Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 301EDC0033 for ; Thu, 20 Oct 2022 14:14:31 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 142C342223 for ; Thu, 20 Oct 2022 14:14:31 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 142C342223 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=Cjo+Q9oj X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.088 X-Spam-Level: X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id updA7r_Bp8M1 for ; Thu, 20 Oct 2022 14:14:28 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org D036241A22 Received: from mail-oo1-xc2a.google.com (mail-oo1-xc2a.google.com [IPv6:2607:f8b0:4864:20::c2a]) by smtp4.osuosl.org (Postfix) with ESMTPS id D036241A22 for ; Thu, 20 Oct 2022 14:14:27 +0000 (UTC) Received: by mail-oo1-xc2a.google.com with SMTP id x6-20020a4ac586000000b0047f8cc6dbe4so4016240oop.3 for ; Thu, 20 Oct 2022 07:14:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Dlr+OMf++3gsRnmVy5AztvAgIdOzM3NzuVDqzLUhQts=; b=Cjo+Q9ojLVHmgaTO9M/pQMYMswTSh05k8xMPx1L2aR780hgmU45TUg6s8OyMdMLaml K6SYbQNjKXFezcQBBDu4PsEGQ0N0qYsqigrQbrZm+v149WxH0gIfy1wUdBIQFo/ANTD6 Z8zSF+Ca7Pszlqj/B57WCUnOd7n62C2lAtfwu9i8zR7hPeap1go1XxWz/KE3pjGbg1ah JPf8lUmpTLD+uMgph/W97Qi6dC3W5R23kCv1fLWQVrgol0n05F1gE9Y4y0YnWkWOtODW fCivdq4DQjLen8xYI0CpsXCHMZxmcuAVJuWA5dgB0qGGFworKnkQ8UmunbNzAQZVg/kn Y9QA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Dlr+OMf++3gsRnmVy5AztvAgIdOzM3NzuVDqzLUhQts=; b=nkr5zAPg5ETGuo3Fp/Q0+4LC/BwWSvGWjivQ3PeQ6pyfntnJdqtJBhP0p2xw4BbTlg xKC0KrrkSdphKXtXJJHaGz8kNZxscA9AHABm+/MOPEWlDP8VAYz17+m80skrka2DeN5g gZAWGJc853U0Vw4N1rH4rR75gxHX7wYX4bFHLZ0tIA1C4psv8noL09/NTrV5wvJATMs0 1ultdn9oZE57pDyDV2elgO9bmILVQ8gNFBe53JQ5s6K+etCojJkFz3jJI3iBO3v2A/wX LG/aruHp5Url2eGKFc6AsEcJ1g9Q/fykomdjMdW9A6xEscqdnwKvNczNfwi6sJjxm7mp 69sA== X-Gm-Message-State: ACrzQf2N0/Ae6cXvanKAaNFAHgoOCbHgXHDZqg73IFpt/giN9EFgiX4S pC9C7xGHMTyE1K6uKCb/s1v+3QdxhAEDGjpGgfLyl8J229nxPA== X-Google-Smtp-Source: AMsMyM4JI+p8+Ckw8AIgCyy5YO1nIkdKznWjT4IZeKLwtGYgfkT3ePas1xke2IbCpeq8ldc8NK0OGkPCLargA0CN1n4= X-Received: by 2002:a4a:af4d:0:b0:475:dcf4:65fb with SMTP id x13-20020a4aaf4d000000b00475dcf465fbmr6449754oon.1.1666275266322; Thu, 20 Oct 2022 07:14:26 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ruben Somsen Date: Thu, 20 Oct 2022 16:14:14 +0200 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000058e63b05eb77f121" X-Mailman-Approved-At: Thu, 20 Oct 2022 14:15:19 +0000 Cc: Sergej Kotliar , Anthony Towns Subject: Re: [bitcoin-dev] [Opt-in full-RBF] Zero-conf apps in immediate danger X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Oct 2022 14:14:31 -0000 --00000000000058e63b05eb77f121 Content-Type: text/plain; charset="UTF-8" Hi, There is a reasonable tradeoff one can make to get eventual settlement assurance prior to confirmation: lock up the funds with a counterparty in a 2-of-2 multisig with a timelock back to the owner. As long as the timelock has not expired and the recipients trust the counterparty not to sign double spends, transactions that are spent from this multisig can be considered instant. In cases where the counterparty and the recipient are the same person, this solution is trustless. Since merchant purchases tend to be low-value, the counterparty risk (facilitating double spends) seems acceptable. GreenAddress provided such a service in 2015 or so, but the idea got abandoned. Personally, I find this solution much more tenable than relying on spurious network assumptions about what will be propagated and mined. Best regards, Ruben On Thu, Oct 20, 2022 at 2:44 PM Sergej Kotliar via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Thu, 20 Oct 2022 at 09:22, Anthony Towns wrote: > >> On Wed, Oct 19, 2022 at 04:29:57PM +0200, Sergej Kotliar via bitcoin-dev >> wrote: >> > The >> > biggest risk in accepting bitcoin payments is in fact not zeroconf risk >> > (it's actually quite easily managed), >> >> You mean "it's quite easily managed, provided the transaction doesn't >> opt-in to rbf", right? At least, that's what I understood you saying last >> time; ie that if the tx signals rbf, then you just don't do zeroconf no >> matter what other trustworthy signals you might see: >> >> https://twitter.com/ziggamon/status/1435863691816275970 >> >> (rbf txs seem to have increased from 22% then to 29% now) >> > > Yeah. Our share of RBF is a bit lower than that as many RBF transactions > are something other than consumer purchases, and most consumer purchases > can't do RBF > > >> > it's FX risk as the merchant must >> > commit to a certain BTCUSD rate ahead of time for a purchase. Over time >> > some transactions lose money to FX and others earn money - that evens >> out >> > in the end. >> >> > But if there is an _easily accessible in the wallet_ feature to >> > "cancel transaction" that means it will eventually get systematically >> > abused. A risk of X% loss on many payments that's easy to systematically >> > abuse is more scary than a rare risk of losing 100% of one occasional >> > payment. It's already possible to execute this form of abuse with opt-in >> > RBF, >> >> If someone's going to systematically exploit your store via this >> mechanism, it seems like they'd just find a single wallet with a good >> UX for opt-in RBF and lowballing fees, and go to town -- not something >> where opt-in rbf vs fullrbf policies make any difference at all? >> > > Sort of. But yes once this starts being abused systemically we will have > to do something else w RBF payments, such as crediting the amount in BTC to > a custodial account. But this option isn't available to your normal payment > processor type business. > > Also worth keeping in mind that sometimes "opportunity makes the thief". > Currently only power-user wallet have that feature and their market share > is relatively small, mainly electrum stands out. But if this is available > to all users everywhere then it will start being abused and we'll have to > then direct all payments to custodial account, or some other convoluted > solution. > > >> It's not like existing wallets that don't let you set RBF will suddenly >> get a good UX for replacing transactions just because they'd be relayed >> if they did, is it? >> >> > To successfully fool (non-RBF) >> > zeroconf one needs to have access to mining infrastructure and >> probability >> > of success is the % of hash rate controlled. >> >> I thought the "normal" avenue for fooling non-RBF zeroconf was to create >> two conflicting txs in advance, one paying the merchant, one paying >> yourself, connect to many peers, relay the one paying the merchant to >> the merchant, and the other to everyone else. >> >> I'm just basing this off Peter Todd's stuff from years ago: >> >> >> https://np.reddit.com/r/Bitcoin/comments/40ejy8/peter_todd_with_my_doublespendpy_tool_with/cytlhh0/ >> >> >> https://github.com/petertodd/replace-by-fee-tools/blob/master/doublespend.py >> >> > > Yeah, I know the list still rehashes a single incident from 10 years ago > to declare the entire practice as unsafe, and ignores real-world data that > of the last million transactions we had zero cases of this successfully > abusing us. > > >> > Currently Lightning is somewhere around 15% of our total bitcoin >> payments. >> >> So, based on last year's numbers, presumably that makes your bitcoin >> payments break down as something like: >> >> 5% txs are on-chain and seem shady and are excluded from zeroconf >> 15% txs are lightning >> 20% txs are on-chain but signal rbf and are excluded from zeroconf >> 60% txs are on-chain and seem fine for zeroconf >> > > Numbers are right. Shady is too strong a word, it's mostly transactions > with very low fee, or high purchase amount, or many dependent unconfirmed > transactions, stuff like that. In some cases we do a human assessment of > the support ticket and often just pass them through. > > >> > This is very much not nothing, and all of us here want Lightning to >> grow, >> > but I think it warrants a serious discussion on whether we want >> Lightning >> > adoption to go to 100% by means of disabling on-chain commerce. >> >> If the numbers above were accurate, this would just mean you'd go from 60% >> zeroconf/25% not-zeroconf to 85% not-zeroconf; wouldn't be 0% on-chain. >> > > Point is that RBF transactions are unsafe even when waiting for a > confirmation, which Peter Todd trivially proved in the reply next to this. > The reliable solution is to reject all RBF payments and direct those users > to custodial accounts. There are other variants to solve this with varying > degree of convolutedness. RBF is a strictly worse UX as proven by anyone > accepting bitcoin payments at scale. > > >> > For me >> > personally it would be an easier discussion to have when Lightning is at >> > 80%+ of all bitcoin transactions. >> >> Can you extrapolate from the numbers you've seen to estimate when that >> might be, given current trends? >> > > Not sure, it might be exponential growth, and the next 60% of Lightning > growth happen faster than the first 15%. Hard to tell. But we're likely > talking years here.. > > >> >> > The benefits of Lightning are many and obvious, >> > we don't need to limit onchain to make Lightning more appealing. >> >> To be fair, I think making lightning (and coinjoins) work better is >> exactly what inspired this -- not as a "make on-chain worse so we look >> better in comparison", but as a "making lightning work well is a bunch >> of hard problems, here's the next thing we need in order to beat the >> next problem". >> > > In deed. The fact that the largest non-custodial Lightning wallet started > this thread should be an indicator that despite these intentions the > solution harms more than it fixes. > Transactions being evicted from mempool is solved by requiring a minimum > fee rate, which we do and now seems to have become a standard practice. > Theoretically we can imagine them being evicted anyway but now we're > several theoreticals deep again when discussing something that will cause > massive problems right away. In emergency situations CPFP and similar can > of course be done manually in special circumstances. > > Cheers > Sergej > > > On Thu, 20 Oct 2022 at 09:22, Anthony Towns wrote: > >> On Wed, Oct 19, 2022 at 04:29:57PM +0200, Sergej Kotliar via bitcoin-dev >> wrote: >> > The >> > biggest risk in accepting bitcoin payments is in fact not zeroconf risk >> > (it's actually quite easily managed), >> >> You mean "it's quite easily managed, provided the transaction doesn't >> opt-in to rbf", right? At least, that's what I understood you saying last >> time; ie that if the tx signals rbf, then you just don't do zeroconf no >> matter what other trustworthy signals you might see: >> >> https://twitter.com/ziggamon/status/1435863691816275970 >> >> (rbf txs seem to have increased from 22% then to 29% now) >> >> > it's FX risk as the merchant must >> > commit to a certain BTCUSD rate ahead of time for a purchase. Over time >> > some transactions lose money to FX and others earn money - that evens >> out >> > in the end. >> >> > But if there is an _easily accessible in the wallet_ feature to >> > "cancel transaction" that means it will eventually get systematically >> > abused. A risk of X% loss on many payments that's easy to systematically >> > abuse is more scary than a rare risk of losing 100% of one occasional >> > payment. It's already possible to execute this form of abuse with opt-in >> > RBF, >> >> If someone's going to systematically exploit your store via this >> mechanism, it seems like they'd just find a single wallet with a good >> UX for opt-in RBF and lowballing fees, and go to town -- not something >> where opt-in rbf vs fullrbf policies make any difference at all? >> >> It's not like existing wallets that don't let you set RBF will suddenly >> get a good UX for replacing transactions just because they'd be relayed >> if they did, is it? >> >> > To successfully fool (non-RBF) >> > zeroconf one needs to have access to mining infrastructure and >> probability >> > of success is the % of hash rate controlled. >> >> I thought the "normal" avenue for fooling non-RBF zeroconf was to create >> two conflicting txs in advance, one paying the merchant, one paying >> yourself, connect to many peers, relay the one paying the merchant to >> the merchant, and the other to everyone else. >> >> I'm just basing this off Peter Todd's stuff from years ago: >> >> >> https://np.reddit.com/r/Bitcoin/comments/40ejy8/peter_todd_with_my_doublespendpy_tool_with/cytlhh0/ >> >> >> https://github.com/petertodd/replace-by-fee-tools/blob/master/doublespend.py >> >> > Currently Lightning is somewhere around 15% of our total bitcoin >> payments. >> >> So, based on last year's numbers, presumably that makes your bitcoin >> payments break down as something like: >> >> 5% txs are on-chain and seem shady and are excluded from zeroconf >> 15% txs are lightning >> 20% txs are on-chain but signal rbf and are excluded from zeroconf >> 60% txs are on-chain and seem fine for zeroconf >> >> > This is very much not nothing, and all of us here want Lightning to >> grow, >> > but I think it warrants a serious discussion on whether we want >> Lightning >> > adoption to go to 100% by means of disabling on-chain commerce. >> >> If the numbers above were accurate, this would just mean you'd go from 60% >> zeroconf/25% not-zeroconf to 85% not-zeroconf; wouldn't be 0% on-chain. >> >> > For me >> > personally it would be an easier discussion to have when Lightning is at >> > 80%+ of all bitcoin transactions. >> >> Can you extrapolate from the numbers you've seen to estimate when that >> might be, given current trends? Or perhaps when fine-for-zeroconf txs >> drop to 20%, since opt-in-RBF txs and considered-unsafe txs would still >> work the same in a fullrbf world. >> >> > The benefits of Lightning are many and obvious, >> > we don't need to limit onchain to make Lightning more appealing. >> >> To be fair, I think making lightning (and coinjoins) work better is >> exactly what inspired this -- not as a "make on-chain worse so we look >> better in comparison", but as a "making lightning work well is a bunch >> of hard problems, here's the next thing we need in order to beat the >> next problem". >> >> > Sidenote: On the efficacy of RBF to "unstuck" stuck transactions >> > After interacting with users during high-fee periods I've come to not >> > appreciate RBF as a solution to that issue. Most users (80% or so) >> simply >> > don't have access to that functionality, because their wallet doesn't >> > support it, or they use a custodial (exchange) wallet etc. Of those that >> > have the feature - only the power users understand how RBF works, and >> > explaining how to do RBF to a non-power-user is just too complex, for >> the >> > same reason why it's complex for wallets to make sensible >> non-power-user UI >> > around it. Current equilibrium is that mostly only power users have >> access >> > to RBF and they know how to handle it, so things are somewhat working. >> But >> > rolling this out to the broad market is something else and would likely >> > cause more confusion. >> > CPFP is somewhat more viable but also not perfect as it would require >> lots >> > of edge case code to handle abuse vectors: What if users abuse a >> generous >> > CPFP policy to unstuck past transactions or consolidate large wallets. >> Best >> > is for CPFP to be done on the wallet side, not the merchant side, but >> there >> > too are the same UX issues as with RBF. >> >> I think if you're ruling out both merchants and users being able to add >> fees to a tx to get it to confirm, then you're going to lose either way. >> Txs will either expire because they've been stuck for more than a week, >> and be vulnerable to replacement at that point anyway, or they'll be >> dropped from mempools because they've filled up and they were the lowest >> fee tx, and be vulnerable to replacement for that reason. In the expiry >> case, the merchant can rebroadcast the original transaction to keep it >> alive, perhaps with a good chance of beating an attacker to the punch, >> but in the full mempool case, you could only do that if you were also >> CPFPing it, which you already ruled out. >> >> Cheers, >> aj >> > > > -- > > Sergej Kotliar > > CEO > > > Twitter: @ziggamon > > > www.bitrefill.com > > Twitter | Blog > | Angellist > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000058e63b05eb77f121 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

There is a reasonable tradeof= f one can make to get eventual settlement assurance prior to confirmation: = lock up the funds with a counterparty in a 2-of-2 multisig with a timelock = back to the owner. As long as the timelock has not expired and the recipien= ts trust the counterparty not to sign double spends, transactions that are = spent from this multisig can be considered instant. In cases where the coun= terparty and the recipient are the same person, this solution=C2=A0is trust= less. Since merchant purchases tend to be low-value, the counterparty risk = (facilitating double spends) seems acceptable. GreenAddress provided such a= service in 2015 or so, but the idea got abandoned.

Pers= onally, I find this solution much more tenable than relying on spurious net= work assumptions about what will be propagated and mined.

Best = regards,
Ruben



On Th= u, Oct 20, 2022 at 2:44 PM Sergej Kotliar via bitcoin-dev <bitcoin-dev@lists.linuxfoundati= on.org> wrote:
On Thu, 20 Oct 2= 022 at 09:22, Anthony Towns <aj@erisian.com.au> wrote:
On Wed, Oct 19, 2022 at 04:29:57PM +0200, Serg= ej Kotliar via bitcoin-dev wrote:
> The
> biggest risk in accep= ting bitcoin payments is in fact not zeroconf risk
> (it's actual= ly quite easily managed),

You mean "it's quite easily manag= ed, provided the transaction doesn't
opt-in to rbf", right? At = least, that's what I understood you saying last
time; ie that if the= tx signals rbf, then you just don't do zeroconf no
matter what othe= r trustworthy signals you might see:

=C2=A0=C2=A0https://twitter.com/ziggamon/status/1435863691816275970
=
(rbf txs seem to have increased from 22% then to 29% now)

Yeah. Our share of RBF is a bit lower than th= at as many RBF transactions are something other than consumer purchases, an= d most consumer purchases can't do RBF
=C2=A0
= > it's FX risk as the merchant must
> commit to a certain BTCU= SD rate ahead of time for a purchase. Over time
> some transactions l= ose money to FX and others earn money - that evens out
> in the end.<= br>
> But if there is an _easily accessible in the wallet_ feature to=
> "cancel transaction" that means it will eventually get s= ystematically
> abused. A risk of X% loss on many payments that's= easy to systematically
> abuse is more scary than a rare risk of los= ing 100% of one occasional
> payment. It's already possible to ex= ecute this form of abuse with opt-in
> RBF,

If someone's g= oing to systematically exploit your store via this
mechanism, it seems l= ike they'd just find a single wallet with a good
UX for opt-in RBF a= nd lowballing fees, and go to town -- not something
where opt-in rbf vs = fullrbf policies make any difference at all?

Sort of. But yes once this starts being abused systemically we= will have to do something else w RBF payments, such as crediting the amoun= t in BTC to a custodial account. But this option isn't available to you= r normal payment processor type business.=C2=A0

Al= so worth keeping in mind that sometimes "opportunity makes the thief&q= uot;. Currently only power-user wallet have that feature and their market s= hare is relatively small, mainly electrum stands out. But if this is availa= ble to all users everywhere then it will start being abused and we'll h= ave to then direct all payments to custodial account, or some other convolu= ted solution.
=C2=A0
It's not like existing wa= llets that don't let you set RBF will suddenly
get a good UX for rep= lacing transactions just because they'd be relayed
if they did, is i= t?

> To successfully fool (non-RBF)
> zeroconf one needs to= have access to mining infrastructure and probability
> of success is= the % of hash rate controlled.

I thought the "normal" ave= nue for fooling non-RBF zeroconf was to create
two conflicting txs in ad= vance, one paying the merchant, one paying
yourself, connect to many pee= rs, relay the one paying the merchant to
the merchant, and the other to = everyone else.

I'm just basing this off Peter Todd's stuff f= rom years ago:

https://np.reddit.com/r/Bitcoin/comments/40ejy8/peter_= todd_with_my_doublespendpy_tool_with/cytlhh0/

https://github.com/petertodd/replace-by-f= ee-tools/blob/master/doublespend.py=C2=A0

Yeah, I know the list still rehashes a single incident from 1= 0 years ago to declare the entire practice as unsafe, and ignores real-worl= d data that of the last million transactions we had zero cases of this succ= essfully abusing us.
=C2=A0
> Currently Lightni= ng is somewhere around 15% of our total bitcoin payments.

So, based = on last year's numbers, presumably that makes your bitcoin
payments = break down as something like:

=C2=A0 =C2=A05% txs are on-chain and s= eem shady and are excluded from zeroconf
=C2=A0 15% txs are lightning=C2=A0 20% txs are on-chain but signal rbf and are excluded from zeroconf<= br>=C2=A0 60% txs are on-chain and seem fine for zeroconf
<= div>
Numbers are right. Shady is too strong a word, it= 's mostly transactions with very low fee, or high purchase amount, or m= any dependent unconfirmed transactions, stuff like that. In some cases we d= o a human assessment of the support ticket and often just pass them through= .=C2=A0
=C2=A0
> This is very much not nothing,= and all of us here want Lightning to grow,
> but I think it warrants= a serious discussion on whether we want Lightning
> adoption to go t= o 100% by means of disabling on-chain commerce.

If the numbers above= were accurate, this would just mean you'd go from 60%
zeroconf/25% = not-zeroconf to 85% not-zeroconf; wouldn't be 0% on-chain.

Point is that RBF transactions are unsafe ev= en when waiting for a confirmation, which Peter Todd trivially proved in th= e reply next to this. The reliable solution is to reject all RBF payments a= nd direct those users to custodial accounts. There are other variants to so= lve this with varying degree of convolutedness. RBF is a strictly worse UX = as proven by anyone accepting bitcoin payments at scale.
=C2=A0
> For me
> personally it would be an easier discus= sion to have when Lightning is at
> 80%+ of all bitcoin transactions.=

Can you extrapolate from the numbers you've seen to estimate wh= en that
might be, given current trends?=C2=A0

<= /div>
Not sure, it might be exponential growth, and the next 60%= of Lightning growth happen faster than the first 15%. Hard to tell. But we= 're likely talking years here..=C2=A0
=C2=A0
<= br>> The benefits of Lightning are many and obvious,
> we don'= t need to limit onchain to make Lightning more appealing.

To be fair= , I think making lightning (and coinjoins) work better is
exactly what i= nspired this -- not as a "make on-chain worse so we look
better in = comparison", but as a "making lightning work well is a bunch
o= f hard problems, here's the next thing we need in order to beat the
= next problem".

In deed. The= fact that the largest non-custodial Lightning wallet started this thread s= hould be an indicator that despite these intentions the solution harms more= than it fixes.
=
Transactions being evicted from mempool is sol= ved by requiring a minimum fee rate, which we do and now seems to have beco= me a=C2=A0standard practice. Theoretically we can imagine them being evicte= d anyway but now we're several theoreticals deep again when discussing = something that will cause massive problems right away. In emergency situati= ons CPFP and similar can of course be done manually in special=C2=A0circums= tances.
=C2=A0
Cheers
Sergej


On Thu, 20 Oct 2022 at 09:22, Anthony T= owns <aj@erisian.= com.au> wrote:
On Wed, Oct 19, 2022 at 04:29:57PM +0200, Sergej Kotliar via bitcoin-= dev wrote:
> The
> biggest risk in accepting bitcoin payments is in fact not zeroconf ris= k
> (it's actually quite easily managed),

You mean "it's quite easily managed, provided the transaction does= n't
opt-in to rbf", right? At least, that's what I understood you sayi= ng last
time; ie that if the tx signals rbf, then you just don't do zeroconf no=
matter what other trustworthy signals you might see:

=C2=A0 https://twitter.com/ziggamon/status/14= 35863691816275970

(rbf txs seem to have increased from 22% then to 29% now)

> it's FX risk as the merchant must
> commit to a certain BTCUSD rate ahead of time for a purchase. Over tim= e
> some transactions lose money to FX and others earn money - that evens = out
> in the end.

> But if there is an _easily accessible in the wallet_ feature to
> "cancel transaction" that means it will eventually get syste= matically
> abused. A risk of X% loss on many payments that's easy to systemat= ically
> abuse is more scary than a rare risk of losing 100% of one occasional<= br> > payment. It's already possible to execute this form of abuse with = opt-in
> RBF,

If someone's going to systematically exploit your store via this
mechanism, it seems like they'd just find a single wallet with a good UX for opt-in RBF and lowballing fees, and go to town -- not something
where opt-in rbf vs fullrbf policies make any difference at all?

It's not like existing wallets that don't let you set RBF will sudd= enly
get a good UX for replacing transactions just because they'd be relayed=
if they did, is it?

> To successfully fool (non-RBF)
> zeroconf one needs to have access to mining infrastructure and probabi= lity
> of success is the % of hash rate controlled.

I thought the "normal" avenue for fooling non-RBF zeroconf was to= create
two conflicting txs in advance, one paying the merchant, one paying
yourself, connect to many peers, relay the one paying the merchant to
the merchant, and the other to everyone else.

I'm just basing this off Peter Todd's stuff from years ago:

h= ttps://np.reddit.com/r/Bitcoin/comments/40ejy8/peter_todd_with_my_doublespe= ndpy_tool_with/cytlhh0/

https://github.com/peter= todd/replace-by-fee-tools/blob/master/doublespend.py

> Currently Lightning is somewhere around 15% of our total bitcoin payme= nts.

So, based on last year's numbers, presumably that makes your bitcoin payments break down as something like:

=C2=A0 =C2=A05% txs are on-chain and seem shady and are excluded from zeroc= onf
=C2=A0 15% txs are lightning
=C2=A0 20% txs are on-chain but signal rbf and are excluded from zeroconf =C2=A0 60% txs are on-chain and seem fine for zeroconf

> This is very much not nothing, and all of us here want Lightning to gr= ow,
> but I think it warrants a serious discussion on whether we want Lightn= ing
> adoption to go to 100% by means of disabling on-chain commerce.

If the numbers above were accurate, this would just mean you'd go from = 60%
zeroconf/25% not-zeroconf to 85% not-zeroconf; wouldn't be 0% on-chain.=

> For me
> personally it would be an easier discussion to have when Lightning is = at
> 80%+ of all bitcoin transactions.

Can you extrapolate from the numbers you've seen to estimate when that<= br> might be, given current trends? Or perhaps when fine-for-zeroconf txs
drop to 20%, since opt-in-RBF txs and considered-unsafe txs would still
work the same in a fullrbf world.

> The benefits of Lightning are many and obvious,
> we don't need to limit onchain to make Lightning more appealing. <= br>
To be fair, I think making lightning (and coinjoins) work better is
exactly what inspired this -- not as a "make on-chain worse so we look=
better in comparison", but as a "making lightning work well is a = bunch
of hard problems, here's the next thing we need in order to beat the next problem".

> Sidenote: On the efficacy of RBF to "unstuck" stuck transact= ions
> After interacting with users during high-fee periods I've come to = not
> appreciate RBF as a solution to that issue. Most users (80% or so) sim= ply
> don't have access to that functionality, because their wallet does= n't
> support it, or they use a custodial (exchange) wallet etc. Of those th= at
> have the feature - only the power users understand how RBF works, and<= br> > explaining how to do RBF to a non-power-user is just too complex, for = the
> same reason why it's complex for wallets to make sensible non-powe= r-user UI
> around it. Current equilibrium is that mostly only power users have ac= cess
> to RBF and they know how to handle it, so things are somewhat working.= But
> rolling this out to the broad market is something else and would likel= y
> cause more confusion.
> CPFP is somewhat more viable but also not perfect as it would require = lots
> of edge case code to handle abuse vectors: What if users abuse a gener= ous
> CPFP policy to unstuck past transactions or consolidate large wallets.= Best
> is for CPFP to be done on the wallet side, not the merchant side, but = there
> too are the same UX issues as with RBF.

I think if you're ruling out both merchants and users being able to add=
fees to a tx to get it to confirm, then you're going to lose either way= .
Txs will either expire because they've been stuck for more than a week,=
and be vulnerable to replacement at that point anyway, or they'll be dropped from mempools because they've filled up and they were the lowes= t
fee tx, and be vulnerable to replacement for that reason. In the expiry
case, the merchant can rebroadcast the original transaction to keep it
alive, perhaps with a good chance of beating an attacker to the punch,
but in the full mempool case, you could only do that if you were also
CPFPing it, which you already ruled out.

Cheers,
aj


--
--00000000000058e63b05eb77f121--