Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 5F9A6C002D for ; Fri, 21 Oct 2022 14:48:07 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 3505E60DFD for ; Fri, 21 Oct 2022 14:48:07 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 3505E60DFD Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=q6jD4sSA X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.838 X-Spam-Level: X-Spam-Status: No, score=-1.838 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gif1VZhNGvYX for ; Fri, 21 Oct 2022 14:48:05 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 94F5F60E87 Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) by smtp3.osuosl.org (Postfix) with ESMTPS id 94F5F60E87 for ; Fri, 21 Oct 2022 14:48:04 +0000 (UTC) Received: by mail-ed1-x531.google.com with SMTP id q19so6717887edd.10 for ; Fri, 21 Oct 2022 07:48:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EvXtKPTpyapEZHk+Jd66UzDQ3VSAR7NPgHkn99Li31k=; b=q6jD4sSAUWhOODRz83G7FKTp22TuomcTQmE08XNmo7Bol3gCNnE+IEO1VEDNxnmE5Y nHgiVKlycIAg9X/jBYwaE0YlsvVS1ou8TGHRhjhpSvJVsi5k/b6S0OvAQXdAZFJA0q5k S5Q1pqsIddryVeRk/sy5ik/xJUG2CmRMSOPFZlojIn+FDwPLEZJNHkRUnXWGjT6DEm1C 8pNzWTyfBKB4UQxL7c8mkFCs8elJRWdfpMdFKWIJtAbJNkJhKST7U6EHfTfBsa3vdTMt xTlvuYnZnZHgUX3lC3NFUyKEkPLv/FsYq/VY0uKF7xzy1fqRkxrBChsQKSaIg4OCiyJN 9Srg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EvXtKPTpyapEZHk+Jd66UzDQ3VSAR7NPgHkn99Li31k=; b=JNjBiD15ytwoc1v0fmLUGzpK5qv46WFnQH9QWKOslKes2O3D6Jy8UrEA1B1bLeJxo4 TmlEhVUR+seoga2Mn4JuwTMLioHFgQZxLzcB/7dpxk3/yijOtggb9ZEgKgLWKs38kXF2 tzI1MFC1MKAr2099ivyPrAMcfJSbSwwOLVEWjuMHmxVkI2iin1Xjoq/erDgDflavOPOL RKDlErhEPiMUQVCm0+VOtk+BNy0x6pO7vAvI7s6VpwZRMfxsBz0xOPPoqZR+gOh97Gxe mL+pjYWFz+0UignTQJCtfAiKN5nPjG+imgCpPV9VPGU9+IeuOlSOUeaaK2e4xv2DGJKW atZw== X-Gm-Message-State: ACrzQf3FezSqTso0o5jeb9XCiO2Ji1q9TWf5mi+RIGlg3VbpKjkZSxLw 4SWS91AU2x3P1NRJzzMrao8yTJ+6Vv3tspSRWlM= X-Google-Smtp-Source: AMsMyM5ZruX80r1M13l7T8G3JOhrKb+JzJiGkue2U/UL/ns0/70HZSrxzlOY4YZo3Xxp2utIkwtdpP3azwYcRmrH7W8= X-Received: by 2002:a05:6402:4443:b0:45f:ca04:719b with SMTP id o3-20020a056402444300b0045fca04719bmr9523676edb.171.1666363682443; Fri, 21 Oct 2022 07:48:02 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Greg Sanders Date: Fri, 21 Oct 2022 10:47:50 -0400 Message-ID: To: Sergej Kotliar Content-Type: multipart/alternative; boundary="0000000000005bd59305eb8c87a2" Cc: Bitcoin Protocol Discussion , Anthony Towns Subject: Re: [bitcoin-dev] [Opt-in full-RBF] Zero-conf apps in immediate danger X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Oct 2022 14:48:07 -0000 --0000000000005bd59305eb8c87a2 Content-Type: text/plain; charset="UTF-8" > Yeah, there are several policy features that are not consensus related but end up de facto setting rules for how bitcoin behaves. Yes, it's status quo so wallets "just know" not to do them. The fact that the status quo would be changing is important, in that it may degrade UX for 0-conf deposits. If bip125 was full rbf, the status quo would be the other way around, but here we are. > need to evaluate from several angles first incentives-wise Right, if people have put their heads together and found a few possibilities, we should explore the possibilities. CPFP would be an interesting one used to lock in FX risk, or at least make the double-spender over-pay to exploit the delta, especially for larger amounts/new users with no track record. > I'd also ask if there might also be other solutions for solving the pinning issue as well if we dig deep into it? Perhaps there are those with tradeoffs, but those tradeoffs being less significant than the tradeoffs of rbf policy? There's been a lot of work on crafting an opt-in policy that blunts the edges of pinning attacks, and I think we've gotten to the point where it can be said if you opt into this scheme: "If I have a required key in every transaction input script, I can safely and efficiently fee bump the transaction" through a mixture of RBF/CPFP, depending on structure. Please see https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021036.html and issues linked in that e-mail, if you're interested in the set of policy changes required to get there. Note that these would still all be opt-in. This unfortunately rules out any "coinjoin" like scenario, including dual-funding lightning channels(which is close to landing finally). The good news is that those cases seem to not have theft risk, just normal DoS risk of funds being stuck for potentially weeks. It would also rule out anything like coinpools, or other advanced constructs that don't actually exist yet. Maybe the above proposals make RBF'ing super reliable compared to today, and that changes the calculus for wallet authors, but this is still a ways out as these are still early proposals. > it will hurt whenever it happens Yes it's a risk that this never gets satisfactorily resolved, which is why I was mentioning a potentially long "timeout" being decided in the near-ish future. Let's gather what we can, start building aspirationally towards that, and try to not beat this horse again. Greg On Fri, Oct 21, 2022 at 10:19 AM Sergej Kotliar wrote: > > > On Fri, 21 Oct 2022 at 16:01, Greg Sanders wrote: > >> Full-rbf is an odd duck, because while it is not a consensus issue, it >> does affect a large % of transactions made by wallets already, contrary to >> most policy changes. >> > > Yeah, there are several policy features that are not consensus related but > end up de facto setting rules for how bitcoin behaves. Minrelayfee being > another, and probably other examples out there that I don't know of. > > >> It's also a UX issue, not a safety issue for retail wallet users(except >> Muun, who have given a clear timeline). Clearly considerations would be >> very different otherwise, but retail wallets by and large do not consider >> 0-conf as a valid deposit, or at least put up some warning symbols to that >> effect. >> >> Can only speak for myself, but I am looking for a concrete timeframe from >> 0-conf stakeholders. I have no preference for any particular time frame, as >> long as it can be agreed upon in the near-ish future. This keeps the >> transition technically speaking very simple, and removes uncertainty from >> decision making going forward. >> > > It's hard to give a timeframe because it's not clear what the path forward > for these stakeholders is. Most of what I've heard in this channel is > things like "just use Lightning" but that's contradicted by user data. So > the action becomes "stop accepting payments onchain" which isn't really a > timeframe type issue, it will hurt whenever it happens. Maybe a thorough > discussion for a way forward would be useful here. Jeremy Rubin suggested > an interesting idea for using CPFP to force a transaction to complete. > We'll evaluate it and see if it works in the wild for zero-conf of RBF > today and report findings, need to evaluate from several angles first > incentives-wise. There might also be other solutions. > > I'd also ask if there might also be other solutions for solving the > pinning issue as well if we dig deep into it? Perhaps there are those with > tradeoffs, but those tradeoffs being less significant than the tradeoffs of > rbf policy? > > > Best, > Sergej > >> >> On Fri, Oct 21, 2022 at 8:02 AM Sergej Kotliar >> wrote: >> >>> On Thu, 20 Oct 2022 at 23:07, Greg Sanders wrote: >>> >>>> A large number of coins/users sit on custodial rails and this would >>>> essentially encumber protocol developers to those KYC/AML institutions. If >>>> Binance decides to never support Lightning in favor of BNC-wrapped BTC, >>>> should this be an issue at all for reasoning about a path forward? >>>> >>> >>> This is a big question here, with the caveat that it's not just binance >>> but in fact the majority of wallets and services that people use with >>> bitcoin today. >>> But the question remains as you phrased: At which point do we break >>> backwards compatibility? Another analogy would be to have sunset the old >>> P2PKH addresses during rollout of Segwit - it would certainly have led to >>> Segwit getting rolled out faster. The rbf change actually breaks more >>> things than that, takes more effort to address than just implementing a new >>> address format. Previously in the Bitcoin Core process we've chosen to keep >>> backwards compatibility and only roll out opt-in changes with broad >>> consensus over them, with the default behavior being to not roll out >>> changes that are controversial. At which point it's time to back away from >>> that - I honestly don't know. There is probably such a point, and we should >>> maybe have some kind of discussion around that topic on a higher level, >>> just as you phrased it, and I'll paraphrase: >>> If a majority of bitcoin wallets and services continue using legacy >>> patterns and features, preventing progress, at which point do we want to >>> break compatibility with them? >>> >>> Best, >>> Sergej >>> >>> >>> On Thu, Oct 20, 2022 at 3:59 PM Anthony Towns via bitcoin-dev < >>>> bitcoin-dev@lists.linuxfoundation.org> wrote: >>>> >>>>> On Thu, Oct 20, 2022 at 02:37:53PM +0200, Sergej Kotliar via >>>>> bitcoin-dev wrote: >>>>> > > If someone's going to systematically exploit your store via this >>>>> > > mechanism, it seems like they'd just find a single wallet with a >>>>> good >>>>> > > UX for opt-in RBF and lowballing fees, and go to town -- not >>>>> something >>>>> > > where opt-in rbf vs fullrbf policies make any difference at all? >>>>> > Sort of. But yes once this starts being abused systemically we will >>>>> have to >>>>> > do something else w RBF payments, such as crediting the amount in >>>>> BTC to a >>>>> > custodial account. But this option isn't available to your normal >>>>> payment >>>>> > processor type business. >>>>> >>>>> So, what I'm hearing is: >>>>> >>>>> * lightning works great, but is still pretty small >>>>> * zeroconf works great for txs that opt-out of RBF >>>>> * opt-in RBF is a pain for two reasons: >>>>> - people don't like that it's not treated as zeroconf >>>>> - the risk of fiat/BTC exchange rate changes between >>>>> now and when the tx actually confirms is worrying >>>>> even if it hasn't caused real problems yet >>>>> >>>>> (Please correct me if that's too far wrong) >>>>> >>>>> Maybe it would be productive to explore this opt-in RBF part a bit >>>>> more? ie, see if "we" can come up with better answers to some question >>>>> along the lines of: >>>>> >>>>> "how can we make on-chain payments for goods priced in fiat work well >>>>> for payees that opt-in to RBF?" >>>>> >>>>> That seems like the sort of thing that's better solved by a >>>>> collaboration >>>>> between wallet devs and merchant devs (and protocol devs?), rather than >>>>> just one or the other? >>>>> >>>>> Is that something that we could talk about here? Or maybe it's better >>>>> done via an optech workgroup or something? >>>>> >>>>> If "we'll credit your account in BTC, then work out the USD coversion >>>>> and deduct that for your purchase, then you can do whatever you like >>>>> with any remaining BTC from your on-chain payment" is the idea, maybe >>>>> we >>>>> should just roll with that design, but make it more decentralised: have >>>>> the initial payment setup a lightning channel between the customer and >>>>> the merchant with the BTC (so it's not custodial), but do some magic to >>>>> allow USD amounts to be transferred over it (Taro? something oracle >>>>> based >>>>> so that both parties are confident a fair exchange rate will be used?). >>>>> >>>>> Maybe that particular idea is naive, but having an actual problem to >>>>> solve seems more constructive than just saying "we want rbf" "but we >>>>> want zeroconf" all the time? >>>>> >>>>> (Ideally the lightning channels above would be dual funded so they >>>>> could >>>>> be used for routing more generally; but then dual funded channels are >>>>> one of the things that get broken by lack of full rbf) >>>>> >>>>> > > I thought the "normal" avenue for fooling non-RBF zeroconf was to >>>>> create >>>>> > > two conflicting txs in advance, one paying the merchant, one paying >>>>> > > yourself, connect to many peers, relay the one paying the merchant >>>>> to >>>>> > > the merchant, and the other to everyone else. >>>>> > > I'm just basing this off Peter Todd's stuff from years ago: >>>>> > > >>>>> https://np.reddit.com/r/Bitcoin/comments/40ejy8/peter_todd_with_my_doublespendpy_tool_with/cytlhh0/ >>>>> > > >>>>> https://github.com/petertodd/replace-by-fee-tools/blob/master/doublespend.py >>>>> > Yeah, I know the list still rehashes a single incident from 10 years >>>>> ago to >>>>> > declare the entire practice as unsafe, and ignores real-world data >>>>> that of >>>>> > the last million transactions we had zero cases of this successfully >>>>> > abusing us. >>>>> >>>>> I mean, the avenue above isn't easy to exploit -- you have to identify >>>>> the merchant's node so that they get the bad tx, and you have to >>>>> connect >>>>> to many peers so that your preferred tx propogates to miners first -- >>>>> and probably more importantly, it's relatively easy to detect -- if the >>>>> merchant has a few passive nodes that the attacker doesn't know about >>>>> it, and uses those to watch for attempted doublespends while it tries >>>>> to ensure the real tx has propogated widely. So it doesn't surprise me >>>>> at all that it's not often attempted, and even less often successful. >>>>> >>>>> > > > Currently Lightning is somewhere around 15% of our total bitcoin >>>>> > > > payments. >>>>> > > So, based on last year's numbers, presumably that makes your >>>>> bitcoin >>>>> > > payments break down as something like: >>>>> > > 5% txs are on-chain and seem shady and are excluded from >>>>> zeroconf >>>>> > > 15% txs are lightning >>>>> > > 20% txs are on-chain but signal rbf and are excluded from >>>>> zeroconf >>>>> > > 60% txs are on-chain and seem fine for zeroconf >>>>> > Numbers are right. Shady is too strong a word, >>>>> >>>>> Heh, fair enough. >>>>> >>>>> So the above suggests 25% of payments already get a sub-par experience, >>>>> compared to what you'd like them to have (which sucks, but if you're >>>>> trying to reinvent both money and payments, maybe isn't surprising). >>>>> And >>>>> going full rbf would bump that from 25% to 85%, which would be pretty >>>>> terrible. >>>>> >>>>> > RBF is a strictly worse UX as proven by anyone >>>>> > accepting bitcoin payments at scale. >>>>> >>>>> So let's make it better? Building bitcoin businesses on the lie that >>>>> unconfirmed txs are safe and won't be replaced is going to bite us >>>>> eventually; focussing on trying to push that back indefinitely is just >>>>> going to make everyone less prepared when it eventually happens. >>>>> >>>>> > > > For me >>>>> > > > personally it would be an easier discussion to have when >>>>> Lightning is at >>>>> > > > 80%+ of all bitcoin transactions. >>>>> > > Can you extrapolate from the numbers you've seen to estimate when >>>>> that >>>>> > > might be, given current trends? >>>>> > Not sure, it might be exponential growth, and the next 60% of >>>>> Lightning >>>>> > growth happen faster than the first 15%. Hard to tell. But we're >>>>> likely >>>>> > talking years here.. >>>>> >>>>> Okay? Two years is very different from 50 years, and at the moment >>>>> there's >>>>> not really any data, so people are just going to go with their gut... >>>>> >>>>> If it were growing in line with lightning capacity in BTC, per >>>>> bitcoinvisuals.com/ln-capacity; then 15% now would have grown from >>>>> perhaps 4% in May 2021, so perhaps 8% per year. With linear growth, >>>>> getting from 15% to 80% would then be about 8 years. >>>>> >>>>> Presumably that's a laughably terrible model, of course. But if we had >>>>> some actual numbers where we can watch the progress, it might be a lot >>>>> easier to be patient about waiting for lightning adoption to hit 80% >>>>> or whatever, and focus on productive things in the meantime? >>>>> >>>>> Cheers, >>>>> aj >>>>> _______________________________________________ >>>>> bitcoin-dev mailing list >>>>> bitcoin-dev@lists.linuxfoundation.org >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>>>> >>>> >>> >>> -- >>> >>> Sergej Kotliar >>> >>> CEO >>> >>> >>> Twitter: @ziggamon >>> >>> >>> www.bitrefill.com >>> >>> Twitter | Blog >>> | Angellist >>> >>> >> > > -- > > Sergej Kotliar > > CEO > > > Twitter: @ziggamon > > > www.bitrefill.com > > Twitter | Blog > | Angellist > --0000000000005bd59305eb8c87a2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> Yeah, there are several policy features that are not = consensus related but end up de facto setting rules for how bitcoin behaves= .

Yes, it's status quo so wallets "just know&qu= ot; not to do them. The fact that the status quo would be changing is impor= tant, in that it may degrade UX for 0-conf deposits. If bip125 was full rbf= , the status quo would be the other way around, but here we are.
=
> need to evaluate from several angles first incentives-w= ise

Right, if people have put their heads together= and found a few possibilities, we should explore the possibilities. CPFP w= ould be an interesting one used to lock in FX risk, or at least make the do= uble-spender over-pay to exploit the delta, especially for larger amounts/n= ew users with no track record.

> I'd also a= sk if there might also be other solutions for solving the pinning issue as = well if we dig deep into it? Perhaps there are those with tradeoffs, but th= ose tradeoffs being less significant than the tradeoffs of rbf policy?

There's been a lot of work on crafting an opt-in p= olicy that blunts the edges of pinning attacks, and I think we've gotte= n to the point where it can be said if you opt into this scheme: "If I= have a required key in every transaction input script, I can safely and ef= ficiently fee bump the transaction" through a mixture of RBF/CPFP, dep= ending on structure.

Please see=C2=A0https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/0= 21036.html and issues linked in that e-mail, if you're interested i= n the set of policy changes required to get there. Note that these would st= ill all be opt-in.

This unfortunately rules out an= y "coinjoin" like scenario, including dual-funding lightning chan= nels(which is close to landing finally). The good news is that those cases = seem to not have theft risk, just normal DoS risk of funds being stuck for = potentially weeks. It would also rule out anything like coinpools, or other= advanced constructs that don't actually exist yet.

Maybe the above proposals make RBF'ing super reliable compared to= today, and that changes the calculus for wallet authors, but this is still= a ways out as these are still early proposals.

&g= t; it will hurt whenever it happens

Yes it's a= risk that this never gets satisfactorily resolved, which is why I was ment= ioning a potentially long "timeout" being decided in the near-ish= future. Let's gather what we can, start building aspirationally toward= s that, and try to=C2=A0not beat this horse again.

Greg

On Fri, Oct 21, 2022 at 10:19 AM Sergej Kotliar <sergej@bitrefill.com> wrote:


On Fri, 21 Oct 2022 at 16:01, Greg Sanders <gsanders87@gmail.com> wro= te:
Full-rbf is an odd duck, because while it is not a consensus issue, it= does affect a large % of transactions made by wallets already, contrary to= most policy changes.=C2=A0

Yeah, the= re are several policy features that are not consensus related but end up de= facto setting rules for how bitcoin behaves. Minrelayfee being another, an= d probably other examples out there that I don't know of.=C2=A0
=C2=A0
It's also a UX issue, not a safety issue for retail walle= t users(except Muun, who have given a clear timeline). Clearly consideratio= ns would be very different otherwise, but retail wallets by and large do no= t consider 0-conf as a valid deposit,=C2=A0or at least put up some warning = symbols to that effect.

Can only speak for myself, b= ut I am looking for a concrete timeframe from 0-conf stakeholders. I have n= o preference for any particular time frame, as long as it can be agreed upo= n in the near-ish future. This keeps the transition technically speaking ve= ry simple, and removes uncertainty from decision making going forward.

It's hard to give a timef= rame because it's not clear what the path forward for these stakeholder= s is. Most of what I've heard in this channel is things like "just= use Lightning" but that's contradicted by user data. So the actio= n becomes "stop accepting payments onchain" which isn't reall= y a timeframe type issue, it will hurt whenever it happens. Maybe a thoroug= h discussion for a way forward would be useful here. Jeremy Rubin suggested= an interesting idea for using CPFP to force a transaction to complete. We&= #39;ll evaluate it and see if it works in the wild for zero-conf of RBF tod= ay and report findings, need to evaluate from several angles first incentiv= es-wise. There might also be other solutions.=C2=A0

I'd also ask if there might also be other solutions for solving the p= inning issue as well if we dig deep into it? Perhaps there are those with t= radeoffs, but those tradeoffs being less significant than the tradeoffs of = rbf policy?
=C2=A0

Best,=C2=A0
Sergej

On Fri, Oct 21, 2022 at 8:02 AM Sergej Kotliar <sergej@bitrefill.com= > wrote:
On Thu, 20 Oct 2022 at 23:07, Greg Sanders &l= t;gsanders87@gmai= l.com> wrote:
A large number of co= ins/users sit on custodial rails and this would essentially encumber protoc= ol developers to those KYC/AML institutions. If Binance decides to never su= pport Lightning in favor of BNC-wrapped BTC, should this be an issue at all= for reasoning about a path forward?

This is a big question here, with the caveat that it's not just b= inance but in fact the majority of wallets and services that people use wit= h bitcoin today.
But the question remains as you phrased: At whic= h point do we break backwards compatibility? Another analogy would be to ha= ve sunset the old P2PKH addresses during rollout of Segwit - it would certa= inly have led to Segwit getting rolled out faster. The rbf change actually = breaks more things than that, takes more effort to address than just implem= enting a new address format. Previously in the Bitcoin Core process we'= ve chosen to keep backwards compatibility and only roll out opt-in changes = with broad consensus over them, with the default behavior being to not roll= out changes that are controversial. At which point it's time to back a= way from that - I honestly don't know. There is probably such a point, = and we should maybe have some kind of discussion around that topic on a hig= her level, just as you phrased it, and I'll paraphrase:=C2=A0
If a majority of bitcoin wallets and services continue using legacy patter= ns and features, preventing progress, at which point do we want to break co= mpatibility with them?

Best,
Sergej


On T= hu, Oct 20, 2022 at 3:59 PM Anthony Towns via bitcoin-dev <bitcoin-dev@l= ists.linuxfoundation.org> wrote:
On Thu, Oct 20, 2022 at 02:37:53PM +0200, Sergej Ko= tliar via bitcoin-dev wrote:
> > If someone's going to systematically exploit your store via t= his
> > mechanism, it seems like they'd just find a single wallet wit= h a good
> > UX for opt-in RBF and lowballing fees, and go to town -- not some= thing
> > where opt-in rbf vs fullrbf policies make any difference at all?<= br> > Sort of. But yes once this starts being abused systemically we will ha= ve to
> do something else w RBF payments, such as crediting the amount in BTC = to a
> custodial account. But this option isn't available to your normal = payment
> processor type business.

So, what I'm hearing is:

=C2=A0* lightning works great, but is still pretty small
=C2=A0* zeroconf works great for txs that opt-out of RBF
=C2=A0* opt-in RBF is a pain for two reasons:
=C2=A0 =C2=A0 - people don't like that it's not treated as zeroconf=
=C2=A0 =C2=A0 - the risk of fiat/BTC exchange rate changes between
=C2=A0 =C2=A0 =C2=A0 now and when the tx actually confirms is worrying
=C2=A0 =C2=A0 =C2=A0 even if it hasn't caused real problems yet

(Please correct me if that's too far wrong)

Maybe it would be productive to explore this opt-in RBF part a bit
more? ie, see if "we" can come up with better answers to some que= stion
along the lines of:

=C2=A0"how can we make on-chain payments for goods priced in fiat work= well
=C2=A0 for payees that opt-in to RBF?"

That seems like the sort of thing that's better solved by a collaborati= on
between wallet devs and merchant devs (and protocol devs?), rather than
just one or the other?

Is that something that we could talk about here? Or maybe it's better done via an optech workgroup or something?

If "we'll credit your account in BTC, then work out the USD covers= ion
and deduct that for your purchase, then you can do whatever you like
with any remaining BTC from your on-chain payment" is the idea, maybe = we
should just roll with that design, but make it more decentralised: have
the initial payment setup a lightning channel between the customer and
the merchant with the BTC (so it's not custodial), but do some magic to=
allow USD amounts to be transferred over it (Taro? something oracle based so that both parties are confident a fair exchange rate will be used?).

Maybe that particular idea is naive, but having an actual problem to
solve seems more constructive than just saying "we want rbf" &quo= t;but we
want zeroconf" all the time?

(Ideally the lightning channels above would be dual funded so they could be used for routing more generally; but then dual funded channels are
one of the things that get broken by lack of full rbf)

> > I thought the "normal" avenue for fooling non-RBF zeroc= onf was to create
> > two conflicting txs in advance, one paying the merchant, one payi= ng
> > yourself, connect to many peers, relay the one paying the merchan= t to
> > the merchant, and the other to everyone else.
> > I'm just basing this off Peter Todd's stuff from years ag= o:
> > https://np.reddit.com/r/Bitcoin/comments/40ejy8/peter_todd_with_my= _doublespendpy_tool_with/cytlhh0/
> > https://github= .com/petertodd/replace-by-fee-tools/blob/master/doublespend.py
> Yeah, I know the list still rehashes a single incident from 10 years a= go to
> declare the entire practice as unsafe, and ignores real-world data tha= t of
> the last million transactions we had zero cases of this successfully > abusing us.

I mean, the avenue above isn't easy to exploit -- you have to identify<= br> the merchant's node so that they get the bad tx, and you have to connec= t
to many peers so that your preferred tx propogates to miners first --
and probably more importantly, it's relatively easy to detect -- if the=
merchant has a few passive nodes that the attacker doesn't know about it, and uses those to watch for attempted doublespends while it tries
to ensure the real tx has propogated widely. So it doesn't surprise me<= br> at all that it's not often attempted, and even less often successful.
> > > Currently Lightning is somewhere around 15% of our total bit= coin
> > > payments.
> > So, based on last year's numbers, presumably that makes your = bitcoin
> > payments break down as something like:
> >=C2=A0 =C2=A0 5% txs are on-chain and seem shady and are excluded = from zeroconf
> >=C2=A0 =C2=A015% txs are lightning
> >=C2=A0 =C2=A020% txs are on-chain but signal rbf and are excluded = from zeroconf
> >=C2=A0 =C2=A060% txs are on-chain and seem fine for zeroconf
> Numbers are right. Shady is too strong a word,

Heh, fair enough.

So the above suggests 25% of payments already get a sub-par experience,
compared to what you'd like them to have (which sucks, but if you'r= e
trying to reinvent both money and payments, maybe isn't surprising). An= d
going full rbf would bump that from 25% to 85%, which would be pretty
terrible.

> RBF is a strictly worse UX as proven by anyone
> accepting bitcoin payments at scale.

So let's make it better? Building bitcoin businesses on the lie that unconfirmed txs are safe and won't be replaced is going to bite us
eventually; focussing on trying to push that back indefinitely is just
going to make everyone less prepared when it eventually happens.

> > > For me
> > > personally it would be an easier discussion to have when Lig= htning is at
> > > 80%+ of all bitcoin transactions.
> > Can you extrapolate from the numbers you've seen to estimate = when that
> > might be, given current trends?
> Not sure, it might be exponential growth, and the next 60% of Lightnin= g
> growth happen faster than the first 15%. Hard to tell. But we're l= ikely
> talking years here..

Okay? Two years is very different from 50 years, and at the moment there= 9;s
not really any data, so people are just going to go with their gut...

If it were growing in line with lightning capacity in BTC, per
bitcoinvisuals.com/ln-capacity; then 15% now would have gro= wn from
perhaps 4% in May 2021, so perhaps 8% per year. With linear growth,
getting from 15% to 80% would then be about 8 years.

Presumably that's a laughably terrible model, of course. But if we had<= br> some actual numbers where we can watch the progress, it might be a lot
easier to be patient about waiting for lightning adoption to hit 80%
or whatever, and focus on productive things in the meantime?

Cheers,
aj
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev


--


--
--0000000000005bd59305eb8c87a2--