path: root/39/dc1a02dd57c1f811d294b5f7e6385d24e83632

Return-Path: <antoine.riard@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 4DB32C000A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 30 Nov 2021 01:44:08 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 4973D80CE3
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 30 Nov 2021 01:44:08 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id XUGRRBiz9pQ8
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 30 Nov 2021 01:44:05 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com
 [IPv6:2a00:1450:4864:20::32c])
 by smtp1.osuosl.org (Postfix) with ESMTPS id A0E2580CD4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 30 Nov 2021 01:44:04 +0000 (UTC)
Received: by mail-wm1-x32c.google.com with SMTP id
 k37-20020a05600c1ca500b00330cb84834fso18286863wms.2
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 29 Nov 2021 17:44:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
 bh=+eVLN1f9XOg8fdVwtNZfGMPSPDECgVoLyycfykxHUyU=;
 b=EanCBS4yE1LKIgQW5kBMSYgd2EgzWcgqh9Axo72BPPYSrh9xQl9nOh8TgJN3altvfC
 S74qi1c0iO4NtKVjIIQO8eIRtacI1RTJ/DfSvBIlYZMUdztsc6MrPpP3SIQ35eNGPA75
 OSLOFijEx56VOVImpHyrZG2DdhFy0anLbN7yn899UIRdX1l0tmd65egkjCd8Chzk81RS
 abnYpIxz3wxoJdJ3w+uKsTPkwV9RslxbT7sc+y+VFbFC/OMSwcR9M7+nq5Sz+0dyeyf4
 6oyUqGlokbj41gfsyBri2QOjJUCmtLfyekyxieOZ2TvWbFnEDw56xSZhWgmDCO/C0VFV
 Evww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to;
 bh=+eVLN1f9XOg8fdVwtNZfGMPSPDECgVoLyycfykxHUyU=;
 b=LFUq3FxKgd4fGZU87b5uv9YZyWPBUYq+UCRpaCwj3F1DR2F9BZfxoNBB3xrn49FEig
 2PuSivO/m0kmMGPMSy2kDIaBs8zJ4lqYxL3ABY/qQ++gBMFI9hFX4md7AeK20uLS3e5S
 El8Y0KkNUtl6bFo8gPtTN3CUBdCjztlqC9qxK1mZAOaCPNlRvsczR+0u81s+/dxWdnNZ
 OGIKmULIvZZy0RdsIg+Rrx9oKUSVo0s6UAKcKjqIaFPsqaj/2AUEFdmq183n9v51rSUx
 jHifuzKNqU3WUYVW5l0jVyNHthYm9eGArnrnChGqf2ys0YCJiZtyppo4RwM7LKf4kRLA
 aejg==
X-Gm-Message-State: AOAM530Q5RVnebuKP+gRhmwfIIVb827ekvoQzzelTsDCL5zbb1rQ8BQ3
 zCepKpJpXoaSG6ylJ1W/5+Jcr/S5JGRwIWKKKusQezQAppQ=
X-Google-Smtp-Source: ABdhPJwnXTWKahRruXkap0ndvyR7dVavG9e0oZHd9IRIHPxnl++cDbAvQfspheFdpVCBdQUNO1XM/FstVwItEcVTAfw=
X-Received: by 2002:a7b:c157:: with SMTP id z23mr1677532wmi.113.1638236642443; 
 Mon, 29 Nov 2021 17:44:02 -0800 (PST)
MIME-Version: 1.0
References: <hBx6OYA5Mv9C_anoMQ-s-9l_XNwNFPfDVmOND9pXBJEBi7qsULF3bgPGpagtqjOsKDTXu8iOTVzvOjflz-M6EfnfwVH81Cu-nnai0kakouo=@protonmail.com>
In-Reply-To: <hBx6OYA5Mv9C_anoMQ-s-9l_XNwNFPfDVmOND9pXBJEBi7qsULF3bgPGpagtqjOsKDTXu8iOTVzvOjflz-M6EfnfwVH81Cu-nnai0kakouo=@protonmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Mon, 29 Nov 2021 20:43:49 -0500
Message-ID: <CALZpt+F6h8uLw48e4FRrkjPe2ci6Uqy-o9H=++hu5fx7+bxOZw@mail.gmail.com>
To: darosior <darosior@protonmail.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000002184d405d1f7b1b1"
X-Mailman-Approved-At: Tue, 30 Nov 2021 09:14:39 +0000
Subject: Re: [bitcoin-dev] A fee-bumping model
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 01:44:08 -0000

--0000000000002184d405d1f7b1b1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Darosior,

Nice work, few thoughts binding further your model for Lightning.

> For any delegated vault, ensure the confirmation of a Cancel transaction
in a configured number of
> blocks at any point. In so doing, minimize the overpayments and the UTxO
set footprint. Overpayments
> increase the burden on the watchtower operator by increasing the required
frequency of refills of the
> fee-bumping wallet, which is already the worst user experience. You are
likely to manage a number of
> UTxOs with your number of vaults, which comes at a cost for you as well
as everyone running a full
> node.

For any opened channel, ensure the confirmation of a Commitment transaction
and the children HTLC-Success/HTLC-Timeout transactions. Note, in the
Lightning security game you have to consider (at least) 4 types of players
moves and incentives : your node, your channel counterparties, the miners,
the crowd of bitcoin users. The number of the last type of players is
unknown from your node, however it should not be forgotten you're in
competition for block space, therefore their block demands bids should be
anticipated and reacted to in consequence. With that remark in mind,
implications for your LN fee-bumping strategy will be raised afterwards.

For a LN service provider, on-chain overpayments are bearing on your
operational costs, thus downgrading your economic competitiveness. For the
average LN user, overpayment might price out outside a LN non-custodial
deployment, as you don't have the minimal security budget to be on your own=
.

> This opens up a pinning vector, or at least a significant nuisance: any
other party can largely
> increase the absolute fee without increasing the feerate, leveraging the
RBF rules to prevent you
> from replacing it without paying an insane fee. And you might not see it
in your own mempool and
> could only suppose it's happening by receiving non-full blocks or with
transactions paying a lower
> feerate.

Same issue with Lightning, we can be pinned today on the basis of
replace-by-fee rule 3. We can be also blinded by network mempool
partitions, a pinning counterparty can segregate all the full-nodes  in as
many subsets by broadcasting a revoked Commitment transaction different for
each. For Revault, I think you can also do unlimited partitions by mutating
the ANYONECANPAY-input of the Cancel.

That said, if you have a distributed towers deployment, spread across the
p2p network topology, and they can't be clustered together through
cross-layers or intra-layer heuristics, you should be able to reliably
observe such partitions. I think such distributed monitors are deployed by
few L1 merchants accepting 0-conf to detect naive double-spend.

> Unfortunately i know of no other primitive that can be used by
multi-party (i mean, >2) presigned
> transactions protocols for fee-bumping that aren't (more) vulnerable to
pinning.

Have we already discussed a fee-bumping "shared cache", a CPFP variation ?
Strawman idea: Alice and Bob commit collateral inputs to a separate UTXO
from the main "offchain contract" one. This UTXO is locked by a multi-sig.
For any Commitment transaction pre-signed, also counter-sign a CPFP with
top mempool feerate included, spending a Commitment anchor output and the
shared-cache UTXO. If the fees spike,  you can re-sign a high-feerate CPFP,
assuming interactivity. As the CPFP is counter-signed by everyone, the
outputs can be CSV-1 encumbered to prevent pinnings. If the share-cache is
feeded at parity, there shouldn't be an incentive to waste or maliciously
inflate the feerate. I think this solution can be easily generalized to
more than 2 counterparties by using a multi-signature scheme. Big issue, if
the feerate is short due to fee spikes and you need to re-sign a
higher-feerate CPFP, you're trusting your counterparty to interact, though
arguably not worse than the current update fee mechanism.

> For Lightning, it'd mean keeping an equivalent amount of funds as the sum
of all your
channels balances sitting there unallocated "just in case". This is not
reasonable.

Agree, game-theory wise, you would like to keep a full fee-bumping reserve,
ready to burn as much in fees as the contested HTLC value, as it's the
maximum gain of your counterparty. Though perfect equilibrium is hard to
achieve because your malicious counterparty might have an edge pushing you
to broadcast your Commitment first by witholding HTLC resolution.

Fractional fee-bumping reserves are much more realistic to expect in the LN
network. Lower fee-bumping reserve, higher liquidity deployed, in theory
higher routing fees. By observing historical feerates, average offchain
balances at risk and routing fees expected gains, you should be able to
discover an equilibrium where higher levels of reserve aren't worth the
opportunity cost. I guess this  equilibrium could be your LN fee-bumping
reserve max feerate.

Note, I think the LN approach is a bit different from what suits a custody
protocol like Revault,  as you compute a direct return of the frozen
fee-bumping liquidity. With Revault, if you have numerous bitcoins
protected, it's might be more interesting to adopt a "buy the mempool,
stupid" strategy than risking fund safety for few percentages of interest
returns.

> This is easier to reason about with a per-contract reserve.

For Lightning, this per-channel approach is safer too, as one Commitment
transaction pinned or jammed could affect the confirmation odds of your
remaining LN Commitment transactions.

> For your Lightning channel you would probably take the maximum size of
your commitment transaction
> according to your HTLC exposure settings + the size of as many
`htlc_success` transactions?

Yes, I guess it's your holder's `max_accepted_htcls` * `HTLC-Success
weight` + counterparty's `max_accepted_htlcs` * `HTLC-Timeout weight`
Better to adopt this worst-case as the base transaction weight to fee-bump,
as currently we can't dynamically update channel policies.

> For some other applications with large transactions and lower-value UTxOs
on average it's
> likely that only part of the offchain contracts might be enforceable at a
reasonable feerate. Is it
> reasonable?

This is where the "anticipate the crowd of bitcoin users move" point can be
laid out. As the crowd of bitcoin users' fee-bumping reserves are
ultimately unknown from your node knowledge, you should be ready to be a
bit more conservative than the vanilla fee-bumping strategies shipped by
default. In case of massive mempool congestion, your additional
conservatism might get your time-sensitive transactions and game on the
crowd of bitcoin users. First Problem: if all offchain bitcoin software
adopt that strategy we might inflate the worst-case feerate rate at the
benefit of the miners, without holistically improving block throughput.
Second problem : your class of offchain bitcoin softwares might have
ridiculous fee-bumping reserve compared
to other classes of offchain bitcoin softwares (Revault > Lightning) and
just be priced out bydesign in case of mempool congestion. Third problem :
as the number of offchain bitcoin applications should go up with time, your
fee-bumping reserve levels based from historical data might be always late
by one "bank-run" scenario.

For Lightning, if you're short in fee-bumping reserves you might still do
preemptive channel closures, either cooperatively or unilaterally and get
back the off-chain liquidity to protect the more economically interesting
channels. Though again, that kind of automatic behavior might be compelling
at the individual node-level, but make the mempol congestion worse
holistically.

> First of all, when to fee-bump? At fixed time intervals? At each block
connection?

In case of massive mempool congestion, you might try to front-run the crowd
of bitcoin users relying on block connections for fee-bumping, and thus
start your fee-bumping as soon as you observe feerate groups fluctuations
in your local mempool(s).

Also you might proceed your fee-bumping ticks on a local clock instead of
block connections in case of time-dilation or deeper eclipse attacks of
your local node. Your view of the chain might be compromised but not your
ability to broadcast transactions thanks to emergency channels (in the
non-LN sense...though in fact quid of txn wrapped in onions ?) of
communication.

> You might skew miners incentives in doing
> so: if you increase the fees by a factor of N, any miner with a fraction
larger than 1/N of the
> network hashrate now has an incentive to censor your transaction at first
to get you to panic.

Yes I think miner-harvesting attacks should be weighed carefully in the
design of offchain contracts fee-bumping strategies, at least in the future
when the mining reward exhausts further. I wonder if a more refined formula
should encompass the miner loss for empty blocks and ensure this loss stays
more substantial than the fees increased. So something like computing "for
X censored blocks, the Y average loss should be superior to the Z
fee-bumping increase".

> Of course, given it's all hacks and workarounds and there is no good
answer to "what is a reasonable
> feerate up to which we need to make contracts enforceable onchain?",
there is definitely room for an
> insurance market.

Yes, stay open the question on how you enforce this block insurance market.
Reputation, which might be to avoid due to the latent centralization
effect, might be hard to stack and audit reliably for an emergency
mechanism running, hopefully, once in a halvening period. Maybe maybe some
cryptographic or economically based mechanism on slashing or swaps could be
found...

Antoine

Le lun. 29 nov. 2021 =C3=A0 09:34, darosior via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit :

> Hi everyone,
>
> Fee-bumping is paramount to the security of many protocols building on
> Bitcoin, as they require the
> confirmation of a transaction (which might be presigned) before the
> expiration of a timelock at any
> point after the establishment of the contract.
>
> The part of Revault using presigned transactions (the delegation from a
> large to a smaller multisig)
> is no exception. We have been working on how to approach this for a while
> now and i'd like to share
> what we have in order to open a discussion on this problem so central to
> what seem to be The Right
> Way [0] to build on Bitcoin but which has yet to be discussed in details
> (at least publicly).
>
> I'll discuss what we came up with for Revault (at least for what will be
> its first iteration) but my
> intent with posting to the mailing list is more to frame the questions to
> this problem we are all
> going to face rather than present the results of our study tailored to th=
e
> Revault usecase.
> The discussion is still pretty Revault-centric (as it's the case study)
> but hopefully this can help
> future protocol designers and/or start a discussion around what everyone'=
s
> doing for existing ones.
>
>
> ## 1. Reminder about Revault
>
> The part of Revault we are interested in for this study is the delegation
> process, and more
> specifically the application of spending policies by network monitors
> (watchtowers).
> Coins are received on a large multisig. Participants of this large
> multisig create 2 [1]
> transactions. The Unvault, spending a deposit UTxO, creates an output
> paying either to the small
> multisig after a timelock or to the large multisig immediately. The
> Cancel, spending the Unvault
> output through the non-timelocked path, creates a new deposit UTxO.
> Participants regularly exchange the Cancel transaction signatures for eac=
h
> deposit, sharing the
> signatures with the watchtowers they operate. They then optionally [2]
> sign the Unvault transaction
> and share the signatures with the small multisig participants who can in
> turn use them to proceed
> with a spending. Watchtowers can enforce spending policies (say, can't
> Unvault outside of business
> hours) by having the Cancel transaction be confirmed before the expiratio=
n
> of the timelock.
>
>
> ## 2. Problem statement
>
> For any delegated vault, ensure the confirmation of a Cancel transaction
> in a configured number of
> blocks at any point. In so doing, minimize the overpayments and the UTxO
> set footprint. Overpayments
> increase the burden on the watchtower operator by increasing the required
> frequency of refills of the
> fee-bumping wallet, which is already the worst user experience. You are
> likely to manage a number of
> UTxOs with your number of vaults, which comes at a cost for you as well a=
s
> everyone running a full
> node.
>
> Note that this assumes miners are economically rationale, are incentivize=
d
> by *public* fees and that
> you have a way to propagate your fee-bumped transaction to them. We also
> don't consider the block
> space bounds.
>
> In the previous paragraph and the following text, "vault" can generally b=
e
> replaced with "offchain
> contract".
>
>
> ## 3. With presigned transactions
>
> As you all know, the first difficulty is to get to be able to unilaterall=
y
> enforce your contract
> onchain. That is, any participant must be able to unilaterally bump the
> fees of a transaction even
> if it was co-signed by other participants.
>
> For Revault we can afford to introduce malleability in the Cancel
> transaction since there is no
> second-stage transaction depending on its txid. Therefore it is pre-signe=
d
> with ANYONECANPAY. We
> can't use ANYONECANPAY|SINGLE since it would open a pinning vector [3].
> Note how we can't leverage
> the carve out rule, and neither can any other more-than-two-parties
> contract.
> This has a significant implication for the rest, as we are entirely
> burning fee-bumping UTxOs.
>
> This opens up a pinning vector, or at least a significant nuisance: any
> other party can largely
> increase the absolute fee without increasing the feerate, leveraging the
> RBF rules to prevent you
> from replacing it without paying an insane fee. And you might not see it
> in your own mempool and
> could only suppose it's happening by receiving non-full blocks or with
> transactions paying a lower
> feerate.
> Unfortunately i know of no other primitive that can be used by multi-part=
y
> (i mean, >2) presigned
> transactions protocols for fee-bumping that aren't (more) vulnerable to
> pinning.
>
>
> ## 4. We are still betting on future feerate
>
> The problem is still missing one more constraint. "Ensuring confirmation
> at any time" involves ensuring
> confirmation at *any* feerate, which you *cannot* do. So what's the limit=
?
> In theory you should be ready
> to burn as much in fees as the value of the funds you want to get out of
> the contract. So... For us
> it'd mean keeping for each vault an equivalent amount of funds sitting
> there on the watchtower's hot
> wallet. For Lightning, it'd mean keeping an equivalent amount of funds as
> the sum of all your
> channels balances sitting there unallocated "just in case". This is not
> reasonable.
>
> So you need to keep a maximum feerate, above which you won't be able to
> ensure the enforcement of
> all your contracts onchain at the same time. We call that the "reserve
> feerate" and you can have
> different strategies for choosing it, for instance:
> - The 85th percentile over the last year of transactions feerates
> - The maximum historical feerate
> - The maximum historical feerate adjusted in dollars (makes more sense bu=
t
> introduces a (set of?)
>   trusted oracle(s) in a security-critical component)
> - Picking a random high feerate (why not? It's an arbitrary assumption
> anyways)
>
> Therefore, even if we don't have to bet on the broadcast-time feerate
> market at signing time anymore
> (since we can unilaterally bump), we still need some kind of prediction i=
n
> preparation of making
> funds available to bump the fees at broadcast time.
> Apart from judging that 500sat/vb is probably more reasonable than
> 10sat/vbyte, this unfortunately
> sounds pretty much crystal-ball-driven.
>
> We currently use the maximum of the 95th percentiles over 90-days windows
> over historical block chain
> feerates. [4]
>
>
> ## 5. How much funds does my watchtower need?
>
> That's what we call the "reserve". Depending on your reserve feerate
> strategy it might vary over
> time. This is easier to reason about with a per-contract reserve. For
> Revault it's pretty
> straightforward since the Cancel transaction size is static:
> `reserve_feerate * cancel_size`. For
> other protocols with dynamic transaction sizes (or even packages of
> transactions) it's less so. For
> your Lightning channel you would probably take the maximum size of your
> commitment transaction
> according to your HTLC exposure settings + the size of as many
> `htlc_success` transaction?
>
> Then you either have your software or your user guesstimate how many
> offchain contracts the
> watchtower will have to watch, time that by the per-contract reserve and
> refill this amount (plus
> some slack in practice). Once again, a UX tradeoff (not even mentioning
> the guesstimation UX):
> overestimating leads to too many unallocated funds sitting on a hot
> wallet, underestimating means
> (at best) inability to participate in new contracts or being "at risk"
> (not being able to enforce
> all your contracts onchain at your reserve feerate) before a new refill.
>
> For vaults you likely have large-value UTxOs and small transactions (the
> Cancel is one-in one-out in
> Revault). For some other applications with large transactions and
> lower-value UTxOs on average it's
> likely that only part of the offchain contracts might be enforceable at a
> reasonable feerate. Is it
> reasonable?
>
>
> ## 6. UTxO pool layout
>
> Now that you somehow managed to settle on a refill amount, how are you
> going to use these funds?
> Also, you'll need to manage your pool across time (consolidating small
> coins, and probably fanning
> out large ones).
>
> You could keep a single large UTxO and peel it as you need to sponsor
> transactions. But this means
> that you need to create a coin of a specific value according to your need
> at the current feerate
> estimation, hope to have it confirmed in a few blocks (at least for now!
> [5]), and hope that the
> value won't be obsolete by the time it confirmed. Also, you'd have to do
> that for any number of
> Cancel, chaining feebump coin creation transactions off the change of the
> previous ones or replacing
> them with more outputs. Both seem to become really un-manageable (and
> expensive) in many edge-cases,
> shortening the time you have to confirm the actual Cancel transaction and
> creating uncertainty about
> the reserve (how much is my just-in-time fanout going to cost me in fees
> that i need to refill in
> advance on my watchtower wallet?).
> This is less of a concern for protocols using CPFP to sponsor
> transactions, but they rely on a
> policy rule specific to 2-parties contracts.
>
> Therefore for Revault we fan-out the coins per-vault in advance. We do so
> at refill time so the
> refiller can give an excess to pay for the fees of the fanout transaction
> (which is reasonable since
> it will occur just after the refilling transaction confirms). When the
> watchtower is asked to watch
> for a new delegated vault it will allocate coins from the pool of
> fanned-out UTxOs to it (failing
> that, it would refuse the delegation).
> What is a good distribution of UTxOs amounts per vault? We want to
> minimize the number of coins,
> still have coins small enough to not overpay (remember, we can't have
> change) and be able to bump a
> Cancel up to the reserve feerate using these coins. The two latter
> constraints are directly in
> contradiction as the minimal value of a coin usable at the reserve feerat=
e
> (paying for its own input
> fee + bumping the feerate by, say, 5sat/vb) is already pretty high.
> Therefore we decided to go with
> two distributions per vault. The "reserve distribution" alone ensures tha=
t
> we can bump up to the
> reserve feerate and is usable for high feerates. The "bonus distribution"
> is not, but contains
> smaller coins useful to prevent overpayments during low and medium fee
> periods (which is most of the
> time).
> Both distributions are based on a basic geometric suite [6]. Each value i=
s
> half the previous one.
> This exponentially decreases the value, limiting the number of coins. But
> this also allows for
> pretty small coins to exist and each coin's value is equal to the sum of
> the smaller coins,
> or smaller by at most the value of the smallest coin. Therefore bounding
> the maximum overpayment to
> the smallest coin's value [7].
>
> For the management of the UTxO pool across time we merged the
> consolidation with the fanout. When
> fanning out a refilled UTxO, we scan the pool for coins that need to be
> consolidated according to a
> heuristic. An instance of a heuristic is "the coin isn't allocated and
> would not have been able to
> increase the fee at the median feerate over the past 90 days of blocks".
> We had this assumption that feerate would tend to go up with time and
> therefore discarded having to
> split some UTxOs from the pool. We however overlooked that a large
> increase in the exchange price of
> BTC as we've seen during the past year could invalidate this assumption
> and that should arguably be
> reconsidered.
>
>
> ## 7. Bumping and re-bumping
>
> First of all, when to fee-bump? At fixed time intervals? At each block
> connection? It sounds like,
> given a large enough timelock, you could try to greed by "trying your
> luck" at a lower feerate and
> only re-bumping every N blocks. You would then start aggressively bumping
> at every block after M
> blocks have passed. But that's actually a bet (in disguised?) that the
> next block feerate in M blocks
> will be lower than the current one. In the absence of any predictive mode=
l
> it is more reasonable to
> just start being aggressive immediately.
> You probably want to base your estimates on `estimatesmartfee` and as a
> consequence you would re-bump
> (if needed )after each block connection, when your estimates get updated
> and you notice your
> transaction was not included in the block.
>
> In the event that you notice a consequent portion of the block is filled
> with transactions paying
> less than your own, you might want to start panicking and bump your
> transaction fees by a certain
> percentage with no consideration for your fee estimator. You might skew
> miners incentives in doing
> so: if you increase the fees by a factor of N, any miner with a fraction
> larger than 1/N of the
> network hashrate now has an incentive to censor your transaction at first
> to get you to panic. Also
> note this can happen if you want to pay the absolute fees for the
> 'pinning' attack mentioned in
> section #2, and that might actually incentivize miners to perform it
> themselves..
>
> The gist is that the most effective way to bump and rebump (RBF the Cance=
l
> tx) seems to just be to
> consider the `estimatesmartfee 2 CONSERVATIVE` feerate at every block you=
r
> tx isn't included in, and
> to RBF it if the feerate is higher.
> In addition, we fallback to a block chain based estimation when estimates
> aren't available (eg if
> the user stopped their WT for say a hour and we come back up): we use the
> 85th percentile over the
> feerates in the last 6 blocks. Sure, miners can try to have an influence
> on that by stuffing their
> blocks with large fee self-paying transactions, but they would need to:
> 1. Be sure to catch a significant portion of the 6 blocks (at least 2,
> actually)
> 2. Give up on 25% of the highest fee-paying transactions (assuming they
> got the 6 blocks, it's
>    proportionally larger and incertain as they get less of them)
> 3. Hope that our estimator will fail and we need to fall back to the
> chain-based estimation
>
>
> ## 8. Our study
>
> We essentially replayed the historical data with different deployment
> configurations (number of
> participants and timelock) and probability of an event occurring (event
> being say an Unvault, an
> invalid Unvault, a new delegation, ..). We then observed different metric=
s
> such as the time at risk
> (when we can't enforce all our contracts at the reserve feerate at the
> same time), or the
> operational cost.
> We got the historical fee estimates data from Statoshi [9], Txstats [10]
> and the historical chain
> data from Riccardo Casatta's `blocks_iterator` [11]. Thanks!
>
> The (research-quality..) code can be found at
> https://github.com/revault/research under the section
> "Fee bumping". Again it's very Revault specific, but at least the data ca=
n
> probably be reused for
> studying other protocols.
>
>
> ## 9. Insurances
>
> Of course, given it's all hacks and workarounds and there is no good
> answer to "what is a reasonable
> feerate up to which we need to make contracts enforceable onchain?", ther=
e
> is definitely room for an
> insurance market. But this enters the realm of opinions. Although i do
> have some (having discussed
> this topic for the past years with different people), i would like to kee=
p
> this post focused on the
> technical aspects of this problem.
>
>
>
> [0] As far as i can tell, having offchain contracts be enforceable onchai=
n
> by confirming a
> transaction before the expiration of a timelock is a widely agreed-upon
> approach. And i don't think
> we can opt for any other fundamentally different one, as you want to know
> you can claim back your
> coins from a contract after a deadline before taking part in it.
>
> [1] The Real Revault (tm) involves more transactions, but for the sake of
> conciseness i only
> detailed a minimum instance of the problem.
>
> [2] Only presigning part of the Unvault transactions allows to only
> delegate part of the coins,
> which can be abstracted as "delegate x% of your stash" in the user
> interface.
>
> [3]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-May/017835.h=
tml
>
> [4]
> https://github.com/revault/research/blob/1df953813708287c32a15e771ba74957=
ec44f354/feebumping/model/statemachine.py#L323-L329
>
> [5] https://github.com/bitcoin/bitcoin/pull/23121
>
> [6]
> https://github.com/revault/research/blob/1df953813708287c32a15e771ba74957=
ec44f354/feebumping/model/statemachine.py#L494-L507
>
> [7] Of course this assumes a combinatorial coin selection, but i believe
> it's ok given we limit the
> number of coins beforehand.
>
> [8] Although there is the argument to outbid a censorship, anyone
> censoring you isn't necessarily a
> miner.
>
> [9] https://www.statoshi.info/
>
> [10] https://www.statoshi.info/
>
> [11] https://github.com/RCasatta/blocks_iterator
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--0000000000002184d405d1f7b1b1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Darosior,<br><br>Nice work, few thoughts binding furthe=
r your model for Lightning.<br><br>&gt; For any delegated vault, ensure the=
 confirmation of a Cancel transaction in a configured number of<br>&gt; blo=
cks at any point. In so doing, minimize the overpayments and the UTxO set f=
ootprint. Overpayments<br>&gt; increase the burden on the watchtower operat=
or by increasing the required frequency of refills of the<br>&gt; fee-bumpi=
ng wallet, which is already the worst user experience. You are likely to ma=
nage a number of<br>&gt; UTxOs with your number of vaults, which comes at a=
 cost for you as well as everyone running a full<br>&gt; node.<br><br>For a=
ny opened channel, ensure the confirmation of a Commitment transaction and =
the children HTLC-Success/HTLC-Timeout transactions. Note, in the Lightning=
 security game you have to consider (at least) 4 types of players moves and=
 incentives : your node, your channel counterparties, the miners, the crowd=
 of bitcoin users. The number of the last type of players is unknown from y=
our node, however it should not be forgotten you&#39;re in competition for =
block space, therefore their block demands bids should be anticipated and r=
eacted to in consequence. With that remark in mind, implications for your L=
N fee-bumping strategy will be raised afterwards.<br><br>For a LN service p=
rovider, on-chain overpayments are bearing on your operational costs, thus =
downgrading your economic competitiveness. For the average LN user, overpay=
ment might price out outside a LN non-custodial deployment, as you don&#39;=
t have the minimal security budget to be on your own.<br><br>&gt; This open=
s up a pinning vector, or at least a significant nuisance: any other party =
can largely<br>&gt; increase the absolute fee without increasing the feerat=
e, leveraging the RBF rules to prevent you<br>&gt; from replacing it withou=
t paying an insane fee. And you might not see it in your own mempool and<br=
>&gt; could only suppose it&#39;s happening by receiving non-full blocks or=
 with transactions paying a lower<br>&gt; feerate.<br><br>Same issue with L=
ightning, we can be pinned today on the basis of replace-by-fee rule 3. We =
can be also blinded by network mempool partitions, a pinning counterparty c=
an segregate all the full-nodes=C2=A0 in as many subsets by broadcasting a =
revoked Commitment transaction different for each. For Revault, I think you=
 can also do unlimited partitions by mutating the ANYONECANPAY-input of the=
 Cancel.<br><br>That said, if you have a distributed towers deployment, spr=
ead across the p2p network topology, and they can&#39;t be clustered togeth=
er through cross-layers or intra-layer heuristics, you should be able to re=
liably observe such partitions. I think such distributed monitors are deplo=
yed by few L1 merchants accepting 0-conf to detect naive double-spend.<br><=
br>&gt; Unfortunately i know of no other primitive that can be used by mult=
i-party (i mean, &gt;2) presigned<br>&gt; transactions protocols for fee-bu=
mping that aren&#39;t (more) vulnerable to pinning.<br><br>Have we already =
discussed a fee-bumping &quot;shared cache&quot;, a CPFP variation ? Strawm=
an idea: Alice and Bob commit collateral inputs to a separate UTXO from the=
 main &quot;offchain contract&quot; one. This UTXO is locked by a multi-sig=
. For any Commitment transaction pre-signed, also counter-sign a CPFP with =
top mempool feerate included, spending a Commitment anchor output and the s=
hared-cache UTXO. If the fees spike,=C2=A0 you can re-sign a high-feerate C=
PFP, assuming interactivity. As the CPFP is counter-signed by everyone, the=
 outputs can be CSV-1 encumbered to prevent pinnings. If the share-cache is=
 feeded at parity, there shouldn&#39;t be an incentive to waste or maliciou=
sly inflate the feerate. I think this solution can be easily generalized to=
 more than 2 counterparties by using a multi-signature scheme. Big issue, i=
f the feerate is short due to fee spikes and you need to re-sign a higher-f=
eerate CPFP, you&#39;re trusting your counterparty to interact, though argu=
ably not worse than the current update fee mechanism.<br><br>&gt; For Light=
ning, it&#39;d mean keeping an equivalent amount of funds as the sum of all=
 your<br>channels balances sitting there unallocated &quot;just in case&quo=
t;. This is not reasonable.<br><br>Agree, game-theory wise, you would like =
to keep a full fee-bumping reserve, ready to burn as much in fees as the co=
ntested HTLC value, as it&#39;s the maximum gain of your counterparty. Thou=
gh perfect equilibrium is hard to achieve because your malicious counterpar=
ty might have an edge pushing you to broadcast your Commitment first by wit=
holding HTLC resolution.<br><br>Fractional fee-bumping reserves are much mo=
re realistic to expect in the LN network. Lower fee-bumping reserve, higher=
 liquidity deployed, in theory higher routing fees. By observing historical=
 feerates, average offchain balances at risk and routing fees expected gain=
s, you should be able to discover an equilibrium where higher levels of res=
erve aren&#39;t worth the opportunity cost. I guess this=C2=A0 equilibrium =
could be your LN fee-bumping reserve max feerate.<br><br>Note, I think the =
LN approach is a bit different from what suits a custody protocol like Reva=
ult,=C2=A0 as you compute a direct return of the frozen fee-bumping liquidi=
ty. With Revault, if you have numerous bitcoins protected, it&#39;s might b=
e more interesting to adopt a &quot;buy the mempool, stupid&quot; strategy =
than risking fund safety for few percentages of interest returns.<br><br>&g=
t; This is easier to reason about with a per-contract reserve.<br><br>For L=
ightning, this per-channel approach is safer too, as one Commitment transac=
tion pinned or jammed could affect the confirmation odds of your remaining =
LN Commitment transactions. <br><br>&gt; For your Lightning channel you wou=
ld probably take the maximum size of your commitment transaction<br>&gt; ac=
cording to your HTLC exposure settings + the size of as many `htlc_success`=
 transactions?<br><br>Yes, I guess it&#39;s your holder&#39;s `max_accepted=
_htcls` * `HTLC-Success weight` + counterparty&#39;s `max_accepted_htlcs` *=
 `HTLC-Timeout weight` Better to adopt this worst-case as the base transact=
ion weight to fee-bump, as currently we can&#39;t dynamically update channe=
l policies.<br><br>&gt; For some other applications with large transactions=
 and lower-value UTxOs on average it&#39;s<br>&gt; likely that only part of=
 the offchain contracts might be enforceable at a reasonable feerate. Is it=
<br>&gt; reasonable?<br><br>This is where the &quot;anticipate the crowd of=
 bitcoin users move&quot; point can be laid out. As the crowd of bitcoin us=
ers&#39; fee-bumping reserves are ultimately unknown from your node knowled=
ge, you should be ready to be a bit more conservative than the vanilla fee-=
bumping strategies shipped by default. In case of massive mempool congestio=
n, your additional conservatism might get your time-sensitive transactions =
and game on the crowd of bitcoin users. First Problem: if all offchain bitc=
oin software adopt that strategy we might inflate the worst-case feerate ra=
te at the benefit of the miners, without holistically improving block throu=
ghput. Second problem : your class of offchain bitcoin softwares might have=
 ridiculous fee-bumping reserve compared<br>to other classes of offchain bi=
tcoin softwares (Revault &gt; Lightning) and just be priced out bydesign in=
 case of mempool congestion. Third problem : as the number of offchain bitc=
oin applications should go up with time, your fee-bumping reserve levels ba=
sed from historical data might be always late by one &quot;bank-run&quot; s=
cenario.<br><br>For Lightning, if you&#39;re short in fee-bumping reserves =
you might still do preemptive channel closures, either cooperatively or uni=
laterally and get back the off-chain liquidity to protect the more economic=
ally interesting channels. Though again, that kind of automatic behavior mi=
ght be compelling at the individual node-level, but make the mempol congest=
ion worse holistically.<br><br>&gt; First of all, when to fee-bump? At fixe=
d time intervals? At each block connection?<br><br>In case of massive mempo=
ol congestion, you might try to front-run the crowd of bitcoin users relyin=
g on block connections for fee-bumping, and thus start your fee-bumping as =
soon as you observe feerate groups fluctuations in your local mempool(s).<b=
r><br>Also you might proceed your fee-bumping ticks on a local clock instea=
d of block connections in case of time-dilation or deeper eclipse attacks o=
f your local node. Your view of the chain might be compromised but not your=
 ability to broadcast transactions thanks to emergency channels (in the non=
-LN sense...though in fact quid of txn wrapped in onions ?) of communicatio=
n.<br><br>&gt; You might skew miners incentives in doing<br>&gt; so: if you=
 increase the fees by a factor of N, any miner with a fraction larger than =
1/N of the<br>&gt; network hashrate now has an incentive to censor your tra=
nsaction at first to get you to panic.<br><br>Yes I think miner-harvesting =
attacks should be weighed carefully in the design of offchain contracts fee=
-bumping strategies, at least in the future when the mining reward exhausts=
 further. I wonder if a more refined formula should encompass the miner los=
s for empty blocks and ensure this loss stays more substantial than the fee=
s increased. So something like computing &quot;for X censored blocks, the Y=
 average loss should be superior to the Z fee-bumping increase&quot;.<br><b=
r>&gt; Of course, given it&#39;s all hacks and workarounds and there is no =
good answer to &quot;what is a reasonable<br>&gt; feerate up to which we ne=
ed to make contracts enforceable onchain?&quot;, there is definitely room f=
or an<br>&gt; insurance market. <br><br>Yes, stay open the question on how =
you enforce this block insurance market. Reputation, which might be to avoi=
d due to the latent centralization effect, might be hard to stack and audit=
 reliably for an emergency mechanism running, hopefully, once in a halvenin=
g period. Maybe maybe some cryptographic or economically based mechanism on=
 slashing or swaps could be found...<br><br>Antoine<br></div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=C2=A0lun. 29 nov.=
 2021 =C3=A0=C2=A009:34, darosior via bitcoin-dev &lt;<a href=3D"mailto:bit=
coin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</=
a>&gt; a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex">Hi everyone,<br>
<br>
Fee-bumping is paramount to the security of many protocols building on Bitc=
oin, as they require the<br>
confirmation of a transaction (which might be presigned) before the expirat=
ion of a timelock at any<br>
point after the establishment of the contract.<br>
<br>
The part of Revault using presigned transactions (the delegation from a lar=
ge to a smaller multisig)<br>
is no exception. We have been working on how to approach this for a while n=
ow and i&#39;d like to share<br>
what we have in order to open a discussion on this problem so central to wh=
at seem to be The Right<br>
Way [0] to build on Bitcoin but which has yet to be discussed in details (a=
t least publicly).<br>
<br>
I&#39;ll discuss what we came up with for Revault (at least for what will b=
e its first iteration) but my<br>
intent with posting to the mailing list is more to frame the questions to t=
his problem we are all<br>
going to face rather than present the results of our study tailored to the =
Revault usecase.<br>
The discussion is still pretty Revault-centric (as it&#39;s the case study)=
 but hopefully this can help<br>
future protocol designers and/or start a discussion around what everyone&#3=
9;s doing for existing ones.<br>
<br>
<br>
## 1. Reminder about Revault<br>
<br>
The part of Revault we are interested in for this study is the delegation p=
rocess, and more<br>
specifically the application of spending policies by network monitors (watc=
htowers).<br>
Coins are received on a large multisig. Participants of this large multisig=
 create 2 [1]<br>
transactions. The Unvault, spending a deposit UTxO, creates an output payin=
g either to the small<br>
multisig after a timelock or to the large multisig immediately. The Cancel,=
 spending the Unvault<br>
output through the non-timelocked path, creates a new deposit UTxO.<br>
Participants regularly exchange the Cancel transaction signatures for each =
deposit, sharing the<br>
signatures with the watchtowers they operate. They then optionally [2] sign=
 the Unvault transaction<br>
and share the signatures with the small multisig participants who can in tu=
rn use them to proceed<br>
with a spending. Watchtowers can enforce spending policies (say, can&#39;t =
Unvault outside of business<br>
hours) by having the Cancel transaction be confirmed before the expiration =
of the timelock.<br>
<br>
<br>
## 2. Problem statement<br>
<br>
For any delegated vault, ensure the confirmation of a Cancel transaction in=
 a configured number of<br>
blocks at any point. In so doing, minimize the overpayments and the UTxO se=
t footprint. Overpayments<br>
increase the burden on the watchtower operator by increasing the required f=
requency of refills of the<br>
fee-bumping wallet, which is already the worst user experience. You are lik=
ely to manage a number of<br>
UTxOs with your number of vaults, which comes at a cost for you as well as =
everyone running a full<br>
node.<br>
<br>
Note that this assumes miners are economically rationale, are incentivized =
by *public* fees and that<br>
you have a way to propagate your fee-bumped transaction to them. We also do=
n&#39;t consider the block<br>
space bounds.<br>
<br>
In the previous paragraph and the following text, &quot;vault&quot; can gen=
erally be replaced with &quot;offchain<br>
contract&quot;.<br>
<br>
<br>
## 3. With presigned transactions<br>
<br>
As you all know, the first difficulty is to get to be able to unilaterally =
enforce your contract<br>
onchain. That is, any participant must be able to unilaterally bump the fee=
s of a transaction even<br>
if it was co-signed by other participants.<br>
<br>
For Revault we can afford to introduce malleability in the Cancel transacti=
on since there is no<br>
second-stage transaction depending on its txid. Therefore it is pre-signed =
with ANYONECANPAY. We<br>
can&#39;t use ANYONECANPAY|SINGLE since it would open a pinning vector [3].=
 Note how we can&#39;t leverage<br>
the carve out rule, and neither can any other more-than-two-parties contrac=
t.<br>
This has a significant implication for the rest, as we are entirely burning=
 fee-bumping UTxOs.<br>
<br>
This opens up a pinning vector, or at least a significant nuisance: any oth=
er party can largely<br>
increase the absolute fee without increasing the feerate, leveraging the RB=
F rules to prevent you<br>
from replacing it without paying an insane fee. And you might not see it in=
 your own mempool and<br>
could only suppose it&#39;s happening by receiving non-full blocks or with =
transactions paying a lower<br>
feerate.<br>
Unfortunately i know of no other primitive that can be used by multi-party =
(i mean, &gt;2) presigned<br>
transactions protocols for fee-bumping that aren&#39;t (more) vulnerable to=
 pinning.<br>
<br>
<br>
## 4. We are still betting on future feerate<br>
<br>
The problem is still missing one more constraint. &quot;Ensuring confirmati=
on at any time&quot; involves ensuring<br>
confirmation at *any* feerate, which you *cannot* do. So what&#39;s the lim=
it? In theory you should be ready<br>
to burn as much in fees as the value of the funds you want to get out of th=
e contract. So... For us<br>
it&#39;d mean keeping for each vault an equivalent amount of funds sitting =
there on the watchtower&#39;s hot<br>
wallet. For Lightning, it&#39;d mean keeping an equivalent amount of funds =
as the sum of all your<br>
channels balances sitting there unallocated &quot;just in case&quot;. This =
is not reasonable.<br>
<br>
So you need to keep a maximum feerate, above which you won&#39;t be able to=
 ensure the enforcement of<br>
all your contracts onchain at the same time. We call that the &quot;reserve=
 feerate&quot; and you can have<br>
different strategies for choosing it, for instance:<br>
- The 85th percentile over the last year of transactions feerates<br>
- The maximum historical feerate<br>
- The maximum historical feerate adjusted in dollars (makes more sense but =
introduces a (set of?)<br>
=C2=A0 trusted oracle(s) in a security-critical component)<br>
- Picking a random high feerate (why not? It&#39;s an arbitrary assumption =
anyways)<br>
<br>
Therefore, even if we don&#39;t have to bet on the broadcast-time feerate m=
arket at signing time anymore<br>
(since we can unilaterally bump), we still need some kind of prediction in =
preparation of making<br>
funds available to bump the fees at broadcast time.<br>
Apart from judging that 500sat/vb is probably more reasonable than 10sat/vb=
yte, this unfortunately<br>
sounds pretty much crystal-ball-driven.<br>
<br>
We currently use the maximum of the 95th percentiles over 90-days windows o=
ver historical block chain<br>
feerates. [4]<br>
<br>
<br>
## 5. How much funds does my watchtower need?<br>
<br>
That&#39;s what we call the &quot;reserve&quot;. Depending on your reserve =
feerate strategy it might vary over<br>
time. This is easier to reason about with a per-contract reserve. For Revau=
lt it&#39;s pretty<br>
straightforward since the Cancel transaction size is static: `reserve_feera=
te * cancel_size`. For<br>
other protocols with dynamic transaction sizes (or even packages of transac=
tions) it&#39;s less so. For<br>
your Lightning channel you would probably take the maximum size of your com=
mitment transaction<br>
according to your HTLC exposure settings + the size of as many `htlc_succes=
s` transaction?<br>
<br>
Then you either have your software or your user guesstimate how many offcha=
in contracts the<br>
watchtower will have to watch, time that by the per-contract reserve and re=
fill this amount (plus<br>
some slack in practice). Once again, a UX tradeoff (not even mentioning the=
 guesstimation UX):<br>
overestimating leads to too many unallocated funds sitting on a hot wallet,=
 underestimating means<br>
(at best) inability to participate in new contracts or being &quot;at risk&=
quot; (not being able to enforce<br>
all your contracts onchain at your reserve feerate) before a new refill.<br=
>
<br>
For vaults you likely have large-value UTxOs and small transactions (the Ca=
ncel is one-in one-out in<br>
Revault). For some other applications with large transactions and lower-val=
ue UTxOs on average it&#39;s<br>
likely that only part of the offchain contracts might be enforceable at a r=
easonable feerate. Is it<br>
reasonable?<br>
<br>
<br>
## 6. UTxO pool layout<br>
<br>
Now that you somehow managed to settle on a refill amount, how are you goin=
g to use these funds?<br>
Also, you&#39;ll need to manage your pool across time (consolidating small =
coins, and probably fanning<br>
out large ones).<br>
<br>
You could keep a single large UTxO and peel it as you need to sponsor trans=
actions. But this means<br>
that you need to create a coin of a specific value according to your need a=
t the current feerate<br>
estimation, hope to have it confirmed in a few blocks (at least for now! [5=
]), and hope that the<br>
value won&#39;t be obsolete by the time it confirmed. Also, you&#39;d have =
to do that for any number of<br>
Cancel, chaining feebump coin creation transactions off the change of the p=
revious ones or replacing<br>
them with more outputs. Both seem to become really un-manageable (and expen=
sive) in many edge-cases,<br>
shortening the time you have to confirm the actual Cancel transaction and c=
reating uncertainty about<br>
the reserve (how much is my just-in-time fanout going to cost me in fees th=
at i need to refill in<br>
advance on my watchtower wallet?).<br>
This is less of a concern for protocols using CPFP to sponsor transactions,=
 but they rely on a<br>
policy rule specific to 2-parties contracts.<br>
<br>
Therefore for Revault we fan-out the coins per-vault in advance. We do so a=
t refill time so the<br>
refiller can give an excess to pay for the fees of the fanout transaction (=
which is reasonable since<br>
it will occur just after the refilling transaction confirms). When the watc=
htower is asked to watch<br>
for a new delegated vault it will allocate coins from the pool of fanned-ou=
t UTxOs to it (failing<br>
that, it would refuse the delegation).<br>
What is a good distribution of UTxOs amounts per vault? We want to minimize=
 the number of coins,<br>
still have coins small enough to not overpay (remember, we can&#39;t have c=
hange) and be able to bump a<br>
Cancel up to the reserve feerate using these coins. The two latter constrai=
nts are directly in<br>
contradiction as the minimal value of a coin usable at the reserve feerate =
(paying for its own input<br>
fee + bumping the feerate by, say, 5sat/vb) is already pretty high. Therefo=
re we decided to go with<br>
two distributions per vault. The &quot;reserve distribution&quot; alone ens=
ures that we can bump up to the<br>
reserve feerate and is usable for high feerates. The &quot;bonus distributi=
on&quot; is not, but contains<br>
smaller coins useful to prevent overpayments during low and medium fee peri=
ods (which is most of the<br>
time).<br>
Both distributions are based on a basic geometric suite [6]. Each value is =
half the previous one.<br>
This exponentially decreases the value, limiting the number of coins. But t=
his also allows for<br>
pretty small coins to exist and each coin&#39;s value is equal to the sum o=
f the smaller coins,<br>
or smaller by at most the value of the smallest coin. Therefore bounding th=
e maximum overpayment to<br>
the smallest coin&#39;s value [7].<br>
<br>
For the management of the UTxO pool across time we merged the consolidation=
 with the fanout. When<br>
fanning out a refilled UTxO, we scan the pool for coins that need to be con=
solidated according to a<br>
heuristic. An instance of a heuristic is &quot;the coin isn&#39;t allocated=
 and would not have been able to<br>
increase the fee at the median feerate over the past 90 days of blocks&quot=
;.<br>
We had this assumption that feerate would tend to go up with time and there=
fore discarded having to<br>
split some UTxOs from the pool. We however overlooked that a large increase=
 in the exchange price of<br>
BTC as we&#39;ve seen during the past year could invalidate this assumption=
 and that should arguably be<br>
reconsidered.<br>
<br>
<br>
## 7. Bumping and re-bumping<br>
<br>
First of all, when to fee-bump? At fixed time intervals? At each block conn=
ection? It sounds like,<br>
given a large enough timelock, you could try to greed by &quot;trying your =
luck&quot; at a lower feerate and<br>
only re-bumping every N blocks. You would then start aggressively bumping a=
t every block after M<br>
blocks have passed. But that&#39;s actually a bet (in disguised?) that the =
next block feerate in M blocks<br>
will be lower than the current one. In the absence of any predictive model =
it is more reasonable to<br>
just start being aggressive immediately.<br>
You probably want to base your estimates on `estimatesmartfee` and as a con=
sequence you would re-bump<br>
(if needed )after each block connection, when your estimates get updated an=
d you notice your<br>
transaction was not included in the block.<br>
<br>
In the event that you notice a consequent portion of the block is filled wi=
th transactions paying<br>
less than your own, you might want to start panicking and bump your transac=
tion fees by a certain<br>
percentage with no consideration for your fee estimator. You might skew min=
ers incentives in doing<br>
so: if you increase the fees by a factor of N, any miner with a fraction la=
rger than 1/N of the<br>
network hashrate now has an incentive to censor your transaction at first t=
o get you to panic. Also<br>
note this can happen if you want to pay the absolute fees for the &#39;pinn=
ing&#39; attack mentioned in<br>
section #2, and that might actually incentivize miners to perform it themse=
lves..<br>
<br>
The gist is that the most effective way to bump and rebump (RBF the Cancel =
tx) seems to just be to<br>
consider the `estimatesmartfee 2 CONSERVATIVE` feerate at every block your =
tx isn&#39;t included in, and<br>
to RBF it if the feerate is higher.<br>
In addition, we fallback to a block chain based estimation when estimates a=
ren&#39;t available (eg if<br>
the user stopped their WT for say a hour and we come back up): we use the 8=
5th percentile over the<br>
feerates in the last 6 blocks. Sure, miners can try to have an influence on=
 that by stuffing their<br>
blocks with large fee self-paying transactions, but they would need to:<br>
1. Be sure to catch a significant portion of the 6 blocks (at least 2, actu=
ally)<br>
2. Give up on 25% of the highest fee-paying transactions (assuming they got=
 the 6 blocks, it&#39;s<br>
=C2=A0 =C2=A0proportionally larger and incertain as they get less of them)<=
br>
3. Hope that our estimator will fail and we need to fall back to the chain-=
based estimation<br>
<br>
<br>
## 8. Our study<br>
<br>
We essentially replayed the historical data with different deployment confi=
gurations (number of<br>
participants and timelock) and probability of an event occurring (event bei=
ng say an Unvault, an<br>
invalid Unvault, a new delegation, ..). We then observed different metrics =
such as the time at risk<br>
(when we can&#39;t enforce all our contracts at the reserve feerate at the =
same time), or the<br>
operational cost.<br>
We got the historical fee estimates data from Statoshi [9], Txstats [10] an=
d the historical chain<br>
data from Riccardo Casatta&#39;s `blocks_iterator` [11]. Thanks!<br>
<br>
The (research-quality..) code can be found at <a href=3D"https://github.com=
/revault/research" rel=3D"noreferrer" target=3D"_blank">https://github.com/=
revault/research</a> under the section<br>
&quot;Fee bumping&quot;. Again it&#39;s very Revault specific, but at least=
 the data can probably be reused for<br>
studying other protocols.<br>
<br>
<br>
## 9. Insurances<br>
<br>
Of course, given it&#39;s all hacks and workarounds and there is no good an=
swer to &quot;what is a reasonable<br>
feerate up to which we need to make contracts enforceable onchain?&quot;, t=
here is definitely room for an<br>
insurance market. But this enters the realm of opinions. Although i do have=
 some (having discussed<br>
this topic for the past years with different people), i would like to keep =
this post focused on the<br>
technical aspects of this problem.<br>
<br>
<br>
<br>
[0] As far as i can tell, having offchain contracts be enforceable onchain =
by confirming a<br>
transaction before the expiration of a timelock is a widely agreed-upon app=
roach. And i don&#39;t think<br>
we can opt for any other fundamentally different one, as you want to know y=
ou can claim back your<br>
coins from a contract after a deadline before taking part in it.<br>
<br>
[1] The Real Revault (tm) involves more transactions, but for the sake of c=
onciseness i only<br>
detailed a minimum instance of the problem.<br>
<br>
[2] Only presigning part of the Unvault transactions allows to only delegat=
e part of the coins,<br>
which can be abstracted as &quot;delegate x% of your stash&quot; in the use=
r interface.<br>
<br>
[3] <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020=
-May/017835.html" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxf=
oundation.org/pipermail/bitcoin-dev/2020-May/017835.html</a><br>
<br>
[4] <a href=3D"https://github.com/revault/research/blob/1df953813708287c32a=
15e771ba74957ec44f354/feebumping/model/statemachine.py#L323-L329" rel=3D"no=
referrer" target=3D"_blank">https://github.com/revault/research/blob/1df953=
813708287c32a15e771ba74957ec44f354/feebumping/model/statemachine.py#L323-L3=
29</a><br>
<br>
[5] <a href=3D"https://github.com/bitcoin/bitcoin/pull/23121" rel=3D"norefe=
rrer" target=3D"_blank">https://github.com/bitcoin/bitcoin/pull/23121</a><b=
r>
<br>
[6] <a href=3D"https://github.com/revault/research/blob/1df953813708287c32a=
15e771ba74957ec44f354/feebumping/model/statemachine.py#L494-L507" rel=3D"no=
referrer" target=3D"_blank">https://github.com/revault/research/blob/1df953=
813708287c32a15e771ba74957ec44f354/feebumping/model/statemachine.py#L494-L5=
07</a><br>
<br>
[7] Of course this assumes a combinatorial coin selection, but i believe it=
&#39;s ok given we limit the<br>
number of coins beforehand.<br>
<br>
[8] Although there is the argument to outbid a censorship, anyone censoring=
 you isn&#39;t necessarily a<br>
miner.<br>
<br>
[9] <a href=3D"https://www.statoshi.info/" rel=3D"noreferrer" target=3D"_bl=
ank">https://www.statoshi.info/</a><br>
<br>
[10] <a href=3D"https://www.statoshi.info/" rel=3D"noreferrer" target=3D"_b=
lank">https://www.statoshi.info/</a><br>
<br>
[11] <a href=3D"https://github.com/RCasatta/blocks_iterator" rel=3D"norefer=
rer" target=3D"_blank">https://github.com/RCasatta/blocks_iterator</a><br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--0000000000002184d405d1f7b1b1--