summaryrefslogtreecommitdiff
path: root/b3/507eaf8fa7c2c06937c479e70441677e089d6f
blob: 0ca3237eca27fe75ff35af2b74e9ab2f2537d70d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
Return-Path: <gsanders87@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id EFFCDC002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 19 Oct 2022 16:08:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id BD87F81383
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 19 Oct 2022 16:08:35 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org BD87F81383
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20210112 header.b=WxcsY0KY
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.838
X-Spam-Level: 
X-Spam-Status: No, score=-1.838 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01]
 autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id WNJxroP1Oweb
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 19 Oct 2022 16:08:34 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9AED281320
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com
 [IPv6:2a00:1450:4864:20::632])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 9AED281320
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 19 Oct 2022 16:08:33 +0000 (UTC)
Received: by mail-ej1-x632.google.com with SMTP id a26so40736952ejc.4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 19 Oct 2022 09:08:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=X1fA54JziOb/IpUj78xPMzXQeeuZcRUqQcZTbdzyivo=;
 b=WxcsY0KYj7gDfqj2YSm15VI3dT9y1TQ8SX9dyecQ++EUrD1NCnER488lwzKvcWAteE
 LLss/vEbpLKPikEkq6G8sXHQ2998p80RNB8/fkZzmvUveFeGfDS1Z96rdmwd+Oeabe0k
 6D0S5kmvqbPxpB7/wj0fmUaxaTrFKsY/8fBqtn3WpZIeanfKUlN4csu4tgiYxjp+WgLu
 KTerMnmF7zucELaU2PRtzAIOWN6XK2VKQeKaHeM+fEyKOF09qbLK3ts029vaT/iq+yJR
 sAdD7r6ozVjDSdh1vW9HiJoRE2vv/Zw2ykncyAy2SVnTDaK4npefcPb5OwU5VPG9OkeD
 RUtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=X1fA54JziOb/IpUj78xPMzXQeeuZcRUqQcZTbdzyivo=;
 b=BppJi+1M7jwQtlwp4AHjXeOqJXyRPU6Jq4kqcWS9Efx5dn4XNzCfUgADS8NIGIDHrN
 MNeES+YdJ61sOAF/W1ZRUlTjnZN1a/Ip4INf9rPcT1zObJqBOFj/W1k+lrP+aUZb6T6M
 pCnCBorBWIGBVZRVs9pTipH9h8lqfZbic1r+KUlOa8xScZa+UBZRki6fi8NV1rP/MscT
 Pb5S+UcP69yNyhjO1Nqi8RYVjPfX+pR/5tqMZiLR2LCeXT4ANcqPdxEbNjJUlNiDLZcU
 s5yXEWvRXQu6SIHr0ZPTo+3bDCSC/7jJbQCqBV1mmWnLVVBRWEdALrtR3VS8qBDbvnBf
 3EFA==
X-Gm-Message-State: ACrzQf3ftHRxHnq8RkN3zJMQlvDVn9gREvEbbGdvVohexr4LPgtdEZJT
 IIGSg7hky6BvId3jREPBXs1avcx0MLXuFOaPPIYASttf
X-Google-Smtp-Source: AMsMyM7RXJKoXnfS5F46NbDcgiXOCNU60kxRTW3bIJytrIR2ZOLMDBwTo+DNRlj1+hwQfUieSlICI0MMzTjDwPjPfWs=
X-Received: by 2002:a17:906:d54d:b0:78e:f130:7099 with SMTP id
 cr13-20020a170906d54d00b0078ef1307099mr7604848ejc.142.1666195711588; Wed, 19
 Oct 2022 09:08:31 -0700 (PDT)
MIME-Version: 1.0
References: <CABZBVTC5kh7ca3KhVkFPdQjnsPhP4Kun1k3K6cPkarrjUiTJpA@mail.gmail.com>
 <CABZBVTCgiQFtxEyeOU=-SGDQUDthyy7sOgPwiT+OVi35LVivyA@mail.gmail.com>
 <CAD5xwhjFWgNTT5URX31jrULMb-iTxWih7673tpueD10AGbV=Gg@mail.gmail.com>
 <CABZBVTABUk_-t+LUud_6i=KMR8QpY_LXCKM57FOzNRhUEwmh=g@mail.gmail.com>
In-Reply-To: <CABZBVTABUk_-t+LUud_6i=KMR8QpY_LXCKM57FOzNRhUEwmh=g@mail.gmail.com>
From: Greg Sanders <gsanders87@gmail.com>
Date: Wed, 19 Oct 2022 12:08:19 -0400
Message-ID: <CAB3F3DvH+SKC3x3-qzeQ0mGUMwm8=TH9WObQWVnsp=65autJNA@mail.gmail.com>
To: Sergej Kotliar <sergej@bitrefill.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000084003805eb656b91"
Subject: Re: [bitcoin-dev] [Opt-in full-RBF] Zero-conf apps in immediate
	danger
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 16:08:36 -0000

--00000000000084003805eb656b91
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Another downside is that the sender may not opt into a non-pinnable future
format like "V3 transactions", making CPFP difficult. They may spend a lot
of fees to do this however, so maybe we're really reaching here.

On Wed, Oct 19, 2022 at 12:07 PM Sergej Kotliar via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> It's an interesting idea, presumably it would work w the new package rela=
y.
> Scorched earth bidding war is definitely fine to deter this type of abuse=
.
> Need to consider it more thoroughly from all sides tho. CPFP on the serve=
r
> side generally has a couple of downsides:
> * Requires a hot wallet to receive bitcoin
> * an entity that is reliably known to do CPFP can be abused by people
> looking to consolidate utxos, which can be quite costly. Might be solvabl=
e
> with a set of conditionals, and bad UX for abusers is less of a concern :=
)
>
> Will follow up after more deliberation, thanks!
>
>
> On Wed, 19 Oct 2022 at 17:43, Jeremy Rubin <jeremy.l.rubin@gmail.com>
> wrote:
>
>> If they do this to you, and the delta is substantial, can't you sweep al=
l
>> such abusers with a cpfp transaction replacing their package and giving =
you
>> the original txn?
>>
>> On Wed, Oct 19, 2022, 7:33 AM Sergej Kotliar via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Hi all,
>>>
>>> Chiming in on this thread as I feel like the real dangers of RBF as
>>> default policy aren't sufficiently elaborated here. It's not only about=
 the
>>> zero-conf (I'll get to that) but there is an even bigger danger called =
the
>>> american call option, which risks endangering the entirety of BIP21 "Sc=
an
>>> this QR code with your wallet to buy this product" model that I believe
>>> we've all come to appreciate. Specifically, in a scenario with high
>>> volatility and many transactions in the mempools (which is where RBF wo=
uld
>>> come in handy), a user can make a low-fee transaction and then wait for
>>> hours, days or even longer, and see whether BTCUSD moves. If BTCUSD mov=
es
>>> up, user can cancel his transaction and make a new - cheaper one. The
>>> biggest risk in accepting bitcoin payments is in fact not zeroconf risk
>>> (it's actually quite easily managed), it's FX risk as the merchant must
>>> commit to a certain BTCUSD rate ahead of time for a purchase. Over time
>>> some transactions lose money to FX and others earn money - that evens o=
ut
>>> in the end. But if there is an _easily accessible in the wallet_ featur=
e to
>>> "cancel transaction" that means it will eventually get systematically
>>> abused. A risk of X% loss on many payments that's easy to systematicall=
y
>>> abuse is more scary than a rare risk of losing 100% of one occasional
>>> payment. It's already possible to execute this form of abuse with opt-i=
n
>>> RBF, which may lead to us at some point refusing those payments (even w=
ith
>>> confirmation) or cumbersome UX to work around it, such as crediting the
>>> bitcoin to a custodial account.
>>>
>>> To compare zeroconf risk with FX risk: I think we've had one incident i=
n
>>> 8 years of operation where a user successfully fooled our server to acc=
ept
>>> a payment that in the end didn't confirm. To successfully fool (non-RBF=
)
>>> zeroconf one needs to have access to mining infrastructure and probabil=
ity
>>> of success is the % of hash rate controlled. This is simply due to the =
fact
>>> that the network currently won't propagage the replacement transaction =
to
>>> the miner, which is what's being discussed here. American call option r=
isk
>>> would however be available to 100% of all users, needs nothing beyond t=
he
>>> wallet app, and has no cost to the user - only upside.
>>>
>>> Bitrefill currently processes 1500-2000 onchain payments every day. For
>>> us, a world where bitcoin becomes de facto RBF by default, means that w=
e
>>> would likely turn off the BIP21 model for onchain payments, instruct
>>> Bitcoin users to use Lightning or deposit onchain BTC to a custodial
>>> account that we have.
>>> This option is however not available for your typical
>>> BTCPayServer/CoinGate/Bitpay/IBEX/OpenNode et al. Would be great to hea=
r
>>> from other merchants or payment providers how they see this new behavio=
r
>>> and how they would counteract it.
>>>
>>> Currently Lightning is somewhere around 15% of our total bitcoin
>>> payments. This is very much not nothing, and all of us here want Lightn=
ing
>>> to grow, but I think it warrants a serious discussion on whether we wan=
t
>>> Lightning adoption to go to 100% by means of disabling on-chain commerc=
e.
>>> For me personally it would be an easier discussion to have when Lightni=
ng
>>> is at 80%+ of all bitcoin transactions. Currently far too many bitcoin
>>> users simply don't have access to Lightning, and of those that do and h=
old
>>> their own keys Muun is the biggest wallet per our data, not least due t=
o
>>> their ease-of-use which is under threat per the OP. It's hard to assess=
 how
>>> many users would switch to Lightning in such a scenario, the communicat=
ion
>>> around it would be hard. My intuition says that the majority of the cur=
rent
>>> 85% of bitcoin users that pay onchain would just not use bitcoin anymor=
e,
>>> probably shift to an alt. The benefits of Lightning are many and obviou=
s,
>>> we don't need to limit onchain to make Lightning more appealing. As an
>>> anecdote, we did experiment with defaulting to bech32 addresses some ye=
ars
>>> back. The result was that simply users of the wallets that weren't able=
 to
>>> pay to bech32 didn't complete the purchase, no support ticket or anythi=
ng,
>>> just "it didn't work =F0=9F=A4=B7=E2=80=8D=E2=99=82=EF=B8=8F" and user =
moved on. We rolled it back, and later
>>> implemented a wallet selector to allow modern wallets to pay to bech32
>>> while other wallets can pay to P2SH. This type of thing  is clunky, and
>>> requires a certain level of scale to be able to do, we certainly wouldn=
't
>>> have had the manpower for that when we were starting out. This why I'm
>>> cautious about introducing more such clunkiness vectors as they are
>>> centralizing factors.
>>>
>>> I'm well aware of the reason for this policy being suggested and the
>>> potential pinning attack vector for LN and other smart contracts, but I
>>> think these two risks/costs need to be weighed against eachother first =
and
>>> thoroughly discussed because the costs are non-trivial on both sides.
>>>
>>> Sidenote: On the efficacy of RBF to "unstuck" stuck transactions
>>> After interacting with users during high-fee periods I've come to not
>>> appreciate RBF as a solution to that issue. Most users (80% or so) simp=
ly
>>> don't have access to that functionality, because their wallet doesn't
>>> support it, or they use a custodial (exchange) wallet etc. Of those tha=
t
>>> have the feature - only the power users understand how RBF works, and
>>> explaining how to do RBF to a non-power-user is just too complex, for t=
he
>>> same reason why it's complex for wallets to make sensible non-power-use=
r UI
>>> around it. Current equilibrium is that mostly only power users have acc=
ess
>>> to RBF and they know how to handle it, so things are somewhat working. =
But
>>> rolling this out to the broad market is something else and would likely
>>> cause more confusion.
>>> CPFP is somewhat more viable but also not perfect as it would require
>>> lots of edge case code to handle abuse vectors: What if users abuse a
>>> generous CPFP policy to unstuck past transactions or consolidate large
>>> wallets. Best is for CPFP to be done on the wallet side, not the mercha=
nt
>>> side, but there too are the same UX issues as with RBF.
>>> In the end a risk-based approach to decide on which payments are
>>> non-trivial to reverse is the easiest, taking account user experience a=
nd
>>> such. Remember that in the fiat world card payments have up to 5%
>>> chargebacks, whereas we in zero-conf bitcoin land we deal with "fewer t=
han
>>> 1 in a million" accepted transactions successfully reversed. These days=
 we
>>> have very few support issues related to bitcoin payments. The few that =
do
>>> come in are due to accidental RBF users venting frustration about waiti=
ng
>>> for their tx to confirm.
>>> "In theory, theory and practice are the same. In practice, they are not=
"
>>>
>>> All the best,
>>> Sergej Kotliar
>>> CEO Bitrefill.com
>>>
>>>
>>> --
>>>
>>> Sergej Kotliar
>>>
>>> CEO
>>>
>>>
>>> Twitter: @ziggamon <https://twitter.com/ziggamon>
>>>
>>>
>>> www.bitrefill.com
>>>
>>> Twitter <https://www.twitter.com/bitrefill> | Blog
>>> <https://www.bitrefill.com/blog/> | Angellist
>>> <https://angel.co/bitrefill>
>>>
>>>
>>> --
>>>
>>> Sergej Kotliar
>>>
>>> CEO
>>>
>>>
>>> Twitter: @ziggamon <https://twitter.com/ziggamon>
>>>
>>>
>>> www.bitrefill.com
>>>
>>> Twitter <https://www.twitter.com/bitrefill> | Blog
>>> <https://www.bitrefill.com/blog/> | Angellist
>>> <https://angel.co/bitrefill>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
>
> --
>
> Sergej Kotliar
>
> CEO
>
>
> Twitter: @ziggamon <https://twitter.com/ziggamon>
>
>
> www.bitrefill.com
>
> Twitter <https://www.twitter.com/bitrefill> | Blog
> <https://www.bitrefill.com/blog/> | Angellist <https://angel.co/bitrefill=
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--00000000000084003805eb656b91
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Another=C2=A0downside is that the sender may not opt into =
a non-pinnable future format like &quot;V3 transactions&quot;, making CPFP =
difficult. They may spend a lot of fees to do this however, so maybe we&#39=
;re really reaching here.</div><br><div class=3D"gmail_quote"><div dir=3D"l=
tr" class=3D"gmail_attr">On Wed, Oct 19, 2022 at 12:07 PM Sergej Kotliar vi=
a bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">=
bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">It&#39;s an interesti=
ng idea, presumably it would work w the new package relay.<div>Scorched ear=
th bidding war is definitely fine to deter this type of abuse.</div><div>Ne=
ed to consider it more thoroughly from all sides tho. CPFP on the server si=
de generally has a couple of downsides:</div><div>* Requires a hot wallet t=
o receive bitcoin</div><div>* an entity that is reliably known to do CPFP c=
an be abused by people looking to consolidate utxos, which can be quite cos=
tly. Might be solvable with a set of conditionals, and bad UX for abusers i=
s less of a concern :)</div><div><br></div><div>Will follow up after more d=
eliberation,=C2=A0thanks!</div><div><br></div></div><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, 19 Oct 2022 at 17:43,=
 Jeremy Rubin &lt;<a href=3D"mailto:jeremy.l.rubin@gmail.com" target=3D"_bl=
ank">jeremy.l.rubin@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex"><div dir=3D"auto">If they do this to you, and =
the delta is substantial, can&#39;t you sweep all such abusers with a cpfp =
transaction replacing their package and giving you the original txn?</div><=
br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Wed,=
 Oct 19, 2022, 7:33 AM Sergej Kotliar via bitcoin-dev &lt;<a href=3D"mailto=
:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists=
.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_quote"><div dir=3D=
"ltr">Hi all,<div><br></div><div>Chiming in on this thread as I feel like t=
he real dangers of RBF as default policy aren&#39;t sufficiently elaborated=
 here. It&#39;s not only about the zero-conf (I&#39;ll get to that) but the=
re is an even bigger danger called the american call option, which risks en=
dangering the entirety of BIP21 &quot;Scan this QR code with your wallet to=
 buy this product&quot; model that I believe we&#39;ve all come to apprecia=
te. Specifically, in a scenario with high volatility and many transactions =
in the mempools (which is where RBF would come in handy), a user can make a=
 low-fee transaction and then wait for hours, days or even longer, and see =
whether BTCUSD moves. If BTCUSD moves up, user can cancel his transaction a=
nd make a new - cheaper one. The biggest risk in accepting bitcoin payments=
 is in fact not zeroconf risk (it&#39;s actually quite easily managed), it&=
#39;s FX risk as the merchant must commit to a certain BTCUSD rate ahead of=
 time for a purchase. Over time some transactions lose money to FX and othe=
rs earn money - that evens out in the end. But if there is an _easily acces=
sible in the wallet_ feature to &quot;cancel transaction&quot; that means i=
t will eventually get systematically abused. A risk of X% loss on many paym=
ents that&#39;s easy to systematically abuse is more scary than a rare risk=
 of losing 100% of one occasional payment. It&#39;s already possible to exe=
cute this form of abuse with opt-in RBF, which may lead to us at some point=
 refusing those payments (even with confirmation) or cumbersome UX to work =
around it, such as crediting the bitcoin to a custodial account.</div><div>=
<br></div><div>To compare zeroconf risk with FX risk: I think we&#39;ve had=
 one incident in 8 years of operation where a user successfully fooled our =
server to accept a payment that in the end didn&#39;t confirm. To successfu=
lly fool (non-RBF) zeroconf one needs to have access to mining infrastructu=
re and probability of success is the % of hash rate controlled. This is sim=
ply due to the fact that the network currently won&#39;t propagage the repl=
acement transaction to the miner, which is what&#39;s being discussed here.=
 American call option risk would however be available to 100% of all users,=
 needs nothing beyond the wallet app, and has no cost to the user - only up=
side.<br></div><div><br></div><div>Bitrefill currently processes 1500-2000 =
onchain payments every day. For us, a world where bitcoin becomes de facto =
RBF by default, means that we would likely turn off the BIP21 model for onc=
hain payments, instruct Bitcoin users to use Lightning or deposit onchain B=
TC to a custodial account that we have.=C2=A0<br></div><div>This option is =
however not available for your typical BTCPayServer/CoinGate/Bitpay/IBEX/Op=
enNode et al. Would be great to hear from other merchants or payment provid=
ers how they see this new behavior and how they would counteract it.</div><=
div><br></div><div>Currently Lightning is somewhere around 15% of our total=
 bitcoin payments. This is very much not nothing, and all of us here want L=
ightning to grow, but I think it warrants a serious discussion on whether w=
e want Lightning adoption to go to 100% by means of disabling on-chain comm=
erce. For me personally it would be an easier discussion to have when Light=
ning is at 80%+ of all bitcoin transactions. Currently far too many bitcoin=
 users simply don&#39;t have access to Lightning, and of those that do and =
hold their own keys Muun is the biggest wallet per our data, not least due =
to their ease-of-use which is under threat per the OP. It&#39;s hard to ass=
ess how many users would switch to Lightning in such a scenario, the commun=
ication around it would be hard. My intuition says that the majority of the=
 current 85% of bitcoin users that pay onchain would just not use bitcoin a=
nymore, probably shift to an alt. The benefits of Lightning are many and ob=
vious, we don&#39;t need to limit onchain to make Lightning more appealing.=
 As an anecdote, we did experiment with defaulting to bech32 addresses some=
 years back. The result was that simply users of the wallets that weren&#39=
;t able to pay to bech32 didn&#39;t complete the purchase, no support ticke=
t or anything, just &quot;it didn&#39;t work =F0=9F=A4=B7=E2=80=8D=E2=99=82=
=EF=B8=8F&quot; and user moved on. We rolled it back, and later implemented=
 a wallet selector to allow modern wallets to pay to bech32 while other wal=
lets can pay to P2SH. This type of thing=C2=A0 is clunky, and requires a ce=
rtain level of scale to be able to do, we certainly wouldn&#39;t have had t=
he manpower for that when we were starting out. This why I&#39;m cautious a=
bout introducing more such clunkiness vectors as they are centralizing fact=
ors.</div><div><br></div><div>I&#39;m well aware of the reason for this pol=
icy being suggested and the potential pinning attack vector for LN and othe=
r smart contracts, but I think these two risks/costs need to be weighed aga=
inst eachother first and thoroughly discussed because the costs are non-tri=
vial on both sides.<br clear=3D"all"><div><br></div><div>Sidenote: On the e=
fficacy of RBF to &quot;unstuck&quot; stuck transactions</div><div>After in=
teracting with users during high-fee periods I&#39;ve come to not appreciat=
e RBF as a solution to that issue. Most users (80% or so) simply don&#39;t =
have access to that functionality, because their wallet doesn&#39;t support=
 it, or they use a custodial (exchange) wallet etc. Of those that have the =
feature - only the power users understand how RBF works, and explaining how=
 to do RBF to a non-power-user is just too complex, for the same reason why=
 it&#39;s complex for wallets to make sensible non-power-user UI around it.=
 Current equilibrium is that mostly only power users have access to RBF and=
 they know how to handle it, so things are somewhat working. But rolling th=
is out to the broad market is something else and would likely cause more co=
nfusion.=C2=A0</div><div>CPFP is somewhat more viable but also not perfect =
as it would require lots of edge case code to handle abuse vectors: What if=
 users abuse a generous CPFP policy to unstuck past transactions or consoli=
date large wallets. Best is for CPFP to be done on the wallet side, not the=
 merchant side, but there too are the same UX issues as with RBF.=C2=A0</di=
v><div>In the end a risk-based approach to decide on which payments are non=
-trivial to reverse is the easiest, taking account user experience and such=
. Remember that in the fiat world card payments have up to 5% chargebacks, =
whereas we in zero-conf bitcoin land we deal with &quot;fewer than 1 in a m=
illion&quot; accepted transactions successfully reversed. These days we hav=
e very few support issues related to bitcoin payments. The few that do come=
 in are due to accidental RBF users venting frustration about waiting for t=
heir tx to confirm.</div><div>&quot;In theory, theory and practice are the =
same. In practice, they are not&quot;</div><div><br></div><div>All the best=
,=C2=A0</div><div>Sergej Kotliar</div><div>CEO Bitrefill.com</div><div><br>=
</div><div><br></div>-- <br><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"l=
tr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><di=
v dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><p dir=3D"=
ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span styl=
e=3D"font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);background-color:tr=
ansparent;font-weight:700;font-style:normal;font-variant:normal;text-decora=
tion:none;vertical-align:baseline;white-space:pre-wrap">Sergej Kotliar</spa=
n></p><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom=
:0pt"><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);bac=
kground-color:transparent;font-weight:700;font-style:normal;font-variant:no=
rmal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">CEO=
</span></p><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-b=
ottom:0pt"><b style=3D"font-weight:normal"><br></b></p><p dir=3D"ltr" style=
=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style=3D"font-=
size:11pt;font-family:Arial;color:rgb(102,102,102);background-color:transpa=
rent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:=
none;vertical-align:baseline;white-space:pre-wrap"><span style=3D"border:no=
ne;display:inline-block;overflow:hidden;width:220px;height:80px"><img src=
=3D"https://lh4.googleusercontent.com/wU5i7e8boCd7o3P52cUTKrqeTa7jV2dPEXlui=
jGtPBy0f1F0R2_zIg_zOQ2kigkbVbSWqLlVdwuBYgo_txXMKkCWdMfBFRNhsDhFpNv1QrRZsD-g=
PxDui-4l0tZI1QcjtefCDkNG" width=3D"220" height=3D"80" style=3D"margin-left:=
 0px; margin-top: 0px;"></span></span></p><p dir=3D"ltr" style=3D"line-heig=
ht:1.38;margin-top:0pt;margin-bottom:0pt"><span style=3D"font-size:9.5pt;fo=
nt-family:Arial;color:rgb(102,102,102);background-color:transparent;font-we=
ight:400;font-style:normal;font-variant:normal;text-decoration:none;vertica=
l-align:baseline;white-space:pre-wrap">Twitter: @</span><a href=3D"https://=
twitter.com/ziggamon" style=3D"text-decoration:none" rel=3D"noreferrer" tar=
get=3D"_blank"><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(1=
02,102,102);background-color:transparent;font-weight:400;font-style:normal;=
font-variant:normal;text-decoration:underline;vertical-align:baseline;white=
-space:pre-wrap">ziggamon</span></a><span style=3D"font-size:9.5pt;font-fam=
ily:Arial;color:rgb(102,102,102);background-color:transparent;font-weight:4=
00;font-style:normal;font-variant:normal;text-decoration:none;vertical-alig=
n:baseline;white-space:pre-wrap">=C2=A0</span></p><p dir=3D"ltr" style=3D"l=
ine-height:1.38;margin-top:0pt;margin-bottom:0pt"><b style=3D"font-weight:n=
ormal"><br></b></p><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;=
margin-bottom:0pt"><a href=3D"http://www.bitrefill.com/" style=3D"text-deco=
ration:none" rel=3D"noreferrer" target=3D"_blank"><span style=3D"font-size:=
9.5pt;font-family:Arial;color:rgb(102,102,102);background-color:transparent=
;font-weight:400;font-style:normal;font-variant:normal;text-decoration:unde=
rline;vertical-align:baseline;white-space:pre-wrap">www.bitrefill.com</span=
></a></p><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bot=
tom:0pt"><a href=3D"https://www.twitter.com/bitrefill" rel=3D"noreferrer" t=
arget=3D"_blank"><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb=
(102,102,102);background-color:transparent;vertical-align:baseline;white-sp=
ace:pre-wrap">Twitter</span></a><span style=3D"font-size:9.5pt;font-family:=
Arial;color:rgb(102,102,102);background-color:transparent;vertical-align:ba=
seline;white-space:pre-wrap"> | </span><a href=3D"https://www.bitrefill.com=
/blog/" rel=3D"noreferrer" target=3D"_blank"><span style=3D"font-size:9.5pt=
;font-family:Arial;color:rgb(102,102,102);background-color:transparent;vert=
ical-align:baseline;white-space:pre-wrap">Blog</span></a><span style=3D"fon=
t-size:9.5pt;font-family:Arial;color:rgb(102,102,102);background-color:tran=
sparent;vertical-align:baseline;white-space:pre-wrap"> | </span><a href=3D"=
https://angel.co/bitrefill" rel=3D"noreferrer" target=3D"_blank"><span styl=
e=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);background-co=
lor:transparent;vertical-align:baseline;white-space:pre-wrap">Angellist </s=
pan></a><br></p></div></div></div></div></div></div></div></div></div></div=
></div></div></div>
</div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"><div dir=3D"=
ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><d=
iv dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=
=3D"ltr"><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bot=
tom:0pt"><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);=
background-color:transparent;font-weight:700;font-style:normal;font-variant=
:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">=
Sergej Kotliar</span></p><p dir=3D"ltr" style=3D"line-height:1.38;margin-to=
p:0pt;margin-bottom:0pt"><span style=3D"font-size:9.5pt;font-family:Arial;c=
olor:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:nor=
mal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-=
space:pre-wrap">CEO</span></p><p dir=3D"ltr" style=3D"line-height:1.38;marg=
in-top:0pt;margin-bottom:0pt"><b style=3D"font-weight:normal"><br></b></p><=
p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><=
span style=3D"font-size:11pt;font-family:Arial;color:rgb(102,102,102);backg=
round-color:transparent;font-weight:700;font-style:normal;font-variant:norm=
al;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><span=
 style=3D"border:none;display:inline-block;overflow:hidden;width:220px;heig=
ht:80px"><img src=3D"https://lh4.googleusercontent.com/wU5i7e8boCd7o3P52cUT=
KrqeTa7jV2dPEXluijGtPBy0f1F0R2_zIg_zOQ2kigkbVbSWqLlVdwuBYgo_txXMKkCWdMfBFRN=
hsDhFpNv1QrRZsD-gPxDui-4l0tZI1QcjtefCDkNG" width=3D"220" height=3D"80" styl=
e=3D"margin-left: 0px; margin-top: 0px;"></span></span></p><p dir=3D"ltr" s=
tyle=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style=3D"f=
ont-size:9.5pt;font-family:Arial;color:rgb(102,102,102);background-color:tr=
ansparent;font-weight:400;font-style:normal;font-variant:normal;text-decora=
tion:none;vertical-align:baseline;white-space:pre-wrap">Twitter: @</span><a=
 href=3D"https://twitter.com/ziggamon" style=3D"text-decoration:none" rel=
=3D"noreferrer" target=3D"_blank"><span style=3D"font-size:9.5pt;font-famil=
y:Arial;color:rgb(102,102,102);background-color:transparent;font-weight:400=
;font-style:normal;font-variant:normal;text-decoration:underline;vertical-a=
lign:baseline;white-space:pre-wrap">ziggamon</span></a><span style=3D"font-=
size:9.5pt;font-family:Arial;color:rgb(102,102,102);background-color:transp=
arent;font-weight:400;font-style:normal;font-variant:normal;text-decoration=
:none;vertical-align:baseline;white-space:pre-wrap">=C2=A0</span></p><p dir=
=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><b sty=
le=3D"font-weight:normal"><br></b></p><p dir=3D"ltr" style=3D"line-height:1=
.38;margin-top:0pt;margin-bottom:0pt"><a href=3D"http://www.bitrefill.com/"=
 style=3D"text-decoration:none" rel=3D"noreferrer" target=3D"_blank"><span =
style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);backgroun=
d-color:transparent;font-weight:400;font-style:normal;font-variant:normal;t=
ext-decoration:underline;vertical-align:baseline;white-space:pre-wrap">www.=
bitrefill.com</span></a></p><p dir=3D"ltr" style=3D"line-height:1.38;margin=
-top:0pt;margin-bottom:0pt"><a href=3D"https://www.twitter.com/bitrefill" r=
el=3D"noreferrer" target=3D"_blank"><span style=3D"font-size:9.5pt;font-fam=
ily:Arial;color:rgb(102,102,102);background-color:transparent;vertical-alig=
n:baseline;white-space:pre-wrap">Twitter</span></a><span style=3D"font-size=
:9.5pt;font-family:Arial;color:rgb(102,102,102);background-color:transparen=
t;vertical-align:baseline;white-space:pre-wrap"> | </span><a href=3D"https:=
//www.bitrefill.com/blog/" rel=3D"noreferrer" target=3D"_blank"><span style=
=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);background-col=
or:transparent;vertical-align:baseline;white-space:pre-wrap">Blog</span></a=
><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);ba=
ckground-color:transparent;vertical-align:baseline;white-space:pre-wrap"> |=
 </span><a href=3D"https://angel.co/bitrefill" rel=3D"noreferrer" target=3D=
"_blank"><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102=
,102);background-color:transparent;vertical-align:baseline;white-space:pre-=
wrap">Angellist </span></a><br></p></div></div></div></div></div></div></di=
v></div></div></div></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" rel=3D"noreferrer"=
 target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer noreferrer" target=3D"_blank">https://lists.linuxfoundati=
on.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div d=
ir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"l=
tr"><div dir=3D"ltr"><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0p=
t;margin-bottom:0pt"><span style=3D"font-size:9.5pt;font-family:Arial;color=
:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;=
font-variant:normal;text-decoration:none;vertical-align:baseline;white-spac=
e:pre-wrap">Sergej Kotliar</span></p><p dir=3D"ltr" style=3D"line-height:1.=
38;margin-top:0pt;margin-bottom:0pt"><span style=3D"font-size:9.5pt;font-fa=
mily:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;fo=
nt-style:normal;font-variant:normal;text-decoration:none;vertical-align:bas=
eline;white-space:pre-wrap">CEO</span></p><p dir=3D"ltr" style=3D"line-heig=
ht:1.38;margin-top:0pt;margin-bottom:0pt"><b style=3D"font-weight:normal"><=
br></b></p><p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-b=
ottom:0pt"><span style=3D"font-size:11pt;font-family:Arial;color:rgb(102,10=
2,102);background-color:transparent;font-weight:700;font-style:normal;font-=
variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre=
-wrap"><span style=3D"border:none;display:inline-block;overflow:hidden;widt=
h:220px;height:80px"><img src=3D"https://lh4.googleusercontent.com/wU5i7e8b=
oCd7o3P52cUTKrqeTa7jV2dPEXluijGtPBy0f1F0R2_zIg_zOQ2kigkbVbSWqLlVdwuBYgo_txX=
MKkCWdMfBFRNhsDhFpNv1QrRZsD-gPxDui-4l0tZI1QcjtefCDkNG" width=3D"220" height=
=3D"80" style=3D"margin-left: 0px; margin-top: 0px;"></span></span></p><p d=
ir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><spa=
n style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);backgro=
und-color:transparent;font-weight:400;font-style:normal;font-variant:normal=
;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Twitter=
: @</span><a href=3D"https://twitter.com/ziggamon" style=3D"text-decoration=
:none" target=3D"_blank"><span style=3D"font-size:9.5pt;font-family:Arial;c=
olor:rgb(102,102,102);background-color:transparent;font-weight:400;font-sty=
le:normal;font-variant:normal;text-decoration:underline;vertical-align:base=
line;white-space:pre-wrap">ziggamon</span></a><span style=3D"font-size:9.5p=
t;font-family:Arial;color:rgb(102,102,102);background-color:transparent;fon=
t-weight:400;font-style:normal;font-variant:normal;text-decoration:none;ver=
tical-align:baseline;white-space:pre-wrap">=C2=A0</span></p><p dir=3D"ltr" =
style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><b style=3D"fon=
t-weight:normal"><br></b></p><p dir=3D"ltr" style=3D"line-height:1.38;margi=
n-top:0pt;margin-bottom:0pt"><a href=3D"http://www.bitrefill.com/" style=3D=
"text-decoration:none" target=3D"_blank"><span style=3D"font-size:9.5pt;fon=
t-family:Arial;color:rgb(102,102,102);background-color:transparent;font-wei=
ght:400;font-style:normal;font-variant:normal;text-decoration:underline;ver=
tical-align:baseline;white-space:pre-wrap">www.bitrefill.com</span></a></p>=
<p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt">=
<a href=3D"https://www.twitter.com/bitrefill" target=3D"_blank"><span style=
=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);background-col=
or:transparent;vertical-align:baseline;white-space:pre-wrap">Twitter</span>=
</a><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102)=
;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"=
> | </span><a href=3D"https://www.bitrefill.com/blog/" target=3D"_blank"><s=
pan style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);backg=
round-color:transparent;vertical-align:baseline;white-space:pre-wrap">Blog<=
/span></a><span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,10=
2,102);background-color:transparent;vertical-align:baseline;white-space:pre=
-wrap"> | </span><a href=3D"https://angel.co/bitrefill" target=3D"_blank"><=
span style=3D"font-size:9.5pt;font-family:Arial;color:rgb(102,102,102);back=
ground-color:transparent;vertical-align:baseline;white-space:pre-wrap">Ange=
llist </span></a><br></p></div></div></div></div></div></div></div></div></=
div></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--00000000000084003805eb656b91--