Delivery-date: Mon, 18 Mar 2024 06:24:20 -0700
Received: from mail-oo1-f55.google.com ([209.85.161.55])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDRYHVHZTUGRB7EA4GXQMGQEFB6QJ3Y@googlegroups.com>)
id 1rmCyR-0000Jj-Pr
for bitcoindev@gnusha.org; Mon, 18 Mar 2024 06:24:20 -0700
Received: by mail-oo1-f55.google.com with SMTP id 006d021491bc7-5a478fe8814sf3211144eaf.3
for <bitcoindev@gnusha.org>; Mon, 18 Mar 2024 06:24:19 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1710768253; cv=pass;
d=google.com; s=arc-20160816;
b=pC+xDIoP9d0R998j8hLEHxO0rUo3WK0TPtrXew+aTLw/U5QQkGbiOQDNNu/txjUjNQ
Ug8NFdXPsQ5cklehJXl7RSL98YMo/0LrUSB4egPNcdHlD6t7oE6FDe7zhFYvoEU3DsU4
I+SyQJgLqhg/ysz0awpb9wR22k6/68HF2JXQQm1nkGrBIQcTxCsYcVyaSiF6qCR5RqlC
LF20kdQTrxapWl26s0z4mBSz+If1nyT8aDCTANViOk7aJJC/KGQ4gE6BLwe1s9DNpg8D
2U40imxKTHirOMBYU//py91WE4pnXCSQgQfRrPc4smgJ46a2QtHOg4yiJo0kHmLaGCy6
uXLg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:content-disposition:mime-version
:message-id:subject:to:from:date:feedback-id:sender:dkim-signature;
bh=yhVkOeD/v17LjlO07gs3/rIQ0TFN8vakkXZDAUyoZNw=;
fh=B11tC+ZI0VkfbwVIG3oZxRmyhOnGUo1psYMBUvUuFlU=;
b=Z3Mq/YuzQenj7P/Y/AHmdxWP0Sp+snYbLvTP9nwWk80GgaIZ0INdfLlsz2f1d21QPC
pYAyp4+EIMmd1AsoHOHGqsp4yG/AN9LZ94paPN0MW+uamKlO2adaRZOrkqspChMZpo7+
fyVqdzDKSPSlWkTZQwNHrbWmOWA7f8/MP2gtln5Qa3X8o12DJxekPbVNMQQ6SJvUNnDs
hkUlnJp4+gVOlC1eFhpSrgDDSKZzNMfWSVaFhHGcFu7b1ImRQEEIPNlF6Xgd+nI/nWEM
1Ov2r5QtMSzCISMA2L8kEpFTPixXe6C5xN1qofJAdV2COKJ2oYRQepxmtm5xjsvl2Qew
WX8Q==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=OG9IOcx3;
spf=pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) smtp.mailfrom=pete@petertodd.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1710768253; x=1711373053; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-disposition:mime-version:message-id
:subject:to:from:date:feedback-id:sender:from:to:cc:subject:date
:message-id:reply-to;
bh=yhVkOeD/v17LjlO07gs3/rIQ0TFN8vakkXZDAUyoZNw=;
b=tzRSU5Rj/uIxFbCVJ0jxN6WqrXem9iNYDYqzec5soW+LQKOitvcnLTWLBPttEJ4HNC
Pj3t0qHyA9G0bxEXt5GheHpr9c0PkJYEfXhqbFg4rivP+uFaxWpWSYQthdpy7R49k/Zx
bnExGDUiTtUp2jugYyzQE+AMDwdP15VfrLbz0e1cwN82RxqMTvWBi5V657hbBOZ3UUN3
0gTBE7P5Wi8BO/jUER5LnDMvfMgZJvbRfLXqqkQ/qNBWKz21Oi3TZekKwgp9y3rvkj+R
khiKF0vF4hdwgStv4AwTR5j4cjqkCejCDHaww2Wmx3IDnQzMbI/QD9k9/uDauiD1q87k
zj6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1710768253; x=1711373053;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-disposition:mime-version:message-id
:subject:to:from:date:feedback-id:x-beenthere:x-gm-message-state
:sender:from:to:cc:subject:date:message-id:reply-to;
bh=yhVkOeD/v17LjlO07gs3/rIQ0TFN8vakkXZDAUyoZNw=;
b=T+bAPbruX6VLiYxy9Lm1URhP2srAUQfpW3R8O7K+yNE3IMEppBDcd5obRjKs5g2m6E
lVsPaBB6gxAiHrkIfVITdjVdwRsfrzRnme6AEdvRUl0P1woowa3CysBGcIb9+m01TaKc
Vve/LqxLkfn3w+nVmWOyw70NTnB2klmW7KncWxWj1Z5IPicCsdwixsHq7KTg4pj1GoMq
Imcc3OcMpKD1Gtk2bxX+6dszMGxVDcl3QD/HAqV7fPMbe8iMuMf1wI3EyaDecG2IbK2B
xUsMJiinl3RL6xN0ajn2W3f8hrwntTzso72NuI7ZTOL/4I2aHQ2DMrlV+Ts/fWH9K/wy
BPaA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCV3ozUS4VS4DVTDqjQniDGSTB/oPNS9+7hMgDgP8oiEoKjAY5q8HzKNdMTXiA0gQx7IEPY6z+OwzU6djAO9Lt55F8Oc9DI=
X-Gm-Message-State: AOJu0YwT3/Vs/ZUtsbG53bLb0NCyMuOOlJ50Kvm9aSOlcONnY3OSspT5
Z/9WxjhKs4gnm0wtaPVN8t0HvU71CVxdulhyB5Cb8Yda0/mY6S/E
X-Google-Smtp-Source: AGHT+IGYRaaSRZLhnSwwQjfnI3HOC/fS1MERaT8mYba9rO04fl5ANgZZz0ZYFVy0oP3xDIbNFDH6Kw==
X-Received: by 2002:a05:6820:1686:b0:5a2:602:15be with SMTP id bc6-20020a056820168600b005a2060215bemr11971123oob.2.1710768252677;
Mon, 18 Mar 2024 06:24:12 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:6820:34d:b0:5a4:93b6:9ae with SMTP id
m13-20020a056820034d00b005a493b609aels1656176ooe.1.-pod-prod-08-us; Mon, 18
Mar 2024 06:24:12 -0700 (PDT)
X-Received: by 2002:a05:6820:2229:b0:5a3:8bff:3286 with SMTP id cj41-20020a056820222900b005a38bff3286mr746502oob.1.1710768251930;
Mon, 18 Mar 2024 06:24:11 -0700 (PDT)
Received: by 2002:a05:6808:1150:b0:3c1:b790:b6ba with SMTP id 5614622812f47-3c25eca4aa3msb6e;
Mon, 18 Mar 2024 06:21:47 -0700 (PDT)
X-Received: by 2002:a17:902:b591:b0:1de:ebb8:4071 with SMTP id a17-20020a170902b59100b001deebb84071mr8894885pls.58.1710768106124;
Mon, 18 Mar 2024 06:21:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1710768106; cv=none;
d=google.com; s=arc-20160816;
b=NQwR26u94ReU9244Yuwq6HeHCTtGIIAB2DgjoWsJ8tWb8jQOmG8JSFWMTLO5Kk1L9G
IDoTBwiELbOlYHpMpwKkqcocsvRRNVdXVeepuDb0H5AdQ429EOe450WUJWBNmLp/2dRG
5pJ4pbqp0C0KDI8gDKpNDe0wDA3KWkBdGRDJuVPe4QGoo5dD/1/TbRvBxRP3j4wtcfp3
FrbbPK23gKDxf2ZLcU4c4DW6ecfrxg7S8xpT3b6TbaExD726U6tob9zfv1IuhOcC3a3A
sY67u7SRtt/VuOwaB6NGbCvmZ8lQSmDfXgFVkdxT6UWC/lPqzNMukdyyYyuLJaaRk+BD
O1FQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-disposition:mime-version:message-id:subject:to:from:date
:feedback-id:dkim-signature;
bh=SV+k6DnC1rns/cIHC37JzzJYMau16i+ZEghatCllAdo=;
fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=;
b=nD/Sm8IFJV6xzMRQrQPjtloRoUMduoDh4ucDPEgqA7gFFbw57PiGtPpwVHJqSyCVhJ
MnYmS1aGshMPTeKoE3JrhshAPm3eqcwxdvyqwUWpskvU+gNIwr3FiYrtBZ2xYgLrvWE1
9frkJpFMocNSvwg4/0RTpARnppl8q1W7l84jWC4mh+1k0vBsiJNVBHXE98jJ71rPluVu
bU6/BIM+Tq98vHomEJpLU5Cloyd65In7cGIhVk33Prba82liRuF7FMr4NJrSKuBgw5w9
+JuNSGycbvu1g9p0GN+8gDw1tZB3uivwfPu0mGFWgClalyasIlQSrEePaLIwbOoeLB+y
yOlA==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=OG9IOcx3;
spf=pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) smtp.mailfrom=pete@petertodd.org
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com. [66.111.4.26])
by gmr-mx.google.com with ESMTPS id jh9-20020a170903328900b001dcd7469086si668796plb.4.2024.03.18.06.21.45
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 18 Mar 2024 06:21:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted sender) client-ip=66.111.4.26;
Received: from compute7.internal (compute7.nyi.internal [10.202.2.48])
by mailout.nyi.internal (Postfix) with ESMTP id 626AB5C005E
for <bitcoindev@googlegroups.com>; Mon, 18 Mar 2024 09:21:45 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
by compute7.internal (MEProxy); Mon, 18 Mar 2024 09:21:45 -0400
X-ME-Sender: <xms:6T_4ZbDPOJpmWtLGjKrWsioZM_3Ss0MtQjo1pQdhw5o_iBaoDhXQuQ>
<xme:6T_4ZRiq_hIvlg2z5p_D08kw0lq-afTU_IuSt36HoaRDjFEbF6-6CzFZR6mTPzfw3
HGV4-DKY7okcGR3pq4>
X-ME-Received: <xmr:6T_4ZWlUwHgz3aLdHJsqC3z2t-1Wv03SdymFgzNqAPwVuIQL0PzJqR1fHw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrkeejgdehudcutefuodetggdotefrodftvf
curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggusehgtderredttd
dunecuhfhrohhmpefrvghtvghrucfvohguugcuoehpvghtvgesphgvthgvrhhtohguugdr
ohhrgheqnecuggftrfgrthhtvghrnhepheevtdejtddvhfegteeuvddvffeiudevtdejgf
dvkeelffdttdduhedvffdtffdunecuffhomhgrihhnpehgihhthhhusgdrtghomhdpphgv
thgvrhhtohguugdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmh
grihhlfhhrohhmpehpvghtvgesphgvthgvrhhtohguugdrohhrgh
X-ME-Proxy: <xmx:6T_4ZdyyaVmhdLsTTlvuMuF-CaQJOZ6_LbdM7ft8sp2vkQoDXLUcWw>
<xmx:6T_4ZQSUxu-hiamoAcs3WcotiMzhVnvbYeGycgx_yI2IceqMlmY1AA>
<xmx:6T_4ZQY6H-3R4Klo0MXHNwPcxFKrxEhu08U8zRcAx8RbetpMHSxLKw>
<xmx:6T_4ZRSqkihU77lkeOVervSlKCDzPZwOjdUrmNh6cw8zMNGycPj1nQ>
<xmx:6T_4ZWPnX6gcDNGBGbSzlxLHEVevYGcBP-2ZSz1FsryKkk-r3C3wbQ>
Feedback-ID: i525146e8:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
<bitcoindev@googlegroups.com>; Mon, 18 Mar 2024 09:21:44 -0400 (EDT)
Received: by localhost (Postfix, from userid 1000)
id 99CA45F84B; Mon, 18 Mar 2024 13:21:44 +0000 (UTC)
Date: Mon, 18 Mar 2024 13:21:44 +0000
From: Peter Todd <pete@petertodd.org>
To: bitcoindev@googlegroups.com
Subject: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
Message-ID: <Zfg/6IZyA/iInyMx@petertodd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="1dnJ+e/PJ8Ph9IcQ"
Content-Disposition: inline
X-Original-Sender: pete@petertodd.org
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@messagingengine.com header.s=fm2 header.b=OG9IOcx3; spf=pass
(google.com: domain of pete@petertodd.org designates 66.111.4.26 as permitted
sender) smtp.mailfrom=pete@petertodd.org
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)
--1dnJ+e/PJ8Ph9IcQ
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
RBF Rule #6 requires that a replacement transaction have a fee-rate higher =
than
the fee-rate of all conflicting transactions. This rule aligns economic
incentives, as in most circumstances miners earn more money by mining a hig=
her
fee-rate transaction than a lower fee-rate transaction, even if the absolut=
e
fee paid by the replacement is more.
While RBF Rule #6 was implemented as part of my original Full-RBF opt-in
pull-req=C2=B9, it was mistakenly left out of BIP-125, which was written la=
ter by
Harding. Thus it's often forgotten in analysis of RBF.
Rule #6 creates a path dependency: the order in which replacement transacti=
ons
are received determines which transactions are ultimately accepted. This
creates an opportunity for free-relay, as follows:
1. Create two transactions, A and B, where A is a large, low fee-rate, high
absolute fee, transaction, and B is a small, high fee-rate, low absolute=
fee
transaction.
2. Broadcast A and B to different nodes simultaneously.
3. Nodes that receive A first will not replace A with B, because B pays a l=
ower
fee, violating RBF Rule #3. Notes that receive B first, will not replace=
B with
A, because A has a lower fee-rate, violating RBF Rule #6.
4. Create A_1, a transaction with the same (large) size as A, but paying a
slightly higher fee (and thus fee-rate). Nodes that received A first wil=
l
replace A with A_1, consuming bandwidth. These nodes will also broadcast=
A_1 to
peers who have B, consuming their bandwidth even though they reject A_1.
5. Repeat until A_n has a fee-rate high enough to have a non-trivial risk o=
f
being mined. Or B is mined, invalidating all A_n.
The marginal cost to an attacker who was planning on broadcasting B anyway =
is
fairly small, as provided that sufficiently small fee-rates are chosen for =
A_n,
the probability of A_n being mined is low. The attack does of course requir=
e
capital, as the attacker needs to have UTXO's of sufficient size for A_n.
The attack is most effective in cases where fee-rates have a significant sl=
ope
to them, with the minimum relay fee being small compared to the competitive=
fee
to get into the next block. The larger the mempool size limit, the more
effective the attack tends to be. Similarly, the attack is more effective w=
ith
a larger size difference between A and B. Finally, the attack is more effec=
tive
with a smaller minimum incremental relay fee, as more individual versions o=
f
the transaction can be broadcast for a given fee-delta range.
Of course, this attack can be parallelized, with many non-conflicting A_n
chains at once. Depending on P2P topology, maximum bandwidth may be consum=
able
by broadcasting multiple _conflicting_ A's to different nodes at once=C2=B2=
, a
fairly obvious attack that I (and probably others) have already disclosed.
# Mitigations
Replace-by-Fee-Rate mitigates the attack, by limiting the possible range of
fee-rate delta. For example, in Libre Relay, which does replace-by-fee-rate=
at
a fee-rate ratio of >=3D 2x, if A starts at 3sat/VB, the attacker can only =
do 2
cycles of the attack as a B >=3D 6sat/VB will simply replace A.
The attack itself is arguably an economic exploit: *because* Bitcoin Core
doesn't yet implement replace-by-fee-rate, nodes who accepted A first, are
wasting their bandwidth relaying variations on A that are clearly less
desirable to miners than B. An economically rational miner would just mine =
B
right now, and the fact that _other_ economically rational miners would min=
e B
just strengthens the case for mining B now. Indeed, real-world measurements=
of
replace-by-fee-rate have found that (most likely) due to mempool
inconsistencies, roughly half or more=C2=B3 of RBFR replacements are mined =
already.
Requiring replacements to increase the fee-rate by a certain ratio would al=
so
mitigate the attack. However doing so would break a lot of wallet software =
that
bumps fees by values equal or close to the minimum relay fee.
# Related Attacks
Rule #6 is just one of many ways to achieve the same effect: getting a mine=
r to
invalidate a set of large transactions, wasting bandwidth. For example, min=
ers
who accept payment for guaranteeing that a specific transaction gets mined =
also
make this kind of attack possible.
# Discussion
Ironically, the existence of this attack is an argument in favor of
replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
that Bitcoin Core's existing rules *also* allow for free-relay in this form
makes the difference inconsequential.
# Disclosure
This issue was disclosed to bitcoin-security first. I received no objection=
s to
making it public. All free-relay attacks are mitigated by the requirement t=
o at
least have sufficient funds available to allocate to fees, even if the fund=
s
might not actually be spent.
# References
1) https://github.com/bitcoin/bitcoin/pull/6871
2) https://petertodd.org/2024/one-shot-replace-by-fee-rate#the-status-quo
3) https://petertodd.org/2024/replace-by-fee-rate-success-rate
--=20
https://petertodd.org 'peter'[:-1]@petertodd.org
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/Zfg/6IZyA/iInyMx%40petertodd.org.
--1dnJ+e/PJ8Ph9IcQ
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmX4P+IACgkQLly11TVR
LzdBtA/+JTP2hLvTBQts1VVjnK/oltbb6SRxuta8t2yU7fFHHE+e8zYqNVO68dU0
7u9n089abE82m6gYWPvrIsYeJxrA9ySgjNAoVhRl4dRnzY6tlqIRLN4eZIsyf21B
p4fTLHjhbJQaUfiGXDC4Ddxb/r710SsHhhwWkWqRynKkTqdq0Vklw6RhC5TQO2zM
55193abaK/nMyIumBj55X9KNC4OnzxcP4Gu2iR/tGMndsmqU+VYKVWnUVU1IYIla
tF9/NQaySisGiRCMgl7KCb83aq4AM/Qf42OhI+sdKjZLWbdTjRRnPhXbHGbaHcaU
mk10mROyU4p7KeZH/3kcN+6Ui8VFcbkB+ik3Lbz/l6wXyh8OT7/oE16QyIE06JHr
WQ/i2KzgXixH7nLwnOpvaMU4SiJBONGX/UgA5aGtpAxZ5MsyZy2jGTw2KiyyRlqJ
0+KHms29HVHnFlSllcq7oq9VIDxWt82NWsI5xyV7SRCPgX7Uj/gIG2mvQ73i5zO3
dRfIrGenjfP/UZ0y3vY/QTKIMp9qoXtD9ngEE9nFXTMfbIP6oxLzCQoefvykzPFW
D1QMFEOGPJqGBNUxVwSC4ZGkPAaIHNTvbml8FcLVmKqjMLad5R+Y+fNHWPaX1QAS
ukj9kWzVDNDm80T648qn/2LD0NDjBWASiWQ6hrOx7rWxk9q1kGw=
=fpkO
-----END PGP SIGNATURE-----
--1dnJ+e/PJ8Ph9IcQ--