d643:94b4 with SMTP id af79cd13be357-7a34f8113e8ms85a;
+ Fri, 2 Aug 2024 00:54:32 -0700 (PDT)
+X-Received: by 2002:a05:6902:c0c:b0:e0b:ab65:19c8 with SMTP id 3f1490d57ef6-e0bde4c57ffmr3688511276.48.1722585271371;
+ Fri, 02 Aug 2024 00:54:31 -0700 (PDT)
+ARC-Seal: i=1; a=rsa-sha256; t=1722585271; cv=none;
+ d=google.com; s=arc-20160816;
+ b=CWcJCCDBCe/0vZr4g0a2e7d+SDu3v+TerqWSDqQbhcJ2nifovMl8H5C19R3lruK1W+
+ rU0F0qhHd+VQOx0QzuBdCTks9MJbYXwsbfkTYRMRsD9rCnhBkO5AJMcu/ijz7l/YdX11
+ KTi1jAK31dAnVdmSmKHdTsLy0P/HpI5tOKZ6lidGvHX9byjkZvUjxhtqpZcPLoEwaaxD
+ zhPpsU45js74ivk/gZs7ZbFMRmTbEgx0agHtT815alwQlO6tJeqjaocagxAFmJ54+DRD
+ R75JenDdomXfqwXumgHt0QboNSY7R8uG4YxH55F5Bjiq601i1No6ZuomWhbCEIJqlsXP
+ P9jA==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
+ h=content-disposition:mime-version:message-id:subject:to:from:date
+ :feedback-id:dkim-signature;
+ bh=QBUZpWUBw2UsgA6J6zU5dy7ijrGDtiS7ycCPXC8hgR8=;
+ fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=;
+ b=Sv/6ZWk/7hgGzKOfY0LxNR/2lNuYznTRj9/P8JMgVlhLKA4biz3uwowy60E8QMoo5s
+ QHzqH4bxPY5yiUR8biHUEcw/Nbnu7YW60STaolbxLGLlXZ0E1EFjqvK0M9oofp3ZqRuY
+ Dng93+YJqXOZrFRTXu3QVCfH4W+WLqG+LScg5cJf7VpMp+l+1YOcQQaNtPRW0XYDtFBm
+ PrYyjMxPib1rnlsMYubw0cO4pYNzlMaY3JQA/W9csFo1Vr9F0NTPMC5YjCqf7wIjzCCW
+ ARUrtvMbMbc6oxZbsy6vnIqtaPnaa+9l9agwY6QCtAfe72mkYgODZo0LQT9o2Tr4Tfq8
+ VPbg==;
+ dara=google.com
+ARC-Authentication-Results: i=1; gmr-mx.google.com;
+ dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=Beh025kI;
+ spf=pass (google.com: domain of pete@petertodd.org designates 103.168.172.158 as permitted sender) smtp.mailfrom=pete@petertodd.org
+Received: from fhigh7-smtp.messagingengine.com (fhigh7-smtp.messagingengine.com. [103.168.172.158])
+ by gmr-mx.google.com with ESMTPS id 3f1490d57ef6-e0be5562950si56809276.2.2024.08.02.00.54.31
+ for <bitcoindev@googlegroups.com>
+ (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+ Fri, 02 Aug 2024 00:54:31 -0700 (PDT)
+Received-SPF: pass (google.com: domain of pete@petertodd.org designates 103.168.172.158 as permitted sender) client-ip=103.168.172.158;
+Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
+ by mailfhigh.nyi.internal (Postfix) with ESMTP id D17971151AD9
+ for <bitcoindev@googlegroups.com>; Fri, 2 Aug 2024 03:54:30 -0400 (EDT)
+Received: from mailfrontend1 ([10.202.2.162])
+ by compute4.internal (MEProxy); Fri, 02 Aug 2024 03:54:30 -0400
+X-ME-Sender: <xms:tpCsZmPUUF05EL7svfcvOo4N3MUttnADAMUzGvhqZxcgz9K0H8I5Ow>
+ <xme:tpCsZk98dUcOP-LfiQmAkSt1PRkeJQBOFCWvGy7y4UK4FHYa74dc11wHhB44OTCsq
+ 2vYgZzYA24HCdnbNwk>
+X-ME-Received: <xmr:tpCsZtQ_6Qyq226zqDGat_woCZWul1HHXyxDvRIYwZ1Hx1tk9YzxLH4YwNbpnRjHWMpN2f1nLB64RstbkMAplHEV68oB>
+X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrjeelgdduvdejucetufdoteggodetrfdotf
+ fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
+ uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesghdtreertd
+ dtvdenucfhrhhomheprfgvthgvrhcuvfhougguuceophgvthgvsehpvghtvghrthhouggu
+ rdhorhhgqeenucggtffrrghtthgvrhhnpefhteevgeeuvdekheeivdeffeduuedufefhte
+ elheffgfelueefieffjeefffeuleenucffohhmrghinhepphgvthgvrhhtohguugdrohhr
+ ghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehpvg
+ htvgesphgvthgvrhhtohguugdrohhrghdpnhgspghrtghpthhtoheptd
+X-ME-Proxy: <xmx:tpCsZmsR_ALY6dY_9vKLaD72Y1qATZGkwhgLpTO07juU3fKdEEby7Q>
+ <xmx:tpCsZudQ4dGbDCA8SwI5pYMfGBSO-VGUSaz9g13CFWmf2HEgWFQVoA>
+ <xmx:tpCsZq2YeTPsVMrRL6amjt31wrIuhUYiEvSev_-PrSJ6KgYb2VPjrQ>
+ <xmx:tpCsZi8BC2K3iNIy5SSuTypOg2sv9UhLqPkA377PjMqemu2mJvIAZg>
+ <xmx:tpCsZt7m4yrIbef2qqM_k6-Wd-CUcWbHTMP3wndCAhpr5LiFflsk1ibB>
+Feedback-ID: i525146e8:Fastmail
+Received: by mail.messagingengine.com (Postfix) with ESMTPA for
+ <bitcoindev@googlegroups.com>; Fri, 2 Aug 2024 03:54:30 -0400 (EDT)
+Received: by localhost (Postfix, from userid 1000)
+ id BF23B5F854; Fri, 2 Aug 2024 07:54:28 +0000 (UTC)
+Date: Fri, 2 Aug 2024 07:54:28 +0000
+From: Peter Todd <pete@petertodd.org>
+To: bitcoindev@googlegroups.com
+Subject: [bitcoindev] Keyless Anchors Are Vulnerable To Replacement Cycling Attacks
+Message-ID: <ZqyQtNEOZVgTRw2N@petertodd.org>
+MIME-Version: 1.0
+Content-Type: multipart/signed; micalg=pgp-sha512;
+ protocol="application/pgp-signature"; boundary="vRkTbBrP6olNI+nv"
+Content-Disposition: inline
+X-Original-Sender: pete@petertodd.org
+X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
+ header.i=@messagingengine.com header.s=fm3 header.b=Beh025kI; spf=pass
+ (google.com: domain of pete@petertodd.org designates 103.168.172.158 as
+ permitted sender) smtp.mailfrom=pete@petertodd.org
+Precedence: list
+Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
+List-ID: <bitcoindev.googlegroups.com>
+X-Google-Group-Id: 786775582512
+List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
+List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
+List-Archive: <https://groups.google.com/group/bitcoindev
+List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
+List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
+ <https://groups.google.com/group/bitcoindev/subscribe>
+X-Spam-Score: -0.8 (/)
+
+
+--vRkTbBrP6olNI+nv
+Content-Type: text/plain; charset="UTF-8"
+Content-Disposition: inline
+
+This feels like someone should have published it before. But I can't find an
+obvious citation (eg in any of the documentation around keyless ephemeral
+anchors), so I'll publish one here. Maybe I'm the first to point this out
+explicitly? Probably not; I'd appreciate an earlier citation if one exists.
+
+
+tl;dr: _Anyone_ can do a replacement cycling attack on transactions where fees
+are paid via CPFP via keyless anchors and similar outputs that a third-party
+can double-spend. Secondly, for attackers who were already planning on making a
+transaction with a higher total fee and total fee-rate than the target, this
+attack is almost free.
+
+
+# The Attack
+
+Suppose that Alice has created a 2 transaction package consisting of low-fee or
+zero-fee transaction A, whose fees are CPFP paid via a keyless ephemeral anchor
+spent by transaction B. For B to pay fees, obviously it must spend a second
+transaction output.
+
+Mallory can cycle A and B out of mempools by broadcasting transaction B2,
+spending his own output and the keyless ephemeral anchor of A, at a higher
+fee/fee-rate than B. Next, Mallory broadcasts B3, double-spending B2 by
+spending Mallory's input but not the ephemeral anchor of A. Assuming Mallory
+needed to mine B3 anyway, the only cost to this attack is the small chance that
+B2 will in fact be mined between the time that B2 is replaced by B3.
+
+At this point A is no longer economical to mine as B has been cycled out, and A
+may be dropped from mempools depending on the circumstances.
+
+
+## SIGHASH_ANYONECANPAY
+
+Obviously, a similar attack is possible against SIGHASH_ANYONECANPAY-using
+transactions, provided that _all_ signatures sign with SIGHASH_ANYONECANPAY.
+
+
+# Countermeasures
+
+As with other replacement cycling attacks, rebroadcasting A and B fixes the
+issue. I think the existence of this additional type of replacement cycling
+attack suggests that adding an optional rebroadcasting module to Bitcoin Core
+that would keep track of dropped transactions and re-add them to mempools when
+they are again valid would make sense. This fixes all replacement cycling
+attacks and there's probably lots of nodes who have the memory and/or disk
+space to keep track of dropped transactions like this.
+
+Preventing the replacement of B2 with B3 is _not_ a viable countermeasure: if
+that replacement was prohibited, attackers could in turn exploit that rule as a
+new form of transaction pinning!
+
+
+# Privacy
+
+The fact that rebroadcasting is a countermeasure is a privacy concern. Each
+time a transaction is rebroadcast by the sender is a potential opportunity to
+track the origin of a transaction. Again, having third parties rebroadcasting
+transactions altruistically would mitigate this privacy concern.
+
+--
+https://petertodd.org 'peter'[:-1]@petertodd.org
+
+--
+You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
+To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
+To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZqyQtNEOZVgTRw2N%40petertodd.org.
+
+--vRkTbBrP6olNI+nv
+Content-Type: application/pgp-signature; name="signature.asc"
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmaskLMACgkQLly11TVR
+LzfreA//WnWPNqDyHOnqdilxmWyXLLpuzh8qoYOSkuBoZYODk9U8rcuQUqg3mpct
+GWyYvwH8+jAAH47of6nTa3CLrRi5RG1jI0icCihWxfElC3+7U+WnUOk7pN2cDwGX
+W4pdeyf8FCjJVJgDFPOhWymmeUYtjEXDw+FFYcjNjKBBpwcW+/SHXClqrWIhFaD7
+RRMbFJ/F7K3tAT6OIfooeoLxMAwGmj/P01qg6OR/X1SDrbZqv5AhVRyK4ZX4u2nn
+UiYX3WeugedJXOR2RWdRBKVnHnMBNdkPS9JJYCIocDvdRW2gCznZkTmQNd4Rn5d8
+Mpj8i2vcw+qyBdoMl3bxpj7vIn3JjuQPhpANFLM4aYhZLLnS4ugiXSxujlmXZO9S
+7ft8E3ZDInwhmmma3CMK60GmbYfoPTe44siPA0Gqlxm/QBWTXEII2Ig8ipgN3f9j
+ocw2vwTNnySwb7eHQCuwwsaTuJXSjaA5MzT+E+cRlwgoUSCdak+qSCFtrBRsubjO
+ACbz+jRL36I28TwgQ7RwUl6Yz7uH7nkoPzDtikoHFTcC7DEV7RXiK2zlaCbFwFSd
+DfhDhdlEX8i8Jzgl+eJ0s8wQ2ods/Oh1cbnT17P0+xhppK10NsBdUe4Xk25DINV0
+mDCYCgatFdep7+UeTkEolB9MYfqYU2Rt+ZF1TPJEZN5zmJq7A1I=
+=LR7g
+-----END PGP SIGNATURE-----
+
+--vRkTbBrP6olNI+nv--
+
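Review bot: the list footer at the end of the text/plain part (the three lines starting "You received this message because you are subscribed", just before the second --vRkTbBrP6olNI+nv boundary) sits inside the part that the Content-Type header declares as multipart/signed with micalg=pgp-sha512, so the stored bytes of that part differ from what the sender signed and signature.asc is not expected to verify against them as archived. Consider recording alongside the archive that the footer block has to be stripped before the PGP check, and that the ARC-Authentication-Results header (dkim=pass for messagingengine.com, spf=pass for pete@petertodd.org) is the origin evidence captured at delivery. Separately, the List-Archive header is missing its closing ">", unlike the other List-* headers; it is worth confirming that the message arrived that way rather than being truncated on import.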