1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
Return-Path: <hoenicke@gmail.com>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 11A90C0733;
Wed, 15 Jul 2020 15:23:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 006D18B554;
Wed, 15 Jul 2020 15:23:37 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id KXVQ12CtRADW; Wed, 15 Jul 2020 15:23:35 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com
[209.85.214.175])
by whitealder.osuosl.org (Postfix) with ESMTPS id CCAB28B54B;
Wed, 15 Jul 2020 15:23:35 +0000 (UTC)
Received: by mail-pl1-f175.google.com with SMTP id k5so2517476plk.13;
Wed, 15 Jul 2020 08:23:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=DfFuP8yRe/6olh6UzT4ENvjSKOcoPlqopfoHoBEUrjk=;
b=twsXNyfPYMSRMK779k6S1FnsL6pE5iAG6mt3fOYq7f5GYSM1bKCIqnM62e90NMrBfW
i2PAgdfnguUGikLH6iWuGjvcN5FB98Qm87SPBBTnXxpmgfI1/Qe7QWvFGAow7HcpWt/z
Ppt5ugVqo1qo11HmWGK+0C6WDNA6SbOW7Jf7GoOeJ/yrditHmF8E3BI0roWD5Yzt3jzi
2QSAGIidH9h2xq06hKaokqQNDnnqjA5xSDe8uedLgFjzxoLp3/UDnHkfdZvRKyr8vuX3
wLbxYMvRC0IKzCh4ZWj8Q687ZNX7YeMK8wLUrG1npT74QHvB6vbXG5WG0OcKoja3P7fm
eoZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=DfFuP8yRe/6olh6UzT4ENvjSKOcoPlqopfoHoBEUrjk=;
b=BAVmVGNDSnyXGqy0k4LnKtD5NRUfLbQ6difP65C0yl+v6Dhz5mJBv4ckzAAtvQDrOb
Bl2q1kn+928NhuiV5x322445YU4TarloIwugxn/7CAaISyEC+1oL9MBAKGykjEvEH80u
XdZVUaAByn2lt3QzuFIjezKwCARA8bQU++N2XwrzFWyD2PdC1OanZeYDQy0YubYFCuBa
H70KYJllI6b+nh6S++2Hm4xycUD/hFEvRROLrFZ8sw46SJtnKi7UyLfw9IhiCMKfXVeP
b8CVllpa1/FRGrryb+chMJ4R07KDfEApVPgCqHHSiXNsW0qk00TY0U/RXqeWEGHzOH7m
SbyQ==
X-Gm-Message-State: AOAM530DAWwKJFhAKlrAbY+auPxZZ86vMOVaeBXk7Aab1q1hCbg75wLr
BgyZBaSemMdW316azt5KbAvHdse4zTleQWUN7+o=
X-Google-Smtp-Source: ABdhPJxTu55oEJVAFmhVmXfnVoBarWHBCR54RIuSJrXY6VTsTVHL8EA77czP7gk7zmvTE1/fO+ZxuUVD0NFC+wo/2uk=
X-Received: by 2002:a17:90a:2367:: with SMTP id
f94mr191678pje.20.1594826615356;
Wed, 15 Jul 2020 08:23:35 -0700 (PDT)
MIME-Version: 1.0
References: <f0372f8eec5878fd919b654db76aeff7.squirrel@giyzk7o6dcunb2ry.onion>
<6443d6fb7ba06151b8a4ff4914761471.squirrel@giyzk7o6dcunb2ry.onion>
<CfSfVLj40qBl-ygOD-toPfDmJrLMTyP19sCLqFSe-aK7GQAjwmtAo6EznQ4VgzPKlIHpmnORP5-18hVW7Wh_Z0FwPZ9isT2wkIORMaMq55o=@protonmail.com>
In-Reply-To: <CfSfVLj40qBl-ygOD-toPfDmJrLMTyP19sCLqFSe-aK7GQAjwmtAo6EznQ4VgzPKlIHpmnORP5-18hVW7Wh_Z0FwPZ9isT2wkIORMaMq55o=@protonmail.com>
From: Jochen Hoenicke <hoenicke@gmail.com>
Date: Wed, 15 Jul 2020 17:23:24 +0200
Message-ID: <CANYHNmL2NR-+s6Z+VsUE=8U49F4dfeXwbgXWwh4O8RnZ2dZctA@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000e3006705aa7c8107"
Cc: "lightning-dev@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Lightning - Is HTLC vulnerable? And mention of
Channel Factories
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 15:23:37 -0000
--000000000000e3006705aa7c8107
Content-Type: text/plain; charset="UTF-8"
On Tue, 14 Jul 2020 at 16:42, ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Good morning Mr. Lee,
>
> > Sorry. Re-sending with correction to CC bitcoin-dev
> >
> > I am sorry if this was already brought up in previous threads. If I know
> > lightning network correctly then HTLC is used to enforce settlements on
> > blockchain if there is a dispute. Could a person lose money if their HTLC
> > does not get confirmed in the timeframe or if an older HTLC gets
> > confirmed first? I see different ways this could happen.
> >
> > One, if the blockchain is very saturated with other transactions. The
> > reason we need lightning network is why it might have troubles with
> > settlements?
>
> This could happen, but the entire exercise is to move transactions off the
> blockchain, precisely to lower this risk.
>
> Otherwise, transfers onchain will take a long time.
> In practice, a long time to settle a payment will invalidate many
> real-world economic exchanges anyway (consider paying for food at a
> restaurant --- if your payments take days to settle, the food has gotten
> stale before the restaurant receives payment and releases your food).
> Thus, if an onchain transfer takes a long time to settle, there is already
> risk of economic loss present.
>
> By moving activity offchain, we reduce pressure onchain and improve
> settlement speeds on both offchain and onchain, reducing risk of economic
> loss due to delay.
>
>
> > Two, competition from a different conflicting HTLC. A newer
> > HTLC might not get confirmed before an older HTL.
>
> I cannot make sense of this.
>
> You cannot create conflicting HTLCs.
>
Correct. Removing or Creating an HTLC is something that both channel
partners need to agree on. They may create multiple pending HTLCs as long
as there are enough funds, but creating conflicting HTLCs is not possible.
> >
> > I found out about a recent attack technique that sounds like it might be
> > similar called "flood and loot".
>
> Roughly, my understanding of Flood and Loot is to make a lot of
> uneconomically tiny HTLCs going through a target victim forwarding node.
> You make circular routes going from your own node back to yourself.
> Then you refuse to actually claim the HTLCs sent back to yourself.
>
No, the way I understand it is that an attacker, say Malleroy, routes a lot
of medium sized HTLC payments from his node to his node via a victim node,
say Alice's, and possibly other nodes.
Then Malleroy *accepts* the payments by publishing the hash on the
receiving end, so he gets all the sent funds on his receiving channel.
Malleroy's receiving node behaves completely honestly, and nobody can prove
that it belongs to the attacker.
Finally when Alice claims her HTLC by presenting the hash, Malleroy just
ignores the claim. Now Alice, the victim, is forced to close the channel
to prevent the HTLC to timeout. If Malleroy does it with multiple victims
at exactly the same time, they will all compete with each other. The
victims cannot increase the fee for the HTLC claiming transaction, because
they are the ones who force-closed the channel. CPFP doesn't work, because
their ultimate output is CLTV'd. As soon as the HTLC timeouts Malleroy can
claim the still pending HTLCs using an RBF transaction.
So it is Alice who has to force close, which puts her at a big disadvantage.
Malleroy will have to pay the lightning fees, but they are negligible. The
fee for the on-chain force-close transaction (with the HTLC outputs) is
paid by whoever opened the channel. AFAIK the fee for the HTLC resolving
transactions is paid by whoever claims the HTLC. In this scenario it is
paid from Alice's money. If Malleroy opened the channel, he risks losing
some funds to on-chain fees. On the other hand the one who pays the fee
controls the fee. He could negotiate a very low fee (say a cent per HTLC),
when the network is idle and then wait for a natural congestion before
starting the attack, giving him a low risk with high success probability.
Every HTLC he can claim after timeout is profit.
Regards,
Jochen
--000000000000e3006705aa7c8107
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Tue, 14 Jul 2020 at 16:42, ZmnSCPx=
j via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.o=
rg">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">Good morning Mr. Lee,<br>
<br>
> Sorry. Re-sending with correction to CC bitcoin-dev<br>
><br>
> I am sorry if this was already brought up in previous threads. If I kn=
ow<br>
> lightning network correctly then HTLC is used to enforce settlements o=
n<br>
> blockchain if there is a dispute. Could a person lose money if their H=
TLC<br>
> does not get confirmed in the timeframe or if an older HTLC gets<br>
> confirmed first? I see different ways this could happen.<br>
><br>
> One, if the blockchain is very saturated with other transactions. The<=
br>
> reason we need lightning network is why it might have troubles with<br=
>
> settlements?<br>
<br>
This could happen, but the entire exercise is to move transactions off the =
blockchain, precisely to lower this risk.<br>
<br>
Otherwise, transfers onchain will take a long time.<br>
In practice, a long time to settle a payment will invalidate many real-worl=
d economic exchanges anyway (consider paying for food at a restaurant --- i=
f your payments take days to settle, the food has gotten stale before the r=
estaurant receives payment and releases your food).<br>
Thus, if an onchain transfer takes a long time to settle, there is already =
risk of economic loss present.<br>
<br>
By moving activity offchain, we reduce pressure onchain and improve settlem=
ent speeds on both offchain and onchain, reducing risk of economic loss due=
to delay.<br>
<br>
<br>
> Two, competition from a different conflicting HTLC. A newer<br>
> HTLC might not get confirmed before an older HTL.<br>
<br>
I cannot make sense of this.<br>
<br>
You cannot create conflicting HTLCs.<br></blockquote><div><br></div><div>Co=
rrect.=C2=A0 Removing or Creating an HTLC is something that both channel pa=
rtners need to agree on.=C2=A0 They may create multiple pending HTLCs as lo=
ng as there are enough funds, but creating conflicting HTLCs is not possibl=
e.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:=
0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">=
><br>
> I found out about a recent attack technique that sounds like it might =
be<br>
> similar called "flood and loot".<br>
<br>
Roughly, my understanding of Flood and Loot is to make a lot of uneconomica=
lly tiny HTLCs going through a target victim forwarding node.<br>
You make circular routes going from your own node back to yourself.<br>
Then you refuse to actually claim the HTLCs sent back to yourself.<br></blo=
ckquote><div><br></div><div>No, the way I understand it is that an attacker=
, say Malleroy, routes a lot of medium sized HTLC payments from his node to=
his node via a victim node, say Alice's, and possibly other=C2=A0nodes=
.=C2=A0</div><div>Then Malleroy *accepts* the payments by publishing the ha=
sh on the receiving end, so he gets all the sent funds on his receiving cha=
nnel.=C2=A0 Malleroy's receiving node behaves completely honestly, and =
nobody can prove that it belongs to the attacker.</div><div>Finally when Al=
ice claims her HTLC by presenting the hash, Malleroy just ignores the claim=
.=C2=A0 Now Alice, the victim, is forced to close the channel to prevent th=
e HTLC to timeout. If Malleroy does it with multiple victims at exactly the=
same time, they will all compete with each other.=C2=A0 The victims cannot=
increase the fee for the HTLC claiming transaction, because they are the o=
nes who force-closed=C2=A0the channel.=C2=A0 CPFP doesn't work, because=
their ultimate output is CLTV'd.=C2=A0 As soon as the HTLC timeouts Ma=
lleroy can claim the still pending HTLCs using an RBF transaction.</div><di=
v><br></div><div>So it is Alice who has to force close, which puts her at a=
big disadvantage.</div><div><br></div><div>Malleroy will have to pay the l=
ightning fees, but they are negligible.=C2=A0 The fee for the on-chain forc=
e-close transaction (with the HTLC outputs) is paid by whoever opened the c=
hannel. AFAIK the fee for the HTLC resolving transactions is paid by whoeve=
r claims the HTLC.=C2=A0 In this=C2=A0scenario it is paid from Alice's =
money.=C2=A0 If Malleroy opened the channel, he risks losing some funds to =
on-chain fees.=C2=A0 On the other hand the one who pays the fee controls th=
e fee.=C2=A0 He could negotiate a very low fee (say a cent per HTLC), when =
the network is idle and then wait for a natural congestion before starting =
the attack, giving him a low risk with high success probability.=C2=A0 Ever=
y HTLC he can claim after timeout is profit.</div><div><br></div><div>Regar=
ds,</div><div>=C2=A0 Jochen</div><div><br></div></div></div>
--000000000000e3006705aa7c8107--
|