Date: Fri, 2 Aug 2024 07:54:28 +0000
From: Peter Todd
To: bitcoindev@googlegroups.com
Subject: [bitcoindev] Keyless Anchors Are Vulnerable To Replacement Cycling Attacks

This feels like someone should have published it before. But I can't find an obvious citation (eg in any of the documentation around keyless ephemeral anchors), so I'll publish one here. Maybe I'm the first to point this out explicitly? Probably not; I'd appreciate an earlier citation if one exists.

tl;dr: _Anyone_ can do a replacement cycling attack on transactions where fees are paid via CPFP via keyless anchors and similar outputs that a third-party can double-spend. Secondly, for attackers who were already planning on making a transaction with a higher total fee and total fee-rate than the target, this attack is almost free.

# The Attack

Suppose that Alice has created a 2 transaction package consisting of low-fee or zero-fee transaction A, whose fees are CPFP paid via a keyless ephemeral anchor spent by transaction B. For B to pay fees, obviously it must spend a second transaction output.

Mallory can cycle A and B out of mempools by broadcasting transaction B2, spending his own output and the keyless ephemeral anchor of A, at a higher fee/fee-rate than B. Next, Mallory broadcasts B3, double-spending B2 by spending Mallory's input but not the ephemeral anchor of A. Assuming Mallory needed to mine B3 anyway, the only cost to this attack is the small chance that B2 will in fact be mined between the time that B2 is replaced by B3.

At this point A is no longer economical to mine as B has been cycled out, and A may be dropped from mempools depending on the circumstances.

## SIGHASH_ANYONECANPAY

Obviously, a similar attack is possible against SIGHASH_ANYONECANPAY-using transactions, provided that _all_ signatures sign with SIGHASH_ANYONECANPAY.

# Countermeasures

As with other replacement cycling attacks, rebroadcasting A and B fixes the issue.

I think the existence of this additional type of replacement cycling attack suggests that adding an optional rebroadcasting module to Bitcoin Core that would keep track of dropped transactions and re-add them to mempools when they are again valid would make sense. This fixes all replacement cycling attacks and there's probably lots of nodes who have the memory and/or disk space to keep track of dropped transactions like this.

Preventing the replacement of B2 with B3 is _not_ a viable countermeasure: if that replacement was prohibited, attackers could in turn exploit that rule as a new form of transaction pinning!

# Privacy

The fact that rebroadcasting is a countermeasure is a privacy concern. Each time a transaction is rebroadcast by the sender is a potential opportunity to track the origin of a transaction. Again, having third parties rebroadcasting transactions altruistically would mitigate this privacy concern.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
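
The cycle described in the message above, and the rebroadcasting countermeasure it proposes, as a toy mempool model. This is an added example, not part of the original message and not Bitcoin Core code; the `Tx`, `Mempool` and `Rebroadcaster` classes, the outpoint names, the fee values and the replacement rule (a replacement must pay a higher absolute fee than every conflict) are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset                 # outpoints spent
    fee: int                          # toy rule compares absolute fee only
    parents: frozenset = frozenset()  # unconfirmed txids this tx depends on

class Mempool:
    def __init__(self):
        self.txs = {}

    def conflicts(self, tx):
        return [t for t in self.txs.values() if t.inputs & tx.inputs]

    def accept(self, tx):
        """Return the list of evicted txs, or None if tx is rejected."""
        if tx.txid in self.txs or not tx.parents.issubset(self.txs):
            return None
        evicted = self.conflicts(tx)
        if any(tx.fee <= c.fee for c in evicted):
            return None               # must outbid every conflict
        for c in evicted:             # descendant eviction omitted in this model
            del self.txs[c.txid]
        self.txs[tx.txid] = tx
        return evicted

class Rebroadcaster:
    """Remembers evicted txs and re-adds them once nothing conflicts."""
    def __init__(self, mempool):
        self.mempool, self.dropped = mempool, {}

    def submit(self, tx):
        evicted = self.mempool.accept(tx)
        for e in evicted or []:
            self.dropped[e.txid] = e
        for d in list(self.dropped.values()):
            if not self.mempool.conflicts(d) and self.mempool.accept(d) is not None:
                del self.dropped[d.txid]
        return evicted is not None

def run(rebroadcast):
    """Replay A, B, B2, B3 (constructed sample data) and return final txids."""
    pool, fs = Mempool(), frozenset
    submit = Rebroadcaster(pool).submit if rebroadcast else pool.accept
    for tx in [Tx("A", fs({"alice:0"}), 0),
               Tx("B", fs({"A:anchor", "alice:1"}), 1000, fs({"A"})),
               Tx("B2", fs({"A:anchor", "mallory:0"}), 2000, fs({"A"})),
               Tx("B3", fs({"mallory:0"}), 3000)]:
        submit(tx)
    return sorted(pool.txs)
```

Without the rebroadcaster the final mempool holds A with no fee-paying child; with it, B returns as soon as B3 frees the anchor outpoint, while B2 stays out because it still conflicts with B3.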