Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3EB2FC0032; Thu, 2 Nov 2023 17:07:56 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 1513F706A5; Thu, 2 Nov 2023 17:07:56 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 1513F706A5 Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=FMDliHV5 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ybDGqRyMi5Y0; Thu, 2 Nov 2023 17:07:51 +0000 (UTC) Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) by smtp3.osuosl.org (Postfix) with ESMTPS id BB12560783; Thu, 2 Nov 2023 17:07:51 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org BB12560783 Received: by mail-oi1-x232.google.com with SMTP id 5614622812f47-3b2e330033fso688927b6e.3; Thu, 02 Nov 2023 10:07:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698944870; x=1699549670; darn=lists.linuxfoundation.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=5r+o4ATHgKT58QXZbiAEn/is1WwWeMEaTrtSA5oONLM=; b=FMDliHV5CDgmnGBaALXO7Ah/YIUfxbvSyNfMMlvSGHxoLarg3JXyQNNOc0zHLiYRNC ucIlKQntD75sQhhiEirAX9U153wdTjNHqylOWAJwLHUhNp6AYQ4lnm12h1sgXcYRgyEy lNsdoMbfAzjUDgFvqo0YS5RDCFFs+LOWdi7q0kTQs8uqk2s49I0m/Zhh1Kz2t8pJ/+NC mRohvnmgQ7e3fBglEr937PkLiSK8oYt88Nzr9/ltmpCBPzAQ5QB+kw0BG1JDfpeF0i5A qBX+ACTGA9FlOg7S01hyhVLqFl861EizqAylSek5k6OaUlc31wLwVubS1fxcBS1GoMIT gehg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698944870; x=1699549670; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5r+o4ATHgKT58QXZbiAEn/is1WwWeMEaTrtSA5oONLM=; b=t98lpUsp7QxRTT44rkulaK/sX+iRUD448RpD61TIgHZ/kXvu2C0snxgGNTu3nlOkpL li5NCgtDDGcefneRFIvuOg3a+aabJH/SqONOpToC7FWwgsBV3YlJp8zDGZBuoy41QTsF WaaVe3p/4N0+FtMF+bq30kO898I9ha42f8XuZ9K4tBXXGiqQz6AmchzBbUFa3K/LkRpD esmrYD8rKVc+D7IHVY9U7B/h4GRujvuRchJwhksuudxxUTvlm+vlFjU0PsUHoUZ5mIPx EtG4kFcl9RsvQenP/yTTA6sQA4aXLyzWZ91R0C2yYNGGFO3Fg7dF6tNVHbRay1ooYT+e m3bw== X-Gm-Message-State: AOJu0Yz3cch2z4x/9d02ZQzb//d9sVhbQ2KBqC4Un/MKOAa5wrYSXhIi aobfEpiXowVeZR/zDX+O/gPcpsMxhT2JVsLpDNI= X-Google-Smtp-Source: AGHT+IEliIQ/upGSPVEHvm4D2BbiXTN+X1LPM9i6HL0+Bp+JzXGyNpk+GlPEGN4pb67AwyUI89ZzmK9Ge9b5Mzl4mug= X-Received: by 2002:a05:6808:16a3:b0:3b2:f588:5a9c with SMTP id bb35-20020a05680816a300b003b2f5885a9cmr22151542oib.6.1698944870599; Thu, 02 Nov 2023 10:07:50 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Matt Morehouse Date: Thu, 2 Nov 2023 17:07:39 +0000 Message-ID: To: Peter Todd , Bitcoin Protocol Discussion Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Thu, 02 Nov 2023 18:12:35 +0000 Cc: security@ariard.me, "lightning-dev\\\\@lists.linuxfoundation.org" Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Nov 2023 17:07:56 -0000 On Thu, Nov 2, 2023 at 6:27=E2=80=AFAM Peter Todd via bitcoin-dev wrote: > > On Thu, Nov 02, 2023 at 05:24:36AM +0000, Antoine Riard wrote: > > Hi Peter, > > > > > So, why can't we make the HTLC-preimage path expire? Traditionally, w= e've > > tried > > > to ensure that transactions - once valid - remain valid forever. We d= o > > this > > > because we don't want transactions to become impossible to mine in th= e > > event of > > > a large reorganization. > > > > I don't know if reverse time-lock where a lightning spending path becom= es > > invalid after a block height or epoch point solves the more advanced > > replacement cycling attacks, where a malicious commitment transaction > > itself replaces out a honest commitment transaction, and the > > child-pay-for-parent of this malicious transaction is itself replaced o= ut > > by the attacker, leading to the automatic trimming of the malicious > > commitment transaction. > > To be clear, are you talking about anchor channels or non-anchor channels= ? > Because in anchor channels, all outputs other than the anchor outputs pro= vided > for fee bumping can't be spent until the commitment transaction is mined,= which > means RBF/CPFP isn't relevant. IIUC, Antoine is talking about a cycling attack of the commitment transaction itself, not the HTLC transactions. It seems possible for future (ephemeral) anchor channels in a world with package relay. The idea with package relay is that commitment transaction fees will be zero and that fees will always be paid via CPFP on the anchor output. Consider this scenario: Mallory1 -> Alice -> Mallory2. Mallory2 claims an HTLC from Alice off chain via the preimage. Alice attempts to claim the corresponding HTLC from Mallory1, but Mallory1 refuses to cooperate. So Alice publishes her commitment transaction along with a CPFP on the anchor output. Mallory1 publishes her competing commitment transaction with a higher CPFP fee on the anchor output, thereby replacing Alice's package in the mempool. Mallory1 then replacement-cycles the anchor output child transaction, causing her commitment transaction to lose its CPFP and the package feerate to go to zero, which is below the minimum relay fee. Thus, Mallory1's commitment transaction is also evicted from the mempool. Mallory1 repeats this process every time Alice broadcasts her commitment, until the HTLC timeout expires. At that point the preimage path becomes unspendable, and Mallory1 can claim the HTLC via timeout at her leisure. > > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev