MIME-Version: 1.0
References: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
 <ZTMWrJ6DjxtslJBn@petertodd.org>
 <CALZpt+GQ9g-uwAGYogdaJcinVHRxs4=67hML78KbramJg=davA@mail.gmail.com>
 <ZUNBHsw2BldPLvPc@petertodd.org>
 <CALZpt+GBcqquPtf0YB07Rcy2OS0kUhv86s6g=69VrfSE72cYJQ@mail.gmail.com>
 <ZUXyICh45JP6OnDu@petertodd.org>
 <CALZpt+GXGBbo0JjOyMr3B-3dVY2Q_DuzF6Sn3xE5W24x77PRYg@mail.gmail.com>
 <iBopsZOx5TRDjjfxSLo9GLa00c7Jk0uMSae6_EPsPjnd10Aa87-lxVIZnL37GwEM3ppemBAxCwkv7r4w5AfDjLkKo0OhIpdB0jK0_OTRqf4=@protonmail.com>
In-Reply-To: <iBopsZOx5TRDjjfxSLo9GLa00c7Jk0uMSae6_EPsPjnd10Aa87-lxVIZnL37GwEM3ppemBAxCwkv7r4w5AfDjLkKo0OhIpdB0jK0_OTRqf4=@protonmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Tue, 7 Nov 2023 15:44:21 +0000
Message-ID: <CALZpt+EZqfj=G=E37hA+k9pKYfvE0jkc3UU+H8sJVm=H3CO-JA@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Content-Type: multipart/alternative; boundary="000000000000dab734060991d8c8"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
 "lightning-dev\\\\\\\\@lists.linuxfoundation.org"
 <lightning-dev@lists.linuxfoundation.org>, security@ariard.me
Subject: Re: [bitcoin-dev] [Lightning-dev] OP_Expire and Coinbase-Like
 Behavior: Making HTLCs Safer by Letting Transactions Expire Safely
Precedence: list

--000000000000dab734060991d8c8
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Zeeman,

> Neither can Bob replace-recycle out the commitment transaction itself,
because the commitment transaction is a single-input transaction, whose
sole input requires a signature from
> Bob and a signature from Carol --- obviously Carol will not cooperate on
an attack on herself.

The replacement cycling happens on the commitment transaction spend itself,
not the second stage, which is effectively locked until block 100.

If the commitment transaction is pre-signed with 0 sat / vb and all the
feerate / absolute fee is provided by a CPFP on one of the anchor outputs,
Bob can replace the CPFP itself. After replacement of its child, the
commitment transaction has a package feerate of 0 sat / vb and it will be
trimmed out of the mempool.

This is actually the scenario tested here on the nversion =3D 3 new mempool
policy branch  (non-deployed yet):
https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2

As of today commitment transactions might not propagate if dynamic mempool
min fee is above pre-signed commitment transaction, which is itself unsafe.
I think this behavior can currently be opportunistically exploited by
attackers.

In a post-package relay world, I think this is possible. And that
replacement cycling attacks are breaking future dynamic fee-bumping of
pre-signed transactions concerns me a lot.

Best,
Antoine

Le mar. 7 nov. 2023 =C3=A0 11:12, ZmnSCPxj <ZmnSCPxj@protonmail.com> a =C3=
=A9crit :

> Good morning Antoine,
>
>
> > Once the HTLC is committed on the Bob-Caroll link, Caroll releases the
> preimage off-chain to Bob with an `update_fulfill_htlc` message, though B=
ob
> does _not_ send back his signature for the updated channel state.
> >
> > Some blocks before 100, Caroll goes on-chain to claim the inbound HTLC
> output with the preimage. Her commitment transaction propagation in netwo=
rk
> mempools is systematically "replaced cycled out" by Bob.
>
> I think this is impossible?
>
> In this scenario, there is an HTLC offered by Bob to Carol.
>
> Prior to block 100, only Carol can actually create an HTLC-success
> transaction.
> Bob cannot propagate an HTLC-timeout transaction because the HTLC timeloc=
k
> says "wait till block 100".
>
> Neither can Bob replace-recycle out the commitment transaction itself,
> because the commitment transaction is a single-input transaction, whose
> sole input requires a signature from Bob and a signature from Carol ---
> obviously Carol will not cooperate on an attack on herself.
>
> So as long as Carol is able to get the HTLC-success transaction confirmed
> before block 100, Bob cannot attack.
> Of course, once block 100 is reached, `OP_EXPIRE` will then mean that
> Carol cannot claim the fund anymore.
>
> Regards,
> ZmnSCPxj
>

--000000000000dab734060991d8c8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Zeeman,<div><br></div><div>&gt; Neither can Bob replace=
-recycle out the commitment transaction itself, because the commitment tran=
saction is a single-input transaction, whose sole input requires a signatur=
e from</div><div>&gt; Bob and a signature from Carol --- obviously Carol wi=
ll not cooperate on an attack on herself.<br><div><br></div><div><div>The r=
eplacement cycling happens on the commitment transaction spend itself, not =
the second stage, which is effectively locked until block 100.</div></div><=
div><br></div><div>If the commitment transaction is pre-signed with 0 sat /=
 vb and all the feerate / absolute fee is provided=C2=A0by a CPFP on one of=
 the anchor outputs, Bob can replace the CPFP itself. After replacement of =
its child, the commitment transaction has a package feerate of 0 sat / vb a=
nd it will be trimmed out of the mempool.</div><div><br></div><div>This is =
actually the scenario tested here on the nversion =3D 3 new mempool policy =
branch =C2=A0(non-deployed yet):</div><div><a href=3D"https://github.com/ar=
iard/bitcoin/commits/2023-10-test-mempool-2">https://github.com/ariard/bitc=
oin/commits/2023-10-test-mempool-2</a><br></div><div><br></div><div>As of t=
oday commitment transactions might not propagate if dynamic mempool min fee=
 is above pre-signed commitment transaction, which is itself unsafe. I thin=
k this behavior can currently be opportunistically exploited by attackers.=
=C2=A0</div><div><br></div></div><div><div><div>In a post-package relay wor=
ld, I think this is possible. And that replacement cycling attacks are brea=
king future dynamic fee-bumping of pre-signed transactions concerns me a lo=
t.</div></div><div><br></div><div>Best,</div><div>Antoine</div></div></div>=
<br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=
=A0mar. 7 nov. 2023 =C3=A0=C2=A011:12, ZmnSCPxj &lt;<a href=3D"mailto:ZmnSC=
Pxj@protonmail.com">ZmnSCPxj@protonmail.com</a>&gt; a =C3=A9crit=C2=A0:<br>=
</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
order-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,=
204);padding-left:1ex">Good morning Antoine,<br>
<br>
<br>
&gt; Once the HTLC is committed on the Bob-Caroll link, Caroll releases the=
 preimage off-chain to Bob with an `update_fulfill_htlc` message, though Bo=
b does _not_ send back his signature for the updated channel state.<br>
&gt; <br>
&gt; Some blocks before 100, Caroll goes on-chain to claim the inbound HTLC=
 output with the preimage. Her commitment transaction propagation in networ=
k mempools is systematically &quot;replaced cycled out&quot; by Bob.<br>
<br>
I think this is impossible?<br>
<br>
In this scenario, there is an HTLC offered by Bob to Carol.<br>
<br>
Prior to block 100, only Carol can actually create an HTLC-success transact=
ion.<br>
Bob cannot propagate an HTLC-timeout transaction because the HTLC timelock =
says &quot;wait till block 100&quot;.<br>
<br>
Neither can Bob replace-recycle out the commitment transaction itself, beca=
use the commitment transaction is a single-input transaction, whose sole in=
put requires a signature from Bob and a signature from Carol --- obviously =
Carol will not cooperate on an attack on herself.<br>
<br>
So as long as Carol is able to get the HTLC-success transaction confirmed b=
efore block 100, Bob cannot attack.<br>
Of course, once block 100 is reached, `OP_EXPIRE` will then mean that Carol=
 cannot claim the fund anymore.<br>
<br>
Regards,<br>
ZmnSCPxj<br>
</blockquote></div>

--000000000000dab734060991d8c8--