Delivery-date: Mon, 18 Mar 2024 06:24:20 -0700 Received: from mail-oo1-f55.google.com ([209.85.161.55]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rmCyR-0000Jj-Pr for bitcoindev@gnusha.org; Mon, 18 Mar 2024 06:24:20 -0700 Received: by mail-oo1-f55.google.com with SMTP id 006d021491bc7-5a478fe8814sf3211144eaf.3 for ; Mon, 18 Mar 2024 06:24:19 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1710768253; cv=pass; d=google.com; s=arc-20160816; b=pC+xDIoP9d0R998j8hLEHxO0rUo3WK0TPtrXew+aTLw/U5QQkGbiOQDNNu/txjUjNQ Ug8NFdXPsQ5cklehJXl7RSL98YMo/0LrUSB4egPNcdHlD6t7oE6FDe7zhFYvoEU3DsU4 I+SyQJgLqhg/ysz0awpb9wR22k6/68HF2JXQQm1nkGrBIQcTxCsYcVyaSiF6qCR5RqlC LF20kdQTrxapWl26s0z4mBSz+If1nyT8aDCTANViOk7aJJC/KGQ4gE6BLwe1s9DNpg8D 2U40imxKTHirOMBYU//py91WE4pnXCSQgQfRrPc4smgJ46a2QtHOg4yiJo0kHmLaGCy6 uXLg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-disposition:mime-version :message-id:subject:to:from:date:feedback-id:sender:dkim-signature; bh=yhVkOeD/v17LjlO07gs3/rIQ0TFN8vakkXZDAUyoZNw=; fh=B11tC+ZI0VkfbwVIG3oZxRmyhOnGUo1psYMBUvUuFlU=; b=Z3Mq/YuzQenj7P/Y/AHmdxWP0Sp+snYbLvTP9nwWk80GgaIZ0INdfLlsz2f1d21QPC pYAyp4+EIMmd1AsoHOHGqsp4yG/AN9LZ94paPN0MW+uamKlO2adaRZOrkqspChMZpo7+ fyVqdzDKSPSlWkTZQwNHrbWmOWA7f8/MP2gtln5Qa3X8o12DJxekPbVNMQQ6SJvUNnDs hkUlnJp4+gVOlC1eFhpSrgDDSKZzNMfWSVaFhHGcFu7b1ImRQEEIPNlF6Xgd+nI/nWEM 1Ov2r5QtMSzCISMA2L8kEpFTPixXe6C5xN1qofJAdV2COKJ2oYRQepxmtm5xjsvl2Qew WX8Q==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=OG9IOcx3; spf=pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) smtp.mailfrom=pete@petertodd.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1710768253; x=1711373053; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-disposition:mime-version:message-id :subject:to:from:date:feedback-id:sender:from:to:cc:subject:date :message-id:reply-to; bh=yhVkOeD/v17LjlO07gs3/rIQ0TFN8vakkXZDAUyoZNw=; b=tzRSU5Rj/uIxFbCVJ0jxN6WqrXem9iNYDYqzec5soW+LQKOitvcnLTWLBPttEJ4HNC Pj3t0qHyA9G0bxEXt5GheHpr9c0PkJYEfXhqbFg4rivP+uFaxWpWSYQthdpy7R49k/Zx bnExGDUiTtUp2jugYyzQE+AMDwdP15VfrLbz0e1cwN82RxqMTvWBi5V657hbBOZ3UUN3 0gTBE7P5Wi8BO/jUER5LnDMvfMgZJvbRfLXqqkQ/qNBWKz21Oi3TZekKwgp9y3rvkj+R khiKF0vF4hdwgStv4AwTR5j4cjqkCejCDHaww2Wmx3IDnQzMbI/QD9k9/uDauiD1q87k zj6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710768253; x=1711373053; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-disposition:mime-version:message-id :subject:to:from:date:feedback-id:x-beenthere:x-gm-message-state :sender:from:to:cc:subject:date:message-id:reply-to; bh=yhVkOeD/v17LjlO07gs3/rIQ0TFN8vakkXZDAUyoZNw=; b=T+bAPbruX6VLiYxy9Lm1URhP2srAUQfpW3R8O7K+yNE3IMEppBDcd5obRjKs5g2m6E lVsPaBB6gxAiHrkIfVITdjVdwRsfrzRnme6AEdvRUl0P1woowa3CysBGcIb9+m01TaKc Vve/LqxLkfn3w+nVmWOyw70NTnB2klmW7KncWxWj1Z5IPicCsdwixsHq7KTg4pj1GoMq Imcc3OcMpKD1Gtk2bxX+6dszMGxVDcl3QD/HAqV7fPMbe8iMuMf1wI3EyaDecG2IbK2B xUsMJiinl3RL6xN0ajn2W3f8hrwntTzso72NuI7ZTOL/4I2aHQ2DMrlV+Ts/fWH9K/wy BPaA== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCV3ozUS4VS4DVTDqjQniDGSTB/oPNS9+7hMgDgP8oiEoKjAY5q8HzKNdMTXiA0gQx7IEPY6z+OwzU6djAO9Lt55F8Oc9DI= X-Gm-Message-State: AOJu0YwT3/Vs/ZUtsbG53bLb0NCyMuOOlJ50Kvm9aSOlcONnY3OSspT5 Z/9WxjhKs4gnm0wtaPVN8t0HvU71CVxdulhyB5Cb8Yda0/mY6S/E X-Google-Smtp-Source: AGHT+IGYRaaSRZLhnSwwQjfnI3HOC/fS1MERaT8mYba9rO04fl5ANgZZz0ZYFVy0oP3xDIbNFDH6Kw== X-Received: by 2002:a05:6820:1686:b0:5a2:602:15be with SMTP id bc6-20020a056820168600b005a2060215bemr11971123oob.2.1710768252677; Mon, 18 Mar 2024 06:24:12 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:a05:6820:34d:b0:5a4:93b6:9ae with SMTP id m13-20020a056820034d00b005a493b609aels1656176ooe.1.-pod-prod-08-us; Mon, 18 Mar 2024 06:24:12 -0700 (PDT) X-Received: by 2002:a05:6820:2229:b0:5a3:8bff:3286 with SMTP id cj41-20020a056820222900b005a38bff3286mr746502oob.1.1710768251930; Mon, 18 Mar 2024 06:24:11 -0700 (PDT) Received: by 2002:a05:6808:1150:b0:3c1:b790:b6ba with SMTP id 5614622812f47-3c25eca4aa3msb6e; Mon, 18 Mar 2024 06:21:47 -0700 (PDT) X-Received: by 2002:a17:902:b591:b0:1de:ebb8:4071 with SMTP id a17-20020a170902b59100b001deebb84071mr8894885pls.58.1710768106124; Mon, 18 Mar 2024 06:21:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1710768106; cv=none; d=google.com; s=arc-20160816; b=NQwR26u94ReU9244Yuwq6HeHCTtGIIAB2DgjoWsJ8tWb8jQOmG8JSFWMTLO5Kk1L9G IDoTBwiELbOlYHpMpwKkqcocsvRRNVdXVeepuDb0H5AdQ429EOe450WUJWBNmLp/2dRG 5pJ4pbqp0C0KDI8gDKpNDe0wDA3KWkBdGRDJuVPe4QGoo5dD/1/TbRvBxRP3j4wtcfp3 FrbbPK23gKDxf2ZLcU4c4DW6ecfrxg7S8xpT3b6TbaExD726U6tob9zfv1IuhOcC3a3A sY67u7SRtt/VuOwaB6NGbCvmZ8lQSmDfXgFVkdxT6UWC/lPqzNMukdyyYyuLJaaRk+BD O1FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-disposition:mime-version:message-id:subject:to:from:date :feedback-id:dkim-signature; bh=SV+k6DnC1rns/cIHC37JzzJYMau16i+ZEghatCllAdo=; fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=; b=nD/Sm8IFJV6xzMRQrQPjtloRoUMduoDh4ucDPEgqA7gFFbw57PiGtPpwVHJqSyCVhJ MnYmS1aGshMPTeKoE3JrhshAPm3eqcwxdvyqwUWpskvU+gNIwr3FiYrtBZ2xYgLrvWE1 9frkJpFMocNSvwg4/0RTpARnppl8q1W7l84jWC4mh+1k0vBsiJNVBHXE98jJ71rPluVu bU6/BIM+Tq98vHomEJpLU5Cloyd65In7cGIhVk33Prba82liRuF7FMr4NJrSKuBgw5w9 +JuNSGycbvu1g9p0GN+8gDw1tZB3uivwfPu0mGFWgClalyasIlQSrEePaLIwbOoeLB+y yOlA==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=OG9IOcx3; spf=pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) smtp.mailfrom=pete@petertodd.org Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com. [66.111.4.26]) by gmr-mx.google.com with ESMTPS id jh9-20020a170903328900b001dcd7469086si668796plb.4.2024.03.18.06.21.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Mar 2024 06:21:45 -0700 (PDT) Received-SPF: pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) client-ip=66.111.4.26; Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailout.nyi.internal (Postfix) with ESMTP id 626AB5C005E for ; Mon, 18 Mar 2024 09:21:45 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute7.internal (MEProxy); Mon, 18 Mar 2024 09:21:45 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrkeejgdehudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggusehgtderredttd dunecuhfhrohhmpefrvghtvghrucfvohguugcuoehpvghtvgesphgvthgvrhhtohguugdr ohhrgheqnecuggftrfgrthhtvghrnhepheevtdejtddvhfegteeuvddvffeiudevtdejgf dvkeelffdttdduhedvffdtffdunecuffhomhgrihhnpehgihhthhhusgdrtghomhdpphgv thgvrhhtohguugdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmh grihhlfhhrohhmpehpvghtvgesphgvthgvrhhtohguugdrohhrgh X-ME-Proxy: Feedback-ID: i525146e8:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Mon, 18 Mar 2024 09:21:44 -0400 (EDT) Received: by localhost (Postfix, from userid 1000) id 99CA45F84B; Mon, 18 Mar 2024 13:21:44 +0000 (UTC) Date: Mon, 18 Mar 2024 13:21:44 +0000 From: Peter Todd To: bitcoindev@googlegroups.com Subject: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6 Message-ID: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="1dnJ+e/PJ8Ph9IcQ" Content-Disposition: inline X-Original-Sender: pete@petertodd.org X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=OG9IOcx3; spf=pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) smtp.mailfrom=pete@petertodd.org Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) --1dnJ+e/PJ8Ph9IcQ Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable RBF Rule #6 requires that a replacement transaction have a fee-rate higher = than the fee-rate of all conflicting transactions. This rule aligns economic incentives, as in most circumstances miners earn more money by mining a hig= her fee-rate transaction than a lower fee-rate transaction, even if the absolut= e fee paid by the replacement is more. While RBF Rule #6 was implemented as part of my original Full-RBF opt-in pull-req=C2=B9, it was mistakenly left out of BIP-125, which was written la= ter by Harding. Thus it's often forgotten in analysis of RBF. Rule #6 creates a path dependency: the order in which replacement transacti= ons are received determines which transactions are ultimately accepted. This creates an opportunity for free-relay, as follows: 1. Create two transactions, A and B, where A is a large, low fee-rate, high absolute fee, transaction, and B is a small, high fee-rate, low absolute= fee transaction. 2. Broadcast A and B to different nodes simultaneously. 3. Nodes that receive A first will not replace A with B, because B pays a l= ower fee, violating RBF Rule #3. Notes that receive B first, will not replace= B with A, because A has a lower fee-rate, violating RBF Rule #6. 4. Create A_1, a transaction with the same (large) size as A, but paying a slightly higher fee (and thus fee-rate). Nodes that received A first wil= l replace A with A_1, consuming bandwidth. These nodes will also broadcast= A_1 to peers who have B, consuming their bandwidth even though they reject A_1. 5. Repeat until A_n has a fee-rate high enough to have a non-trivial risk o= f being mined. Or B is mined, invalidating all A_n. The marginal cost to an attacker who was planning on broadcasting B anyway = is fairly small, as provided that sufficiently small fee-rates are chosen for = A_n, the probability of A_n being mined is low. The attack does of course requir= e capital, as the attacker needs to have UTXO's of sufficient size for A_n. The attack is most effective in cases where fee-rates have a significant sl= ope to them, with the minimum relay fee being small compared to the competitive= fee to get into the next block. The larger the mempool size limit, the more effective the attack tends to be. Similarly, the attack is more effective w= ith a larger size difference between A and B. Finally, the attack is more effec= tive with a smaller minimum incremental relay fee, as more individual versions o= f the transaction can be broadcast for a given fee-delta range. Of course, this attack can be parallelized, with many non-conflicting A_n chains at once. Depending on P2P topology, maximum bandwidth may be consum= able by broadcasting multiple _conflicting_ A's to different nodes at once=C2=B2= , a fairly obvious attack that I (and probably others) have already disclosed. # Mitigations Replace-by-Fee-Rate mitigates the attack, by limiting the possible range of fee-rate delta. For example, in Libre Relay, which does replace-by-fee-rate= at a fee-rate ratio of >=3D 2x, if A starts at 3sat/VB, the attacker can only = do 2 cycles of the attack as a B >=3D 6sat/VB will simply replace A. The attack itself is arguably an economic exploit: *because* Bitcoin Core doesn't yet implement replace-by-fee-rate, nodes who accepted A first, are wasting their bandwidth relaying variations on A that are clearly less desirable to miners than B. An economically rational miner would just mine = B right now, and the fact that _other_ economically rational miners would min= e B just strengthens the case for mining B now. Indeed, real-world measurements= of replace-by-fee-rate have found that (most likely) due to mempool inconsistencies, roughly half or more=C2=B3 of RBFR replacements are mined = already. Requiring replacements to increase the fee-rate by a certain ratio would al= so mitigate the attack. However doing so would break a lot of wallet software = that bumps fees by values equal or close to the minimum relay fee. # Related Attacks Rule #6 is just one of many ways to achieve the same effect: getting a mine= r to invalidate a set of large transactions, wasting bandwidth. For example, min= ers who accept payment for guaranteeing that a specific transaction gets mined = also make this kind of attack possible. # Discussion Ironically, the existence of this attack is an argument in favor of replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact that Bitcoin Core's existing rules *also* allow for free-relay in this form makes the difference inconsequential. # Disclosure This issue was disclosed to bitcoin-security first. I received no objection= s to making it public. All free-relay attacks are mitigated by the requirement t= o at least have sufficient funds available to allocate to fees, even if the fund= s might not actually be spent. # References 1) https://github.com/bitcoin/bitcoin/pull/6871 2) https://petertodd.org/2024/one-shot-replace-by-fee-rate#the-status-quo 3) https://petertodd.org/2024/replace-by-fee-rate-success-rate --=20 https://petertodd.org 'peter'[:-1]@petertodd.org --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/= bitcoindev/Zfg/6IZyA/iInyMx%40petertodd.org. --1dnJ+e/PJ8Ph9IcQ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmX4P+IACgkQLly11TVR LzdBtA/+JTP2hLvTBQts1VVjnK/oltbb6SRxuta8t2yU7fFHHE+e8zYqNVO68dU0 7u9n089abE82m6gYWPvrIsYeJxrA9ySgjNAoVhRl4dRnzY6tlqIRLN4eZIsyf21B p4fTLHjhbJQaUfiGXDC4Ddxb/r710SsHhhwWkWqRynKkTqdq0Vklw6RhC5TQO2zM 55193abaK/nMyIumBj55X9KNC4OnzxcP4Gu2iR/tGMndsmqU+VYKVWnUVU1IYIla tF9/NQaySisGiRCMgl7KCb83aq4AM/Qf42OhI+sdKjZLWbdTjRRnPhXbHGbaHcaU mk10mROyU4p7KeZH/3kcN+6Ui8VFcbkB+ik3Lbz/l6wXyh8OT7/oE16QyIE06JHr WQ/i2KzgXixH7nLwnOpvaMU4SiJBONGX/UgA5aGtpAxZ5MsyZy2jGTw2KiyyRlqJ 0+KHms29HVHnFlSllcq7oq9VIDxWt82NWsI5xyV7SRCPgX7Uj/gIG2mvQ73i5zO3 dRfIrGenjfP/UZ0y3vY/QTKIMp9qoXtD9ngEE9nFXTMfbIP6oxLzCQoefvykzPFW D1QMFEOGPJqGBNUxVwSC4ZGkPAaIHNTvbml8FcLVmKqjMLad5R+Y+fNHWPaX1QAS ukj9kWzVDNDm80T648qn/2LD0NDjBWASiWQ6hrOx7rWxk9q1kGw= =fpkO -----END PGP SIGNATURE----- --1dnJ+e/PJ8Ph9IcQ--