Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id BDF48C002D for ; Tue, 10 Jan 2023 09:19:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 98057416D3 for ; Tue, 10 Jan 2023 09:19:53 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 98057416D3 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=MXC786xT X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.102 X-Spam-Level: X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i8wozUhIyEAe for ; Tue, 10 Jan 2023 09:19:52 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 9FBFB416D1 Received: from mail-4319.protonmail.ch (mail-4319.protonmail.ch [185.70.43.19]) by smtp4.osuosl.org (Postfix) with ESMTPS id 9FBFB416D1 for ; Tue, 10 Jan 2023 09:19:51 +0000 (UTC) Date: Tue, 10 Jan 2023 09:19:39 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1673342389; x=1673601589; bh=2pFzzAutVocXEnwNcmAnX5kD2wBfiFwH0hx+Qmecq+o=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=MXC786xTOp4A6zE9ZmfFbp0952TiKOAzdNzIAGZTPP0zFzB+7JY4VH9dEz9j24cN9 yr6Ypnk2EqlqHeo65GCv+eVUyfVJ+4r7welDfpX526j4Fsy6/Udw5ZiBauEZvZFEmK fGGrfecNG6JEvbNwB/RAp+aTtp7Du8il9Na5pakBPfpPkJzd6QrOWq+1xaMKbxVZ/B JaYv+mZQu56kI/3i8y1JkzqsmRA/ds6NAkyXdRh1+9cFqv7cpW3w+sd5FhTHixl5Ul /TOoHBv03tjYQ5/4BysF8CDtyHAk5eqDtcVJowou+2fg1Wq/RoLSts/oL1tEARFW8Z YMOtqCiIGMELg== To: Peter Todd From: alicexbt Message-ID: In-Reply-To: References: Feedback-ID: 40602938:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Thu, 12 Jan 2023 09:59:50 +0000 Cc: bitcoin-dev@lists.linuxfoundation.org Subject: Re: [bitcoin-dev] Why Full-RBF Makes DoS Attacks on Multiparty Protocols Significantly More Expensive X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jan 2023 09:19:53 -0000 Hi Peter, > ## How Full-RBF Mitigates the Double-Spend DoS Attack >=20 > Modulo tx-pinning, full-rbf mitigates the double-spend DoS attack in a ve= ry > straightforward way: the low fee transaction is replaced by the higher fe= e > transaction, resulting in the latter getting mined in a reasonable amount= of > time and the protocol making forward progress. Asking this question based on a [discussion on twitter][0]. How would you g= et extra sats to increase the fees? It seems this would be possible with Jo= inmarket, Wasabi and even joinstr although things would get worse for Whirl= pool. Whirlpool coinjoin transactions do not signal BIP 125 RBF so they wer= e not replaceable earlier, however attacker would be able to perform DoS at= tacks now by double spending their inputs used in coinjoin. [0]: https://twitter.com/dammkewl/status/1599692908860706818 /dev/fd0 floppy disc guy Sent with Proton Mail secure email. ------- Original Message ------- On Tuesday, January 10th, 2023 at 3:48 AM, Peter Todd via bitcoin-dev wrote: > I was reminded recently that while Suhas Daftuar cited tx-pinning as a re= ason > to remove full-rbf, he neglected to mention that tx-pinning greatly incre= ases > the cost of attacks on multi-party protocols. Him (rhetorically?) asking(= 4): >=20 > "Does fullrbf offer any benefits other than breaking zeroconf business > practices?" >=20 > ...has caused a lot of confusion by implying that there were no benefits.= So > I'm writing this to set the record straight and provide an easily cited > explanation as to why full-rbf - even with tx-pinning - is a valuable > improvement for multi-party protocols like coinjoins that rely on transac= tions > containing multiple inputs exclusively controlled(1) by different parties= . >=20 > tl;dr: without full-rbf people can intentionally and unintentionally DoS = attack > multi-party protocols by double-spending their inputs with low-fee txs, h= olding > up progress until that low-fee tx gets mined. This could take days, weeks= , or > even worse. Modulo intentional tx-pinning, full-RBF fixes this by ensurin= g that > a higher fee transaction gets mined in a reasonable amount of time so the > protocol makes forward progress. And as for tx-pinning, exploiting it is = very > expensive, so full-rbf still makes the situation much better than the sta= tus > quo. >=20 >=20 > # The Double-Spend DoS Attack on Multi-Party, Multi-Input, Transactions >=20 > If a protocol constructs transactions containing multiple inputs exclusiv= ely > controlled by different parties, those parties can intentionally and > unintentionally double-spend those inputs in alternate transactions. For > example, in a Wasabi coinjoin any one of the hundreds of participants cou= ld > sign and broadcast a transaction spending their input. If they do that at= the > right time, as much as ~100% of the hashing power may see the double-spen= d > first, prior to the intended coinjoin transaction. This in fact does happ= en > regularly in production to Wasabi coinjoins, probably due to people > accidentally running different wallets at the same time using the same se= ed, as > well as people importing their seeds into alternative wallets. >=20 > By itself this isn't a significant problem: Wasabi coinjoins are a two ph= ase > protocol, and, like any multi-step, multi-party protocol, they have to de= al > with the fact that participants in the protocol may fail to complete all = the > steps necessary for a transaction to be completed. It's very common for o= ne or > more parties in a Wasabi coinjoin to fail to complete both steps of the > protocol, and a majority of Wasabi coinjoin rounds fail. Wasabi deals wit= h this > economically by (temporarily or ~permanently) blacklisting UTXOs that fai= led to > complete a round, making DoS attacks expensive by forcing the attacker to= tie > up funds/create new UTXOs. >=20 > Similarly, in use-cases such as multi-party-funded Lightning channels(5),= an > attacker can always DoS attack the protocol by participating in a channel= open, > and then failing to allow payments to be routed through it. The solution = is > again to use economics to ensure the attack is sufficiently costly. >=20 > However, under the right circumstances double-spends are an unusually pow= erful > DoS attack on multi-party, multi-input, transaction. When mempool demand = is > high, low fee transactions can take arbitrarily long to get mined. Bitcoi= n has > seen periods of mempool demand where low-fee transactions would take mont= hs > to get mined. Transaction expiry does not solve this problem, as anyone c= an > rebroadcast transactions at any time. In these circumstances without > transaction replacement a multi-party transaction such as a Wasabi coinjo= in > could be held up indefinitely by a low-fee double-spend. >=20 >=20 > ## How Full-RBF Mitigates the Double-Spend DoS Attack >=20 > Modulo tx-pinning, full-rbf mitigates the double-spend DoS attack in a ve= ry > straightforward way: the low fee transaction is replaced by the higher fe= e > transaction, resulting in the latter getting mined in a reasonable amount= of > time and the protocol making forward progress. >=20 > Note that the converse is not a useful attack: if the attacker broadcasts= a > high-fee double spend, higher than the intended multi-party transaction, = the > transaction will get mined in a reasonable amount of time, costing the at= tacker > money and the defender nothing beyond wasted time. Multi-party protocols = always > have the property that attackers can spend money to DoS attack by creatin= g more > UTXOs/identities/etc, so this isn't any worse than the status quo! >=20 >=20 > ## Transaction Pinning >=20 > So what about transaction pinning? The term actually refers to a few diff= erent > techniques that can make it difficult/expensive to fee-bump a transaction= . > We're interested in the techniques relevant to replacements, namely > exploitation of: >=20 > 1. BIP-125 RBF Rule #3: a replacement transaction is required to pay > the higher absolute fee (not just fee rate) than the sum of fees paid by = all > transactions being replaced. >=20 > 2. BIP-125 RBF Rule #5: the number of transactions replaced at one time m= ust > not exceed 100. Note that this rule only exists due to limitations of the > existing Bitcoin Core implementation; it has absolute no economic rationa= l and > should be removed by either improving the implementation's scalability is= sues, > or rejecting transactions that could make a transaction unreplaceable(2). >=20 > Exploiting either rule is expensive. To exploit rule #3 the attacker has = to > broadcast fee-paying transactions paying a total amount of fees higher th= an the > defender is willing to pay. Since transactions don't expire, in almost al= l > circumstances those transactions will eventually be mined, costing the at= tacker > much more money than they would have spent without full-rbf. >=20 > To exploit rule #5, the attacker has to broadcast 100x more fee-paying > transactions than they otherwise would have. As with rule #3, those > transactions will almost always eventually be mined, costing the attacker > significantly more money than they would have spent without full-rbf. And= , as > mentioned above(2), rule #5 is merely an artifact of the existing > implementation which can and should be fixed. >=20 > The only avenue for an attacker to avoid transaction pinning costs is > amortisation: reusing the extra transactions required for pinning for oth= er > attacks/other purposes. But of course, amortisation is already a potent c= ost > reduction strategy for attacks on multi-party protocols such as coinjoin,= so > the existence of transaction pinning doesn't appreciably change the situa= tion. > Again, there are mitigations such as requiring participants to post nLock= Time'd > fee-paying transactions(3), and limiting attacks to parties who are heavi= ly > invested in Bitcoin for other reasons is a valuable improvement on the st= atus > quo. >=20 >=20 > # Conclusion >=20 > Far from not "offering any benefits other than breaking zeroconf business > practices"(4), full-rbf clearly improves Bitcoin for multi-party protocol= s, > among the many other reasons to adopt it. >=20 >=20 > # Footnotes >=20 > 1. What do I mean by "exclusively controlled"? Let's compare coinjoin, to= an > ordinary single-payer Lightning channel. In a coinjoin, the goal is to ge= t a > transaction mined containing multiple inputs from different parties. Each= of > these inputs is individually, exclusively controlled by a single party: > without the cooperation of any other party that input that be spend. This= is > unlike an ordinary single-payer Lightning channel: while the commitment > transactions are multi-party transactions, the multisig transaction outpu= ts > involved are jointly controlled by both parties, and thus neither party c= an > spend it without the cooperation of the other at some point. >=20 > 2. [bitcoin-dev] Removing BIP-125 Rule #5 Pinning with the Always-Replace= able > Invariant, https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-N= ovember/021175.html >=20 > 3. [bitcoin-dev] Using Full-RBF to fix BIP-125 Rule #3 Pinning with nLock= Time, > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-November/021= 176.html >=20 > 4. https://github.com/bitcoin/bitcoin/pull/26438 >=20 > 5. There are even more exotic proposed Lightning-related protocols where = a failure > of transaction replacement can cause the loss of funds. I'm not covering > those scenarios because they have such strong requirements - beyond what > full-rbf offers - that the technical community does not have consensus th= at > these proposed protocols are even viable. >=20 > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev