1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
|
Return-Path: <antoine.riard@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 91DFBC0001
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 12 May 2021 13:12:05 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id 6B1E883D5E
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 12 May 2021 13:12:05 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.602
X-Spam-Level:
X-Spam-Status: No, score=0.602 tagged_above=-999 required=5
tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id scgYE3EfFwii
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 12 May 2021 13:12:03 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com
[IPv6:2a00:1450:4864:20::330])
by smtp1.osuosl.org (Postfix) with ESMTPS id 46D0983D56
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 12 May 2021 13:12:03 +0000 (UTC)
Received: by mail-wm1-x330.google.com with SMTP id
j3-20020a05600c4843b02901484662c4ebso3006711wmo.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 12 May 2021 06:12:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=pKuo17M3eD63ul/wk3oQQDap6pASVlD2+Vr7iMqooAw=;
b=pJs1t+Y1TtgvhuUBP9TpEwajmbQqLdfxIVVFxxlNALSQDOiKiBsa/jgJnsz8UzSe/h
y+uVHePhQwZxKz9tzV4T+08a9TPT2zmrDUNkN4nu8aWJTOy52UAtnxjmJlXSSE2GFp1d
O2+6d1bxhy12pkV4m1p0KFWY4eVxkJR4+/tqfAX5jyfOL7xNQWgzm7XlD7TPCuUzDteK
H+EzuJl5p7U5ETd/JganiZalPmGQUCfbiVQsIjPkHOoa7ohBCAkrJUN5mDrNzCC+d6En
qUmB9JXxvpQxFqLTMtU8mAtJKlA+9yuw/8ux5p91diABwXBt9ogiQzmsiTtpYUXt9HSZ
QOqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=pKuo17M3eD63ul/wk3oQQDap6pASVlD2+Vr7iMqooAw=;
b=XeaKDFbUtHV27rLWmWHkmMmk40T/Q9Xbz0znOdf/SXfksM2aKYlHTujiNGME7jI0oK
sSx/op5/t/dH2CzKG06rLjUr8uvtwNDAHiI1fYXUvonu3hwwIBXxmzD5rVxEH5PwRJ0i
6UV28jEAVVWq+ubEN05dyyleaz+xImiYlBOsmjIMjCdvE77Hc8rCSrYwgfPJpFqYdBmt
2dO0tYV/KgL8eH7WehISnMWEF807StXarbWIHYKpmqOM2YaaFUWc+Od6yJiSH7XQjPOj
qM1TcaQxe5Q9xKTwzpx61CsgwGXq5mqjHDsFDDsMQkZsovvnTjZor0+7JgW41cdbPUaM
z9eQ==
X-Gm-Message-State: AOAM530vfvGd3SfOhjPxTv2ZouHx8hpgWjs3fQzaK0AYvrFVSSlPRXYB
MLCdbphhh+ki2mSxT7epVtQtvYI/wv8cKFQMTLo=
X-Google-Smtp-Source: ABdhPJyiMfiH3vI5Jnql1HJ5nmCSCE6D6M/fL/yzzevhcTyT4+o/GR1rixlj4uKFnMRAtP7raCR4xPUb1vCwxzWtxuc=
X-Received: by 2002:a7b:c196:: with SMTP id y22mr39017181wmi.1.1620825121505;
Wed, 12 May 2021 06:12:01 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+GK4WNBmKim3w9LAd1b69+uAyAsNu5tVniHzN6Ue4KJCw@mail.gmail.com>
<MT4soB8ro1-wKY5ht6hqY0c2OutPMDgdLrSny8I9-KPn75p6CdatFkwDZCPNI98yYXOqMeKLu9Z1EBwMXXWZQmCE6Nv70gPo6Mv8FjsGnxc=@protonmail.com>
<CAPv7Tjb5+B5MMrf5QZySbqgoQL2+rTpcHDh5E8pBdcRgc5ZNUw@mail.gmail.com>
In-Reply-To: <CAPv7Tjb5+B5MMrf5QZySbqgoQL2+rTpcHDh5E8pBdcRgc5ZNUw@mail.gmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Wed, 12 May 2021 09:11:50 -0400
Message-ID: <CALZpt+GxNF_PPN2-fSWXT3RNHTdOb1emwuXvK+iw23+XsCBaxA@mail.gmail.com>
To: Ruben Somsen <rsomsen@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000009c43d905c221c1ae"
X-Mailman-Approved-At: Wed, 12 May 2021 13:30:25 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Full Disclosure: CVE-2021-31876 Defect in Bitcoin
Core's bip125 logic
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2021 13:12:05 -0000
--0000000000009c43d905c221c1ae
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Ruben,
Thanks for raising awareness about spacechains/BMM, I didn't have knowledge
it was relying on a fee-based English auction to mine side-blocks. IIUC,
it's another type of dynamic membership
multi-party signature where parties are block-signing with a fee proposal
instead of a PoW ? Though you still assume mainchain miners aren't
colluding and blindly applying the RBF policy
Effectively, if you can block RBF by opting-out, parties are not competing
anymore on feerate but on gaining propagation advantage in the tx-relay
topology. And such advantage is quite easy to
gain with a modified client, mass-connecting and not enforcing inventory
broadcast interval timers.
> As it stands, this bug gets in the way of being able to deploy
spacechains.
Noted, yet another good-point to transition towards full-rbf!
Cheers,
Antoine
Le mar. 11 mai 2021 =C3=A0 17:16, Ruben Somsen <rsomsen@gmail.com> a =C3=A9=
crit :
> Hi Antoine,
>
> Thanks for bringing this up.
>
> It seems spacechains[0] are impacted by this. Simply explained, the idea
> is to allow for fee-bidding Blind Merged Mining[1] by creating one
> transaction for each block, to which anyone can attach a block hash. The
> preferred mechanism utilizes sighash_anyprevout and is not affected, but
> there is also a practical variant that could be used without requiring th=
e
> anyprevout soft fork, which unfortunately does seem to be impacted. Here'=
s
> a brief description:
>
> TX0:
>
> input 0
>
> output 1a*
> output 1b
>
> TX1:
>
> input 1a*
>
> output 2a**
> output 2b
>
> TX2:
>
> input 2a**
>
> output 3a***
> output 3b
>
> Etc.
>
> Every TX has two outputs, one of which ("a") is used as the input for the
> next TX (these are pre-signed and act as a covenant), resulting in a
> continuous chain of transactions. The other output ("b") can be spent by
> anyone, and is meant to CPFP the parent TX and, importantly, be RBF
> replaceable by anyone. This allows whoever pays the highest CPFP fee to
> "win the RBF auction" and attach their TX to the output, containing the
> winning spacechain block hash.
>
> With inherited signalling, this works because each pre-signed TX is RBF
> enabled, so each CPFP transaction inherits RBF as well. But if inherited
> signalling does not function, the first person who makes a CPFP transacti=
on
> can simply disable RBF and win the auction, thus breaking the intended
> fee-bidding mechanism.
>
> You can also find a diagram in this spacechains presentation (timestamped
> link): https://youtu.be/N2ow4Q34Jeg?t=3D2555
>
> As it stands, this bug gets in the way of being able to deploy spacechain=
s.
>
> -- Ruben Somsen
>
>
>
> [0]
> https://medium.com/@RubenSomsen/21-million-bitcoins-to-rule-all-sidechain=
s-the-perpetual-one-way-peg-96cb2f8ac302
>
> [1] https://gist.github.com/RubenSomsen/5e4be6d18e5fa526b17d8b34906b16a5
>
>
>
>
> On Sun, May 9, 2021 at 10:41 AM darosior via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi Antoine,
>>
>>
>> Thank you for the disclosure.
>>
>>
>>
>> > * Onchain DLC/Coinswap/Vault : Those contract protocols have also
>> multiple stages of execution with time-sensitive transactions opening th=
e
>> way to pinning attacks. Those protocols being non-deployed or in early
>> phase, I would recommend that any in-protocol competing transactions
>> explicitly signal RBF.
>>
>>
>> For what it's worth, Revault isn't vulnerable as all transactions signal
>> RBF and there is no way to sneak a non-signaling competing transaction (=
as
>> long as the CSV isn't matured yet).
>>
>>
>>
>> Thanks,
>>
>> Antoine (the other one)_______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
--0000000000009c43d905c221c1ae
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Ruben,<br><br>Thanks for raising awareness about spacec=
hains/BMM, I didn't have knowledge it was relying on a fee-based Englis=
h auction to mine side-blocks. IIUC, it's another type of dynamic membe=
rship<br>multi-party signature where parties are block-signing with a fee p=
roposal instead of a PoW ? Though you still assume mainchain miners aren=
9;t colluding and blindly applying the RBF policy<br><br>Effectively, if yo=
u can block RBF by opting-out, parties are not competing anymore on feerate=
but on gaining propagation advantage in the tx-relay topology. And such ad=
vantage is quite easy to<br>gain with a modified client, mass-connecting an=
d not enforcing inventory broadcast interval timers.<br><br>> As it stan=
ds, this bug gets in the way of being able to deploy spacechains.<br><br>No=
ted, yet another good-point to transition towards full-rbf!<br><br>Cheers,<=
br>Antoine<br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=
=3D"gmail_attr">Le=C2=A0mar. 11 mai 2021 =C3=A0=C2=A017:16, Ruben Somsen &l=
t;<a href=3D"mailto:rsomsen@gmail.com">rsomsen@gmail.com</a>> a =C3=A9cr=
it=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div d=
ir=3D"ltr">Hi Antoine,<div><br></div><div>Thanks for bringing this up.</div=
><div><br></div><div>It seems spacechains[0]=C2=A0are impacted by this. Sim=
ply explained, the idea is to allow for fee-bidding Blind Merged Mining[1] =
by creating one transaction for each block, to which anyone can attach a bl=
ock hash. The preferred mechanism utilizes sighash_anyprevout and is not af=
fected, but there is also a practical variant that could be used without re=
quiring the anyprevout soft fork, which unfortunately does seem to be impac=
ted. Here's a brief description:</div><div><br></div><div>TX0:</div><di=
v><br></div><div>input 0</div><div><br></div><div>output 1a*</div><div>outp=
ut 1b</div><div><br></div><div>TX1:</div><div><br></div><div>input 1a*</div=
><div><br></div><div>output 2a**</div><div>output 2b</div><div><br></div><d=
iv><div>TX2:</div><div><br></div><div>input 2a**</div><div><br></div><div>o=
utput 3a***</div><div>output 3b</div></div><div><br></div><div>Etc.</div><d=
iv><br></div><div>Every TX has two outputs, one of which ("a") is=
used as the input for the next TX (these are pre-signed and act as a coven=
ant), resulting in a continuous chain of transactions. The other output (&q=
uot;b") can be spent by anyone, and is meant to CPFP the parent TX and=
, importantly, be RBF replaceable by anyone. This allows whoever pays the h=
ighest CPFP fee to "win the RBF auction" and attach their TX to t=
he output, containing the winning spacechain block hash.</div><div><br></di=
v><div>With inherited signalling, this works because each pre-signed TX is =
RBF enabled, so each CPFP transaction inherits RBF as well. But if inherite=
d signalling does not function, the first person who makes a CPFP transacti=
on can simply disable RBF and win the auction, thus breaking the intended f=
ee-bidding mechanism.</div><div><br></div><div>You can also find a diagram =
in this spacechains presentation (timestamped link):=C2=A0<a href=3D"https:=
//youtu.be/N2ow4Q34Jeg?t=3D2555" target=3D"_blank">https://youtu.be/N2ow4Q3=
4Jeg?t=3D2555</a></div><div><br></div><div>As it stands, this bug gets in t=
he way of being able to deploy spacechains.</div><div><br></div><div>-- Rub=
en Somsen</div><div><br></div><div><br></div><div><br></div><div>[0]=C2=A0<=
a href=3D"https://medium.com/@RubenSomsen/21-million-bitcoins-to-rule-all-s=
idechains-the-perpetual-one-way-peg-96cb2f8ac302" target=3D"_blank">https:/=
/medium.com/@RubenSomsen/21-million-bitcoins-to-rule-all-sidechains-the-per=
petual-one-way-peg-96cb2f8ac302</a></div><div><br></div><div>[1]=C2=A0<a hr=
ef=3D"https://gist.github.com/RubenSomsen/5e4be6d18e5fa526b17d8b34906b16a5"=
target=3D"_blank">https://gist.github.com/RubenSomsen/5e4be6d18e5fa526b17d=
8b34906b16a5</a></div><div><br></div><div><br></div><div><br></div></div><b=
r><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sun, =
May 9, 2021 at 10:41 AM darosior via bitcoin-dev <<a href=3D"mailto:bitc=
oin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linu=
xfoundation.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pad=
ding-left:1ex">Hi Antoine,<div><br></div><div><br></div>Thank you for the d=
isclosure.<div><br></div><div><br></div><div><br></div>> * Onchain DLC/C=
oinswap/Vault : Those contract protocols have also multiple stages of execu=
tion with time-sensitive transactions opening the way to pinning attacks. T=
hose protocols being non-deployed or in early phase, I would recommend that=
any in-protocol competing transactions explicitly signal RBF.<div><br></di=
v><div><br></div>For what it's worth, Revault isn't vulnerable as a=
ll transactions signal RBF and there is no way to sneak a non-signaling com=
peting transaction (as long as the CSV isn't matured yet).<div><br></di=
v><div><br></div><div><br></div>Thanks,<div><br></div>Antoine (the other on=
e)_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</blockquote></div>
--0000000000009c43d905c221c1ae--
|