1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
|
Return-Path: <antoine.riard@gmail.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
by lists.linuxfoundation.org (Postfix) with ESMTP id B2824C0032;
Tue, 17 Oct 2023 18:35:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 71290613EF;
Tue, 17 Oct 2023 18:35:06 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 71290613EF
Authentication-Results: smtp3.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20230601 header.b=jTEFNoP8
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id SKvrXBHiA65i; Tue, 17 Oct 2023 18:35:04 +0000 (UTC)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com
[IPv6:2607:f8b0:4864:20::d36])
by smtp3.osuosl.org (Postfix) with ESMTPS id 52EB9613D7;
Tue, 17 Oct 2023 18:35:04 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 52EB9613D7
Received: by mail-io1-xd36.google.com with SMTP id
ca18e2360f4ac-79f9acc857cso216159839f.2;
Tue, 17 Oct 2023 11:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1697567703; x=1698172503;
darn=lists.linuxfoundation.org;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=Vmzl/6LUF5jOPFXTaWppJwarQcnTEBT2dGdn4evdWmM=;
b=jTEFNoP8V8Fzi4Mu45TzA/8HdjMQFbQPesqPPj0hGrcr5qi078KveaZKeo9/V/OuU9
wZLPyLapnIApvZf56I7/+I8F4Bu7GSS8p7VQfyh7+0kg7hfj+EamfSOjKMeZcAQYM9Ly
Iib+ZjAJ7rV1NH+JCxbBZMaCU84FugJ8Y89jVUI5qcQoxGjpHes6oMhgdDrju+u4z18e
lybgV6UN6sk74sdupJqmUaVczIJa0Qdo1l2Qg3S/LSv3nesytbiEBlRmQH/aost9dRSU
FFNXzZP9h4LDOkLn1cz2bA7UmtxMTNYudyKW3U7ha368aQGIuAcQqAoffp3Ljx72d/dr
EDEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1697567703; x=1698172503;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=Vmzl/6LUF5jOPFXTaWppJwarQcnTEBT2dGdn4evdWmM=;
b=Y07yjdg7UeMSGkKgFDUu3vidR9GCoG0jdbZE/t4qMdC7zLPmZW0zMmAqMeJg3OWszr
9TqxeCqnr1Lo7aVG/Qa1X5nSfHnWarNt0Czx8KvAaxTXq/cO6U01eq1MUd7nCu9Q2hvm
oV9/NE0iK3u5JbAFFRu1uJidDdcQuYZlGEtzqjU8AbcYdZLnEs8IRUQfr3eJMU+QsKpt
c83c+pehWhxHPwp2z+kdjc5kwz8rikKvc/BIjNdAJclI5bHTKLgN/ERGUbnJbz7+zmRy
aa8AyAp8Ta5VX8vRW2ImRt1GqprHXY5yzZ0bb7saE2kNOJTUXbnsx3TyXQO7TZLWkIKi
W6dg==
X-Gm-Message-State: AOJu0YzbxdZheM8w1oIXfQvUDBN8cK9pnJRrxcQpCfNA6eQF5OnCUp+V
yTNSFjf65jTPAoL7an2W9qcmCsH/iHeY/Y005jg=
X-Google-Smtp-Source: AGHT+IH9+dx6j9PqlUQoJsOQoB0qJpFvkkUudlLJo5iQEB2b8AI6WvuvEpqxNpoCm7VW4UvGFEmy3sJMw00Jxw9Y7p4=
X-Received: by 2002:a05:6e02:54e:b0:357:4509:a3c6 with SMTP id
i14-20020a056e02054e00b003574509a3c6mr2958994ils.32.1697567703270; Tue, 17
Oct 2023 11:35:03 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
<eW4O0HQJ2cbrzZhXSlgeDRWuhgRHXcAxIQCHJiqPh1zUxr270xPvl_tb7C4DUauZy56HaCq6BqGN9p4k-bkqQmLb4EHzPgIxZIZGVPlqyF0=@protonmail.com>
<64VpLnXQLbeoc895Z9aR7C1CfH6IFxPFDrk0om-md1eqvdMczLSnhwH29T6EWCXgiGQiRqQnAYsezbvNvoPCdcfvCvp__Y8BA1ow5UwY2yQ=@protonmail.com>
In-Reply-To: <64VpLnXQLbeoc895Z9aR7C1CfH6IFxPFDrk0om-md1eqvdMczLSnhwH29T6EWCXgiGQiRqQnAYsezbvNvoPCdcfvCvp__Y8BA1ow5UwY2yQ=@protonmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Tue, 17 Oct 2023 19:34:52 +0100
Message-ID: <CALZpt+Gu9JJUeJfdUm_eT66DEH=UY+z1vkD_jUNZZyTPaet_QA@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Content-Type: multipart/alternative; boundary="000000000000ef8adb0607edc7c2"
X-Mailman-Approved-At: Wed, 18 Oct 2023 00:07:44 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
security@ariard.me,
"lightning-dev\\\\\\\\\\\\\\\\@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] Full Disclosure: CVE-2023-40231 /
CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are
belong to us"
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Oct 2023 18:35:06 -0000
--000000000000ef8adb0607edc7c2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Zeeman,
> At block height 100, `B` notices the `B->C` HTLC timelock is expired
without `C` having claimed it, so `B` forces the `B=3D=3D=3D=3DC` channel o=
nchain.
> However, onchain feerates have risen and the commitment transaction and
HTLC-timeout transaction do not confirm.
This is not that the HTLC-timeout does not confirm. It is replaced in
cycles by C's HTLC-preimage which is still valid after `B->C` HTLC timelock
has expired. And this HTLC-preimage is subsequently replaced itself.
See the test here:
https://github.com/ariard/bitcoin/commit/19d61fa8cf22a5050b51c4005603f43d72=
f1efcf
> At block height 144, `B` is still not able to claim the `A->B` HTLC, so
`A` drops the `A=3D=3D=3D=3DB` channel onchain.
> As the fees are up-to-date, this confirms immediately and `A` is able to
recover the HTLC funds.
> However, the feerates of the `B=3D=3D=3D=3DC` pre-signed transactions rem=
ain at
the old, uncompetitive feerates.
This is correct that A tries to recover the HTLC funds on the `A=3D=3D=3DB`
channel.
However, there is no need to consider the fee rates nor mempool congestion
as the exploit lays on the replacement mechanism itself (in simple
scenario).
> At this point, `C` broadcasts an HTLC-success transaction with high
feerates that CPFPs the commitment tx.
> However, it replaces the HTLC-timeout transaction, which is at the old,
low feerate.
> `C` is thus able to get the value of the HTLC, but `B` is now no longer
able to use the knowledge of the preimage, as its own incoming HTLC was
already confirmed as claimed by `A`.
This is correct that `C` broadcasts an HTLC-success transaction at block
height 144.
However `C` broadcasts this high feerate transaction at _every block_
between blocks 100 and 144 to replace B's HTLC-timeout transaction.
> Let me also explain to non-Lightning experts why HTLC-timeout is
presigned in this case and why `B` cannot feebump it.
Note `B` can feebump the HTLC-timeout for anchor output channels thanks to
sighash_single | anyonecanpay on C's signature.
Le mar. 17 oct. 2023 =C3=A0 11:34, ZmnSCPxj <ZmnSCPxj@protonmail.com> a =C3=
=A9crit :
> Good morning Antoine et al.,
>
> Let me try to rephrase the core of the attack.
>
> There exists these nodes on the LN (letters `A`, `B`, and `C` are nodes,
> `=3D=3D` are channels):
>
> A =3D=3D=3D=3D=3D B =3D=3D=3D=3D=3D C
>
> `A` routes `A->B->C`.
>
> The timelocks, for example, could be:
>
> A->B timeelock =3D 144
> B->C timelock =3D 100
>
> The above satisfies the LN BOLT requirements, as long as `B` has a
> `cltv_expiry_delta` of 44 or lower.
>
> After `B` forwards the HTLC `B->C`, C suddenly goes offline, and all the
> signed transactions --- commitment transaction and HTLC-timeout
> transactions --- are "stuck" at the feerate at the time.
>
> At block height 100, `B` notices the `B->C` HTLC timelock is expired
> without `C` having claimed it, so `B` forces the `B=3D=3D=3D=3DC` channel=
onchain.
> However, onchain feerates have risen and the commitment transaction and
> HTLC-timeout transaction do not confirm.
>
> In the mean time, `A` is still online with `B` and updates the onchain
> fees of the `A=3D=3D=3D=3DB` channel pre-signed transactions (commitment =
tx and
> HTLC-timeout tx) to the latest.
>
> At block height 144, `B` is still not able to claim the `A->B` HTLC, so
> `A` drops the `A=3D=3D=3D=3DB` channel onchain.
> As the fees are up-to-date, this confirms immediately and `A` is able to
> recover the HTLC funds.
> However, the feerates of the `B=3D=3D=3D=3DC` pre-signed transactions rem=
ain at
> the old, uncompetitive feerates.
>
> At this point, `C` broadcasts an HTLC-success transaction with high
> feerates that CPFPs the commitment tx.
> However, it replaces the HTLC-timeout transaction, which is at the old,
> low feerate.
> `C` is thus able to get the value of the HTLC, but `B` is now no longer
> able to use the knowledge of the preimage, as its own incoming HTLC was
> already confirmed as claimed by `A`.
>
> Is the above restatement accurate?
>
> ----
>
> Let me also explain to non-Lightning experts why HTLC-timeout is presigne=
d
> in this case and why `B` cannot feebump it.
>
> In the Poon-Dryja mechanism, the HTLCs are "infected" by the Poon-Dryja
> penalty case, and are not plain HTLCs.
>
> A plain HTLC offerred by `B` to `C` would look like this:
>
> (B && OP_CLTV) || (C && OP_HASH160)
>
> However, on the commitment transaction held by `B`, it would be infected
> by the penalty case in this way:
>
> (B && C && OP_CLTV) || (C && OP_HASH160) || (C && revocation)
>
> There are two changes:
>
> * The addition of a revocation branch `C && revocation`.
> * The branch claimable by `B` in the "plain" HTLC (`B && OP_CLTV`) also
> includes `C`.
>
> These are necessary in case `B` tries to cheat and this HTLC is on an old=
,
> revoked transaction.
> If the revoked transaction is *really* old, the `OP_CLTV` would already
> impose a timelock far in the past.
> This means that a plain `B && OP_CLTV` branch can be claimed by `B` if it
> retained this very old revoked transaction.
>
> To prevent that, `C` is added to the `B && OP_CLTV` branch.
> We also introduce an HTLC-timeout transaction, which spends the `B && C &=
&
> OP_CLTV` branch, and outputs to:
>
> (B && OP_CSV) || (C && revocation)
>
> Thus, even if `B` held onto a very old revoked commitment transaction and
> attempts to spend the timelock branch (because the `OP_CLTV` is for an ol=
d
> blockheight), it still has to contend with a new output with a *relative*
> timelock.
>
> Unfortunately, this means that the HTLC-timeout transaction is pre-signed=
,
> and has a specific feerate.
> In order to change the feerate, both `B` and `C` have to agree to re-sign
> the HTLC-timeout transaction at the higher feerate.
>
> However, the HTLC-success transaction in this case spends the plain `(C &=
&
> OP_HASH160)` branch, which only involves `C`.
> This allows `C` to feebump the HTLC-success transaction arbitrarily even
> if `B` does not cooperate.
>
> While anchor outputs can be added to the HTLC-timeout transaction as well=
,
> `C` has a greater advantage here due to being able to RBF the HTLC-timeou=
t
> out of the way (1 transaction), while `B` has to get both HTLC-timeout an=
d
> a CPFP-RBF of the anchor output of the HTLC-timeout transaction (2
> transactions).
> `C` thus requires a smaller fee to achieve a particular feerate due to
> having to push a smaller number of bytes compared to `B`.
>
> Regards,
> ZmnSCPxj
>
--000000000000ef8adb0607edc7c2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Zeeman,<div><br></div><div>> At block height 100, `B=
` notices the `B->C` HTLC timelock is expired without `C` having claimed=
it, so `B` forces the `B=3D=3D=3D=3DC` channel onchain.<br>> However, o=
nchain feerates have risen and the commitment transaction and HTLC-timeout =
transaction do not confirm.<br></div><div><br></div><div>This is not that t=
he HTLC-timeout does not confirm. It is replaced in cycles by C's HTLC-=
preimage which is still valid after `B->C` HTLC timelock has expired. An=
d this HTLC-preimage is subsequently=C2=A0replaced itself.</div><div><br></=
div><div>See the test here:=C2=A0<a href=3D"https://github.com/ariard/bitco=
in/commit/19d61fa8cf22a5050b51c4005603f43d72f1efcf">https://github.com/aria=
rd/bitcoin/commit/19d61fa8cf22a5050b51c4005603f43d72f1efcf</a></div><div><b=
r></div><div>> At block height 144, `B` is still not able to claim the `=
A->B` HTLC, so `A` drops the `A=3D=3D=3D=3DB` channel onchain.<br>> A=
s the fees are up-to-date, this confirms immediately and `A` is able to rec=
over the HTLC funds.<br>> However, the feerates of the `B=3D=3D=3D=3DC` =
pre-signed transactions remain at the old, uncompetitive feerates.<br></div=
><div><br></div><div>This is correct that A tries to recover the HTLC funds=
on the `A=3D=3D=3DB` channel.</div><div><br></div><div>However, there is n=
o need to consider the fee rates nor mempool congestion as the exploit lays=
on the replacement mechanism itself (in simple scenario).</div><div><br></=
div><div>> At this point, `C` broadcasts an HTLC-success transaction wit=
h high feerates that CPFPs the commitment tx.</div>> However, it replace=
s the HTLC-timeout transaction, which is at the old, low feerate.<br>> `=
C` is thus able to get the value of the HTLC, but `B` is now no longer able=
to use the knowledge of the preimage, as its own incoming HTLC was already=
confirmed as claimed by `A`.<div><br></div><div>This is correct that `C` b=
roadcasts an HTLC-success transaction at block height 144.</div><div><br></=
div><div>However `C` broadcasts this high feerate transaction at _every blo=
ck_ between blocks 100 and 144 to replace B's HTLC-timeout transaction.=
</div><div><br></div><div>> Let me also explain to non-Lightning experts=
why HTLC-timeout is presigned in this case and why `B` cannot feebump it.<=
/div><div><br></div><div>Note `B` can feebump the HTLC-timeout for anchor o=
utput channels thanks to sighash_single |=C2=A0anyonecanpay=C2=A0on C's=
signature.</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" clas=
s=3D"gmail_attr">Le=C2=A0mar. 17 oct. 2023 =C3=A0=C2=A011:34, ZmnSCPxj <=
<a href=3D"mailto:ZmnSCPxj@protonmail.com">ZmnSCPxj@protonmail.com</a>> =
a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-=
left-color:rgb(204,204,204);padding-left:1ex">Good morning Antoine et al.,<=
br>
<br>
Let me try to rephrase the core of the attack.<br>
<br>
There exists these nodes on the LN (letters `A`, `B`, and `C` are nodes, `=
=3D=3D` are channels):<br>
<br>
=C2=A0 =C2=A0 A =3D=3D=3D=3D=3D B =3D=3D=3D=3D=3D C<br>
<br>
`A` routes `A->B->C`.<br>
<br>
The timelocks, for example, could be:<br>
<br>
=C2=A0 =C2=A0A->B timeelock =3D 144<br>
=C2=A0 =C2=A0B->C timelock =3D 100<br>
<br>
The above satisfies the LN BOLT requirements, as long as `B` has a `cltv_ex=
piry_delta` of 44 or lower.<br>
<br>
After `B` forwards the HTLC `B->C`, C suddenly goes offline, and all the=
signed transactions --- commitment transaction and HTLC-timeout transactio=
ns --- are "stuck" at the feerate at the time.<br>
<br>
At block height 100, `B` notices the `B->C` HTLC timelock is expired wit=
hout `C` having claimed it, so `B` forces the `B=3D=3D=3D=3DC` channel onch=
ain.<br>
However, onchain feerates have risen and the commitment transaction and HTL=
C-timeout transaction do not confirm.<br>
<br>
In the mean time, `A` is still online with `B` and updates the onchain fees=
of the `A=3D=3D=3D=3DB` channel pre-signed transactions (commitment tx and=
HTLC-timeout tx) to the latest.<br>
<br>
At block height 144, `B` is still not able to claim the `A->B` HTLC, so =
`A` drops the `A=3D=3D=3D=3DB` channel onchain.<br>
As the fees are up-to-date, this confirms immediately and `A` is able to re=
cover the HTLC funds.<br>
However, the feerates of the `B=3D=3D=3D=3DC` pre-signed transactions remai=
n at the old, uncompetitive feerates.<br>
<br>
At this point, `C` broadcasts an HTLC-success transaction with high feerate=
s that CPFPs the commitment tx.<br>
However, it replaces the HTLC-timeout transaction, which is at the old, low=
feerate.<br>
`C` is thus able to get the value of the HTLC, but `B` is now no longer abl=
e to use the knowledge of the preimage, as its own incoming HTLC was alread=
y confirmed as claimed by `A`.<br>
<br>
Is the above restatement accurate?<br>
<br>
----<br>
<br>
Let me also explain to non-Lightning experts why HTLC-timeout is presigned =
in this case and why `B` cannot feebump it.<br>
<br>
In the Poon-Dryja mechanism, the HTLCs are "infected" by the Poon=
-Dryja penalty case, and are not plain HTLCs.<br>
<br>
A plain HTLC offerred by `B` to `C` would look like this:<br>
<br>
=C2=A0 =C2=A0 (B && OP_CLTV) || (C && OP_HASH160)<br>
<br>
However, on the commitment transaction held by `B`, it would be infected by=
the penalty case in this way:<br>
<br>
=C2=A0 =C2=A0 (B && C && OP_CLTV) || (C && OP_HASH1=
60) || (C && revocation)<br>
<br>
There are two changes:<br>
<br>
* The addition of a revocation branch `C && revocation`.<br>
* The branch claimable by `B` in the "plain" HTLC (`B && =
OP_CLTV`) also includes `C`.<br>
<br>
These are necessary in case `B` tries to cheat and this HTLC is on an old, =
revoked transaction.<br>
If the revoked transaction is *really* old, the `OP_CLTV` would already imp=
ose a timelock far in the past.<br>
This means that a plain `B && OP_CLTV` branch can be claimed by `B`=
if it retained this very old revoked transaction.<br>
<br>
To prevent that, `C` is added to the `B && OP_CLTV` branch.<br>
We also introduce an HTLC-timeout transaction, which spends the `B &&am=
p; C && OP_CLTV` branch, and outputs to:<br>
<br>
=C2=A0 =C2=A0 (B && OP_CSV) || (C && revocation)<br>
<br>
Thus, even if `B` held onto a very old revoked commitment transaction and a=
ttempts to spend the timelock branch (because the `OP_CLTV` is for an old b=
lockheight), it still has to contend with a new output with a *relative* ti=
melock.<br>
<br>
Unfortunately, this means that the HTLC-timeout transaction is pre-signed, =
and has a specific feerate.<br>
In order to change the feerate, both `B` and `C` have to agree to re-sign t=
he HTLC-timeout transaction at the higher feerate.<br>
<br>
However, the HTLC-success transaction in this case spends the plain `(C &am=
p;& OP_HASH160)` branch, which only involves `C`.<br>
This allows `C` to feebump the HTLC-success transaction arbitrarily even if=
`B` does not cooperate.<br>
<br>
While anchor outputs can be added to the HTLC-timeout transaction as well, =
`C` has a greater advantage here due to being able to RBF the HTLC-timeout =
out of the way (1 transaction), while `B` has to get both HTLC-timeout and =
a CPFP-RBF of the anchor output of the HTLC-timeout transaction (2 transact=
ions).<br>
`C` thus requires a smaller fee to achieve a particular feerate due to havi=
ng to push a smaller number of bytes compared to `B`.<br>
<br>
Regards,<br>
ZmnSCPxj<br>
</blockquote></div>
--000000000000ef8adb0607edc7c2--
|