Return-Path: <lf-lists@mattcorallo.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 8EB13C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 23 Apr 2022 18:24:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id 66FC260B5C
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 23 Apr 2022 18:24:06 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Level: 
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: smtp3.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=mattcorallo.com
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id iNTLJsK7V8fW
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 23 Apr 2022 18:24:05 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from mail.as397444.net (mail.as397444.net [69.59.18.99])
 by smtp3.osuosl.org (Postfix) with ESMTPS id 4E44560B47
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Sat, 23 Apr 2022 18:24:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=mattcorallo.com; s=1650736864; h=In-Reply-To:From:References:To:Subject:
 From:Subject:To:Cc:Cc:Reply-To;
 bh=tlcqmWNsSjcoL8YqBUnEQTZRXvSp1powdJ2JHjBaEjg=; b=OoDMIxaaJk9igWiWaAnKpOYSgG
 1NAKjUyn8726q8DJ4mI1zj44XSBL16jTvcilE6dYRQJvX45sj5XuqCQrMbLO5AoX9ZahZzvcLU1VU
 0BUYl7Ff9mk1MKmqQmAuu2WBnoafCdRJ+NJT/+ypJM0WGBjwYMROi0kM5i5UyXSwp2win/kmaqM68
 tyb1yHgT+FFgPaxZuCPRvzgBsyhDqcKhDPWbd9go2YRJv6WiVQtHfz+ruMsqBdDuME3TTWbYDjzi/
 xgBo+bUlHAAT6NVojmd8TSYUd6/gBleXWa/7GtdA0u9MRbGGA2W272yLG6Rbo0TuFpxpcuVOhZexo
 y7ztDB3g==;
Received: by mail.as397444.net with esmtpsa (TLS1.3) (Exim)
 (envelope-from <lf-lists@mattcorallo.com>)
 id 1niKQL-000fFj-PQ; Sat, 23 Apr 2022 18:24:01 +0000
Message-ID: <48a4546c-85b3-e9ff-83b5-60ba4eae2c76@mattcorallo.com>
Date: Sat, 23 Apr 2022 11:24:01 -0700
MIME-Version: 1.0
Content-Language: en-US
To: Russell O'Connor <roconnor@blockstream.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <64a34b4d46461da322be51b53ec2eb01@dtrt.org>
 <d95eec37-269d-eefb-d191-e8234e4faed3@mattcorallo.com>
 <4b252ef6f86bbd494a67683f6113f3fe@dtrt.org>
 <c779648c-891d-b920-f85f-c617a0448997@mattcorallo.com>
 <CAPfvXfJe6YHViquT8i+Kq2QUjZDZyUq24nKkJd2a6dYKgygxNQ@mail.gmail.com>
 <CAMZUoK=GONdGwj34PcqjV5sFJBg+XqiSOHFk4aQoTgy00YFG=Q@mail.gmail.com>
From: Matt Corallo <lf-lists@mattcorallo.com>
In-Reply-To: <CAMZUoK=GONdGwj34PcqjV5sFJBg+XqiSOHFk4aQoTgy00YFG=Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-DKIM-Note: Keys used to sign are likely public at
 https://as397444.net/dkim/mattcorallo.com
X-DKIM-Note: For more info, see https://as397444.net/dkim/
Subject: Re: [bitcoin-dev] Vaulting (Was: Automatically reverting
 ("transitory") soft forks)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2022 18:24:06 -0000

Still trying to make sure I understand this concern, let me know if I get this all wrong.

On 4/22/22 10:25 AM, Russell O'Connor via bitcoin-dev wrote:
> It's not the attackers *only choice to succeed*.  If an attacker steals the hot key, then they have 
> the option to simply wait for the user to unvault their funds of their own accord and then race / 
> outspend the users transaction with their own.  Indeed, this is what we expect would happen in the 
> dark forest.

Right, a key security assumption of the CTV-based vaults would be that you MUST NOT EVER withdraw 
more in one go than your hot wallet risk tolerance, but given that your attack isn't any worse than 
simply stealing the hot wallet key immediately after a withdraw.

It does have the drawback that if you ever get a hot wallet key stole you have to rotate all of your 
CTV outputs and your CTV outputs must never be any larger than your hot wallet risk tolerance 
amount, both of which are somewhat frustrating limitations, but not security limitations, only 
practical ones.

> And that's not even mentioning the issues already noted by the document regarding fee management, 
> which would likely also benefit from a less constrained design for covenants.

Of course I've always been in favor of a less constrained covenants design from day one for ten 
reasons, but that's a whole other rabbit hole :)