1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
|
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
helo=mx.sourceforge.net)
by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <stephencalebmorse@gmail.com>) id 1Z5wPx-00077B-UI
for bitcoin-development@lists.sourceforge.net;
Fri, 19 Jun 2015 13:33:13 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.213.48 as permitted sender)
client-ip=209.85.213.48;
envelope-from=stephencalebmorse@gmail.com;
helo=mail-yh0-f48.google.com;
Received: from mail-yh0-f48.google.com ([209.85.213.48])
by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1Z5wPv-0003hz-93
for bitcoin-development@lists.sourceforge.net;
Fri, 19 Jun 2015 13:33:13 +0000
Received: by yhan67 with SMTP id n67so78041330yha.3
for <bitcoin-development@lists.sourceforge.net>;
Fri, 19 Jun 2015 06:33:05 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.129.43.136 with SMTP id r130mr20475261ywr.106.1434720785732;
Fri, 19 Jun 2015 06:33:05 -0700 (PDT)
Received: by 10.37.203.13 with HTTP; Fri, 19 Jun 2015 06:33:05 -0700 (PDT)
In-Reply-To: <20150619103959.GA32315@savin.petertodd.org>
References: <20150619103959.GA32315@savin.petertodd.org>
Date: Fri, 19 Jun 2015 09:33:05 -0400
Message-ID: <CABHVRKR7bXfDX0_frAv_Ph4Saz3SXwXeZae1DEokorvekPeinw@mail.gmail.com>
From: Stephen Morse <stephencalebmorse@gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: multipart/alternative; boundary=001a11451a02c91c370518def6f0
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(stephencalebmorse[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1Z5wPv-0003hz-93
Cc: bitcoin-development <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] F2Pool has enabled full replace-by-fee
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2015 13:33:14 -0000
--001a11451a02c91c370518def6f0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
It is disappointing that F2Pool would enable full RBF when the safe
alternative, first-seen-safe RBF, is also available, especially since the
fees they would gain by supporting full RBF over FSS RBF would likely be
negligible. Did they consider using FSS RBF instead?
Best,
Stephen
On Fri, Jun 19, 2015 at 6:39 AM, Peter Todd <pete@petertodd.org> wrote:
> Yesterday F2Pool, currently the largest pool with 21% of the hashing
> power, enabled full replace-by-fee (RBF) support after discussions with
> me. This means that transactions that F2Pool has will be replaced if a
> conflicting transaction pays a higher fee. There are no requirements for
> the replacement transaction to pay addresses that were paid by the
> previous transaction.
>
>
> I'm a user. What does this mean for me?
> ---------------------------------------
>
> In the short term, very little. Wallet software aimed at average users
> has no ability to reliably detect conditions where an unconfirmed
> transaction may be double-spent by the sender. For example, Schildbach's
> Bitcoin Wallet for Android doesn't even detect double-spends of
> unconfirmed transactions when connected to a RBF or Bitcoin XT nodes
> that propagate them. The least sophisticated double-spend attack
> possibly - simply broadcasting two conflicting transactions at the same
> time - has about 50% probability of success against these wallets.
>
> Additionally, SPV wallets based on bitcoinj can't even detect invalid
> transactions reliably, instead trusting the full node(s) it is connected
> too over the unauthenticated, unencrypted, P2P protocol to do validation
> for them. For instance due to a unfixed bug=C2=B9 Bitcoin XT nodes will r=
elay
> double-spends that spend the output of the conflicting transaction. I've
> personally tested this with Schildbach's Bitcoin Wallet for Android,
> which shows such invalid transactions as standard, unconfirmed,
> transactions.
>
> Users should continue to assume that unconfirmed transactions could be
> trivially reversed by the sender until the first confirmation. In
> general, only the sender can reverse a transaction, so if you do trust
> the sender feel free to assume an unconfirmed transaction will
> eventually confirm. However, if you do not trust the sender and/or have
> no other recourse if they double-spend you, wait until at least the
> first confirmation before assuming the transaction will go through.
>
> In the long term, miner support of full RBF has a number of advantages
> to users, allowing you to more efficiently make transactions, paying
> lower fees. However you'll need a wallet supporting these features; none
> exist yet.
>
>
> I'm a business. What does this mean for me?
> -------------------------------------------
>
> If you use your own node to verify transactions, you probably are in a
> similar situation as average users, so again, this means very little to
> you.
>
> If you use a payment processor/transaction API such as BitPay, Coinbase,
> BlockCypher, etc. you may or may not be accepting unconfirmed
> transactions, and they may or may not be "guaranteed" by your payment
> processor even if double-spent. If like most merchants you're using the
> API such that confirmations are required prior to accepting orders (e.g.
> taking a meaningful loss such as shipping a product if the tx is
> reversed) nothing changes for you. If not I recommend you contact your
> payment processor.
>
>
> I'm a miner. Why should I support replace-by-fee?
> -------------------------------------------------
>
> Whether full or first-seen-safe=E2=81=B5 RBF support (along with
> child-pays-for-parent) is an important step towards a fully functioning
> transaction fee market that doesn't lead to users' transactions getting
> mysteriously "stuck", particularly during network flooding
> events/attacks. A better functioning fee market will help reduce
> pressure to increase the blocksize, particularly from the users creating
> the most valuable transactions.
>
> Full RBF also helps make use of the limited blockchain space more
> efficiently, with up to 90%+ transaction size savings possible in some
> transaction patterns. (e.g. long payment chains=E2=81=B6) More users in l=
ess
> blockchain space will lead to higher overall fees per block.
>
> Finally as we'll discuss below full RBF prevents a number of serious
> threats to the existing level playing field that miners operate in.
>
>
> Why can't we make accepting unconfirmed txs from untrusted people safe?
> -----------------------------------------------------------------------
>
> For a decentralized wallet, the situation is pretty bleak. These wallets
> only have a handful of connections to the network, with no way of
> knowing if those connections give an accurate view of what transactions
> miners actually know about.
>
> The only serious attempt to fix this problem for decentralized wallets
> that has been actually deployed is Andresen/Harding's double-spend
> relaying, implemented in Bitcoin XT. It relays up to one double-spend
> transaction per double-spent txout, with the intended effect to warn
> recipients. In practice however this functionality makes it easier to
> double-spend rather than harder, by giving an efficient and easy way to
> get double-spends to miners after the fact. Notably my RBF
> implementation even connects to Bitcoin XT nodes, reserving a % of all
> incoming and outgoing connection slots for them.
>
> Additionally Bitcoin XT's double-spend relaying is subject to attacks
> include bandwidth exhaustion, sybil attacks, and Gervais's non-sybil
> interactive attacks=E2=81=B7 among many others.
>
>
> What about centralised wallets?
> -------------------------------
>
> Here the solutions being deployed, planned, and proposed are harmful,
> and even represent serious threats to Bitcoin's decentralization.
>
>
> Confidence factors
> ------------------
>
> Many services such as BlockCypher=C2=B2 have attempted to predict the
> probability that unconfirmed transactions will be mined, often
> guaranteeing merchants payment=C2=B3 even in the event of a double-spend.=
The
> key component of these predictions is to sybil attack the P2P network as
> a whole, connecting to as many nodes as possible to measure transaction
> propagation. Additionally these services connect to pools directly via
> the getblocktemplate protocol, repeatedly downloading via GBT the lists
> of transactions in the to-be-mined blocks to determine what transactions
> miners are attempting to mine.
>
> None of these measures scale, wasting significant network and miner
> resources; in one instance a sybil attack by Chainalysis even completely
> blocked the users of the SPV wallet Breadwallet=E2=81=B4 from accessing t=
he
> network. These measures also don't work very well, giving double-spend
> attackers incentives to sybil attack miners themselves.
>
>
> Transaction processing contracts with miners
> --------------------------------------------
>
> The next step after measuring propagation fails is to contract with
> miners directly, signing contracts with as much of the hashing power as
> possible to get the transactions they want mined and double-spends
> rejected. The miners/pools would then provide an authenticated API
> endpoint for exclusive use of this service that would allow the service
> to add and remove specific transactions to the mempool on demand.
>
> There's a number of serious problems with this:
>
> 1) Mining contracts can be used to double-spend
>
> ...even when they're being used "honestly".
>
> Suppose Alice is a merchant using CoinPayCypher, who has contracts with
> 75% of the hashing power. Bob, another merchant, meanwhile uses a
> decentralized Bitcoin Core backend for payments to his website.
>
> Mallory wants to double-spend Bob's to buy his expensive products. He
> can do this by creating a transaction, tx1, that pays Alice, followed by
> a second transaction, tx2, that pays Bob. In any circumstance when
> Mallory can convince Bob to accept tx2, but prevent Bob from seeing tx1,
> the chance of Malory's double-spend succeeding becomes ~75% because
> CoinPayCypher's contracts with mining ensure the transaction paying
> Alice will get mined.
>
> Of course, dishonest use and/or compromise makes double-spending
> trivial: Malory can use the API credentials to ask miners to reject
> Bob's payment at any time.
>
>
> 2) They still don't work, without 51% attacking other miners
>
> Even if CoinPayCypher has 75% of the hashing power on contract, that's
> still a potentially 75% chance of being double-spent. The 25% of miners
> who haven't signed contracts have no _decentralized_ way of ensuring
> they don't create blocks with double-spends, let alone at low cost. If
> those miners won't or can't sign contracts with CoinPayCypher the only
> next step available is to reject their blocks entirely.
>
>
> 3) Legal contracts give the advantage to non-anonymous miners in
> Western jurisdictions
>
> Suppose CoinPayCypher is a US company, and you're a miner with 1%
> hashing power located in northern China. The barriers to you succesfully
> negotiating a contract with CoinPayCypher are significant. You don't
> speak the same langauge, you're in a completely different jurisdiction
> so enforcing the legal contract is difficult, and being just 1%,
> CoinPayCypher sees you as insignificant.
>
> Who's going to get the profitable hashing power contracts first, if at
> all? Your English speaking competitors in the west. This is inherently a
> pressure towards centralization of mining.
>
>
> Why isn't this being announced on the bitcoin-security list first?
> ------------------------------------------------------------------
>
> I've had repeated discussions with services vulnerable to double-spends;
> they have been made well aware of the risk they're taking. If they've
> followed my own and others' advice they'll at minimum have constant
> monitoring of the rate of double-spends both on their own services and
> on the P2P network in general.
>
> If you choose to take a risk you should accept the consequences.
>
>
> How do I actually use full RBF?
> -------------------------------
>
> First get the full-RBF patch to v0.10.2:
>
> https://github.com/petertodd/bitcoin/tree/replace-by-fee-v0.10.2
>
> The above implementation of RBF includes additional code to find and
> preferentially connect to other RBF nodes, as well as Bitcoin XT nodes.
> Secondly, try out my replace-by-fee-tools at:
>
> https://github.com/petertodd/replace-by-fee-tools
>
> You can watch double-spends on the network here:
>
> http://respends.thinlink.com/
>
>
> References
> ----------
>
> 1) "Replace-by-fee v0.10.2 - Serious DoS attack fixed! - Also novel
> variants of existing attacks w/ Bitcoin XT and Android Bitcoin Wallet=
",
> Peter Todd, May 23rd 2015, Bitcoin-development mailing list,
>
> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg=
07795.html
>
> 2) "From Zero to Hero: Bitcoin Transactions in 8 Seconds",
> June 2nd, 2014, Erik Voorhees,
>
> https://medium.com/blockcypher-blog/from-zero-to-hero-bitcoin-transaction=
s-in-8-seconds-7c9edcb3b734
>
> 3) Coinbase Merchant API, Accessed Jun 19th 2015,
> https://developers.coinbase.com/docs/merchants/callbacks#confirmations
>
> 4) "Chainalysis CEO Denies 'Sybil Attack' on Bitcoin's Network",
> March 14th 2015, Grace Caffyn, Coindesk,
>
> http://www.coindesk.com/chainalysis-ceo-denies-launching-sybil-attack-on-=
bitcoin-network/
>
> 5) "First-Seen-Safe Replace-by-Fee",
> May 25th 2015, Peter Todd, Bitcoin-development mailing list,
>
> http://www.mail-archive.com/bitcoin-development%40lists.sourceforge.net/m=
sg07829.html
>
> 6) "Cost savings by using replace-by-fee, 30-90%",
> May 25th 2015, Peter Todd, Bitcoin-development mailing list,
>
> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg=
07813.html
>
> 7) "Tampering with the Delivery of Blocks and Transactions in Bitcoin",
> Arthur Gervais and Hubert Ritzdorf and Ghassan O. Karame and Srdjan
> Capkun,
> Cryptology ePrint Archive: Report 2015/578, Jun 10th 2015,
> http://eprint.iacr.org/2015/578
>
> --
> 'peter'[:-1]@petertodd.org
> 0000000000000000070a2bb3b92c20d5c2c971e6e1a7abe55cdbbe6a2dd9a5ad
>
>
> -------------------------------------------------------------------------=
-----
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
--001a11451a02c91c370518def6f0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">It is disappointing that F2Pool would enable full RBF when=
the safe alternative, first-seen-safe RBF, is also available, especially s=
ince the fees they would gain by supporting full RBF over FSS RBF would lik=
ely be negligible. Did they consider using FSS RBF instead?=C2=A0<div><br><=
/div><div>Best,</div><div>Stephen</div></div><div class=3D"gmail_extra"><br=
><div class=3D"gmail_quote">On Fri, Jun 19, 2015 at 6:39 AM, Peter Todd <sp=
an dir=3D"ltr"><<a href=3D"mailto:pete@petertodd.org" target=3D"_blank">=
pete@petertodd.org</a>></span> wrote:<br><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
Yesterday F2Pool, currently the largest pool with 21% of the hashing<br>
power, enabled full replace-by-fee (RBF) support after discussions with<br>
me. This means that transactions that F2Pool has will be replaced if a<br>
conflicting transaction pays a higher fee. There are no requirements for<br=
>
the replacement transaction to pay addresses that were paid by the<br>
previous transaction.<br>
<br>
<br>
I'm a user. What does this mean for me?<br>
---------------------------------------<br>
<br>
In the short term, very little. Wallet software aimed at average users<br>
has no ability to reliably detect conditions where an unconfirmed<br>
transaction may be double-spent by the sender. For example, Schildbach'=
s<br>
Bitcoin Wallet for Android doesn't even detect double-spends of<br>
unconfirmed transactions when connected to a RBF or Bitcoin XT nodes<br>
that propagate them. The least sophisticated double-spend attack<br>
possibly - simply broadcasting two conflicting transactions at the same<br>
time - has about 50% probability of success against these wallets.<br>
<br>
Additionally, SPV wallets based on bitcoinj can't even detect invalid<b=
r>
transactions reliably, instead trusting the full node(s) it is connected<br=
>
too over the unauthenticated, unencrypted, P2P protocol to do validation<br=
>
for them. For instance due to a unfixed bug=C2=B9 Bitcoin XT nodes will rel=
ay<br>
double-spends that spend the output of the conflicting transaction. I'v=
e<br>
personally tested this with Schildbach's Bitcoin Wallet for Android,<br=
>
which shows such invalid transactions as standard, unconfirmed,<br>
transactions.<br>
<br>
Users should continue to assume that unconfirmed transactions could be<br>
trivially reversed by the sender until the first confirmation. In<br>
general, only the sender can reverse a transaction, so if you do trust<br>
the sender feel free to assume an unconfirmed transaction will<br>
eventually confirm. However, if you do not trust the sender and/or have<br>
no other recourse if they double-spend you, wait until at least the<br>
first confirmation before assuming the transaction will go through.<br>
<br>
In the long term, miner support of full RBF has a number of advantages<br>
to users, allowing you to more efficiently make transactions, paying<br>
lower fees. However you'll need a wallet supporting these features; non=
e<br>
exist yet.<br>
<br>
<br>
I'm a business. What does this mean for me?<br>
-------------------------------------------<br>
<br>
If you use your own node to verify transactions, you probably are in a<br>
similar situation as average users, so again, this means very little to<br>
you.<br>
<br>
If you use a payment processor/transaction API such as BitPay, Coinbase,<br=
>
BlockCypher, etc. you may or may not be accepting unconfirmed<br>
transactions, and they may or may not be "guaranteed" by your pay=
ment<br>
processor even if double-spent. If like most merchants you're using the=
<br>
API such that confirmations are required prior to accepting orders (e.g.<br=
>
taking a meaningful loss such as shipping a product if the tx is<br>
reversed) nothing changes for you. If not I recommend you contact your<br>
payment processor.<br>
<br>
<br>
I'm a miner. Why should I support replace-by-fee?<br>
-------------------------------------------------<br>
<br>
Whether full or first-seen-safe=E2=81=B5 RBF support (along with<br>
child-pays-for-parent) is an important step towards a fully functioning<br>
transaction fee market that doesn't lead to users' transactions get=
ting<br>
mysteriously "stuck", particularly during network flooding<br>
events/attacks. A better functioning fee market will help reduce<br>
pressure to increase the blocksize, particularly from the users creating<br=
>
the most valuable transactions.<br>
<br>
Full RBF also helps make use of the limited blockchain space more<br>
efficiently, with up to 90%+ transaction size savings possible in some<br>
transaction patterns. (e.g. long payment chains=E2=81=B6) More users in les=
s<br>
blockchain space will lead to higher overall fees per block.<br>
<br>
Finally as we'll discuss below full RBF prevents a number of serious<br=
>
threats to the existing level playing field that miners operate in.<br>
<br>
<br>
Why can't we make accepting unconfirmed txs from untrusted people safe?=
<br>
-----------------------------------------------------------------------<br>
<br>
For a decentralized wallet, the situation is pretty bleak. These wallets<br=
>
only have a handful of connections to the network, with no way of<br>
knowing if those connections give an accurate view of what transactions<br>
miners actually know about.<br>
<br>
The only serious attempt to fix this problem for decentralized wallets<br>
that has been actually deployed is Andresen/Harding's double-spend<br>
relaying, implemented in Bitcoin XT. It relays up to one double-spend<br>
transaction per double-spent txout, with the intended effect to warn<br>
recipients. In practice however this functionality makes it easier to<br>
double-spend rather than harder, by giving an efficient and easy way to<br>
get double-spends to miners after the fact. Notably my RBF<br>
implementation even connects to Bitcoin XT nodes, reserving a % of all<br>
incoming and outgoing connection slots for them.<br>
<br>
Additionally Bitcoin XT's double-spend relaying is subject to attacks<b=
r>
include bandwidth exhaustion, sybil attacks, and Gervais's non-sybil<br=
>
interactive attacks=E2=81=B7 among many others.<br>
<br>
<br>
What about centralised wallets?<br>
-------------------------------<br>
<br>
Here the solutions being deployed, planned, and proposed are harmful,<br>
and even represent serious threats to Bitcoin's decentralization.<br>
<br>
<br>
Confidence factors<br>
------------------<br>
<br>
Many services such as BlockCypher=C2=B2 have attempted to predict the<br>
probability that unconfirmed transactions will be mined, often<br>
guaranteeing merchants payment=C2=B3 even in the event of a double-spend. T=
he<br>
key component of these predictions is to sybil attack the P2P network as<br=
>
a whole, connecting to as many nodes as possible to measure transaction<br>
propagation. Additionally these services connect to pools directly via<br>
the getblocktemplate protocol, repeatedly downloading via GBT the lists<br>
of transactions in the to-be-mined blocks to determine what transactions<br=
>
miners are attempting to mine.<br>
<br>
None of these measures scale, wasting significant network and miner<br>
resources; in one instance a sybil attack by Chainalysis even completely<br=
>
blocked the users of the SPV wallet Breadwallet=E2=81=B4 from accessing the=
<br>
network. These measures also don't work very well, giving double-spend<=
br>
attackers incentives to sybil attack miners themselves.<br>
<br>
<br>
Transaction processing contracts with miners<br>
--------------------------------------------<br>
<br>
The next step after measuring propagation fails is to contract with<br>
miners directly, signing contracts with as much of the hashing power as<br>
possible to get the transactions they want mined and double-spends<br>
rejected. The miners/pools would then provide an authenticated API<br>
endpoint for exclusive use of this service that would allow the service<br>
to add and remove specific transactions to the mempool on demand.<br>
<br>
There's a number of serious problems with this:<br>
<br>
1) Mining contracts can be used to double-spend<br>
<br>
...even when they're being used "honestly".<br>
<br>
Suppose Alice is a merchant using CoinPayCypher, who has contracts with<br>
75% of the hashing power. Bob, another merchant, meanwhile uses a<br>
decentralized Bitcoin Core backend for payments to his website.<br>
<br>
Mallory wants to double-spend Bob's to buy his expensive products. He<b=
r>
can do this by creating a transaction, tx1, that pays Alice, followed by<br=
>
a second transaction, tx2, that pays Bob. In any circumstance when<br>
Mallory can convince Bob to accept tx2, but prevent Bob from seeing tx1,<br=
>
the chance of Malory's double-spend succeeding becomes ~75% because<br>
CoinPayCypher's contracts with mining ensure the transaction paying<br>
Alice will get mined.<br>
<br>
Of course, dishonest use and/or compromise makes double-spending<br>
trivial: Malory can use the API credentials to ask miners to reject<br>
Bob's payment at any time.<br>
<br>
<br>
2) They still don't work, without 51% attacking other miners<br>
<br>
Even if CoinPayCypher has 75% of the hashing power on contract, that's<=
br>
still a potentially 75% chance of being double-spent. The 25% of miners<br>
who haven't signed contracts have no _decentralized_ way of ensuring<br=
>
they don't create blocks with double-spends, let alone at low cost. If<=
br>
those miners won't or can't sign contracts with CoinPayCypher the o=
nly<br>
next step available is to reject their blocks entirely.<br>
<br>
<br>
3) Legal contracts give the advantage to non-anonymous miners in<br>
=C2=A0 =C2=A0Western jurisdictions<br>
<br>
Suppose CoinPayCypher is a US company, and you're a miner with 1%<br>
hashing power located in northern China. The barriers to you succesfully<br=
>
negotiating a contract with CoinPayCypher are significant. You don't<br=
>
speak the same langauge, you're in a completely different jurisdiction<=
br>
so enforcing the legal contract is difficult, and being just 1%,<br>
CoinPayCypher sees you as insignificant.<br>
<br>
Who's going to get the profitable hashing power contracts first, if at<=
br>
all? Your English speaking competitors in the west. This is inherently a<br=
>
pressure towards centralization of mining.<br>
<br>
<br>
Why isn't this being announced on the bitcoin-security list first?<br>
------------------------------------------------------------------<br>
<br>
I've had repeated discussions with services vulnerable to double-spends=
;<br>
they have been made well aware of the risk they're taking. If they'=
ve<br>
followed my own and others' advice they'll at minimum have constant=
<br>
monitoring of the rate of double-spends both on their own services and<br>
on the P2P network in general.<br>
<br>
If you choose to take a risk you should accept the consequences.<br>
<br>
<br>
How do I actually use full RBF?<br>
-------------------------------<br>
<br>
First get the full-RBF patch to v0.10.2:<br>
<br>
=C2=A0 =C2=A0 <a href=3D"https://github.com/petertodd/bitcoin/tree/replace-=
by-fee-v0.10.2" rel=3D"noreferrer" target=3D"_blank">https://github.com/pet=
ertodd/bitcoin/tree/replace-by-fee-v0.10.2</a><br>
<br>
The above implementation of RBF includes additional code to find and<br>
preferentially connect to other RBF nodes, as well as Bitcoin XT nodes.<br>
Secondly, try out my replace-by-fee-tools at:<br>
<br>
=C2=A0 =C2=A0 <a href=3D"https://github.com/petertodd/replace-by-fee-tools"=
rel=3D"noreferrer" target=3D"_blank">https://github.com/petertodd/replace-=
by-fee-tools</a><br>
<br>
You can watch double-spends on the network here:<br>
<br>
=C2=A0 =C2=A0 <a href=3D"http://respends.thinlink.com/" rel=3D"noreferrer" =
target=3D"_blank">http://respends.thinlink.com/</a><br>
<br>
<br>
References<br>
----------<br>
<br>
1) "Replace-by-fee v0.10.2 - Serious DoS attack fixed! - Also novel<br=
>
=C2=A0 =C2=A0 variants of existing attacks w/ Bitcoin XT and Android Bitcoi=
n Wallet",<br>
=C2=A0 =C2=A0Peter Todd, May 23rd 2015, Bitcoin-development mailing list,<b=
r>
=C2=A0 =C2=A0<a href=3D"http://www.mail-archive.com/bitcoin-development@lis=
ts.sourceforge.net/msg07795.html" rel=3D"noreferrer" target=3D"_blank">http=
://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg07795.=
html</a><br>
<br>
2) "From Zero to Hero: Bitcoin Transactions in 8 Seconds",<br>
=C2=A0 =C2=A0June 2nd, 2014, Erik Voorhees,<br>
=C2=A0 =C2=A0<a href=3D"https://medium.com/blockcypher-blog/from-zero-to-he=
ro-bitcoin-transactions-in-8-seconds-7c9edcb3b734" rel=3D"noreferrer" targe=
t=3D"_blank">https://medium.com/blockcypher-blog/from-zero-to-hero-bitcoin-=
transactions-in-8-seconds-7c9edcb3b734</a><br>
<br>
3) Coinbase Merchant API, Accessed Jun 19th 2015,<br>
=C2=A0 =C2=A0<a href=3D"https://developers.coinbase.com/docs/merchants/call=
backs#confirmations" rel=3D"noreferrer" target=3D"_blank">https://developer=
s.coinbase.com/docs/merchants/callbacks#confirmations</a><br>
<br>
4) "Chainalysis CEO Denies 'Sybil Attack' on Bitcoin's Net=
work",<br>
=C2=A0 =C2=A0March 14th 2015, Grace Caffyn, Coindesk,<br>
=C2=A0 =C2=A0<a href=3D"http://www.coindesk.com/chainalysis-ceo-denies-laun=
ching-sybil-attack-on-bitcoin-network/" rel=3D"noreferrer" target=3D"_blank=
">http://www.coindesk.com/chainalysis-ceo-denies-launching-sybil-attack-on-=
bitcoin-network/</a><br>
<br>
5) "First-Seen-Safe Replace-by-Fee",<br>
=C2=A0 =C2=A0May 25th 2015, Peter Todd, Bitcoin-development mailing list,<b=
r>
=C2=A0 =C2=A0<a href=3D"http://www.mail-archive.com/bitcoin-development%40l=
ists.sourceforge.net/msg07829.html" rel=3D"noreferrer" target=3D"_blank">ht=
tp://www.mail-archive.com/bitcoin-development%40lists.sourceforge.net/msg07=
829.html</a><br>
<br>
6) "Cost savings by using replace-by-fee, 30-90%",<br>
=C2=A0 =C2=A0May 25th 2015, Peter Todd, Bitcoin-development mailing list,<b=
r>
=C2=A0 =C2=A0<a href=3D"http://www.mail-archive.com/bitcoin-development@lis=
ts.sourceforge.net/msg07813.html" rel=3D"noreferrer" target=3D"_blank">http=
://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg07813.=
html</a><br>
<br>
7) "Tampering with the Delivery of Blocks and Transactions in Bitcoin&=
quot;,<br>
=C2=A0 =C2=A0 Arthur Gervais and Hubert Ritzdorf and Ghassan O. Karame and =
Srdjan Capkun,<br>
=C2=A0 =C2=A0 Cryptology ePrint Archive: Report 2015/578, Jun 10th 2015,<br=
>
=C2=A0 =C2=A0 <a href=3D"http://eprint.iacr.org/2015/578" rel=3D"noreferrer=
" target=3D"_blank">http://eprint.iacr.org/2015/578</a><br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
--<br>
'peter'[:-1]@<a href=3D"http://petertodd.org" rel=3D"noreferrer" ta=
rget=3D"_blank">petertodd.org</a><br>
0000000000000000070a2bb3b92c20d5c2c971e6e1a7abe55cdbbe6a2dd9a5ad<br>
</font></span><br>---------------------------------------------------------=
---------------------<br>
<br>_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" rel=3D"noreferrer" target=3D"_blank">https://lists.sourceforge.net/lists/=
listinfo/bitcoin-development</a><br>
<br></blockquote></div><br></div>
--001a11451a02c91c370518def6f0--
|