Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 559D3C0032; Tue, 17 Oct 2023 17:10:57 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 115B741E59; Tue, 17 Oct 2023 17:10:57 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 115B741E59 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=T7vpcCRI X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.848 X-Spam-Level: X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gs5YW1C-aNiy; Tue, 17 Oct 2023 17:10:56 +0000 (UTC) Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) by smtp4.osuosl.org (Postfix) with ESMTPS id B1EC541690; Tue, 17 Oct 2023 17:10:55 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org B1EC541690 Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-9c603e235d1so151063966b.3; Tue, 17 Oct 2023 10:10:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697562654; x=1698167454; darn=lists.linuxfoundation.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=frQjBBkSsQtp4uCFoaUALtsYZe6dj6POlIRFHb3raSI=; b=T7vpcCRIzwBrcP0hzmzjEzTkyav6rA9nC3HrTu5eGu7VNqftXNjTMOW0QtBKLzaJxk YXe+K1rOHQGo0y91jsNtOxyQH7cLfSuX7vRz8n+gYQkYms2+/DhggVooIjdD/EVS0fds prJUH55l6k2UiZKq13DQDhkYaQRnIunTosaYzSJb7Vhr9TKL30ZV/Q4NTZmhpg/xnvHz /EOnnXNhNastrIIxXBM14WfqabkZBZnt+76UsB/DjmSYP2ocxTmSZ03XvQhmHkW05Hut KQtEdkCkUfHSAr4aITw+Bbzz/OuyFl2Iv7JWWs/vhN/rOyLuFiDbvBUV31ADyN6NiWtE WDqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697562654; x=1698167454; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=frQjBBkSsQtp4uCFoaUALtsYZe6dj6POlIRFHb3raSI=; b=IRZ13dwdOpzIOm6NaE++lYQ2c5dOLHbY6QQFbXXgxs1MLrAgLEyriNYxbUP+enFmFu IdUiRvr5pR6NjzyXl7973y+OpbDPOkJnBKqO8eVED7Vnua7c+VRnDtSjv/D/Izx04P+I R4NOzfjO0MGm1yOh1Bw5goBpk5ruTe2aqGJ0IdwymP01oFcQvPPclMXid8tfaMKpYFCc dtE7petUXwPabvdCqstPncSjEEVxHVkEegJ9U3BBybpcIOjQVQcMueXn1Ce+4S41HnCV WLPbqIuyCs6RflSTIaW0dZ7oDW7hiBUjfGJI9OQmDQ8Bg7thS5dpyJMVHyOzpHt/79Vu 10sQ== X-Gm-Message-State: AOJu0Yw9J2+4iG8KWoFk1UZwQ5x4BdWLzlTND4gX41IYmo7Mh/4RLOrB ZTwIFb4y6Qxu8ESd92CWnRakEhBrWpwCxBPl9bk= X-Google-Smtp-Source: AGHT+IET2S/JGhKx0uRDyDGGceRUc0fYETdFmyb8SvrUs+FLfYIH20MLeOzne4265TD7gauUuv5Gfzw1EHUTqIPMlN0= X-Received: by 2002:a17:907:6096:b0:9ae:522e:8f78 with SMTP id ht22-20020a170907609600b009ae522e8f78mr2492888ejc.74.1697562653563; Tue, 17 Oct 2023 10:10:53 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Greg Sanders Date: Tue, 17 Oct 2023 13:10:42 -0400 Message-ID: To: ZmnSCPxj , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000f31f6b0607ec9a2d" Cc: "lightning-dev\\\\\\\\@lists.linuxfoundation.org" Subject: Re: [bitcoin-dev] Batch exchange withdrawal to lightning requires covenants X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Oct 2023 17:10:57 -0000 --000000000000f31f6b0607ec9a2d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > I do not know if existing splice implementations actually perform such a check. Unless all splice implementations do this, then any kind of batched splicing is risky. As long as the implementation decides to splice again at some point when a prior splice isn't confirming, it will self-resolve once any subsequent splice is confirmed. Cheers, Greg On Tue, Oct 17, 2023 at 1:04=E2=80=AFPM ZmnSCPxj via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Good morning Bastien, > > I have not gotten around to posting it yet, but I have a write-up in my > computer with the title: > > > Batched Splicing Considered Risky > > The core of the risk is that if: > > * I have no funds right now in a channel (e.g. the LSP allowed me to have > 0 reserve, or this is a newly-singlefunded channel from the LSP to me). > * I have an old state (e.g. for a newly-singlefunded channel, it could > have been `update_fee`d, so that the initial transaction is old state). > > Then if I participate in a batched splice, I can disrupt the batched > splice by broadcasting the old state and somehow convincing miners to > confirm it before the batched splice. > > Thus, it is important for *any* batched splicing mechanism to have a > backout, where if the batched splice transaction can no longer be confirm= ed > due to some participant disrupting it by posting an old commitment > transaction, either a subset of the splice is re-created or the channels > revert back to pre-splice state (with knowledge that the post-splice stat= e > can no longer be confirmed). > > I know that current splicing tech is to run both the pre-splice and > post-splice state simultaneously until the splicing transaction is > confirmed. > However we need to *also* check if the splicing transaction *cannot* be > confirmed --- by checking if the other inputs to the splice transaction > were already consumed by transactions that have deeply confirmed, and in > that case, to drop the post-splice state and revert to the pre-splice sta= te. > I do not know if existing splice implementations actually perform such a > check. > Unless all splice implementations do this, then any kind of batched > splicing is risky. > > Regards, > ZmnSCPxj > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000f31f6b0607ec9a2d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> I do not know if existing splice implementations actu= ally perform such a check.
Unless all splice implementations do this, th= en any kind of batched splicing is risky.

As long as the= implementation decides to splice again at some point when a prior
splice isn't confirming, it will self-resolve once any subsequent spl= ice is confirmed.

Cheers,
Greg

On T= ue, Oct 17, 2023 at 1:04=E2=80=AFPM ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists.linuxfound= ation.org> wrote:
Good morning Bastien,

I have not gotten around to posting it yet, but I have a write-up in my com= puter with the title:

> Batched Splicing Considered Risky

The core of the risk is that if:

* I have no funds right now in a channel (e.g. the LSP allowed me to have 0= reserve, or this is a newly-singlefunded channel from the LSP to me).
* I have an old state (e.g. for a newly-singlefunded channel, it could have= been `update_fee`d, so that the initial transaction is old state).

Then if I participate in a batched splice, I can disrupt the batched splice= by broadcasting the old state and somehow convincing miners to confirm it = before the batched splice.

Thus, it is important for *any* batched splicing mechanism to have a backou= t, where if the batched splice transaction can no longer be confirmed due t= o some participant disrupting it by posting an old commitment transaction, = either a subset of the splice is re-created or the channels revert back to = pre-splice state (with knowledge that the post-splice state can no longer b= e confirmed).

I know that current splicing tech is to run both the pre-splice and post-sp= lice state simultaneously until the splicing transaction is confirmed.
However we need to *also* check if the splicing transaction *cannot* be con= firmed --- by checking if the other inputs to the splice transaction were a= lready consumed by transactions that have deeply confirmed, and in that cas= e, to drop the post-splice state and revert to the pre-splice state.
I do not know if existing splice implementations actually perform such a ch= eck.
Unless all splice implementations do this, then any kind of batched splicin= g is risky.

Regards,
ZmnSCPxj

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000f31f6b0607ec9a2d--