1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
Delivery-date: Fri, 02 Aug 2024 05:31:05 -0700
Received: from mail-vs1-f59.google.com ([209.85.217.59])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDRYHVHZTUGRBAFDWO2QMGQER7YQWZI@googlegroups.com>)
id 1sZrR2-0003kV-UJ
for bitcoindev@gnusha.org; Fri, 02 Aug 2024 05:31:05 -0700
Received: by mail-vs1-f59.google.com with SMTP id ada2fe7eead31-49292256be3sf800461137.0
for <bitcoindev@gnusha.org>; Fri, 02 Aug 2024 05:31:04 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1722601858; cv=pass;
d=google.com; s=arc-20160816;
b=aK94HcPnMdKKPJh/3eV6t4bkZhf8Jsggqq0lkZK9V4R1nf6yD6Sahpc/gYRQCs/OgK
2gvkoYaMzDqXo9+AmJbFEmHL6DoOm/pSSTwS2vvO4pW3+S3MjN868L8H7b1njCeO6/zm
LiA4iBUNrBeNF3MvGWOetfzoJ1IqvEMIJGSCYAtSPDtRp+mHTOpoxvCdJji+GMMfDjnR
ig+8GbI5rtZe0L0SnRjuGHzO0IM11kTaNkQzx2oUlwSuQjP1VsSAp76IEtGft05rNnX/
1L7qapULgL3PN3O3fsQmKd7evR0gG3hY+iiplaT+6oRzUvKi9k1p8uN7RYUKVpszJ6JS
y2tQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:content-disposition:mime-version
:message-id:subject:to:from:date:feedback-id:sender:dkim-signature;
bh=WFuGMJcEa+dYoL+12Fwo2UxSjoQL3CMGBhETdCHqGqs=;
fh=XVk2QkvgRPLFdPnjevP8jLotxQk2HlTV0b/+CyZnOcg=;
b=SpaTMs7BFs/1Ygz4vdA0uCCAkDM3NCt9a9jDLvFFKaDZR34dMU3yuiRErj4qrDq88h
nBAD8iz0Yz9KZc3FL1vDihD1ly8RPhSWGydnCWm0ljZXQSqopdPRg7vhuhc9+58klUpe
X4dreOu8E8G9/Z30Xg4GNwj4Qd+4bp2ktRG9uf3hh4WCm22RXnoTRlUPK2evWV0u3Haz
VwQXYX4Z4QZhOmRyBGrDRdoc92ZDPhKYYmZATHEg3JpKg3DY/exRHBo1PAho0zKoMxNV
uOduqKNSA3KBlOQARwZ+q7RBNzogujf9gb3jaYHmfrKR7xyP0tfH2+4D9bezcqtTkztu
fGfg==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=Beh025kI;
spf=pass (google.com: domain of pete@petertodd.org designates 103.168.172.158 as permitted sender) smtp.mailfrom=pete@petertodd.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1722601858; x=1723206658; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-disposition:mime-version:message-id
:subject:to:from:date:feedback-id:sender:from:to:cc:subject:date
:message-id:reply-to;
bh=WFuGMJcEa+dYoL+12Fwo2UxSjoQL3CMGBhETdCHqGqs=;
b=wnZotPwl1PX/sZkes4IrrWOKflO0Bo94ou8kuU82Hk7ZFvkxDk8m8N0aA5aFEIcD4V
Q31/EiPaqaR5TWEAaRybdGTZPwHgHrmg9/SuT/ZxkQTTeNOidWIfNZqJeULPITlMx8c7
fwY9aIkoNIOqY6wKU56gUSnev5bWhc0snmCca+Qxu2GuQ+QgqU9ZLfp0Q9rd8Nbfsoe5
BLat+2G5kiXvJ3YJot90gtztPvJ/54DBOPFs3yC7wVt8lBn0wWvLv2Gic9E/9uT4+isr
t+RMBqnI5P1c9fhZt73/bF07Ub91xce5War1iY5H19dObQs0xSGTi5UPxuFCVbeHErbO
t7OQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1722601858; x=1723206658;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-disposition:mime-version:message-id
:subject:to:from:date:feedback-id:x-beenthere:x-gm-message-state
:sender:from:to:cc:subject:date:message-id:reply-to;
bh=WFuGMJcEa+dYoL+12Fwo2UxSjoQL3CMGBhETdCHqGqs=;
b=YnpLNa8LIX5FMRwzUByv/BVvS5XncLZi/KDbjuBVRY9TYF/LrV23G/3KcTLn4engPM
fFRmLrCkPx5sW0rVL1LhfOjM6Uc25ZIP3Xst8D7Vmg00pW9uCspvmxhIL5HScJ24i1fU
3qDevf21TX5R9uebWNJwAmPCSfnl2NxzPLigAm4OFnW/0TdPoOYWAfoCRGBc87xhA+DH
OIKlxQUmOLQZFdyi123Ihjovfn/OpJHea5/t0RYhjUKOC571wVKH+gB0C+i8zqCKfN3d
b2UWiQgwNqFfupFTAA8By1j6YiM0/EK8AWx8hQfqz0F8zgoadCU8B/1i97wmBEFc5pJj
sJcA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCUTzRNDl6w1URnHBH4+484A0h6tSwa3rzPv77AoOocjP+inhqysSwKla17Z8RGKmJeWzT9vQ/LxZCCjU+rucBg06n+FBu0=
X-Gm-Message-State: AOJu0Ywa6ch0f+YE0psvlxVwSjzSXIT8gZvyELv0gluZAGLVzQm9QDCl
puDS06bzDZ6i6aOJnvLDK4F0XApSOjk9kEfplLL/vSF5Jc2nF+rB
X-Google-Smtp-Source: AGHT+IFvX4HUaye8s0+7YNaQ/vslXeCWYP68z3VwnYs75h4fqxhf9nFL6nhyoJ9mBk1H3j6IfkOjeA==
X-Received: by 2002:a67:f99a:0:b0:493:e582:70ce with SMTP id ada2fe7eead31-4945be0ab86mr3095767137.10.1722601857969;
Fri, 02 Aug 2024 05:30:57 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:ac8:5982:0:b0:447:e719:3e13 with SMTP id d75a77b69052e-44fe3192a76ls179169671cf.1.-pod-prod-06-us;
Fri, 02 Aug 2024 05:30:56 -0700 (PDT)
X-Received: by 2002:a05:6214:4005:b0:6bb:79b4:1546 with SMTP id 6a1803df08f44-6bb983fc1f8mr2727906d6.7.1722601856457;
Fri, 02 Aug 2024 05:30:56 -0700 (PDT)
Received: by 2002:a05:620a:3843:b0:7a1:d643:94b4 with SMTP id af79cd13be357-7a34f8113e8ms85a;
Fri, 2 Aug 2024 00:54:32 -0700 (PDT)
X-Received: by 2002:a05:6902:c0c:b0:e0b:ab65:19c8 with SMTP id 3f1490d57ef6-e0bde4c57ffmr3688511276.48.1722585271371;
Fri, 02 Aug 2024 00:54:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1722585271; cv=none;
d=google.com; s=arc-20160816;
b=CWcJCCDBCe/0vZr4g0a2e7d+SDu3v+TerqWSDqQbhcJ2nifovMl8H5C19R3lruK1W+
rU0F0qhHd+VQOx0QzuBdCTks9MJbYXwsbfkTYRMRsD9rCnhBkO5AJMcu/ijz7l/YdX11
KTi1jAK31dAnVdmSmKHdTsLy0P/HpI5tOKZ6lidGvHX9byjkZvUjxhtqpZcPLoEwaaxD
zhPpsU45js74ivk/gZs7ZbFMRmTbEgx0agHtT815alwQlO6tJeqjaocagxAFmJ54+DRD
R75JenDdomXfqwXumgHt0QboNSY7R8uG4YxH55F5Bjiq601i1No6ZuomWhbCEIJqlsXP
P9jA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-disposition:mime-version:message-id:subject:to:from:date
:feedback-id:dkim-signature;
bh=QBUZpWUBw2UsgA6J6zU5dy7ijrGDtiS7ycCPXC8hgR8=;
fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=;
b=Sv/6ZWk/7hgGzKOfY0LxNR/2lNuYznTRj9/P8JMgVlhLKA4biz3uwowy60E8QMoo5s
QHzqH4bxPY5yiUR8biHUEcw/Nbnu7YW60STaolbxLGLlXZ0E1EFjqvK0M9oofp3ZqRuY
Dng93+YJqXOZrFRTXu3QVCfH4W+WLqG+LScg5cJf7VpMp+l+1YOcQQaNtPRW0XYDtFBm
PrYyjMxPib1rnlsMYubw0cO4pYNzlMaY3JQA/W9csFo1Vr9F0NTPMC5YjCqf7wIjzCCW
ARUrtvMbMbc6oxZbsy6vnIqtaPnaa+9l9agwY6QCtAfe72mkYgODZo0LQT9o2Tr4Tfq8
VPbg==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=Beh025kI;
spf=pass (google.com: domain of pete@petertodd.org designates 103.168.172.158 as permitted sender) smtp.mailfrom=pete@petertodd.org
Received: from fhigh7-smtp.messagingengine.com (fhigh7-smtp.messagingengine.com. [103.168.172.158])
by gmr-mx.google.com with ESMTPS id 3f1490d57ef6-e0be5562950si56809276.2.2024.08.02.00.54.31
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 02 Aug 2024 00:54:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of pete@petertodd.org designates 103.168.172.158 as permitted sender) client-ip=103.168.172.158;
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
by mailfhigh.nyi.internal (Postfix) with ESMTP id D17971151AD9
for <bitcoindev@googlegroups.com>; Fri, 2 Aug 2024 03:54:30 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
by compute4.internal (MEProxy); Fri, 02 Aug 2024 03:54:30 -0400
X-ME-Sender: <xms:tpCsZmPUUF05EL7svfcvOo4N3MUttnADAMUzGvhqZxcgz9K0H8I5Ow>
<xme:tpCsZk98dUcOP-LfiQmAkSt1PRkeJQBOFCWvGy7y4UK4FHYa74dc11wHhB44OTCsq
2vYgZzYA24HCdnbNwk>
X-ME-Received: <xmr:tpCsZtQ_6Qyq226zqDGat_woCZWul1HHXyxDvRIYwZ1Hx1tk9YzxLH4YwNbpnRjHWMpN2f1nLB64RstbkMAplHEV68oB>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrjeelgdduvdejucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesghdtreertd
dtvdenucfhrhhomheprfgvthgvrhcuvfhougguuceophgvthgvsehpvghtvghrthhouggu
rdhorhhgqeenucggtffrrghtthgvrhhnpefhteevgeeuvdekheeivdeffeduuedufefhte
elheffgfelueefieffjeefffeuleenucffohhmrghinhepphgvthgvrhhtohguugdrohhr
ghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehpvg
htvgesphgvthgvrhhtohguugdrohhrghdpnhgspghrtghpthhtoheptd
X-ME-Proxy: <xmx:tpCsZmsR_ALY6dY_9vKLaD72Y1qATZGkwhgLpTO07juU3fKdEEby7Q>
<xmx:tpCsZudQ4dGbDCA8SwI5pYMfGBSO-VGUSaz9g13CFWmf2HEgWFQVoA>
<xmx:tpCsZq2YeTPsVMrRL6amjt31wrIuhUYiEvSev_-PrSJ6KgYb2VPjrQ>
<xmx:tpCsZi8BC2K3iNIy5SSuTypOg2sv9UhLqPkA377PjMqemu2mJvIAZg>
<xmx:tpCsZt7m4yrIbef2qqM_k6-Wd-CUcWbHTMP3wndCAhpr5LiFflsk1ibB>
Feedback-ID: i525146e8:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
<bitcoindev@googlegroups.com>; Fri, 2 Aug 2024 03:54:30 -0400 (EDT)
Received: by localhost (Postfix, from userid 1000)
id BF23B5F854; Fri, 2 Aug 2024 07:54:28 +0000 (UTC)
Date: Fri, 2 Aug 2024 07:54:28 +0000
From: Peter Todd <pete@petertodd.org>
To: bitcoindev@googlegroups.com
Subject: [bitcoindev] Keyless Anchors Are Vulnerable To Replacement Cycling Attacks
Message-ID: <ZqyQtNEOZVgTRw2N@petertodd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="vRkTbBrP6olNI+nv"
Content-Disposition: inline
X-Original-Sender: pete@petertodd.org
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@messagingengine.com header.s=fm3 header.b=Beh025kI; spf=pass
(google.com: domain of pete@petertodd.org designates 103.168.172.158 as
permitted sender) smtp.mailfrom=pete@petertodd.org
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)
--vRkTbBrP6olNI+nv
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
This feels like someone should have published it before. But I can't find an
obvious citation (eg in any of the documentation around keyless ephemeral
anchors), so I'll publish one here. Maybe I'm the first to point this out
explicitly? Probably not; I'd appreciate an earlier citation if one exists.
tl;dr: _Anyone_ can do a replacement cycling attack on transactions where fees
are paid via CPFP via keyless anchors and similar outputs that a third-party
can double-spend. Secondly, for attackers who were already planning on making a
transaction with a higher total fee and total fee-rate than the target, this
attack is almost free.
# The Attack
Suppose that Alice has created a 2 transaction package consisting of low-fee or
zero-fee transaction A, whose fees are CPFP paid via a keyless ephemeral anchor
spent by transaction B. For B to pay fees, obviously it must spend a second
transaction output.
Mallory can cycle A and B out of mempools by broadcasting transaction B2,
spending his own output and the keyless ephemeral anchor of A, at a higher
fee/fee-rate than B. Next, Mallory broadcasts B3, double-spending B2 by
spending Mallory's input but not the ephemeral anchor of A. Assuming Mallory
needed to mine B3 anyway, the only cost to this attack is the small chance that
B2 will in fact be mined between the time that B2 is replaced by B3.
At this point A is no longer economical to mine as B has been cycled out, and A
may be dropped from mempools depending on the circumstances.
## SIGHASH_ANYONECANPAY
Obviously, a similar attack is possible against SIGHASH_ANYONECANPAY-using
transactions, provided that _all_ signatures sign with SIGHASH_ANYONECANPAY.
# Countermeasures
As with other replacement cycling attacks, rebroadcasting A and B fixes the
issue. I think the existence of this additional type of replacement cycling
attack suggests that adding an optional rebroadcasting module to Bitcoin Core
that would keep track of dropped transactions and re-add them to mempools when
they are again valid would make sense. This fixes all replacement cycling
attacks and there's probably lots of nodes who have the memory and/or disk
space to keep track of dropped transactions like this.
Preventing the replacement of B2 with B3 is _not_ a viable countermeasure: if
that replacement was prohibited, attackers could in turn exploit that rule as a
new form of transaction pinning!
# Privacy
The fact that rebroadcasting is a countermeasure is a privacy concern. Each
time a transaction is rebroadcast by the sender is a potential opportunity to
track the origin of a transaction. Again, having third parties rebroadcasting
transactions altruistically would mitigate this privacy concern.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZqyQtNEOZVgTRw2N%40petertodd.org.
--vRkTbBrP6olNI+nv
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmaskLMACgkQLly11TVR
LzfreA//WnWPNqDyHOnqdilxmWyXLLpuzh8qoYOSkuBoZYODk9U8rcuQUqg3mpct
GWyYvwH8+jAAH47of6nTa3CLrRi5RG1jI0icCihWxfElC3+7U+WnUOk7pN2cDwGX
W4pdeyf8FCjJVJgDFPOhWymmeUYtjEXDw+FFYcjNjKBBpwcW+/SHXClqrWIhFaD7
RRMbFJ/F7K3tAT6OIfooeoLxMAwGmj/P01qg6OR/X1SDrbZqv5AhVRyK4ZX4u2nn
UiYX3WeugedJXOR2RWdRBKVnHnMBNdkPS9JJYCIocDvdRW2gCznZkTmQNd4Rn5d8
Mpj8i2vcw+qyBdoMl3bxpj7vIn3JjuQPhpANFLM4aYhZLLnS4ugiXSxujlmXZO9S
7ft8E3ZDInwhmmma3CMK60GmbYfoPTe44siPA0Gqlxm/QBWTXEII2Ig8ipgN3f9j
ocw2vwTNnySwb7eHQCuwwsaTuJXSjaA5MzT+E+cRlwgoUSCdak+qSCFtrBRsubjO
ACbz+jRL36I28TwgQ7RwUl6Yz7uH7nkoPzDtikoHFTcC7DEV7RXiK2zlaCbFwFSd
DfhDhdlEX8i8Jzgl+eJ0s8wQ2ods/Oh1cbnT17P0+xhppK10NsBdUe4Xk25DINV0
mDCYCgatFdep7+UeTkEolB9MYfqYU2Rt+ZF1TPJEZN5zmJq7A1I=
=LR7g
-----END PGP SIGNATURE-----
--vRkTbBrP6olNI+nv--
|
