Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 27C19C000B for ; Mon, 31 Jan 2022 15:58:10 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id EB06D60F00 for ; Mon, 31 Jan 2022 15:58:09 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp3.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=acinq-fr.20210112.gappssmtp.com Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uIKKjbO7MdpP for ; Mon, 31 Jan 2022 15:58:05 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) by smtp3.osuosl.org (Postfix) with ESMTPS id 6B33360BD7 for ; Mon, 31 Jan 2022 15:58:05 +0000 (UTC) Received: by mail-yb1-xb29.google.com with SMTP id c6so41855959ybk.3 for ; Mon, 31 Jan 2022 07:58:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=acinq-fr.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mfqrY7ohJU3D484jGW0oPKDqiYANOG7ahvpl54NLgPE=; b=KVMfcIwBbUPiVs7aGopYOipKrUT0A9BnaibbNWn944zZlX5GX7BisKEsJYSG1328nR iPkNWAh+LVqBINAPkIfB2s3xxUIYQ43dM46iWywgMjz2LeKLE/Suj9d/okM/wDlFNeyO YhZLCZp6zP//tVlxpHmBrk1WfIpYir6Odnw+pl4E+r1Smcrxpd6egBAyVPc/lkiVWcFm WQZAX/VPJEEJpEcX7iV4IxSTOqbLXPis95FMrDRgMLGNJVEtT7VFTAtT3vgXefeZ/LpF DrYP8INXnzVHL6sUN45f9vSpmEnBTU+9Kdh/o4d8WI8ecLIFqe+T1XgUY9uzHK3C67CE 3Cjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mfqrY7ohJU3D484jGW0oPKDqiYANOG7ahvpl54NLgPE=; b=aZWXG9gxAAwkbrj6mRKEB+QGx3gRZFGkZ7y829hvJwcDPFZdOon5zdwrsTCd2356BW EsfMiKxYnioXDW5gBHXrPre9cK9XjnmEGehgedaoRkvZf5SlnmTEQqL8Zub+54X1QFsB hkDJbhhYOhyCQmYKOcHOVha9PvmY4iCNoMILNZLqn5VhAWtTgLsxbCH2kpuhViD/g7rp 5piKXdJa/J0LOWXoGpldrbSeT190Fuzgs9kAk3BJY1j9EGoi9kfNpT9KE0dcxmz9HQbv oZbfE1Rax/EtG1JQ9vYjPMO1D0/rIZHw0f41rJgS3HFM+xmoAsKfSz6lZoy1b4JvpEJF WZPQ== X-Gm-Message-State: AOAM532i7a+VcQDyrItYeqcsyA6ycbHxmEQHALfb9Ht8dqH9Y7MUOabi Jy6fRIlIvlPpIPdaNv4FR5BoKE+K2ABPHz5nyRmstkAgr+2tuQ== X-Google-Smtp-Source: ABdhPJxFeyKrtiyMp1kig4ZXLBQETpElQZFqIAMw+kL4jqe2zloMa4FyRtoLhy0AW2Mao9jsyRjME1u3jnxU9I1KpUs= X-Received: by 2002:a25:cdc5:: with SMTP id d188mr31488854ybf.534.1643644683675; Mon, 31 Jan 2022 07:58:03 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Bastien TEINTURIER Date: Mon, 31 Jan 2022 16:57:52 +0100 Message-ID: To: Antoine Riard , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000008240c605d6e2d9c0" X-Mailman-Approved-At: Mon, 31 Jan 2022 16:03:52 +0000 Subject: Re: [bitcoin-dev] Improving RBF Policy X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Jan 2022 15:58:10 -0000 --0000000000008240c605d6e2d9c0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Gloria, Many thanks for raising awareness on these issues and constantly pushing towards finding a better model. This work will highly improve the security of any multi-party contract trying to build on top of bitcoin (because most multi-party contracts will need to have timeout conditions and participants will need to make some transactions confirm before a timeout happens - otherwise they may lose funds). For starters, let me quickly explain why the current rules are hard to work with in the context of lightning (but I believe most L2 protocols will have the same issues). Feel free to skip this part if you are already convinced. ## Motivation The biggest pain point is BIP 125 rule 2. If I need to increase the fees of a time-sensitive transaction because the feerate has been rising since I broadcast it, I may need to also pay high fees just to produce a confirmed utxo that I can use. I'm actually paying a high fee twice instead of once (and needlessly using on-chain space, our scarcest asset, because we could have avoided that additional transaction!). It also has some annoying "non-determinism". Imagine that my transaction has been evicted from my mempool because its feerate was too low. I could think "Great, that means I don't have to apply BIP 125 restrictions, I can just fund this transaction as if it were a new one!". But actually I do, because my transaction could still be in miner's mempools and I have no way of knowing it...this means that whenever I have broadcast a transaction, I must assume that I will always need to abide by whatever replacement rules the network applies. Fortunately, as far as I understand it, this rule only exists because of a previous implementation detail of bitcoin core, so there's simply no good reason to keep it. The second biggest pain point is rule 3. It prevents me from efficiently using my capital while it's unconfirmed. Whenever I'm using a big utxo to fund a transaction, I will get a big change output, and it would really be a waste to be unable to use that change output to fund other transactions. In order to be capital-efficient, I will end up creating descendant trees for my time-sensitive transactions. But as Gloria explained, replacing all my children will cost me an absurdly large amount of fees. So what I'm actually planning to do instead is to RBF one of the descendants high enough to get the whole tree confirmed. But if those descendants' timeouts were far in the future, that's a waste, I paid a lot more fees for them than I should have. I'd like to just replace my transaction and republish the invalidated children independently. Rule 4 doesn't hurt as much as the two previous ones, I don't have too much to say about it. To be fair to the BIP 125 authors, all of these scenarios were very hard to forecast at the time this BIP was created. We needed years to build on those rules to get a better understanding of their limitations and if the rationale behind them made sense in the long term. ## Proposals I believe that now is a good time to re-think those, and I really like Gloria's categorization of the design constraints. I'd like to propose a different way of looking at descendants that makes it easier to design the new rules. The way I understand it, limiting the impact on descendant transactions is only important for DoS protection, not for incentive compatibility. I would argue that after evictions, descendant transactions will be submitted again (because they represent transactions that people actually want to make), so evicting them does not have a negative impact on mining incentives (in a world where blocks are full most of the time). I'm curious to hear other people's thoughts on that. If it makes sense, I would propose the following very simple rules: 1. The transaction's ancestor absolute fees must be X% higher than the previous transaction's ancestor fees 2. The transaction's ancestor feerate must be Y% higher than the previous transaction's ancestor feerate I believe it's completely ok to require increasing both the fees and feerate if we don't take descendants into account, because you control your ancestor set - whereas the descendant set may be completely out of your control. This is very easy to use by wallets, because the ancestor set is easy to obtain. And an important point is that the ancestor set is the same in every mempool, whereas the descendant set is not (your mempool may have rejected the last descendants, while other people's mempools may still contain them). Because of that reason, I'd like to avoid having a rule that relies on some size of the replaced descendant set: it may be valid in your mempool but invalid in someone else's, which makes it exploitable for pinning attacks. I believe these rules are incentive compatible (again, if you accept the fact that the descendants will be re-submitted and mined as well, so their fees aren't lost). Can we choose X and Y so that these two rules are also DoS-resistant? Unfortunately I'm not sure, so maybe we'll need to add a third rule to address that. But before we do, can someone detail what it costs for a node to evict a descendant tree? Given that bitcoin core doesn't allow chains of more than 25 transactions, the maximum number of transactions being replaced will be bounded by 25 * N (where N is the number of outputs of the transaction being replaced). If it's just O(n) pruning of a graph, maybe that's ok? Or maybe we make X or Y depend on the number of outputs of the transaction being replaced (this would need very careful thoughts)? If you made it this far, thanks for reading! A couple of comments on the previous messages: > Currently, if we see a transaction > that has the same txid as one in the mempool, we reject it as a > duplicate, even if the feerate is much higher. It's unclear to me if > we have a very strong reason to change this, but noting it as a > limitation of our current replacement policy. I don't see a strong reason from an L2 protocol's point of view yet, but there are many unkown unknowns. But from a miner incentive's point of view, we should keep the transaction with the higher feerate, shouldn't we? In that case it's also a more efficient use of on-chain space, which is a win, right? > We might have a more-or-less long transition period during which we support both... Yes, this is a long term thing. Even if bitcoin core releases a new version with updated RBF rules, as a wallet you'll need to keep using the old rules for a long time if you want to be safe. But it's all the more reason to try to ship this as soon as possible, this way maybe our grand-children will be able to benefit from it ;) (just kidding on the timespan obviously). Cheers, Bastien Le lun. 31 janv. 2022 =C3=A0 00:11, Antoine Riard via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : > Hi Gloria, > > Thanks for this RBF sum up. Few thoughts and more context comments if it > can help other readers. > > > For starters, the absolute fee pinning attack is especially > > problematic if we apply the same rules (i.e. Rule #3 and #4) in > > Package RBF. Imagine that Alice (honest) and Bob (adversary) share a > > LN channel. The mempool is rather full, so their pre-negotiated > > commitment transactions' feerates would not be considered high > > priority by miners. Bob broadcasts his commitment transaction and > > attaches a very large child (100KvB with 100,000sat in fees) to his > > anchor output. Alice broadcasts her commitment transaction with a > > fee-bumping child (200vB with 50,000sat fees which is a generous > > 250sat/vB), but this does not meet the absolute fee requirement. She > > would need to add another 50,000sat to replace Bob's commitment > > transaction. > > Solving LN pinning attacks, what we're aiming for is enabling a fair > feerate bid between the counterparties, thus either forcing the adversar= y > to overbid or to disengage from the confirmation competition. If the > replace-by-feerate rule is adopted, there shouldn't be an incentive for B= ob > to > pick up the first option. Though if he does, that's a winning outcome for > Alice, as one of the commitment transactions confirms and her > time-sensitive second-stage HTLC can be subsequently confirmed. > > > It's unclear to me if > > we have a very strong reason to change this, but noting it as a > > limitation of our current replacement policy. See [#24007][12]. > > Deployment of Taproot opens interesting possibilities in the > vaults/payment channels design space, where the tapscripts can commit to > different set of timelocks/quorum of keys. Even if the pre-signed states > stay symmetric, whoever is the publisher, the feerate cost to spend can > fluctuate. > > > While this isn't completely broken, and the user interface is > > secondary to the safety of the mempool policy > > I think with L2s transaction broadcast backend, the stability and clarity > of the RBF user interface is primary. What we could be worried about is a > too-much complex interface easing the way for an attacker to trigger your > L2 node to issue policy-invalid chain of transactions. Especially, when w= e > consider that an attacker might have leverage on chain of transactions > composition ("force broadcast of commitment A then commitment B, knowing > they will share a CPFP") or even transactions size ("overload commitment = A > with HTLCs"). > > > * If the original transaction is in the top {0.75MvB, 1MvB} of the > > mempool, apply the current rules (absolute fees must increase and > > pay for the replacement transaction's new bandwidth). Otherwise, use a > > feerate-only rule. > > How this new replacement rule would behave if you have a parent in the > "replace-by-feerate" half but the child is in the "replace-by-fee" one ? > > If we allow the replacement of the parent based on the feerate, we might > decrease the top block absolute fees. > > If we block the replacement of the parent based on the feerate because th= e > replacement absolute fees aren't above the replaced package, we still > preclude a pinning vector. The child might be low-feerate junk and even > attached to a low ancestor-score branch. > > If I'm correct on this limitation, maybe we could turn off the > "replace-by-fee" behavior as soon as the mempool is fulfilled with a few > blocks ? > > > * Rate-limit how many replacements we allow per prevout. > > Depending on how it is implemented, though I would be concerned it > introduces a new pinning vector in the context of shared-utxo. If it's a > hardcoded constant, it could be exhausted by an adversary starting at the > lowest acceptable feerate then slowly increasing while still not reaching > the top of the mempool. Same if it's time-based or block-based, no > guarantee the replacement slot is honestly used by your counterparty. > > Further, an above-the-average replacement frequency might just be the > reflection of your confirmation strategy reacting to block schedule or > mempools historical data. As long as the feerate penalty is paid, I lean = to > allow replacement. > > (One solution could be to associate per-user "tag" to the LN transactions= , > where each "tag" would have its own replacement slots, but privacy?) > > > * Rate-limit transaction validation in general, per peer. > > I think we could improve on the Core's new transaction requester logic. > Maybe we could bind the peer announced flow based on the feerate score > (modulo validation time) of the previously validated transactions from th= at > peer ? That said, while related to RBF, it sounds to me that enhancing > Core's rate-limiting transaction strategy is a whole discussion in itself > [0]. Especially ensuring it's tolerant to the specific requirements of LN= & > consorts. > > > What should they be? We can do some arithmetic to see what happens if > > you start with the biggest/lowest feerate transaction and do a bunch > > of replacements. Maybe we end up with values that are high enough to > > prevent abuse and make sense for applications/users that do RBF. > > That's a good question. > > One observation is that the attacker can always renew the set of DoSy > utxos to pursue the attack. So maybe we could pick up constants scaled on > the block size ? That way an attacker would have to burn fees, thus > deterring them from launching an attack. Even if the attackers are miners= , > they have to renounce their income to acquire new DoSy utxos. If a low-fe= e > period, we could scale up the constants ? > > > Overall, I think there is the deployment issue to warn of. Moving to a ne= w > set of RBF rules implies for a lot of Bitcoin applications to rewrite the= ir > RBF logics. We might have a more-or-less long transition period during > which we support both... > > Cheers, > Antoine > > [0] https://github.com/bitcoin/bitcoin/pull/21224 > > Le jeu. 27 janv. 2022 =C3=A0 09:10, Gloria Zhao via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit : > >> Hi everyone, >> >> This post discusses limitations of current Bitcoin Core RBF policy and >> attempts to start a conversation about how we can improve it, >> summarizing some ideas that have been discussed. Please reply if you >> have any new input on issues to be solved and ideas for improvement! >> >> Just in case I've screwed up the text wrapping again, another copy can b= e >> found here: >> https://gist.github.com/glozow/25d9662c52453bd08b4b4b1d3783b9ff >> >> ## Background >> >> Please feel free to skip this section if you are already familiar >> with RBF. >> >> Nodes may receive *conflicting* unconfirmed transactions, aka >> "double spends" of the same inputs. Instead of always keeping the >> first transaction, since v0.12, Bitcoin Core mempool policy has >> included a set of Replace-by-Fee (RBF) criteria that allows the second >> transaction to replace the first one and any descendants it may have. >> >> Bitcoin Core RBF policy was previously documented as BIP 125. >> The current RBF policy is documented [here][1]. In summary: >> >> 1. The directly conflicting transactions all signal replaceability >> explicitly. >> >> 2. The replacement transaction only includes an unconfirmed input if >> that input was included in one of the directly conflicting >> transactions. >> >> 3. The replacement transaction pays an absolute fee of at least the >> sum paid by the original transactions. >> >> 4. The additional fees pays for the replacement transaction's >> bandwidth at or above the rate set by the node's *incremental relay >> feerate*. >> >> 5. The sum of all directly conflicting transactions' descendant counts >> (number of transactions inclusive of itself and its descendants) >> does not exceed 100. >> >> We can split these rules into 3 categories/goals: >> >> - **Allow Opting Out**: Some applications/businesses are unable to >> handle transactions that are replaceable (e.g. merchants that use >> zero-confirmation transactions). We (try to) help these businesses by >> honoring BIP125 signaling; we won't replace transactions that have not >> opted in. >> >> - **Incentive Compatibility**: Ensure that our RBF policy would not >> accept replacement transactions which would decrease fee profits >> of a miner. In general, if our mempool policy deviates from what is >> economically rational, it's likely that the transactions in our >> mempool will not match the ones in miners' mempools, making our >> fee estimation, compact block relay, and other mempool-dependent >> functions unreliable. Incentive-incompatible policy may also >> encourage transaction submission through routes other than the p2p >> network, harming censorship-resistance and privacy of Bitcoin payments. >> >> - **DoS Protection**: Limit two types of DoS attacks on the node's >> mempool: (1) the number of times a transaction can be replaced and >> (2) the volume of transactions that can be evicted during a >> replacement. >> >> Even more abstract: our goal is to make a replacement policy that >> results in a useful interface for users and safe policy for >> node operators. >> >> ## Motivation >> >> There are a number of known problems with the current RBF policy. >> Many of these shortcomings exist due to mempool limitations at the >> time RBF was implemented or result from new types of Bitcoin usage; >> they are not criticisms of the original design. >> >> ### Pinning Attacks >> >> The most pressing concern is that attackers may take advantage of >> limitations in RBF policy to prevent other users' transactions from >> being mined or getting accepted as a replacement. >> >> #### SIGHASH_ANYONECANPAY Pinning >> >> BIP125#2 can be bypassed by creating intermediary transactions to be >> replaced together. Anyone can simply split a 1-input 1-output >> transaction off from the replacement transaction, then broadcast the >> transaction as is. This can always be done, and quite cheaply. More >> details in [this comment][2]. >> >> In general, if a transaction is signed with SIGHASH\_ANYONECANPAY, >> anybody can just attach a low feerate parent to this transaction and >> lower its ancestor feerate. Even if you require SIGHASH\_ALL which >> prevents an attacker from changing any outputs, the input can be a >> very low amount (e.g. just above the dust limit) from a low-fee >> ancestor and still bring down the ancestor feerate of the transaction. >> >> TLDR: if your transaction is signed with SIGHASH\_ANYONECANPAY and >> signals replaceability, regardless of the feerate you broadcast at, an >> attacker can lower its mining priority by adding an ancestor. >> >> #### Absolute Fee >> >> The restriction of requiring replacement transactions to increase the >> absolute fee of the mempool has been described as "bonkers." If the >> original transaction has a very large descendant that pays a large >> amount of fees, even if it has a low feerate, the replacement >> transaction must now pay those fees in order to meet Rule #3. >> >> #### Package RBF >> >> There are a number of reasons why, in order to enable Package RBF, we >> cannot use the same criteria. >> >> For starters, the absolute fee pinning attack is especially >> problematic if we apply the same rules (i.e. Rule #3 and #4) in >> Package RBF. Imagine that Alice (honest) and Bob (adversary) share a >> LN channel. The mempool is rather full, so their pre-negotiated >> commitment transactions' feerates would not be considered high >> priority by miners. Bob broadcasts his commitment transaction and >> attaches a very large child (100KvB with 100,000sat in fees) to his >> anchor output. Alice broadcasts her commitment transaction with a >> fee-bumping child (200vB with 50,000sat fees which is a generous >> 250sat/vB), but this does not meet the absolute fee requirement. She >> would need to add another 50,000sat to replace Bob's commitment >> transaction. >> >> Disallowing new unconfirmed inputs (Rule #2) in Package RBF would be >> broken for packages containing transactions already in the mempool, >> explained [here][7]. >> >> Note: I originally [proposed][6] Package RBF using the same Rule #3 >> and #4 before I realized how significant this pinning attack is. I'm >> retracting that proposal, and a new set of Package RBF rules would >> follow from whatever the new individual RBF rules end up being. >> >> #### Same Txid Different Witness >> >> Two transactions with the same non-witness data but different >> witnesses have the same txid but different wtxid, and the same fee but >> not necessarily the same feerate. Currently, if we see a transaction >> that has the same txid as one in the mempool, we reject it as a >> duplicate, even if the feerate is much higher. It's unclear to me if >> we have a very strong reason to change this, but noting it as a >> limitation of our current replacement policy. See [#24007][12]. >> >> ### User Interface >> >> #### Using Unconfirmed UTXOs to Fund Replacements >> >> The restriction of only allowing confirmed UTXOs for funding a >> fee-bump (Rule #2) can hurt users trying to fee-bump their >> transactions and complicate wallet implementations. If the original >> transaction's output value isn't sufficient to fund a fee-bump and/or >> all of the user's other UTXOs are unconfirmed, they might not be able >> to fund a replacement transaction. Wallet developers also need to >> treat self-owned unconfirmed UTXOs as unusable for fee-bumping, which >> adds complexity to wallet logic. For example, see BDK issues [#144][4] >> and [#414][5]. >> >> #### Interface Not Suitable for Coin Selection >> >> Currently, a user cannot simply create a replacement transaction >> targeting a specific feerate or meeting a minimum fee amount and >> expect to meet the RBF criteria. The fee amount depends on the size of >> the replacement transaction, and feerate is almost irrelevant. >> >> Bitcoin Core's `bumpfee` doesn't use the RBF rules when funding the >> replacement. It [estimates][13] a feerate which is "wallet incremental >> relay fee" (a conservative overestimation of the node's incremental >> relay fee) higher than the original transaction, selects coins for >> that feerate, and hopes that it meets the RBF rules. It never fails >> Rule #3 and #4 because it uses all original inputs and refuses to >> bump a transaction with mempool descendants. >> >> This is suboptimal, but is designed to work with the coin selection >> engine: select a feerate first, and then add fees to cover it. >> Following the exact RBF rules would require working the other way >> around: based on how much fees we've added to the transaction and its >> current size, calculate the feerate to see if we meet Rule #4. >> >> While this isn't completely broken, and the user interface is >> secondary to the safety of the mempool policy, we can do much better. >> A much more user-friendly interface would depend *only* on the >> fee and size of the original transactions. >> >> ### Updates to Mempool and Mining >> >> Since RBF was first implemented, a number of improvements have been >> made to mempool and mining logic. For example, we now use ancestor >> feerates in mining (allowing CPFP), and keep track of ancestor >> packages in the mempool. >> >> ## Ideas for Improvements >> >> ### Goals >> >> To summarize, these seem to be desired changes, in order of priority: >> >> 1. Remove Rule #3. The replacement should not be *required* to pay >> higher absolute fees. >> >> 2. Make it impossible for a replacement transaction to have a lower >> mining score than the original transaction(s). This would eliminate >> the `SIGHASH\_ANYONECANPAY` pinning attack. >> >> 3. Remove Rule #2. Adding new unconfirmed inputs should be allowed. >> >> 4. Create a more helpful interface that helps wallet fund replacement >> transactions that aim for a feerate and fee. >> >> ### A Different Model for Fees >> >> For incentive compatibility, I believe there are different >> formulations we should consider. Most importantly, if we want to get >> rid of the absolute fee rule, we can no longer think of it as "the >> transaction needs to pay for its own bandwidth," since we won't always >> be getting additional fees. That means we need a new method of >> rate-limiting replacements that doesn't require additional fees every >> time. >> >> While it makes sense to think about monetary costs when launching a >> specific type of attack, given that the fees are paid to the miner and >> not to the mempool operators, maybe it doesn't make much sense to >> think about "paying for bandwidth". Maybe we should implement >> transaction validation rate-limiting differently, e.g. building it >> into the P2P layer instead of the mempool policy layer. >> >> Recently, Suhas gave a [formulation][8] for incentive compatibility >> that made sense to me: "are the fees expected to be paid in the next >> (N?) blocks higher or lower if we process this transaction?" >> >> I started by thinking about this where N=3D1 or `1 + p`. >> Here, a rational miner is looking at what fees they would >> collect in the next block, and then some proportion `p` of the rest of >> the blocks based on their hashrate. We're assuming `p` isn't *so high* >> that they would be okay with lower absolute fees in the next 1 block. >> We're also assuming `p` isn't *so low* that the miner doesn't care >> about what's left of the mempool after this block. >> >> A tweak to this formulation is "if we process this transaction, would >> the fees in the next 1 block higher or lower, and is the feerate >> density of the rest of the mempool higher or lower?" This is pretty >> similar, where N=3D1, but we consider the rest of the mempool by feerate >> rather than fees. >> >> ### Mining Score of a Mempool Transaction >> >> We are often interested in finding out what >> the "mining score" of a transaction in the mempool is. That is, when >> the transaction is considered in block template building, what is the >> feerate it is considered at? >> >> Obviously, it's not the transaction's individual feerate. Bitcoin Core >> [mining code sorts][14] transactions by their ancestor feerate and >> includes them packages at a time, keeping track of how this affects the >> package feerates of remaining transactions in the mempool. >> >> *ancestor feerate*: Ancestor feerate is easily accessible information, >> but it's not accurate either, because it doesn't take into account the >> fact that subsets of a transaction's ancestor set can be included >> without it. For example, ancestors may have high feerates on their own >> or we may have [high feerate siblings][8]. >> >> TLDR: *Looking at the current ancestor feerate of a transaction is >> insufficient to tell us what feerate it will be considered at when >> building a block template in the future.* >> >> *min(individual feerate, ancestor feerate)*: Another >> heuristic that is simple to calculate based on current mempool tooling >> is to use the [minimum of a transaction's individual score and its >> ancestor score][10] as a conservative measure. But this can >> overestimate as well (see the example below). >> >> *min ancestor feerate(tx + possible ancestor subsets)* We can also >> take the minimum of every possible ancestor subset, but this can be >> computationally expensive since there can be lots and lots of ancestor >> subsets. >> >> *max ancestor feerate(tx + possible descendant subsets)*: Another idea >> is to use the [maximum ancestor score of the transaction + each of its >> descendants][9]. This doesn't work either; it has the same blindspot >> of ancestor subsets being mined on their own. >> >> #### Mining Score Example >> >> Here's an example illustrating why mining score is tricky to >> efficiently calculate for mempool transactions: >> >> Let's say you have same-size transactions A (21sat/vB), B (1sat/vB), >> C(9sat/vB), D(5sat/vB). >> The layout is: grandparent A, parent B, and two children C and D. >> >> ``` >> A >> ^ >> B >> ^ ^ >> C D >> ``` >> >> A miner using ancestor packages to build block templates will first >> include A with a mining score of 21. Next, the miner will include B and >> C with a mining score of 6. This leaves D, with a mining score of 5. >> >> Note: in this case, mining by ancestor feerate results in the most >> rational decisions, but [a candidate set-based approach][10] which >> makes ancestor feerate much less relevant could >> be more advantageous in other situations. >> >> Here is a chart showing the "true" mining score alongside the values >> calculating using imperfect heuristics described above. All of them >> can overestimate or underestimate. >> >> ``` >> A B C D >> mining score | 21 | 6 | 6 | 5 | >> ancestor feerate | 21 | 11 | 10.3 | 9 | >> min(individual, ancestor) | 21 | 1 | 9 | 5 | >> min(tx + ancestor subsets) | 21 | 1 | 5 | 3 | >> max(tx + descendants subsets) | 21 | 9 | 9 | 5 | >> >> ``` >> >> Possibly the best solution for finding the "mining score" of a >> transaction is to build a block template, see what feerate each >> package is included at. Perhaps at some cutoff, remaining mempool >> transactions can be estimated using some heuristic that leans >> {overestimating, underestimating} depending on the situation. >> >> Mining score seems to be relevant in multiple places: Murch and I >> recently [found][3] that it would be very important in >> "ancestor-aware" funding of transactions (the wallet doesn't >> incorporate ancestor fees when using unconfirmed transactions in coin >> selection, which is a bug we want to fix). >> >> In general, it would be nice to know the exact mining priority of >> one's unconfirmed transaction is. I can think of a few block/mempool >> explorers who might want to display this information for users. >> >> ### RBF Improvement Proposals >> >> After speaking to quite a few people, here are some suggestions >> for improvements that I have heard: >> >> * The ancestor score of the replacement must be {5, 10, N}% higher >> than that of every original transaction. >> >> * The ancestor score of the replacement must be 1sat/vB higher than >> that of every original transaction. >> >> * If the original transaction is in the top {0.75MvB, 1MvB} of the >> mempool, apply the current rules (absolute fees must increase and >> pay for the replacement transaction's new bandwidth). Otherwise, use a >> feerate-only rule. >> >> * If fees don't increase, the size of the replacement transaction must >> decrease by at least N%. >> >> * Rate-limit how many replacements we allow per prevout. >> >> * Rate-limit transaction validation in general, per peer. >> >> Perhaps some others on the mailing list can chime in to throw other >> ideas into the ring and/or combine some of these rules into a sensible >> policy. >> >> #### Replace by Feerate Only >> >> I don't think there's going to be a single-line feerate-based >> rule that can incorporate everything we need. >> On one hand, a feerate-only approach helps eliminate the issues >> associated with Rule #3. On the other hand, I believe the main concern >> with a feerate-only approach is how to rate limit replacements. We >> don't want to enable an attack such as: >> >> 1. Attacker broadcasts large, low-feerate transaction, and attaches a >> chain of descendants. >> >> 2. The attacker replaces the transaction with a smaller but higher >> feerate transaction, attaching a new chain of descendants. >> >> 3. Repeat 1000 times. >> >> #### Fees in Next Block and Feerate for the Rest of the Mempool >> >> Perhaps we can look at replacements like this: >> >> 1. Calculate the directly conflicting transactions and, with their >> descendants, the original transactions. Check signaling. Limit the >> total volume (e.g. can't be more than 100 total or 1MvB or something). >> >> 2. Find which original transactions would be in the next ~1 block. The >> replacement must pay at least this amount + X% in absolute fees. This >> guarantees that the fees of the next block doesn't decrease. >> >> 3. Find which transactions would be left in the mempool after that ~1 >> block. The replacement's feerate must be Y% higher than the maximum >> mining score of these transactions. This guarantees that you now have >> only *better* candidates in your after-this-block mempool than you did >> before, even if the size and fees the transactions decrease. >> >> 4. Now you have two numbers: a minimum absolute fee amount and a >> minimum feerate. Check to see if the replacement(s) meet these >> minimums. Also, a wallet would be able to ask the node "What fee and >> feerate would I need to put on a transaction replacing this?" and use >> this information to fund a replacement transaction, without needing to >> guess or overshoot. >> >> Obviously, there are some magic numbers missing here. X and Y are >> TBD constants to ensure we have some kind of rate limiting for the >> number of replacements allowed using some set of fees. >> >> What should they be? We can do some arithmetic to see what happens if >> you start with the biggest/lowest feerate transaction and do a bunch >> of replacements. Maybe we end up with values that are high enough to >> prevent abuse and make sense for applications/users that do RBF. >> >> ### Mempool Changes Need for Implementation >> >> As described in the mining score section above, >> we may want additional tooling to more accurately assess >> the economic gain of replacing transactions in our mempool. >> >> A few options have been discussed: >> >> * Calculate block templates on the fly when we need to consider a >> replacement. However, since replacements are [quite common][11] >> and the information might be useful for other things as well, >> it may be worth it to cache a block template. >> >> * Keep a persistent block template so that we know what transactions >> we would put in the next block. We need to remember the feerate >> at which each transaction was included in the template, because an >> ancestor package may be included in the same block template in >> multiple subsets. Transactions included earlier alter the ancestor >> feerate of the remaining transactions in the package. We also need >> to keep track of the new feerates of transactions left over. >> >> * Divide the mempool into two layers, "high feerate" and "low >> feerate." The high feerate layer contains ~1 block of packages with >> the highest ancestor feerates, and the low feerate layer contains >> everything else. At the edge of a block, we have a Knapsacky problem >> where the next highest ancestor feerate package might not fit, so we >> would probably want the high feerate layer ~2MvB or something to avoid >> underestimating the fees. >> >> ## Acknowledgements >> >> Thank you to everyone whose RBF-related suggestions, grievances, >> criticisms and ideas were incorporated in this document: >> Andrew Chow, Matt Corallo, Suhas Daftuar, Christian Decker, >> Mark Erhardt, Lloyd Fournier, Lisa Neigut, John Newbery, >> Antoine Poinsot, Antoine Riard, Larry Ruane, >> S3RK and Bastien Teinturier. >> >> Thanks for reading! >> >> Best, >> Gloria >> >> [1]: >> https://github.com/bitcoin/bitcoin/blob/master/doc/policy/mempool-replac= ements.md >> [2]: https://github.com/bitcoin/bitcoin/pull/23121#issuecomment-92947599= 9 >> [3]: >> https://github.com/Xekyo/bitcoin/commit/d754b0242ec69d42c570418aebf9c133= 5af0b8ea >> [4]: https://github.com/bitcoindevkit/bdk/issues/144 >> [5]: https://github.com/bitcoindevkit/bdk/issues/414 >> [6]: >> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-September/0= 19464.html >> [7]: >> https://gist.github.com/glozow/dc4e9d5c5b14ade7cdfac40f43adb18a#new-unco= nfirmed-inputs-rule-2 >> [8]: https://github.com/bitcoin/bitcoin/pull/23121#discussion_r777131366 >> [9]: https://github.com/bitcoin/bitcoin/pull/22290#issuecomment-86588792= 2 >> [10]: >> https://gist.github.com/Xekyo/5cb413fe9f26dbce57abfd344ebbfaf2#file-cand= idate-set-based-block-building-md >> [11]: >> https://github.com/bitcoin/bitcoin/pull/22539#issuecomment-885763670 >> [12]: https://github.com/bitcoin/bitcoin/pull/24007 >> [13]: >> https://github.com/bitcoin/bitcoin/blob/1a369f006fd0bec373b95001ed84b480= e852f191/src/wallet/feebumper.cpp#L114 >> [14]: >> https://github.com/bitcoin/bitcoin/blob/cf5bb048e80d4cde8828787b266b7f5f= 2e3b6d7b/src/node/miner.cpp#L310-L320 >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000008240c605d6e2d9c0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Gloria,

Many thanks for raising awareness on the= se issues and constantly pushing
towards finding a better model. This wo= rk will highly improve the
security of any multi-party contract trying t= o build on top of bitcoin
(because most multi-party contracts will need = to have timeout conditions
and participants will need to make some trans= actions confirm before a
timeout happens - otherwise they may lose funds= ).

For starters, let me quickly explain why the current rules are ha= rd to
work with in the context of lightning (but I believe most L2 proto= cols
will have the same issues). Feel free to skip this part if you are<= br>already convinced.

## Motivation

The biggest pain point is= BIP 125 rule 2.
If I need to increase the fees of a time-sensitive tran= saction because
the feerate has been rising since I broadcast it, I may = need to also pay
high fees just to produce a confirmed utxo that I can u= se. I'm actually
paying a high fee twice instead of once (and needle= ssly using on-chain
space, our scarcest asset, because we could have avo= ided that additional
transaction!).

It also has some annoying &qu= ot;non-determinism".
Imagine that my transaction has been evicted f= rom my mempool because its
feerate was too low. I could think "Grea= t, that means I don't have to
apply BIP 125 restrictions, I can just= fund this transaction as if it
were a new one!". But actually I do= , because my transaction could still
be in miner's mempools and I ha= ve no way of knowing it...this means that
whenever I have broadcast a tr= ansaction, I must assume that I will
always need to abide by whatever re= placement rules the network applies.

Fortunately, as far as I unders= tand it, this rule only exists because of
a previous implementation deta= il of bitcoin core, so there's simply no
good reason to keep it.
=
The second biggest pain point is rule 3. It prevents me from efficientl= y
using my capital while it's unconfirmed. Whenever I'm using a = big utxo
to fund a transaction, I will get a big change output, and it w= ould
really be a waste to be unable to use that change output to fund ot= her
transactions. In order to be capital-efficient, I will end up creati= ng
descendant trees for my time-sensitive transactions. But as Gloriaexplained, replacing all my children will cost me an absurdly large
amo= unt of fees. So what I'm actually planning to do instead is to RBF
o= ne of the descendants high enough to get the whole tree confirmed.
But i= f those descendants' timeouts were far in the future, that's a
w= aste, I paid a lot more fees for them than I should have. I'd like tojust replace my transaction and republish the invalidated children
ind= ependently.

Rule 4 doesn't hurt as much as the two previous ones= , I don't have too
much to say about it.

To be fair to the BI= P 125 authors, all of these scenarios were very hard
to forecast at the = time this BIP was created. We needed years to build
on those rules to ge= t a better understanding of their limitations and if
the rationale behin= d them made sense in the long term.

## Proposals

I believe th= at now is a good time to re-think those, and I really like
Gloria's = categorization of the design constraints.

I'd like to propose a = different way of looking at descendants that makes
it easier to design t= he new rules. The way I understand it, limiting the
impact on descendant= transactions is only important for DoS protection,
not for incentive co= mpatibility. I would argue that after evictions,
descendant transactions= will be submitted again (because they represent
transactions that peopl= e actually want to make), so evicting them does
not have a negative impa= ct on mining incentives (in a world where blocks
are full most of the ti= me).

I'm curious to hear other people's thoughts on that. If= it makes sense,
I would propose the following very simple rules:
1. The transaction's ancestor absolute fees must be X% higher than the=
previous transaction's ancestor fees
2. The transaction's an= cestor feerate must be Y% higher than the
previous transaction's anc= estor feerate

I believe it's completely ok to require increasing= both the fees and
feerate if we don't take descendants into account= , because you control
your ancestor set - whereas the descendant set may= be completely out of
your control.

This is very easy to use by w= allets, because the ancestor set is easy to
obtain. And an important poi= nt is that the ancestor set is the same in
every mempool, whereas the de= scendant set is not (your mempool may have
rejected the last descendants= , while other people's mempools may still
contain them).

Beca= use of that reason, I'd like to avoid having a rule that relies on
s= ome size of the replaced descendant set: it may be valid in your
mempool= but invalid in someone else's, which makes it exploitable for
pinni= ng attacks.

I believe these rules are incentive compatible (again, i= f you accept
the fact that the descendants will be re-submitted and mine= d as well,
so their fees aren't lost).

Can we choose X and Y = so that these two rules are also DoS-resistant?
Unfortunately I'm no= t sure, so maybe we'll need to add a third rule to
address that. But= before we do, can someone detail what it costs for a
node to evict a de= scendant tree? Given that bitcoin core doesn't allow
chains of more = than 25 transactions, the maximum number of transactions
being replaced = will be bounded by 25 * N (where N is the number of
outputs of the trans= action being replaced). If it's just O(n) pruning of
a graph, maybe = that's ok? Or maybe we make X or Y depend on the number
of outputs o= f the transaction being replaced (this would need very
careful thoughts)= ?

If you made it this far, thanks for reading!
A couple of commen= ts on the previous messages:

> Currently, if we see a transaction=
> that has the same txid as one in the mempool, we reject it as a> duplicate, even if the feerate is much higher. It's unclear to me= if
> we have a very strong reason to change this, but noting it as a=
> limitation of our current replacement policy.

I don't s= ee a strong reason from an L2 protocol's point of view yet, but
ther= e are many unkown unknowns. But from a miner incentive's point of
vi= ew, we should keep the transaction with the higher feerate, shouldn'twe? In that case it's also a more efficient use of on-chain space, wh= ich
is a win, right?

> We might have a more-or-less long trans= ition period during which we support both...

Yes, this is a long ter= m thing.
Even if bitcoin core releases a new version with updated RBF ru= les, as a
wallet you'll need to keep using the old rules for a long = time if you
want to be safe.

But it's all the more reason t= o try to ship this as soon as possible,
this way maybe our grand-childre= n will be able to benefit from it ;)
(just kidding on the timespan obvio= usly).

Cheers,
Bastien

Le=C2=A0lun. 31 janv. 2022 =C3= =A0=C2=A000:11, Antoine Riard via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org&g= t; a =C3=A9crit=C2=A0:
Hi Gloria,

Thanks for this RBF sum up. = Few thoughts and more context comments if it can help other readers.
> For starters, the absolute fee pinning attack is especially
> p= roblematic if we apply the same rules (i.e. Rule #3 and #4) in
> Pack= age RBF. Imagine that Alice (honest) and Bob (adversary) share a
> LN= channel. The mempool is rather full, so their pre-negotiated
> commi= tment transactions' feerates would not be considered high
> prior= ity by miners.=C2=A0 Bob broadcasts his commitment transaction and
> = attaches a very large child (100KvB with 100,000sat in fees) to his
>= anchor output. Alice broadcasts her commitment transaction with a
> = fee-bumping child (200vB with 50,000sat fees which is a generous
> 25= 0sat/vB), but this does not meet the absolute fee requirement. She
> = would need to add another 50,000sat to replace Bob's commitment
>= transaction.

Solving LN pinning attacks, what we're aiming for = is enabling a fair feerate bid between the=C2=A0 counterparties, thus eithe= r forcing the adversary to overbid or to disengage from the confirmation co= mpetition. If the replace-by-feerate rule is adopted, there shouldn't b= e an incentive for Bob to
pick up the first option. Though if he does, t= hat's a winning outcome for Alice, as one of the commitment transaction= s confirms and her time-sensitive second-stage HTLC can be subsequently con= firmed.

> It's unclear to me if
> we have a very strong= reason to change this, but noting it as a
> limitation of our curren= t replacement policy. See [#24007][12].

Deployment of Taproot opens = interesting possibilities in the vaults/payment channels design space, wher= e the tapscripts can commit to different set of timelocks/quorum of keys. E= ven if the pre-signed states stay symmetric, whoever is the publisher, the = feerate cost to spend can fluctuate.

> While this isn't compl= etely broken, and the user interface is
> secondary to the safety of = the mempool policy

I think with L2s transaction broadcast backend, t= he stability and clarity of the RBF user interface is primary. What we coul= d be worried about is a too-much complex interface easing the way for an at= tacker to trigger your L2 node to issue policy-invalid chain of transaction= s. Especially, when we consider that an attacker might have leverage on cha= in of transactions composition ("force broadcast of commitment A then = commitment B, knowing they will share a CPFP") or even transactions si= ze ("overload commitment A with HTLCs").

> * If the ori= ginal transaction is in the top {0.75MvB, 1MvB} of the
> =C2=A0 mempo= ol, apply the current rules (absolute fees must increase and
> pay fo= r the replacement transaction's new bandwidth). Otherwise, use a
>= ; feerate-only rule.

How this new replacement rule would behave if y= ou have a parent in the "replace-by-feerate" half but the child i= s in the "replace-by-fee" one ?

If we allow the replacemen= t of the parent based on the feerate, we might decrease the top block absol= ute fees.

If we block the replacement of the parent based on the fee= rate because the replacement absolute fees aren't above the replaced pa= ckage, we still preclude a pinning vector. The child might be low-feerate j= unk and even attached to a low ancestor-score branch.

If I'm cor= rect on this limitation, maybe we could turn off the "replace-by-fee&q= uot; behavior as soon as the mempool is fulfilled with a few blocks ?
> * Rate-limit how many replacements we allow per prevout.

Depe= nding on how it is implemented, though I would be concerned it introduces a= new pinning vector in the context of shared-utxo. If it's a hardcoded = constant, it could be exhausted by an adversary starting at the lowest acce= ptable feerate then slowly increasing while still not reaching
the top o= f the mempool. Same if it's time-based or block-based, no guarantee the= replacement slot is honestly used by your counterparty.

Further, an= above-the-average replacement frequency might just be the reflection of yo= ur confirmation strategy reacting to block schedule or mempools historical = data. As long as the feerate penalty is paid, I lean to allow replacement.<= br>
(One solution could be to associate per-user "tag" t= o the LN transactions, where each "tag" would have its own replac= ement slots, but privacy?)

> * Rate-limit transaction valida= tion in general, per peer.

I think we could improve on the Core'= s new transaction requester logic. Maybe we could bind the peer announced f= low based on the feerate score (modulo validation time) of the previously v= alidated transactions from that peer ? That said, while related to RBF, it = sounds to me that enhancing Core's rate-limiting transaction strategy i= s a whole discussion in itself [0]. Especially ensuring it's tolerant t= o the specific requirements of LN & consorts.

> What should t= hey be? We can do some arithmetic to see what happens if
> you start = with the biggest/lowest feerate transaction and do a bunch
> of repla= cements. Maybe we end up with values that are high enough to
> preven= t abuse and make sense for applications/users that do RBF.

That'= s a good question.

One observation is that the attacker can always = renew the set of DoSy utxos to pursue the attack. So maybe we could pick up= constants scaled on the block size ? That way an attacker would have to bu= rn fees, thus deterring them from launching an attack. Even if the attacker= s are miners, they have to renounce their income to acquire new DoSy utxos.= If a low-fee period, we could scale up the constants ?


Overall,= I think there is the deployment issue to warn of. Moving to a new set of R= BF rules implies for a lot of Bitcoin applications to rewrite their RBF log= ics. We might have a more-or-less long transition period during which we su= pport both...

Cheers,
Antoine

[0] https://github.com/bitc= oin/bitcoin/pull/21224

Le=C2=A0jeu. 27 janv. 2022 =C3=A0=C2=A0= 09:10, Gloria Zhao via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.or= g> a =C3=A9crit=C2=A0:
Hi everyone,

This post discusses limi= tations of current Bitcoin Core RBF policy and
attempts to start a conve= rsation about how we can improve it,
summarizing some ideas that have be= en discussed. Please reply if you
have any new input on issues to be sol= ved and ideas for improvement!

Just in case I've screwed up the = text wrapping again, another copy can be
found here: = https://gist.github.com/glozow/25d9662c52453bd08b4b4b1d3783b9ff

= ## Background

Please feel free to skip this section if you are alrea= dy familiar
with RBF.

Nodes may receive *conflicting* unconfirmed= transactions, aka
"double spends" of the same inputs. Instead= of always keeping the
first transaction, since v0.12, Bitcoin Core memp= ool policy has
included a set of Replace-by-Fee (RBF) criteria that allo= ws the second
transaction to replace the first one and any descendants i= t may have.

Bitcoin Core RBF policy was previously documented as BIP= 125.
The current RBF policy is documented [here][1]. In summary:
1. The directly conflicting transactions all signal replaceability
=C2= =A0 =C2=A0explicitly.

2. The replacement transaction only includes a= n unconfirmed input if
=C2=A0 =C2=A0that input was included in one of th= e directly conflicting
transactions.

3. The replacement transacti= on pays an absolute fee of at least the
=C2=A0 =C2=A0sum paid by the ori= ginal transactions.

4. The additional fees pays for the replacement = transaction's
=C2=A0 =C2=A0bandwidth at or above the rate set by the= node's *incremental relay
feerate*.

5. The sum of all direct= ly conflicting transactions' descendant counts
=C2=A0 =C2=A0(number = of transactions inclusive of itself and its descendants)
does not exceed= 100.

We can split these rules into 3 categories/goals:

- **A= llow Opting Out**: Some applications/businesses are unable to
=C2=A0 han= dle transactions that are replaceable (e.g. merchants that use
zero-conf= irmation transactions). We (try to) help these businesses by
honoring BI= P125 signaling; we won't replace transactions that have not
opted in= .

- **Incentive Compatibility**: Ensure that our RBF policy would no= t
=C2=A0 accept replacement transactions which would decrease fee profit= s
=C2=A0 of a miner. In general, if our mempool policy deviates from wha= t is
economically rational, it's likely that the transactions in our=
mempool will not match the ones in miners' mempools, making our
= fee estimation, compact block relay, and other mempool-dependent
functio= ns unreliable. Incentive-incompatible policy may also
encourage transact= ion submission through routes other than the p2p
network, harming censor= ship-resistance and privacy of Bitcoin payments.

- **DoS Protection*= *: Limit two types of DoS attacks on the node's
=C2=A0 mempool: (1) = the number of times a transaction can be replaced and
(2) the volume of = transactions that can be evicted during a
replacement.

Even more = abstract: our goal is to make a replacement policy that
results in a use= ful interface for users and safe policy for
node operators.

## Mo= tivation

There are a number of known problems with the current RBF p= olicy.
Many of these shortcomings exist due to mempool limitations at th= e
time RBF was implemented or result from new types of Bitcoin usage;they are not criticisms of the original design.

### Pinning Attacks=

The most pressing concern is that attackers may take advantage oflimitations in RBF policy to prevent other users' transactions frombeing mined or getting accepted as a replacement.

#### SIGHASH_ANY= ONECANPAY Pinning

BIP125#2 can be bypassed by creating intermediary = transactions to be
replaced together. Anyone can simply split a 1-input = 1-output
transaction off from the replacement transaction, then broadcas= t the
transaction as is. This can always be done, and quite cheaply. Mor= e
details in [this comment][2].

In general, if a transaction is s= igned with SIGHASH\_ANYONECANPAY,
anybody can just attach a low feerate = parent to this transaction and
lower its ancestor feerate.=C2=A0 Even if= you require SIGHASH\_ALL which
prevents an attacker from changing any o= utputs, the input can be a
very low amount (e.g. just above the dust lim= it) from a low-fee
ancestor and still bring down the ancestor feerate of= the transaction.

TLDR: if your transaction is signed with SIGHASH\_= ANYONECANPAY and
signals replaceability, regardless of the feerate you b= roadcast at, an
attacker can lower its mining priority by adding an ance= stor.

#### Absolute Fee

The restriction of requiring replacem= ent transactions to increase the
absolute fee of the mempool has been de= scribed as "bonkers." If the
original transaction has a very l= arge descendant that pays a large
amount of fees, even if it has a low f= eerate, the replacement
transaction must now pay those fees in order to = meet Rule #3.

#### Package RBF

There are a number of reasons = why, in order to enable Package RBF, we
cannot use the same criteria.
For starters, the absolute fee pinning attack is especially
problem= atic if we apply the same rules (i.e. Rule #3 and #4) in
Package RBF. Im= agine that Alice (honest) and Bob (adversary) share a
LN channel. The me= mpool is rather full, so their pre-negotiated
commitment transactions= 9; feerates would not be considered high
priority by miners.=C2=A0 Bob b= roadcasts his commitment transaction and
attaches a very large child (10= 0KvB with 100,000sat in fees) to his
anchor output. Alice broadcasts her= commitment transaction with a
fee-bumping child (200vB with 50,000sat f= ees which is a generous
250sat/vB), but this does not meet the absolute = fee requirement. She
would need to add another 50,000sat to replace Bob&= #39;s commitment
transaction.

Disallowing new unconfirmed inputs = (Rule #2) in Package RBF would be
broken for packages containing transac= tions already in the mempool,
explained [here][7].

Note: I origin= ally [proposed][6] Package RBF using the same Rule #3
and #4 before I re= alized how significant this pinning attack is. I'm
retracting that p= roposal, and a new set of Package RBF rules would
follow from whatever t= he new individual RBF rules end up being.

#### Same Txid Different W= itness

Two transactions with the same non-witness data but different=
witnesses have the same txid but different wtxid, and the same fee but<= br>not necessarily the same feerate. Currently, if we see a transaction
= that has the same txid as one in the mempool, we reject it as a
duplicat= e, even if the feerate is much higher. It's unclear to me if
we have= a very strong reason to change this, but noting it as a
limitation of o= ur current replacement policy. See [#24007][12].

### User Interface<= br>
#### Using Unconfirmed UTXOs to Fund Replacements

The restric= tion of only allowing confirmed UTXOs for funding a
fee-bump (Rule #2) c= an hurt users trying to fee-bump their
transactions and complicate walle= t implementations. If the original
transaction's output value isn= 9;t sufficient to fund a fee-bump and/or
all of the user's other UTX= Os are unconfirmed, they might not be able
to fund a replacement transac= tion. Wallet developers also need to
treat self-owned unconfirmed UTXOs = as unusable for fee-bumping, which
adds complexity to wallet logic. For = example, see BDK issues [#144][4]
and [#414][5].

#### Interface N= ot Suitable for Coin Selection

Currently, a user cannot simply creat= e a replacement transaction
targeting a specific feerate or meeting a mi= nimum fee amount and
expect to meet the RBF criteria. The fee amount dep= ends on the size of
the replacement transaction, and feerate is almost i= rrelevant.

Bitcoin Core's `bumpfee` doesn't use the RBF rule= s when funding the
replacement. It [estimates][13] a feerate which is &q= uot;wallet incremental
relay fee" (a conservative overestimation of= the node's incremental
relay fee) higher than the original transact= ion, selects coins for
that feerate, and hopes that it meets the RBF rul= es. It never fails
Rule #3 and #4 because it uses all original inputs an= d refuses to
bump a transaction with mempool descendants.

This is= suboptimal, but is designed to work with the coin selection
engine: sel= ect a feerate first, and then add fees to cover it.
Following the exact = RBF rules would require working the other way
around: based on how much = fees we've added to the transaction and its
current size, calculate = the feerate to see if we meet Rule #4.

While this isn't complete= ly broken, and the user interface is
secondary to the safety of the memp= ool policy, we can do much better.
A much more user-friendly interface w= ould depend *only* on the
fee and size of the original transactions.
=
### Updates to Mempool and Mining

Since RBF was first implemente= d, a number of improvements have been
made to mempool and mining logic. = For example, we now use ancestor
feerates in mining (allowing CPFP), and= keep track of ancestor
packages in the mempool.

## Ideas for Imp= rovements

### Goals

To summarize, these seem to be desired ch= anges, in order of priority:

1. Remove Rule #3. The replacement shou= ld not be *required* to pay
higher absolute fees.

2. Make it impo= ssible for a replacement transaction to have a lower
mining score than t= he original transaction(s). This would eliminate
the `SIGHASH\_ANYONECAN= PAY` pinning attack.

3. Remove Rule #2. Adding new unconfirmed input= s should be allowed.

4. Create a more helpful interface that helps w= allet fund replacement
transactions that aim for a feerate and fee.
<= br>### A Different Model for Fees

For incentive compatibility, I bel= ieve there are different
formulations we should consider.=C2=A0 Most imp= ortantly, if we want to get
rid of the absolute fee rule, we can no long= er think of it as "the
transaction needs to pay for its own bandwid= th," since we won't always
be getting additional fees. That mea= ns we need a new method of
rate-limiting replacements that doesn't r= equire additional fees every
time.

While it makes sense to think = about monetary costs when launching a
specific type of attack, given tha= t the fees are paid to the miner and
not to the mempool operators, maybe= it doesn't make much sense to
think about "paying for bandwidt= h". Maybe we should implement
transaction validation rate-limiting = differently, e.g. building it
into the P2P layer instead of the mempool = policy layer.

Recently, Suhas gave a [formulation][8] for incentive = compatibility
that made sense to me: "are the fees expected to be p= aid in the next
(N?) blocks higher or lower if we process this transacti= on?"

I started by thinking about this where N=3D1 or `1 + p`.Here, a rational miner is looking at what fees they would
collect in t= he next block, and then some proportion `p` of the rest of
the blocks ba= sed on their hashrate. We're assuming `p` isn't *so high*
that t= hey would be okay with lower absolute fees in the next 1 block.
We'r= e also assuming `p` isn't *so low* that the miner doesn't care
a= bout what's left of the mempool after this block.

A tweak to thi= s formulation is "if we process this transaction, would
the fees in= the next 1 block higher or lower, and is the feerate
density of the res= t of the mempool higher or lower?" This is pretty
similar, where N= =3D1, but we consider the rest of the mempool by feerate
rather than fee= s.

### Mining Score of a Mempool Transaction

We are often int= erested in finding out what
the "mining score" of a transactio= n in the mempool is. That is, when
the transaction is considered in bloc= k template building, what is the
feerate it is considered at?

Obv= iously, it's not the transaction's individual feerate. Bitcoin Core=
[mining code sorts][14] transactions by their ancestor feerate and
i= ncludes them packages at a time, keeping track of how this affects the
p= ackage feerates of remaining transactions in the mempool.

*ancestor = feerate*: Ancestor feerate is easily accessible information,
but it'= s not accurate either, because it doesn't take into account the
fact= that subsets of a transaction's ancestor set can be included
withou= t it. For example, ancestors may have high feerates on their own
or we m= ay have [high feerate siblings][8].

TLDR: *Looking at the current an= cestor feerate of a transaction is
insufficient to tell us what feerate = it will be considered at when
building a block template in the future.*<= br>
*min(individual feerate, ancestor feerate)*: Another
heuristic th= at is simple to calculate based on current mempool tooling
is to use the= [minimum of a transaction's individual score and its
ancestor score= ][10] as a conservative measure.=C2=A0 But this can
overestimate as well= (see the example below).

*min ancestor feerate(tx + possible ances= tor subsets)* We can also
take the minimum of every possible ancestor su= bset, but this can be
computationally expensive since there can be lots = and lots of ancestor
subsets.

*max ancestor feerate(tx + possible= descendant subsets)*: Another idea
is to use the [maximum ancestor scor= e of the transaction + each of its
descendants][9]. This doesn't wor= k either; it has the same blindspot
of ancestor subsets being mined on t= heir own.

#### Mining Score Example

Here's an example ill= ustrating why mining score is tricky to
efficiently calculate for mempoo= l transactions:

Let's say you have same-size transactions A (21s= at/vB), B (1sat/vB),
C(9sat/vB), D(5sat/vB).
The layout is: grandpare= nt A, parent B, and two children C and D.

```
=C2=A0 =C2=A0 A
= =C2=A0 =C2=A0 ^
=C2=A0 =C2=A0 B
=C2=A0 =C2=A0^ ^
=C2=A0 =C2=A0C D<= br>```

A miner using ancestor packages to build block templates will= first
include A with a mining score of 21. Next, the miner will include= B and
C with a mining score of 6. This leaves D, with a mining score of= 5.

Note: in this case, mining by ancestor feerate results in the mo= st
rational decisions, but [a candidate set-based approach][10] whichmakes ancestor feerate much less relevant could
be more advantageous in= other situations.

Here is a chart showing the "true" mini= ng score alongside the values
calculating using imperfect heuristics des= cribed above. All of them
can overestimate or underestimate.

```<= br> =C2=A0 =C2=A0A =C2=A0 =C2=A0 B =C2=A0 =C2=A0 =C2=A0 C =C2=A0 =C2= =A0 D
mining score | =C2=A0 21 =C2=A0 | =C2=A0 6 =C2=A0 | =C2=A0 6 =C2= =A0 | =C2=A0 5 =C2=A0 |
ancestor feerate =C2=A0 | =C2=A0 21 =C2=A0 | = =C2=A011 =C2=A0 | 10.3 =C2=A0| =C2=A0 9 =C2=A0 |
min(individual, ancesto= r) | =C2=A0 21 =C2=A0 | =C2=A0 1 =C2=A0 | =C2=A0 9 =C2=A0 | =C2=A0 5 =C2=A0= |
min(tx + ancestor subsets) =C2=A0 =C2=A0 =C2=A0| =C2=A0 21 =C2=A0 | = =C2=A0 1 =C2=A0 | =C2=A0 5 =C2=A0 | =C2=A0 3 =C2=A0 |
max(tx + descendan= ts subsets) | =C2=A0 21 =C2=A0 | =C2=A0 9 =C2=A0 | =C2=A0 9 =C2=A0 | =C2=A0= 5 =C2=A0 |

```

Possibly the best solution for finding the &q= uot;mining score" of a
transaction is to build a block template, se= e what feerate each
package is included at. Perhaps at some cutoff, rema= ining mempool
transactions can be estimated using some heuristic that le= ans
{overestimating, underestimating} depending on the situation.
Mining score seems to be relevant in multiple places: Murch and I
recen= tly [found][3] that it would be very important in
"ancestor-aware&q= uot; funding of transactions (the wallet doesn't
incorporate ancesto= r fees when using unconfirmed transactions in coin
selection, which is a= bug we want to fix).

In general, it would be nice to know the exact= mining priority of
one's unconfirmed transaction is.=C2=A0 I can th= ink of a few block/mempool
explorers who might want to display this info= rmation for users.

### RBF Improvement Proposals

After speaki= ng to quite a few people, here are some suggestions
for improvements tha= t I have heard:

* The ancestor score of the replacement must be {5, = 10, N}% higher
=C2=A0 than that of every original transaction.

* = The ancestor score of the replacement must be 1sat/vB higher than
=C2=A0= that of every original transaction.

* If the original transaction i= s in the top {0.75MvB, 1MvB} of the
=C2=A0 mempool, apply the current ru= les (absolute fees must increase and
pay for the replacement transaction= 's new bandwidth). Otherwise, use a
feerate-only rule.

* If f= ees don't increase, the size of the replacement transaction must
=C2= =A0 decrease by at least N%.

* Rate-limit how many replacements we a= llow per prevout.

* Rate-limit transaction validation in general, pe= r peer.

Perhaps some others on the mailing list can chime in to thro= w other
ideas into the ring and/or combine some of these rules into a se= nsible
policy.

#### Replace by Feerate Only

I don't th= ink there's going to be a single-line feerate-based
rule that can in= corporate everything we need.
On one hand, a feerate-only approach helps= eliminate the issues
associated with Rule #3. On the other hand, I beli= eve the main concern
with a feerate-only approach is how to rate limit r= eplacements. We
don't want to enable an attack such as:

1. At= tacker broadcasts large, low-feerate transaction, and attaches a
chain o= f descendants.

2. The attacker replaces the transaction with a small= er but higher
feerate transaction, attaching a new chain of descendants.=

3. Repeat 1000 times.

#### Fees in Next Block and Feerate fo= r the Rest of the Mempool

Perhaps we can look at replacements like t= his:

1. Calculate the directly conflicting transactions and, with th= eir
descendants, the original transactions. Check signaling. Limit thetotal volume (e.g. can't be more than 100 total or 1MvB or something)= .

2. Find which original transactions would be in the next ~1 block.= The
replacement must pay at least this amount + X% in absolute fees. Th= is
guarantees that the fees of the next block doesn't decrease.
<= br>3. Find which transactions would be left in the mempool after that ~1block. The replacement's feerate must be Y% higher than the maximummining score of these transactions. This guarantees that you now have
o= nly *better* candidates in your after-this-block mempool than you did
be= fore, even if the size and fees the transactions decrease.

4. Now yo= u have two numbers: a minimum absolute fee amount and a
minimum feerate.= Check to see if the replacement(s) meet these
minimums. Also, a wallet = would be able to ask the node "What fee and
feerate would I need to= put on a transaction replacing this?" and use
this information to = fund a replacement transaction, without needing to
guess or overshoot.
Obviously, there are some magic numbers missing here. X and Y are
= TBD constants to ensure we have some kind of rate limiting for the
numbe= r of replacements allowed using some set of fees.

What should they b= e? We can do some arithmetic to see what happens if
you start with the b= iggest/lowest feerate transaction and do a bunch
of replacements. Maybe = we end up with values that are high enough to
prevent abuse and make sen= se for applications/users that do RBF.

### Mempool Changes Need for = Implementation

As described in the mining score section above,
we= may want additional tooling to more accurately assess
the economic gain= of replacing transactions in our mempool.

A few options have been d= iscussed:

* Calculate block templates on the fly when we need to con= sider a
=C2=A0 replacement. However, since replacements are [quite commo= n][11]
=C2=A0 and the information might be useful for other things as we= ll,
=C2=A0 it may be worth it to cache a block template.

* Keep = a persistent block template so that we know what transactions
=C2=A0 we = would put in the next block. We need to remember the feerate
at which ea= ch transaction was included in the template, because an
ancestor package= may be included in the same block template in
multiple subsets. Transac= tions included earlier alter the ancestor
feerate of the remaining trans= actions in the package. We also need
to keep track of the new feerates o= f transactions left over.

* Divide the mempool into two layers, &qu= ot;high feerate" and "low
=C2=A0 feerate." The high feera= te layer contains ~1 block of packages with
the highest ancestor feerate= s, and the low feerate layer contains
everything else. At the edge of a = block, we have a Knapsacky problem
where the next highest ancestor feera= te package might not fit, so we
would probably want the high feerate lay= er ~2MvB or something to avoid
underestimating the fees.

## Ackno= wledgements

Thank you to everyone whose RBF-related suggestions, gri= evances,
criticisms and ideas were incorporated in this document:
And= rew Chow, Matt Corallo, Suhas Daftuar, Christian Decker,
Mark Erhardt, L= loyd Fournier, Lisa Neigut, John Newbery,
Antoine Poinsot, Antoine Riard= , Larry Ruane,
S3RK and Bastien Teinturier.

Thanks for reading!

Best,
Gloria

[1]: https://github.com/bi= tcoin/bitcoin/blob/master/doc/policy/mempool-replacements.md
[2]: https://github.com/bitcoin/bitcoin/pull/23121#issueco= mment-929475999
[3]: https://git= hub.com/Xekyo/bitcoin/commit/d754b0242ec69d42c570418aebf9c1335af0b8ea[4]: https://github.com/bitcoindevkit/bdk/issues/144
[5]: = https://github.com/bitcoindevkit/bdk/issues/414
[6]: https://lists.linuxfoundation.org/pipermail/bitcoin-= dev/2021-September/019464.html
[7]: https://gist.github.com/glozow/dc4e9d5c5b14ade7cdfac40f43a= db18a#new-unconfirmed-inputs-rule-2
[8]: http= s://github.com/bitcoin/bitcoin/pull/23121#discussion_r777131366
[9]:= https://github.com/bitcoin/bitcoin/pull/22290#issu= ecomment-865887922
[10]: https://gist.github.com/Xekyo/5cb413fe9f26dbce57abfd344eb= bfaf2#file-candidate-set-based-block-building-md
[11]: https://github.com/bitcoin/bitcoin/pull/22539#issuecomment-8857= 63670
[12]: https://github.com/bitcoin/bitcoin/pull/24007
[1= 3]: https= ://github.com/bitcoin/bitcoin/blob/1a369f006fd0bec373b95001ed84b480e852f191= /src/wallet/feebumper.cpp#L114
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--0000000000008240c605d6e2d9c0--