summaryrefslogtreecommitdiff
path: root/15/83577481229853ede88ea357b26c918a489bd2
blob: 46a42bafe26201bbcdbb1b03c322dcb0192f5480 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
Return-Path: <alicexbt@protonmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id BDF48C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 09:19:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id 98057416D3
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 09:19:53 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 98057416D3
Authentication-Results: smtp4.osuosl.org;
 dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
 header.a=rsa-sha256 header.s=protonmail3 header.b=MXC786xT
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level: 
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id i8wozUhIyEAe
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 09:19:52 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 9FBFB416D1
Received: from mail-4319.protonmail.ch (mail-4319.protonmail.ch [185.70.43.19])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 9FBFB416D1
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 09:19:51 +0000 (UTC)
Date: Tue, 10 Jan 2023 09:19:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1673342389; x=1673601589;
 bh=2pFzzAutVocXEnwNcmAnX5kD2wBfiFwH0hx+Qmecq+o=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=MXC786xTOp4A6zE9ZmfFbp0952TiKOAzdNzIAGZTPP0zFzB+7JY4VH9dEz9j24cN9
 yr6Ypnk2EqlqHeo65GCv+eVUyfVJ+4r7welDfpX526j4Fsy6/Udw5ZiBauEZvZFEmK
 fGGrfecNG6JEvbNwB/RAp+aTtp7Du8il9Na5pakBPfpPkJzd6QrOWq+1xaMKbxVZ/B
 JaYv+mZQu56kI/3i8y1JkzqsmRA/ds6NAkyXdRh1+9cFqv7cpW3w+sd5FhTHixl5Ul
 /TOoHBv03tjYQ5/4BysF8CDtyHAk5eqDtcVJowou+2fg1Wq/RoLSts/oL1tEARFW8Z
 YMOtqCiIGMELg==
To: Peter Todd <pete@petertodd.org>
From: alicexbt <alicexbt@protonmail.com>
Message-ID: <OwgJwjPrZWRtBaIDDZ8g-xbFPlryUXUopqUuKYVUNE-mVHzCWHFXl77YzDlItEjHTHcGjpzIC5alGsnFEsOtSgHLm9We92gcWrLTahzPGFk=@protonmail.com>
In-Reply-To: <Y7ySzDjzx5eDjOH9@petertodd.org>
References: <Y7ySzDjzx5eDjOH9@petertodd.org>
Feedback-ID: 40602938:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Thu, 12 Jan 2023 09:59:50 +0000
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Why Full-RBF Makes DoS Attacks on Multiparty
	Protocols Significantly More Expensive
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2023 09:19:53 -0000

Hi Peter,

> ## How Full-RBF Mitigates the Double-Spend DoS Attack
>=20
> Modulo tx-pinning, full-rbf mitigates the double-spend DoS attack in a ve=
ry
> straightforward way: the low fee transaction is replaced by the higher fe=
e
> transaction, resulting in the latter getting mined in a reasonable amount=
 of
> time and the protocol making forward progress.

Asking this question based on a [discussion on twitter][0]. How would you g=
et extra sats to increase the fees? It seems this would be possible with Jo=
inmarket, Wasabi and even joinstr although things would get worse for Whirl=
pool. Whirlpool coinjoin transactions do not signal BIP 125 RBF so they wer=
e not replaceable earlier, however attacker would be able to perform DoS at=
tacks now by double spending their inputs used in coinjoin.

[0]: https://twitter.com/dammkewl/status/1599692908860706818

/dev/fd0
floppy disc guy

Sent with Proton Mail secure email.

------- Original Message -------
On Tuesday, January 10th, 2023 at 3:48 AM, Peter Todd via bitcoin-dev <bitc=
oin-dev@lists.linuxfoundation.org> wrote:


> I was reminded recently that while Suhas Daftuar cited tx-pinning as a re=
ason
> to remove full-rbf, he neglected to mention that tx-pinning greatly incre=
ases
> the cost of attacks on multi-party protocols. Him (rhetorically?) asking(=
4):
>=20
> "Does fullrbf offer any benefits other than breaking zeroconf business
> practices?"
>=20
> ...has caused a lot of confusion by implying that there were no benefits.=
 So
> I'm writing this to set the record straight and provide an easily cited
> explanation as to why full-rbf - even with tx-pinning - is a valuable
> improvement for multi-party protocols like coinjoins that rely on transac=
tions
> containing multiple inputs exclusively controlled(1) by different parties=
.
>=20
> tl;dr: without full-rbf people can intentionally and unintentionally DoS =
attack
> multi-party protocols by double-spending their inputs with low-fee txs, h=
olding
> up progress until that low-fee tx gets mined. This could take days, weeks=
, or
> even worse. Modulo intentional tx-pinning, full-RBF fixes this by ensurin=
g that
> a higher fee transaction gets mined in a reasonable amount of time so the
> protocol makes forward progress. And as for tx-pinning, exploiting it is =
very
> expensive, so full-rbf still makes the situation much better than the sta=
tus
> quo.
>=20
>=20
> # The Double-Spend DoS Attack on Multi-Party, Multi-Input, Transactions
>=20
> If a protocol constructs transactions containing multiple inputs exclusiv=
ely
> controlled by different parties, those parties can intentionally and
> unintentionally double-spend those inputs in alternate transactions. For
> example, in a Wasabi coinjoin any one of the hundreds of participants cou=
ld
> sign and broadcast a transaction spending their input. If they do that at=
 the
> right time, as much as ~100% of the hashing power may see the double-spen=
d
> first, prior to the intended coinjoin transaction. This in fact does happ=
en
> regularly in production to Wasabi coinjoins, probably due to people
> accidentally running different wallets at the same time using the same se=
ed, as
> well as people importing their seeds into alternative wallets.
>=20
> By itself this isn't a significant problem: Wasabi coinjoins are a two ph=
ase
> protocol, and, like any multi-step, multi-party protocol, they have to de=
al
> with the fact that participants in the protocol may fail to complete all =
the
> steps necessary for a transaction to be completed. It's very common for o=
ne or
> more parties in a Wasabi coinjoin to fail to complete both steps of the
> protocol, and a majority of Wasabi coinjoin rounds fail. Wasabi deals wit=
h this
> economically by (temporarily or ~permanently) blacklisting UTXOs that fai=
led to
> complete a round, making DoS attacks expensive by forcing the attacker to=
 tie
> up funds/create new UTXOs.
>=20
> Similarly, in use-cases such as multi-party-funded Lightning channels(5),=
 an
> attacker can always DoS attack the protocol by participating in a channel=
 open,
> and then failing to allow payments to be routed through it. The solution =
is
> again to use economics to ensure the attack is sufficiently costly.
>=20
> However, under the right circumstances double-spends are an unusually pow=
erful
> DoS attack on multi-party, multi-input, transaction. When mempool demand =
is
> high, low fee transactions can take arbitrarily long to get mined. Bitcoi=
n has
> seen periods of mempool demand where low-fee transactions would take mont=
hs
> to get mined. Transaction expiry does not solve this problem, as anyone c=
an
> rebroadcast transactions at any time. In these circumstances without
> transaction replacement a multi-party transaction such as a Wasabi coinjo=
in
> could be held up indefinitely by a low-fee double-spend.
>=20
>=20
> ## How Full-RBF Mitigates the Double-Spend DoS Attack
>=20
> Modulo tx-pinning, full-rbf mitigates the double-spend DoS attack in a ve=
ry
> straightforward way: the low fee transaction is replaced by the higher fe=
e
> transaction, resulting in the latter getting mined in a reasonable amount=
 of
> time and the protocol making forward progress.
>=20
> Note that the converse is not a useful attack: if the attacker broadcasts=
 a
> high-fee double spend, higher than the intended multi-party transaction, =
the
> transaction will get mined in a reasonable amount of time, costing the at=
tacker
> money and the defender nothing beyond wasted time. Multi-party protocols =
always
> have the property that attackers can spend money to DoS attack by creatin=
g more
> UTXOs/identities/etc, so this isn't any worse than the status quo!
>=20
>=20
> ## Transaction Pinning
>=20
> So what about transaction pinning? The term actually refers to a few diff=
erent
> techniques that can make it difficult/expensive to fee-bump a transaction=
.
> We're interested in the techniques relevant to replacements, namely
> exploitation of:
>=20
> 1. BIP-125 RBF Rule #3: a replacement transaction is required to pay
> the higher absolute fee (not just fee rate) than the sum of fees paid by =
all
> transactions being replaced.
>=20
> 2. BIP-125 RBF Rule #5: the number of transactions replaced at one time m=
ust
> not exceed 100. Note that this rule only exists due to limitations of the
> existing Bitcoin Core implementation; it has absolute no economic rationa=
l and
> should be removed by either improving the implementation's scalability is=
sues,
> or rejecting transactions that could make a transaction unreplaceable(2).
>=20
> Exploiting either rule is expensive. To exploit rule #3 the attacker has =
to
> broadcast fee-paying transactions paying a total amount of fees higher th=
an the
> defender is willing to pay. Since transactions don't expire, in almost al=
l
> circumstances those transactions will eventually be mined, costing the at=
tacker
> much more money than they would have spent without full-rbf.
>=20
> To exploit rule #5, the attacker has to broadcast 100x more fee-paying
> transactions than they otherwise would have. As with rule #3, those
> transactions will almost always eventually be mined, costing the attacker
> significantly more money than they would have spent without full-rbf. And=
, as
> mentioned above(2), rule #5 is merely an artifact of the existing
> implementation which can and should be fixed.
>=20
> The only avenue for an attacker to avoid transaction pinning costs is
> amortisation: reusing the extra transactions required for pinning for oth=
er
> attacks/other purposes. But of course, amortisation is already a potent c=
ost
> reduction strategy for attacks on multi-party protocols such as coinjoin,=
 so
> the existence of transaction pinning doesn't appreciably change the situa=
tion.
> Again, there are mitigations such as requiring participants to post nLock=
Time'd
> fee-paying transactions(3), and limiting attacks to parties who are heavi=
ly
> invested in Bitcoin for other reasons is a valuable improvement on the st=
atus
> quo.
>=20
>=20
> # Conclusion
>=20
> Far from not "offering any benefits other than breaking zeroconf business
> practices"(4), full-rbf clearly improves Bitcoin for multi-party protocol=
s,
> among the many other reasons to adopt it.
>=20
>=20
> # Footnotes
>=20
> 1. What do I mean by "exclusively controlled"? Let's compare coinjoin, to=
 an
> ordinary single-payer Lightning channel. In a coinjoin, the goal is to ge=
t a
> transaction mined containing multiple inputs from different parties. Each=
 of
> these inputs is individually, exclusively controlled by a single party:
> without the cooperation of any other party that input that be spend. This=
 is
> unlike an ordinary single-payer Lightning channel: while the commitment
> transactions are multi-party transactions, the multisig transaction outpu=
ts
> involved are jointly controlled by both parties, and thus neither party c=
an
> spend it without the cooperation of the other at some point.
>=20
> 2. [bitcoin-dev] Removing BIP-125 Rule #5 Pinning with the Always-Replace=
able
> Invariant, https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-N=
ovember/021175.html
>=20
> 3. [bitcoin-dev] Using Full-RBF to fix BIP-125 Rule #3 Pinning with nLock=
Time,
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-November/021=
176.html
>=20
> 4. https://github.com/bitcoin/bitcoin/pull/26438
>=20
> 5. There are even more exotic proposed Lightning-related protocols where =
a failure
> of transaction replacement can cause the loss of funds. I'm not covering
> those scenarios because they have such strong requirements - beyond what
> full-rbf offers - that the technical community does not have consensus th=
at
> these proposed protocols are even viable.
>=20
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev