Date: Tue, 26 Mar 2024 08:36:45 -1000
From: "David A. Harding" <dave@dtrt.org>
To: Peter Todd <pete@petertodd.org>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
In-Reply-To: <Zfg/6IZyA/iInyMx@petertodd.org>
References: <Zfg/6IZyA/iInyMx@petertodd.org>
Message-ID: <012f89763cc336cd91eec13dccefc921@dtrt.org>

On 2024-03-18 03:21, Peter Todd wrote:
> [...] the existence of this attack is an argument in favor of
> replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
> that Bitcoin Core's existing rules *also* allow for free-relay in this form
> makes the difference inconsequential.
>
> # Disclosure
>
> This issue was disclosed to bitcoin-security first. I received no objections to
> making it public. All free-relay attacks are mitigated by the requirement to at
> least have sufficient funds available to allocate to fees, even if the funds
> might not actually be spent.

Could you tell us more about the disclosure process you followed? I'm
surprised to see it disclosed without any apparent attempt at patching.
I'm especially concerned given your past history of publicly revealing
vulnerabilities before they could be quietly patched[1] and the conflict
of interest of you using this disclosure to advocate for a policy change
you are championing.

-Dave

[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016100.html