1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
|
Delivery-date: Fri, 19 Jul 2024 23:51:18 -0700
Received: from mail-yb1-f186.google.com ([209.85.219.186])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBCU2P6FJ3EBBBXF45W2AMGQE7QUXVUA@googlegroups.com>)
id 1sV3w4-0003K1-BY
for bitcoindev@gnusha.org; Fri, 19 Jul 2024 23:51:17 -0700
Received: by mail-yb1-f186.google.com with SMTP id 3f1490d57ef6-e05ec8921fdsf5666942276.1
for <bitcoindev@gnusha.org>; Fri, 19 Jul 2024 23:51:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1721458270; x=1722063070; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=GHeXiCoNlUk1MQPiD1hrAQQuJLbxdW2U08DxW6VGoHs=;
b=Jb1y3hdiozUElGzm0JVyEDIH2J3DRwfWrBMC0NM2T1ILIIHYNFAor898u2/ETLHn8I
M9qQd69AXdiKBo8NLWGC2y28eLHTFrf1aQM00MH6dt3Edgw7UDABjPIS7tZqYGs35txw
9vVGc7vg7R/Jwf7oU1ua4pR8WPaLtj+IlTk16W2We2Dv1lC31I+S0r+9knB4Ab7F253L
w7OJWoebV2/N1z2Nau5QNe5SG3bnzyaxQyMj98L+Vto7YQhxTLV2vdNzUs1/vEiATmib
9KrEbXL3FuMgw1mkm1TgNfw91s5eGNQ4c1scLk9cMJRtWF/preFAqk/qfOPgWWU+TIIT
WgZA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1721458270; x=1722063070; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:from:to:cc
:subject:date:message-id:reply-to;
bh=GHeXiCoNlUk1MQPiD1hrAQQuJLbxdW2U08DxW6VGoHs=;
b=Fl4q9mJdCKdEamsfxsZAu7Yiqj/NZmQb5JePuRbWBNWZPj9Oi6Y5l5n5I+1uBuWJBN
lyllgn8VmE2iITnRWsDAGOgXNkTvm2Ij8A5+fNYyeU+DLRszmRPKwpbj6CruxCu1qU+A
ozhYN5a+KG3raPQxEFSvXQqF1+w/qRamv3VRKS48lLINjIrzyHZafv99fnc+Av8UV8sR
6D61hvaHlTPB7275SrJgD0JrFHYaeuzATA2fUEWX2tyAHq3N3BRCnU+DHIWcpNj0E1C9
0C89zodmWSIVO9P95FSGPa55/C2svKEO+LaoM9isAjK5hLX9UCkoYXWI3NpHJ5b+vLNZ
azvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1721458270; x=1722063070;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=GHeXiCoNlUk1MQPiD1hrAQQuJLbxdW2U08DxW6VGoHs=;
b=Y112cTBVRE8gpyStaHikgRFfYsWoahi5nA+tcl11RawGaz3Ww7A58PJA+p9w63hc9Z
e5S+kcLpNV+W3N9k6F1X7rqisQAu4WsJwyfQ5Faf7avhfQ90ptDvGrh8fH2bl+aToAku
+SRRc2wBH7CqPQi8RQMWetVW9sYQXgeUBGeNs3YW/aumf8V6a2MocE0gwNZj0vQlXXiz
c0aQC+fNWoA6BKqtwdpjy+GhjnmcLGnxNUg/s3mPlyuLgGzaQPkQRyDDIgLq57iTAH/X
iHgtOiDx8pPVbcBPHQzWZz8N2ytsz4C5x+taFdz0kaGhhB2VWBrlen7sxXW4wyZXteVc
oqTw==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCVgn+IHZpxKd9kBcWGMJnU0nGe1ZHmHeYqW78ylDjy2xaapnrbDJx7srltNa1WYXKL0R1//ePbJbAKgBOaPDqz7EZr4yc4=
X-Gm-Message-State: AOJu0YwejEPzEGUAIeAFCtxcdiGwsvH0A+5FbHD/ASzclvHapQXe4/Ik
+MvJrT4lQbJn67x18Lvd5F/NQmgh7A1Gs9lgNW/Q0z3d09TdH/3z
X-Google-Smtp-Source: AGHT+IFwtZXeBcjBpH6bq/Szm0J7oXepBQTIQ3Y7AKu5o+Zr5HfBCd+2KRSeVm6dqQpgnlpiP51EEg==
X-Received: by 2002:a05:6902:1241:b0:e08:782f:b68a with SMTP id 3f1490d57ef6-e08782fba45mr1214656276.17.1721458269723;
Fri, 19 Jul 2024 23:51:09 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a25:53c2:0:b0:e03:aa7a:bb87 with SMTP id 3f1490d57ef6-e05fd8ce7fals4371132276.0.-pod-prod-09-us;
Fri, 19 Jul 2024 23:51:08 -0700 (PDT)
X-Received: by 2002:a05:690c:2a44:b0:650:a16c:91ac with SMTP id 00721157ae682-66a66d16f5dmr428687b3.8.1721458268313;
Fri, 19 Jul 2024 23:51:08 -0700 (PDT)
Received: by 2002:a05:690c:26c7:b0:627:7f59:2eee with SMTP id 00721157ae682-6691747e85ems7b3;
Fri, 19 Jul 2024 22:57:41 -0700 (PDT)
X-Received: by 2002:a05:6902:70c:b0:e05:a1df:5644 with SMTP id 3f1490d57ef6-e086f9963bemr61220276.2.1721455060940;
Fri, 19 Jul 2024 22:57:40 -0700 (PDT)
Date: Fri, 19 Jul 2024 22:57:40 -0700 (PDT)
From: /dev /fd0 <alicexbtong@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <fd1e1dd3-ffda-416b-9bc8-900d0b69c8c1n@googlegroups.com>
In-Reply-To: <9c4c2a65-2c87-47f1-85d1-137c32099fb7n@googlegroups.com>
References: <Zpk7EYgmlgPP3Y9D@petertodd.org>
<18a5e5a2-92b3-4345-853d-5a63b71d848bn@googlegroups.com>
<9c4c2a65-2c87-47f1-85d1-137c32099fb7n@googlegroups.com>
Subject: [bitcoindev] Re: A "Free" Relay Attack Taking Advantage of The Lack
of Full-RBF In Core
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_315086_645987492.1721455060728"
X-Original-Sender: alicexbtong@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)
------=_Part_315086_645987492.1721455060728
Content-Type: multipart/alternative;
boundary="----=_Part_315087_1827213981.1721455060728"
------=_Part_315087_1827213981.1721455060728
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Antoine,
> I'm interested if you can propose a formal or mathematical definition of=
=20
what constitute
> an in-topic of off-topic comments on a matters like full RBF, which has=
=20
been controversial
> for like a decade.
I will quote _willcl-ark_'s last comment as I do not have enough=20
permissions in bitcoin core repository to moderate comments:
"However the comments section here has become difficult to follow due to=20
numerous off-topic comments, a few personal disagreements, and repetition=
=20
of arguments. In the interest of having a more productive and focused=20
technical and philosophical discussion we are going to close and lock this=
=20
PR."
A new pull request should help reviewers. If you do not agree with it, feel=
=20
free to discuss it with moderators in bitcoin core IRC channel.
> Again, I'm interested if you can propose a formal or mathematical=20
definition of what constitute
> a reasonable bitcoin core vulnerability handling policy and that way give=
=20
more ground on qualifying
> if a present situation is falling out of this reasonable guidelines and=
=20
that can be qualified more
> objectively as "politics".
Related discussion: https://github.com/bitcoin-core/meta/issues/5
> I think we have a mailing list to favorize textual long format and=20
encourage a more self-reflexive
> mode of reasoning in the conduct of bitcoin engineering discussions. I=20
believe comments not bringing
> new factual information or pointing to past experiences or concrete piece=
=20
of information are better
> left to twitter / nostr / reddit, whatever other communication channel=20
where the scientific and
> ethics of conversation standards are less stringent.
Ironically, this is exactly how moderation works in bitcoin core pull=20
requests and some comments were marked off-topic..
I have opened a pull request with the same commits (Peter Todd being the=20
author) to enable Full RBF by default:=20
https://github.com/bitcoin/bitcoin/pull/30493
/dev/fd0
floppy disk guy
On Saturday, July 20, 2024 at 12:01:12=E2=80=AFAM UTC Antoine Riard wrote:
> Hi /dev/fd0
>
> > The last comment in the pull request suggests opening a new pull reques=
t=20
> to enable full RBF by default, referencing the one closed due to off-topi=
c=20
> comments.
>
> I'm interested if you can propose a formal or mathematical definition of=
=20
> what constitute
> an in-topic of off-topic comments on a matters like full RBF, which has=
=20
> been controversial
> for like a decade. I can only think such definition could make future=20
> conversations about
> the boundaries of what is in / off bitcoin engineering topic more=20
> objective.
>
> > It seems that you are the one trying to politicize this issue.
>
> Let's be realistic on the state of bitcoin core security issues handling=
=20
> in the recent words of
> a group of some active contributors:
>
> "The project has historically done a poor job at publicly disclosing=20
> security-critical bugs, whether
> externally reported or found by contributors. This has led to a situation=
=20
> where a lot of users perceive
> Bitcoin Core as never having bugs. This perception is dangerous and,=20
> unfortunately, not accurate." [0].
>
> [0] https://groups.google.com/g/bitcoindev/c/Q2ZGit2wF7w
>
> Again, I'm interested if you can propose a formal or mathematical=20
> definition of what constitute
> a reasonable bitcoin core vulnerability handling policy and that way give=
=20
> more ground on qualifying
> if a present situation is falling out of this reasonable guidelines and=
=20
> that can be qualified more=20
> objectively as "politics".
>
> I think we have a mailing list to favorize textual long format and=20
> encourage a more self-reflexive
> mode of reasoning in the conduct of bitcoin engineering discussions. I=20
> believe comments not bringing
> new factual information or pointing to past experiences or concrete piece=
=20
> of information are better
> left to twitter / nostr / reddit, whatever other communication channel=20
> where the scientific and
> ethics of conversation standards are less stringent.
>
> All that said, I'm thinking to agree that the usage of all political=20
> rhethoric is a fallacy better
> left for expressions on other communication channels and this is note wis=
e=20
> to bundle it with novel
> technical information, as from the outset it does not favor to concentrat=
e=20
> the discussion on the fact
> and logical reasoning themselves. Even more, political rhetoric very=20
> easily downgrade in moralistic
> contest among protagonists on who has the monopole of the good / truth.=
=20
> Somehow bitcoin is beyond
> good and evil (-- under some long-term and abstract perspective).
>
> Best,
> Antoine
> ots hash: 3088507ecfb55ed301bb0defce9fb490daa6bb9594e96d57336d603556a8fda=
b
> Le vendredi 19 juillet 2024 =C3=A0 19:27:36 UTC+1, /dev /fd0 a =C3=A9crit=
:
>
>> Hi Peter,
>>
>> > I didn't get a substantive
>> > response from Bitcoin Core, other than Core closing the my pull-req=20
>> enabling
>> > full-RBF by default that would fix this specific vulnerability.
>>
>> The last comment in the pull request suggests opening a new pull request=
=20
>> to enable full RBF by default, referencing the one closed due to off-top=
ic=20
>> comments.=20
>>
>> > But read on, this is quite an odd case of Core politics, and the story=
=20
>> is not
>> > as simple as Core refusing to fix a vulnerability.
>>
>> It seems that you are the one trying to politicize this issue.=20
>>
>> /dev/fd0
>> floppy disk guy
>>
>> On Thursday, July 18, 2024 at 4:04:26=E2=80=AFPM UTC Peter Todd wrote:
>>
>>> # Summary=20
>>>
>>> This is a public disclosure of a vulnerability that I previously=20
>>> disclosed to=20
>>> the bitcoin-security mailing list. It's an easy vulnerability to fix.=
=20
>>> Although=20
>>> as with other "free" relay attacks I've disclosed, I didn't get a=20
>>> substantive=20
>>> response from Bitcoin Core, other than Core closing the my pull-req=20
>>> enabling=20
>>> full-RBF by default that would fix this specific vulnerability.=20
>>>
>>> But read on, this is quite an odd case of Core politics, and the story=
=20
>>> is not=20
>>> as simple as Core refusing to fix a vulnerability. Also, I've including=
=20
>>> a fun=20
>>> homework problem at the end: figure out how TRUC/V3 transactions itself=
=20
>>> creates=20
>>> a "free" relay attack.=20
>>>
>>>
>>> # Background=20
>>>
>>> This is just one of a few "free" relay attacks that I have recently=20
>>> disclosed,=20
>>> including, but not limited to:=20
>>>
>>> "A Free-Relay Attack Exploiting RBF Rule #6" - Mar 18th 2024=20
>>> https://groups.google.com/g/bitcoindev/c/EJYoeNTPVhg=20
>>>
>>> "A Free-Relay Attack Exploiting Min-Relay-Fee Differences" - Mar 31st=
=20
>>> 2024=20
>>> https://groups.google.com/g/bitcoindev/c/3XqfIOYzXqo=20
>>>
>>> The term "free relay attack" simply refers to any mechanism where=20
>>> transaction=20
>>> data can be broadcast at unusually low cost; the "free" in "free relay"=
=20
>>> is a=20
>>> misnomer as all these attacks do in fact have some cost.=20
>>>
>>> This particular attack isn't significantly different than the other=20
>>> attacks=20
>>> I've disclosed. With one important exception: unlike those other=20
>>> attacks,=20
>>> fixing this particular attack would be quite easy, by enabling full-rbf=
=20
>>> by=20
>>> default. So I disclosed it to the bitcoin-security mailing list as a=20
>>> test: does=20
>>> Bitcoin Core actually care about free relay attacks? My hypothesis is=
=20
>>> that Core=20
>>> does not, as they know full well that "free" relay is an unavoidable=20
>>> problem;=20
>>> I've received absolutely no feedback from any Bitcoin Core members for=
=20
>>> the=20
>>> other disclosed attacks, beyond achow using my disclosure of the RBF=20
>>> Rule #6=20
>>> attack as an excuse to remove me from the bitcoin-security mailing list=
.=20
>>>
>>> The fact that Core doesn't actually care about "free" relay attacks is=
=20
>>> relevant=20
>>> to TRUC/V3 Transactions. As per BIP-431:=20
>>>
>>> "The primary problem with [RBFR proposals] is the potential for free=20
>>> relay and DDoS attacks.=20
>>>
>>> Removing Rule 3 and 4 in general would allow free relay [27]."=20
>>>
>>> https://github.com/bitcoin/bips/blob/812907c2b00b92ee31e2b638622a4fe14a=
428aee/bip-0431.mediawiki#user-content-Alternatives_replace_by_feerate=20
>>>
>>> I believe the authors of that BIP are fully aware of the fact that=20
>>> "free" relay=20
>>> is an unavoidable problem, making their rational for TRUC/V3 bogus, and=
=20
>>> don't=20
>>> want to admit that they've wasted a large amount of engineering time on=
=20
>>> a bad=20
>>> proposal. I will be submitting a pull-req to get BIP-431 corrected, as=
=20
>>> the many=20
>>> "free" relay attacks I've disclosed clearly show that claiming RBFR=20
>>> would=20
>>> "allow" free relay is simply not true.=20
>>>
>>> Notably, full-RBF is _itself_ a transaction pinning fix for many=20
>>> use-cases;=20
>>> part of the TRUC/V3 standard is to force full-RBF behavior for V3=20
>>> transactions.=20
>>> So Core closing my full-RF pull-req is doubling down on TRUC/V3 in a=20
>>> second=20
>>> way, and TRUC/V3 proponents were the ones who tried to get the full-RBF=
=20
>>> option=20
>>> removed from Core in the first place. If not for this dumb bit of Core=
=20
>>> politics, I'm sure my year-old pull-req to enable full-RBF by default=
=20
>>> would=20
>>> have been merged many months ago, as almost all hashpower has adopted=
=20
>>> full-RBF=20
>>> making objections based on "zeroconf" absurd.=20
>>>
>>>
>>> # The Attack=20
>>>
>>> If you're a competent Bitcoin engineer, familiar with how mempools work=
,=20
>>> you've=20
>>> probably figured it out already based on the title: obviously, if a hig=
h=20
>>> percentage of miners are adopting a policy that Bitcoin Core nodes are=
=20
>>> not, you=20
>>> can cheaply consume transaction relay bandwidth by simply relaying=20
>>> transations=20
>>> that miners are rejecting.=20
>>>
>>> Specifically, do the following:=20
>>>
>>> 1. Broadcast a small, low-fee-rate, tx A with BIP-125 opt-in disabled.=
=20
>>> 2. Broadcast a full-RBF double-spend of A, A2, with a higher fee-rate.=
=20
>>> 3. Spend the outputs of A in a large, low fee-rate, transaction B with=
=20
>>> BIP-125=20
>>> opt-in enabled. ~100% of miners will reject B, as it spends an input no=
t=20
>>> in=20
>>> their mempools. However Bitcoin Core nodes will waste bandwidth=20
>>> propagating=20
>>> B.=20
>>> 4. (Optional) Double-spend B repeatedly. Again, Bitcoin Core nodes will=
=20
>>> waste=20
>>> bandwidth propagating Bn's that ~100% of miners are ignoring.=20
>>> 5. Double-spend A2 to recover your funds and do it all over again (or i=
f=20
>>> A2 had=20
>>> a high enough fee-rate, just wait for it to be mined).=20
>>>
>>> The cost to relay each B transaction depends on the fee-rate of B. Sinc=
e=20
>>> Bitcoin Core defaults to a fairly large mempool, the minimum relay=20
>>> fee-rate is=20
>>> typically well below the economic fee-rate required for miners to=20
>>> actually mine=20
>>> a transaction; Core accepts transactions that are uneconomical for=20
>>> miners to=20
>>> mine for the forseeable future.=20
>>>
>>> For example, at the moment typical mempools require transactions to pay=
=20
>>> at=20
>>> least 1sat/vB, while there are hundreds of MvB worth of transactions=20
>>> paying=20
>>> 4sat/vB, the minimum economical fee-rate. Thus, transactions paying les=
s=20
>>> than=20
>>> 4sat/VB are extremely unlikely to get mined in the nearish future.=20
>>>
>>> Concretely, broadcasting B transactions at 1sat/vB, 2sat/vB, and 3sat/v=
B=20
>>> would=20
>>> have almost zero cost as the probability of those transactions getting=
=20
>>> mined is=20
>>> nearly zero. This is true _regardless_ of what % of miners are mining=
=20
>>> full-RBF!=20
>>> As long as you can get at least one miner to mine the A double-spend,=
=20
>>> the=20
>>> attack only costs what it cost to get A mined.=20
>>>
>>> If B's are broadcast at a higher fee-rate than the minimum economical=
=20
>>> fee-rate,=20
>>> then the % of full-RBF miners matters. For example, if only 99% of=20
>>> miners mine=20
>>> full-RBF, the chance of a B transaction getting mined per block is abou=
t=20
>>> 1%, so=20
>>> the amortized cost of broadcasting B is about 1% of whatever total fee=
=20
>>> the=20
>>> highest fee-rate variant of B pays.=20
>>>
>>> For an attacker who does not need any B to be broadcast, the cost=20
>>> savings to=20
>>> use of relay bandwidth is approximately the ratio of the difference in=
=20
>>> size=20
>>> between B and and A. With a maximum standard transaction size of 100KvB=
,=20
>>> or=20
>>> 400KB serialized size, this ratio is on the order of 5000:1, times the=
=20
>>> total=20
>>> number of B variants broadcast, and the % chance of each B being mined;=
=20
>>> it's a=20
>>> few orders of magnitude.=20
>>>
>>> Of course, as mentioned above, this is just one of *many* "free" relay=
=20
>>> attacks,=20
>>> so fixing this particular issue doesn't change much.=20
>>>
>>>
>>> # Attackers Who Benefit From B Getting Mined=20
>>>
>>> Some attackers actually need B to get mined. For example, imagine an=20
>>> exchange=20
>>> who needs to do large consolidation transactions. They could use this=
=20
>>> attack=20
>>> (and some attacks like it) as a way to goad users and miners into minin=
g=20
>>> consolidation transactions for them at low cost. In this variant of the=
=20
>>> attack,=20
>>> the attacker would pad the size of B with consolidation spends that the=
y=20
>>> needed=20
>>> to do anyway. Someone who tried to stop the attack by getting B mined=
=20
>>> (eg via=20
>>> mempool.space's transaction accellerator) would simply be paying the=20
>>> attacker's=20
>>> fees for them.=20
>>>
>>> Obviously, this strategy is only relevant for B's below the economic=20
>>> fee-rate.=20
>>> However, the weaker version of this strategy is to parallize the attack=
,=20
>>> and do=20
>>> your consolidation with the _A_ double-spends to reduce the # of bytes=
=20
>>> used per=20
>>> full-rbf double-spend.=20
>>>
>>>
>>> # TRUC/V3 Creates a Free Relay Attack=20
>>>
>>> I'll leave the details of this as a homework problem. But obviously, th=
e=20
>>> introduction of TRUC/V3 transactions *itself* creates a free relay=20
>>> attack very=20
>>> similar to the above! Just like full-RBF, not all miners will mine V3=
=20
>>> transactions. So you can do the exact same type of attack by taking=20
>>> advantage=20
>>> of this difference in mining policy.=20
>>>
>>> --=20
>>> https://petertodd.org 'peter'[:-1]@petertodd.org=20
>>>
>>
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/fd1e1dd3-ffda-416b-9bc8-900d0b69c8c1n%40googlegroups.com.
------=_Part_315087_1827213981.1721455060728
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Antoine,<div><br /></div><div>>=C2=A0
I'm interested if you can propose a formal or mathematical definition of wh=
at constitute<br />> an in-topic of off-topic comments on a matters like=
full RBF, which has been controversial<br />> for like a decade.<br /><=
br />I will quote _willcl-ark_'s last comment as I do not have enough permi=
ssions in bitcoin core repository to moderate comments:</div><div><br /></d=
iv><div>"However the comments section here has become difficult to follow d=
ue to numerous off-topic comments, a few personal disagreements, and repeti=
tion of arguments. In the interest of having a more productive and focused =
technical and philosophical discussion we are going to close and lock this =
PR."</div><div><br /></div><div>A new pull request should help reviewers. I=
f you do not agree with it, feel free to discuss it with moderators in bitc=
oin core IRC channel.</div><div><br /></div><div>>=C2=A0
Again, I'm interested if you can propose a formal or mathematical definitio=
n of what constitute<br />> a reasonable bitcoin core vulnerability hand=
ling policy and that way give more ground on qualifying<br />> if a pres=
ent situation is falling out of this reasonable guidelines and that can be =
qualified more<br />> objectively as "politics".<br /><br />Related disc=
ussion:=C2=A0<a href=3D"https://github.com/bitcoin-core/meta/issues/5">http=
s://github.com/bitcoin-core/meta/issues/5</a></div><div><br /></div><div>&g=
t;=C2=A0I think we have a mailing list to favorize textual long format and =
encourage a more self-reflexive<br />> mode of reasoning in the conduct =
of bitcoin engineering discussions. I believe comments not bringing<br />&g=
t; new factual information or pointing to past experiences or concrete piec=
e of information are better<br />> left to twitter / nostr / reddit, wha=
tever other communication channel where the scientific and<br />> ethics=
of conversation standards are less stringent.</div><div><br /></div><div>I=
ronically, this is exactly how moderation works in bitcoin core pull reques=
ts and some comments were marked off-topic..</div><div><br /></div><div>I h=
ave opened a pull request with the same commits (Peter Todd being the autho=
r) to enable Full RBF by default:=C2=A0<a href=3D"https://github.com/bitcoi=
n/bitcoin/pull/30493">https://github.com/bitcoin/bitcoin/pull/30493</a></di=
v><div><br /></div><div>/dev/fd0</div><div>floppy disk guy<br /><br /></div=
><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Satur=
day, July 20, 2024 at 12:01:12=E2=80=AFAM UTC Antoine Riard wrote:<br/></di=
v><blockquote class=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-le=
ft: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi /dev/fd0<br><br>&g=
t; The last comment in the pull request suggests opening a new pull request=
to enable full RBF by default, referencing the one closed due to off-topic=
comments.<br><br>I'm interested if you can propose a formal or mathema=
tical definition of what constitute<br>an in-topic of off-topic comments on=
a matters like full RBF, which has been controversial<br>for like a decade=
. I can only think such definition could make future conversations about<br=
>the boundaries of what is in / off bitcoin engineering topic more objectiv=
e.<br><br>> It seems that you are the one trying to politicize this issu=
e.<br><br>Let's be realistic on the state of bitcoin core security issu=
es handling in the recent words of<br>a group of some active contributors:<=
br><br>"The project has historically done a poor job at publicly discl=
osing security-critical bugs, whether<br>externally reported or found by co=
ntributors. This has led to a situation where a lot of users perceive<br>Bi=
tcoin Core as never having bugs. This perception is dangerous and, unfortun=
ately, not accurate." [0].<br><br>[0] <a href=3D"https://groups.google=
.com/g/bitcoindev/c/Q2ZGit2wF7w" target=3D"_blank" rel=3D"nofollow" data-sa=
feredirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://groups.=
google.com/g/bitcoindev/c/Q2ZGit2wF7w&source=3Dgmail&ust=3D17215349=
27747000&usg=3DAOvVaw11jj_KEXeTl30GgjuRr4oo">https://groups.google.com/=
g/bitcoindev/c/Q2ZGit2wF7w</a><br><br>Again, I'm interested if you can =
propose a formal or mathematical definition of what constitute<br>a reasona=
ble bitcoin core vulnerability handling policy and that way give more groun=
d on qualifying<br>if a present situation is falling out of this reasonable=
guidelines and that can be qualified more <br>objectively as "politic=
s".<br><br>I think we have a mailing list to favorize textual long for=
mat and encourage a more self-reflexive<br>mode of reasoning in the conduct=
of bitcoin engineering discussions. I believe comments not bringing<br>new=
factual information or pointing to past experiences or concrete piece of i=
nformation are better<br>left to twitter / nostr / reddit, whatever other c=
ommunication channel where the scientific and<br>ethics of conversation sta=
ndards are less stringent.<br><br>All that said, I'm thinking to agree =
that the usage of all political rhethoric is a fallacy better<br>left for e=
xpressions on other communication channels and this is note wise to bundle =
it with novel<br>technical information, as from the outset it does not favo=
r to concentrate the discussion on the fact<br>and logical reasoning themse=
lves. Even more, political rhetoric very easily downgrade in moralistic<br>=
contest among protagonists on who has the monopole of the good / truth. Som=
ehow bitcoin is beyond<br>good and evil (-- under some long-term and abstra=
ct perspective).<br><br>Best,<br>Antoine<br>ots hash: 3088507ecfb55ed301bb0=
defce9fb490daa6bb9594e96d57336d603556a8fdab<br><div class=3D"gmail_quote"><=
div dir=3D"auto" class=3D"gmail_attr">Le vendredi 19 juillet 2024 =C3=A0 19=
:27:36 UTC+1, /dev /fd0 a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"g=
mail_quote" style=3D"margin:0 0 0 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">Hi Peter,<br><br>>=C2=A0I didn't get a substan=
tive<br>> response from Bitcoin Core, other than Core closing the my pul=
l-req enabling<br>> full-RBF by default that would fix this specific vul=
nerability.<br><br>
The last comment in the pull request suggests opening a new pull request to=
enable full RBF by default, referencing the one closed due to off-topic co=
mments.
<div><br></div><div>>=C2=A0But read on, this is quite an odd case of Cor=
e politics, and the story is not<br>> as simple as Core refusing to fix =
a vulnerability.</div><div><br></div><div>
It seems that you are the one trying to politicize this issue.
</div><div><br></div><div>/dev/fd0</div><div>floppy disk guy<br><br></div><=
div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Thursda=
y, July 18, 2024 at 4:04:26=E2=80=AFPM UTC Peter Todd wrote:<br></div><bloc=
kquote class=3D"gmail_quote" style=3D"margin:0 0 0 0.8ex;border-left:1px so=
lid rgb(204,204,204);padding-left:1ex"># Summary
<br>
<br>This is a public disclosure of a vulnerability that I previously disclo=
sed to
<br>the bitcoin-security mailing list. It's an easy vulnerability to fi=
x. Although
<br>as with other "free" relay attacks I've disclosed, I didn=
't get a substantive
<br>response from Bitcoin Core, other than Core closing the my pull-req ena=
bling
<br>full-RBF by default that would fix this specific vulnerability.
<br>
<br>But read on, this is quite an odd case of Core politics, and the story =
is not
<br>as simple as Core refusing to fix a vulnerability. Also, I've inclu=
ding a fun
<br>homework problem at the end: figure out how TRUC/V3 transactions itself=
creates
<br>a "free" relay attack.
<br>
<br>
<br># Background
<br>
<br>This is just one of a few "free" relay attacks that I have re=
cently disclosed,
<br>including, but not limited to:
<br>
<br> "A Free-Relay Attack Exploiting RBF Rule #6" - Mar 18th 2=
024
<br> <a href=3D"https://groups.google.com/g/bitcoindev/c/EJYoeNTPVhg" re=
l=3D"nofollow" target=3D"_blank" data-saferedirecturl=3D"https://www.google=
.com/url?hl=3Den&q=3Dhttps://groups.google.com/g/bitcoindev/c/EJYoeNTPV=
hg&source=3Dgmail&ust=3D1721534927747000&usg=3DAOvVaw1pg9w4b8YJ=
YubGAHVLkgbg">https://groups.google.com/g/bitcoindev/c/EJYoeNTPVhg</a>
<br>
<br> "A Free-Relay Attack Exploiting Min-Relay-Fee Differences"=
; - Mar 31st 2024
<br> <a href=3D"https://groups.google.com/g/bitcoindev/c/3XqfIOYzXqo" re=
l=3D"nofollow" target=3D"_blank" data-saferedirecturl=3D"https://www.google=
.com/url?hl=3Den&q=3Dhttps://groups.google.com/g/bitcoindev/c/3XqfIOYzX=
qo&source=3Dgmail&ust=3D1721534927747000&usg=3DAOvVaw1fO722xNF_=
wkzTiuEK8qk_">https://groups.google.com/g/bitcoindev/c/3XqfIOYzXqo</a>
<br>
<br>The term "free relay attack" simply refers to any mechanism w=
here transaction
<br>data can be broadcast at unusually low cost; the "free" in &q=
uot;free relay" is a
<br>misnomer as all these attacks do in fact have some cost.
<br>
<br>This particular attack isn't significantly different than the other=
attacks
<br>I've disclosed. With one important exception: unlike those other at=
tacks,
<br>fixing this particular attack would be quite easy, by enabling full-rbf=
by
<br>default. So I disclosed it to the bitcoin-security mailing list as a te=
st: does
<br>Bitcoin Core actually care about free relay attacks? My hypothesis is t=
hat Core
<br>does not, as they know full well that "free" relay is an unav=
oidable problem;
<br>I've received absolutely no feedback from any Bitcoin Core members =
for the
<br>other disclosed attacks, beyond achow using my disclosure of the RBF Ru=
le #6
<br>attack as an excuse to remove me from the bitcoin-security mailing list=
.
<br>
<br>The fact that Core doesn't actually care about "free" rel=
ay attacks is relevant
<br>to TRUC/V3 Transactions. As per BIP-431:
<br>
<br> "The primary problem with [RBFR proposals] is the potential fo=
r free relay and DDoS attacks.
<br>
<br> Removing Rule 3 and 4 in general would allow free relay [27]."
<br> <a href=3D"https://github.com/bitcoin/bips/blob/812907c2b00b92ee31e=
2b638622a4fe14a428aee/bip-0431.mediawiki#user-content-Alternatives_replace_=
by_feerate" rel=3D"nofollow" target=3D"_blank" data-saferedirecturl=3D"http=
s://www.google.com/url?hl=3Den&q=3Dhttps://github.com/bitcoin/bips/blob=
/812907c2b00b92ee31e2b638622a4fe14a428aee/bip-0431.mediawiki%23user-content=
-Alternatives_replace_by_feerate&source=3Dgmail&ust=3D1721534927747=
000&usg=3DAOvVaw0sIymiR757C-0TPYkXkjNY">https://github.com/bitcoin/bips=
/blob/812907c2b00b92ee31e2b638622a4fe14a428aee/bip-0431.mediawiki#user-cont=
ent-Alternatives_replace_by_feerate</a>
<br>
<br>I believe the authors of that BIP are fully aware of the fact that &quo=
t;free" relay
<br>is an unavoidable problem, making their rational for TRUC/V3 bogus, and=
don't
<br>want to admit that they've wasted a large amount of engineering tim=
e on a bad
<br>proposal. I will be submitting a pull-req to get BIP-431 corrected, as =
the many
<br>"free" relay attacks I've disclosed clearly show that cla=
iming RBFR would
<br>"allow" free relay is simply not true.
<br>
<br>Notably, full-RBF is _itself_ a transaction pinning fix for many use-ca=
ses;
<br>part of the TRUC/V3 standard is to force full-RBF behavior for V3 trans=
actions.
<br>So Core closing my full-RF pull-req is doubling down on TRUC/V3 in a se=
cond
<br>way, and TRUC/V3 proponents were the ones who tried to get the full-RBF=
option
<br>removed from Core in the first place. If not for this dumb bit of Core
<br>politics, I'm sure my year-old pull-req to enable full-RBF by defau=
lt would
<br>have been merged many months ago, as almost all hashpower has adopted f=
ull-RBF
<br>making objections based on "zeroconf" absurd.
<br>
<br>
<br># The Attack
<br>
<br>If you're a competent Bitcoin engineer, familiar with how mempools =
work, you've
<br>probably figured it out already based on the title: obviously, if a hig=
h
<br>percentage of miners are adopting a policy that Bitcoin Core nodes are =
not, you
<br>can cheaply consume transaction relay bandwidth by simply relaying tran=
sations
<br>that miners are rejecting.
<br>
<br>Specifically, do the following:
<br>
<br>1. Broadcast a small, low-fee-rate, tx A with BIP-125 opt-in disabled.
<br>2. Broadcast a full-RBF double-spend of A, A2, with a higher fee-rate.
<br>3. Spend the outputs of A in a large, low fee-rate, transaction B with =
BIP-125
<br> opt-in enabled. ~100% of miners will reject B, as it spends an input=
not in
<br> their mempools. However Bitcoin Core nodes will waste bandwidth prop=
agating
<br> B.
<br>4. (Optional) Double-spend B repeatedly. Again, Bitcoin Core nodes will=
waste
<br> bandwidth propagating Bn's that ~100% of miners are ignoring.
<br>5. Double-spend A2 to recover your funds and do it all over again (or i=
f A2 had
<br> a high enough fee-rate, just wait for it to be mined).
<br>
<br>The cost to relay each B transaction depends on the fee-rate of B. Sinc=
e
<br>Bitcoin Core defaults to a fairly large mempool, the minimum relay fee-=
rate is
<br>typically well below the economic fee-rate required for miners to actua=
lly mine
<br>a transaction; Core accepts transactions that are uneconomical for mine=
rs to
<br>mine for the forseeable future.
<br>
<br>For example, at the moment typical mempools require transactions to pay=
at
<br>least 1sat/vB, while there are hundreds of MvB worth of transactions pa=
ying
<br>4sat/vB, the minimum economical fee-rate. Thus, transactions paying les=
s than
<br>4sat/VB are extremely unlikely to get mined in the nearish future.
<br>
<br>Concretely, broadcasting B transactions at 1sat/vB, 2sat/vB, and 3sat/v=
B would
<br>have almost zero cost as the probability of those transactions getting =
mined is
<br>nearly zero. This is true _regardless_ of what % of miners are mining f=
ull-RBF!
<br>As long as you can get at least one miner to mine the A double-spend, t=
he
<br>attack only costs what it cost to get A mined.
<br>
<br>If B's are broadcast at a higher fee-rate than the minimum economic=
al fee-rate,
<br>then the % of full-RBF miners matters. For example, if only 99% of mine=
rs mine
<br>full-RBF, the chance of a B transaction getting mined per block is abou=
t 1%, so
<br>the amortized cost of broadcasting B is about 1% of whatever total fee =
the
<br>highest fee-rate variant of B pays.
<br>
<br>For an attacker who does not need any B to be broadcast, the cost savin=
gs to
<br>use of relay bandwidth is approximately the ratio of the difference in =
size
<br>between B and and A. With a maximum standard transaction size of 100KvB=
, or
<br>400KB serialized size, this ratio is on the order of 5000:1, times the =
total
<br>number of B variants broadcast, and the % chance of each B being mined;=
it's a
<br>few orders of magnitude.
<br>
<br>Of course, as mentioned above, this is just one of *many* "free&qu=
ot; relay attacks,
<br>so fixing this particular issue doesn't change much.
<br>
<br>
<br># Attackers Who Benefit From B Getting Mined
<br>
<br>Some attackers actually need B to get mined. For example, imagine an ex=
change
<br>who needs to do large consolidation transactions. They could use this a=
ttack
<br>(and some attacks like it) as a way to goad users and miners into minin=
g
<br>consolidation transactions for them at low cost. In this variant of the=
attack,
<br>the attacker would pad the size of B with consolidation spends that the=
y needed
<br>to do anyway. Someone who tried to stop the attack by getting B mined (=
eg via
<br><a href=3D"http://mempool.space" rel=3D"nofollow" target=3D"_blank" dat=
a-saferedirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttp://memp=
ool.space&source=3Dgmail&ust=3D1721534927747000&usg=3DAOvVaw0L2=
JLAPj_sT4UDdjU-wz-4">mempool.space</a>'s transaction accellerator) woul=
d simply be paying the attacker's
<br>fees for them.
<br>
<br>Obviously, this strategy is only relevant for B's below the economi=
c fee-rate.
<br>However, the weaker version of this strategy is to parallize the attack=
, and do
<br>your consolidation with the _A_ double-spends to reduce the # of bytes =
used per
<br>full-rbf double-spend.
<br>
<br>
<br># TRUC/V3 Creates a Free Relay Attack
<br>
<br>I'll leave the details of this as a homework problem. But obviously=
, the
<br>introduction of TRUC/V3 transactions *itself* creates a free relay atta=
ck very
<br>similar to the above! Just like full-RBF, not all miners will mine V3
<br>transactions. So you can do the exact same type of attack by taking adv=
antage
<br>of this difference in mining policy.
<br>
<br>--=20
<br><a href=3D"https://petertodd.org" rel=3D"nofollow" target=3D"_blank" da=
ta-saferedirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://pe=
tertodd.org&source=3Dgmail&ust=3D1721534927747000&usg=3DAOvVaw1=
WRvR1CVWQdmg69DP8T4_6">https://petertodd.org</a> 'peter'[:-1]@<a hr=
ef=3D"http://petertodd.org" rel=3D"nofollow" target=3D"_blank" data-safered=
irecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttp://petertodd.org=
&source=3Dgmail&ust=3D1721534927747000&usg=3DAOvVaw10zh6HFaRQYk=
991fLPAyRZ">petertodd.org</a>
<br></blockquote></div></blockquote></div></blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/bitcoindev/fd1e1dd3-ffda-416b-9bc8-900d0b69c8c1n%40googlegroups.=
com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msg=
id/bitcoindev/fd1e1dd3-ffda-416b-9bc8-900d0b69c8c1n%40googlegroups.com</a>.=
<br />
------=_Part_315087_1827213981.1721455060728--
------=_Part_315086_645987492.1721455060728--
|