Return-Path: <pete@petertodd.org>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 2DDFDC002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 08:47:57 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id CF7BE60D4D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 08:47:56 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org CF7BE60D4D
Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key,
 unprotected) header.d=messagingengine.com header.i=@messagingengine.com
 header.a=rsa-sha256 header.s=fm3 header.b=cOzSTh4R
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 6vuhAnq4N0ts
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 08:47:55 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 1412B60D7B
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com
 [64.147.123.21])
 by smtp3.osuosl.org (Postfix) with ESMTPS id 1412B60D7B
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 10 Jan 2023 08:47:54 +0000 (UTC)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
 by mailout.west.internal (Postfix) with ESMTP id DA53E3200985;
 Tue, 10 Jan 2023 03:47:51 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute2.internal (MEProxy); Tue, 10 Jan 2023 03:47:52 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-type:date:date:feedback-id
 :feedback-id:from:from:in-reply-to:in-reply-to:message-id
 :mime-version:references:reply-to:sender:subject:subject:to:to
 :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm3; t=1673340471; x=1673426871; bh=9aWSLdVLOQJEu9mEQ/MOvN/Xs2Jz
 oHRhfVe07x2hDY8=; b=cOzSTh4Ro7zr1Ty0qlW9Xb0SEmDWIHmV8iigm6hpk3Am
 thdDwZJD24IJZcsVVQj/8gAdHbmkywiPEi5ZOzZU0qBDbDlwZeVDfY6MFFxM4VM9
 TQB8Nbdum3n5jaRLdHdxaO3FIGOPyeDn424++NutM04JAw3Wqq0E1khX+5dSAGED
 oixV0iuv4vg84sIm24qnLSLwnmlMLDv79GP9DA1JQ5oIHRYdQWYR8erDyOkWVlh5
 PR1YVkyj5Mz+hdkpB3n8xys7d4mEede0awGxlT9Fhm5H11Lhqm7pvdFxROwVSBHi
 8/wMnVMl8sw4pc5bQl7fIAmf0L2q5sw8lMqToIrblw==
X-ME-Sender: <xms:Nya9Y-UyXIKS3VUEbPK83PGwIPXyZCmTN-YVo9-4zfTL3jEnYVpx7w>
 <xme:Nya9Y6mFDSBbf1geisjg5PhUCjEtNxu4CkctU8A_dSdFLB3LgMEYQjYr__XcXb51V
 HD5WhJ9-S5q36t95bE>
X-ME-Received: <xmr:Nya9YyYXBIkbeiXe6Z2rdyFxfPD7wU05u1JKMqklOTZO2WpURCdm7F8ntMU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrkeejgdduvdeiucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvvefukfhfgggtuggjsehgtd
 erredttddvnecuhfhrohhmpefrvghtvghrucfvohguugcuoehpvghtvgesphgvthgvrhht
 ohguugdrohhrgheqnecuggftrfgrthhtvghrnhepledvleelffdtudekudffjefgfeejue
 ehieelfedtgfetudetgeegveeutefhjedtnecuffhomhgrihhnpehpvghtvghrthhouggu
 rdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh
 epphgvthgvsehpvghtvghrthhouggurdhorhhg
X-ME-Proxy: <xmx:Nya9Y1VrdZNcAb1tOdaDdp3ryNUcykTIqksFrxcrdZEX1ZELURERqg>
 <xmx:Nya9Y4nVDCwVxT1KnbuiLd7kv4WxfngiS_9DWMReztFB2iS_DqZb2w>
 <xmx:Nya9Y6edgnKqD6u_P6U07aHBncYpo8qijngAiqeQGbvw4XK1ATyrjg>
 <xmx:Nya9YyhxjEpz_QaGXsqq_D8hrVYS7dmezDZLObJQ9Qu1Xn2D8sBnjg>
Feedback-ID: i525146e8:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue,
 10 Jan 2023 03:47:50 -0500 (EST)
Received: by localhost (Postfix, from userid 1000)
 id 30A8C5F823; Tue, 10 Jan 2023 03:47:48 -0500 (EST)
Date: Tue, 10 Jan 2023 03:47:48 -0500
From: Peter Todd <pete@petertodd.org>
To: "David A. Harding" <dave@dtrt.org>
Message-ID: <Y70mNHsX4JcKYZyi@petertodd.org>
References: <Y7ySzDjzx5eDjOH9@petertodd.org>
 <aaaeda2950e61127a3218c523927a0d8@dtrt.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="eXFKUwX/XF0SKWEr"
Content-Disposition: inline
In-Reply-To: <aaaeda2950e61127a3218c523927a0d8@dtrt.org>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Why Full-RBF Makes DoS Attacks on Multiparty
 Protocols Significantly More Expensive
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2023 08:47:57 -0000


--eXFKUwX/XF0SKWEr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Jan 09, 2023 at 09:11:46PM -1000, David A. Harding wrote:
> On 2023-01-09 12:18, Peter Todd via bitcoin-dev wrote:
> > [The quote:]
> >=20
> >     "Does fullrbf offer any benefits other than breaking zeroconf
> > business
> >      practices?"
> >=20
> > ...has caused a lot of confusion by implying that there were no
> > benefits. [...]
> >=20
> > tl;dr: without full-rbf people can intentionally and unintentionally DoS
> > attack
> > multi-party protocols by double-spending their inputs with low-fee txs,
> > holding
> > up progress until that low-fee tx gets mined.
>=20
> Hi Peter,
>=20
> I'm confused.  Isn't this an easily solvable issue without full-RBF?
> Let's say Alice, Bob, Carol, and Mallory create a coinjoin transaction.
> Mallory either intentionally or unintentionally creates a conflicting
> transaction that does not opt-in to RBF.
>=20
> You seem to be proposing that the other participants force the coinjoin
> to complete by having the coinjoin transaction replace Mallory's
> conflicting transaction, which requires a full-RBF world.
>=20
> But isn't it also possible in a non-full-RBF world for Alice, Bob, and
> Carol to simply create a new coinjoin transaction which does not include
> any of Mallory's inputs so it doesn't conflict with Mallory's
> transaction?  That way their second coinjoin transaction can confirm
> independently of Mallory's transaction.

How do you propose that the participants learn about the double-spend? With=
out
knowing that it happened, they can't respond as you suggested.

> Likewise, if Alice and Mallory attempt an LN dual funding and Mallory
> creates a conflict, Alice can just create an alternative dual funding
> with Bob rather than try to use full-RBF to force Mallory's earlier dual
> funding to confirm.

Same issue.

And of course, in both cases full-rbf makes Mallory have to actually pay fu=
ll
price for the attack. Either because the intended transaction goes through.=
 Or
because their double-spending DoS attack had to be much more expensive in t=
he
first place.

> > ## Transaction Pinning
> >=20
> > Exploiting either rule is expensive.
>=20
> I think this transaction pinning attack against coinjoins and dual
> fundings is also solved in a non-full-RBF world by the honest
> participants just creating a non-conflicting transaction.
>=20
> That said, if I'm missing something and these attacks do actually apply,
> then it might be worth putting price figures on the attack in terms most
> people will understand.  The conflicting inputs attack you described in
> the beginning as being solved by full-RBF costs about $0.05 USD at
> $17,000/BTC.  The transaction pinning attack you imply is unsolved by
> full-RBF costs about $17.00.  If both attacks apply, any protocol which
> is vulnerable to a $17.00 attack still seems highly vulnerable to me, so
> it doesn't feel like a stretch to say that full-RBF lacks significant
> benefits for those protocols.

Coinjoins are an automated process that happens constantly. As I described =
in
my email, it's totally normal for them to fail constantly - I was told by
Wasabi that only ~25% of coinjoin rounds succeed right now, a figure that
frankly was much higher than I expected. Being forced to spend $17/round ra=
ther
than $0.05/round is a huge improvement that adds up to serious money at the
scale at which Wasabi and similar protocols operate at.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--eXFKUwX/XF0SKWEr
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0RcYcKRzsEwFZ3N5Lly11TVRLzcFAmO9JiYACgkQLly11TVR
Lzc0iw//dKF+VNqlAIcu8eDI9aVOcMWBrfdka62pjhkCXym4WI1NIdo92seHPjo1
92K+pfEqq5pUHSNVTbayw3JIiDrh48XsIk/N+jTnMgqA3VZ+lMxhzYTSHhMOAs/F
j/YQQIfGqECAsv86z6i/Ow7cHjFfBOpxG2k8XolNBqh6FINrn88Nkw16wO/T2ATO
B71V80JV+tUSjfBZ7CrVqoCpARGE3n+huQ4r+QFnLMd/F9PpbXQySo8T9TEuQwCR
hSrL9OZwhjLpOAPU6aIGLRgiucOjC2UcImwm/W/OVwUWPFAlKZck6p54bcr2TuSV
uwPjmYbtYGVlSr860Tl5pqUSfnf0i0bQGl0F0cAEJRTSwx5ajJnOXITNjGmoHuVo
8CILhK/DpWD6wvV+Xi/C2/hCYxLEMVpHNJCUc1AB01o4HZ7u07RgFYrv6NY4MSK5
Lk4gA/7eVDdfXUVxCSmPjjsVHQ9C2OH53Xxl+WQHDQuKeAX2z7w15W2NLsr5D02T
mn5JbRqNPCIzj5xyq15NsEtpNL7IBj7B+zOl93ZiU9/0GiJi9X35tP+hECqGG+tn
fjc8SIyHHRbHjql0UZ6ywtHWQIysRuWQUIrZocBA0L68B13Dcr51S7eXSD1241L+
yMKS41n/+nk8EYuUPd9V/8jASepTGCIxd5wbvqtIdzROtSVp1hs=
=n7LS
-----END PGP SIGNATURE-----

--eXFKUwX/XF0SKWEr--