1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
|
Return-Path: <pete@petertodd.org>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 7DD95C0037
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Dec 2023 10:09:08 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id 33A4E81BB4
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Dec 2023 10:09:08 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 33A4E81BB4
Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key,
unprotected) header.d=messagingengine.com header.i=@messagingengine.com
header.a=rsa-sha256 header.s=fm1 header.b=JjN+pljl
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001,
RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FJ7gbhXDnO-X
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Dec 2023 10:09:06 +0000 (UTC)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com
[64.147.123.25])
by smtp1.osuosl.org (Postfix) with ESMTPS id 5E3A081B52
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Dec 2023 10:09:06 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 5E3A081B52
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
by mailout.west.internal (Postfix) with ESMTP id 5BEF63200F6F
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Dec 2023 05:09:00 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
by compute2.internal (MEProxy); Sat, 09 Dec 2023 05:09:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-type:content-type:date:date
:feedback-id:feedback-id:from:from:in-reply-to:message-id
:mime-version:reply-to:sender:subject:subject:to:to:x-me-proxy
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=
1702116539; x=1702202939; bh=0VzGFoRXK4IVQQsmLwzusDBVcjHDOj/Gejt
jfb3Igs4=; b=JjN+pljlf6/RM9MFuY9CprPuv/3MnYp8gwEPW8kFlloIN+zT9hI
j4oaRu5Fg/mWXQ7pFVw7D9AmZFbua1Ru/KOFkB+ajsYdYXAxyfL5g8b1jm3xcHmw
tBWz4p7+MW9Rxf5Yk5I33ppE08YfWZWXkQdepr+sdOqHgacIAjKJqS7QYNx2YwkZ
Y4vmrwNBgosYIQb0XWA4UxZDsO3fi8ACoStEoc4anKtMBwSorgq/NgKOjuMHTzH6
5JT8qNVQVxXz0fSwV05BrNnorStpCM3i//dW5IcW9e1s9vRntjgukzSaiTk7NAep
jD3uKkLABPSNzRmdsaUJnOrDh2Dn8zWRNTg==
X-ME-Sender: <xms:uzx0ZYnBJWod3cxKw80Uf9CW_16pIbZCF_Y9Tgp2cQbBX8lOdHKA8A>
<xme:uzx0ZX2ZNp73UO0Qk_Jax-Y8YdX0P7cEMq84SC2jNEc1sN8NVMXSGngxcoBu5HlOC
wLf5DZLMWEhtsBf8kQ>
X-ME-Received: <xmr:uzx0ZWoAwkdeQGGbSxmW1PdPwB08rHGKv6PyWbmagKcREPbyeLxdWWPMEw7VbdWuLUuoxMdtelLtqI6wDOxBffA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrudekkedgudefucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesghdtreertd
dtvdenucfhrhhomheprfgvthgvrhcuvfhougguuceophgvthgvsehpvghtvghrthhouggu
rdhorhhgqeenucggtffrrghtthgvrhhnpeeitedvffffkefhhefgveffueefkeefkeelke
efkeektedvtdffudejueelleelheenucffohhmrghinheplhhinhhugihfohhunhgurght
ihhonhdrohhrghdpghhithhhuhgsrdgtohhmpdhpvghtvghrthhouggurdhorhhgnecuve
hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepphgvthgvsehp
vghtvghrthhouggurdhorhhg
X-ME-Proxy: <xmx:uzx0ZUnVlGy36Sau1E0SGh6HE0no8_SPZz8o8qm35MYYh8osmDfTvQ>
<xmx:uzx0ZW0qjhyeiqEtxmMinWUZ8jkN7nJBYAj8WKGfeQ8RmB4zLLJvpw>
<xmx:uzx0ZbuaCAbrVbUR-G9kUCiTnJGKA7-HY3wcJ8t5KV5ZfcHS6_ZsuQ>
<xmx:uzx0ZUA4OYyU_re7U4cuJLhKZLu4JWXCZfYZiHWLD6UxIsuPzjqj4w>
Feedback-ID: i525146e8:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
<bitcoin-dev@lists.linuxfoundation.org>; Sat,
9 Dec 2023 05:08:59 -0500 (EST)
Received: by localhost (Postfix, from userid 1000)
id 24ACD5F824; Sat, 9 Dec 2023 10:08:56 +0000 (UTC)
Date: Sat, 9 Dec 2023 10:08:56 +0000
From: Peter Todd <pete@petertodd.org>
To: bitcoin-dev@lists.linuxfoundation.org
Message-ID: <ZXQ8uFLoNlSksalX@petertodd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="RWq1h5nm+ReKvAbI"
Content-Disposition: inline
Subject: [bitcoin-dev] Altruistic Rebroadcasting - A Partial Replacement
Cycling Mitigation
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Dec 2023 10:09:08 -0000
--RWq1h5nm+ReKvAbI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
While this seems like a reasonably obvious idea, I couldn't find a previous
example of it published on bitcoin-dev or elsewhere. So for the ability to =
cite
it, I'll publish it now.
# Summary
Altruistic third parties can partially mitigate replacement cycling(1) atta=
cks
by simply rebroadcasting the replaced transactions once the replacement cyc=
le
completes. Since the replaced transaction is in fact fully valid, and the
"cost" of broadcasting it has been paid by the replacement transactions, it=
can
be rebroadcast by anyone at all, and will propagate in a similar way to whe=
n it
was initially propagated. Actually implementing this simply requires code t=
o be
written to keep track of all replaced transactions, and detect opportunitie=
s to
rebroadcast transactions that have since become valid again. Since any
interested third party can do this, the memory/disk space requirements of
keeping track of these replacements aren't important; normal nodes can cont=
inue
to operate exactly as they have before.
# Background
To recall, a replacement cycling attack has three basic stages:
0) Target transaction tx0_a is broadcast, spending one or more outputs
1) Attacker broadcasts double-spend tx0_b, spending an additional output
under the attacker's control
2) Attacker broadcasts double-spend tx1, double-spending only the additional
input, resulting in the original input set not being spent
Replacement cycling is a potential threat any time two or more parties have=
the
ability to spend a single txout, and rendering that output _unspent_ is
harmful. For example, replacement cycling is an attack on lightning HTLCs,
because it can result in an HTLC pre-image not being observed by a party un=
til
after the HTLC expires. Similarly, replacement cycling is a potential attac=
k on
signatureless anchor outputs, as it can allow third parties to revoke a CPFP
anchor spend, making the parent transaction(s) unminable.
# Altruistic Rebroadcasting
Bitcoin Core keeps no records of replaced transactions. Thus after the
replacement cycling attack is complete, tx0_a has been entirely purged from=
a
Bitcoin Core node's mempool, and all inputs to tx0_a are unspent. Thus it is
just as valid to broadcast as before.
## Resources Required
Let's suppose we have a DoS attacker who is constantly broadcasting replace=
ment
in an effort to overwhelm nodes performing altruistic rebroadcasting. The
BIP-125 RBF rules require that a replacement transaction pay for the bandwi=
dth
used by the replacement. On Bitcoin Core, this defaults to 1sat/vByte. Assu=
ming
the attacking transactions are ~100% witness bytes, that is ~0.25sats/byte =
of
relay bandwidth per peer.
Suppose the DoS attacker has a budget equal to 50% of the total block rewar=
d.
That means they can spend 3.125 BTC / 10 minutes, or 520,833sats/s.
520,833 sats/s
-------------- =3D 2,083,332 bytes / s
0.25 sats/byte
Even in this absurd case, storing a one day worth of replacements would req=
uire
just 172GB of storage. 256GB of RAM costs well under $1000 these days, maki=
ng
altruistic rebroadcasting a service that could be provided to the network f=
or
just a few thousand dollars worth of hardware even in this absurd case.
It's notable that miners may in fact want to run replacement rebroadcasting
software themselves, to ensure they are not missing any valid, profitable,
transactions. In the context of a large mining pool, the additional cost ov=
er
running a regular node may be affordable.
## Limitations
At the moment, Bitcoin Core propagates transactions purely via INV
announcements; there is no set reconciliation mechanism to synchronize memp=
ools
between peers. If an INV announcement is missed for some reason, it's quite
possible that the transaction will be missed. Thus rebroadcasting may be
defeated if the % of nodes who do *not* have the transaction at the time of
rebroadcast is below the percolation threshold. Indeed, with good timing an=
d a
sybil attack, an attacker may be able to deliberately trigger this conditio=
n.
Improvements like the Transaction Announcements Reconciliation(2) BIP may be
able to mitigate this issue, by ensuring that regardless of the timing of
replacements, the rebroadcast transaction eventually reaches all nodes via =
the
reconciliation process.
# References
1) https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-October/021=
999.html
2) https://github.com/naumenkogs/bips/blob/bip_0330_updates/bip-0330.mediaw=
iki
--=20
https://petertodd.org 'peter'[:-1]@petertodd.org
--RWq1h5nm+ReKvAbI
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmV0PKUACgkQLly11TVR
LzdWpw//fnWHLOIRIT8y0dvlQUHZTw+3y6oqz7O4rgJvR2g+kjr738idR7DEzDRZ
gERk+iEeKrpYkx29S53aMK8QhjqF+hCxPHPV/hCTumji8kcT7GU8Inx+o9ad0xrv
zulpyu796RlPF/WrOP9nzQRLhfqvKcYoZEQbF9tebfWuJsaQOBCTucuGGRjhDr9D
Zk8r3ZZYrhpa1Dzd6EXQZA+6LfR0SOJnCTaArOckXDnxWxJNpKjQLvalSrjrO8d+
vH/SbKtFfO/abiTZnmVpZoFROkfofK1/UfDK2sRMjJMpOUz6VP+VwVzCGdIU3Kgz
psMo36TEK1QRJ5I2APdJYHx3yHPYDrv6rbWpKFXgAhD/wWnQb+n1fCenvQ0ZILNF
hmPwH8Ya8QrxtDPLh9y2QUIOJjgxeP7cPO43v4slJLD+RV4mnqzkw+F81wShXbTD
7kvYIZJfVP/UWHTGD7clmVXnHT1kBHTnawBLyNJL4dh4OmoNMwVOSj4W1g5V1NgI
E2FTj424YJQYyMmaW208TWmYxu45pCa65CXRSvX6hV+u+CkNZKHPlSvu9Zr4gX2b
aDGYUnpb0WJ/iT9Z5P8gB+Z3RQOMf2kFwEEBUCjoNRSYTur1MQK4ynZbqpaFGPve
3LRTqOL74nUSb8JxVoWsul9aDO0Dg3OySvOe9uclDyP9bXIb3NE=
=BPVC
-----END PGP SIGNATURE-----
--RWq1h5nm+ReKvAbI--
|