Date: Sat, 04 Jul 2020 21:05:34 +0000
To: "David A. Harding" <dave@dtrt.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <iywK1t3ddjnrn5h4bhLTHNJdKJpCjn9PmuI4eueLw_QOEgEovahDvdbm4gd74roj5eq5KT6b2oXRCNdi8omn0E4pTaRL_wxpOxvifY2l5wE=@protonmail.com>
In-Reply-To: <20200628164132.mmpimgcrxpai2gnb@ganymede>
References: <CABT1wW=X35HRVGuP-BHUhDrkBEw27+-iDkNnHWjRU-1mRkn0JQ@mail.gmail.com>
<CABT1wW=KWtoo6zHs8=yUQ7vAYcFSdAzdpDJ9yfw6sJrLd6dN5A@mail.gmail.com>
<ahTHfoyyTpBrMiKdJWMn9Qa8CMCEd1-y8OXPSjsDmttTOVC3zGuDoSHkm_oOe5mBYgIAY7jOPocQhLW29n544xFsqVyq51NFApvaFYYSvFY=@protonmail.com>
<CABT1wWknczx62uCpJPWku-KeYuaFvJHrvOS74YzqfoVe5x=edg@mail.gmail.com>
<20200628164132.mmpimgcrxpai2gnb@ganymede>
Cc: Matan Yehieli <matany@campus.technion.ac.il>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
Itay Tsabary <sitay@campus.technion.ac.il>
Subject: Re: [bitcoin-dev] MAD-HTLC

Good morning Dave,
> > > - Inputs:
> > >   - Bob 1 BTC - HTLC amount
> > >   - Bob 1 BTC - Bob fidelity bond
> > > - Cases:
> > >   - Alice reveals hashlock at any time:
> > >     - 1 BTC goes to Alice
> > >     - 1 BTC goes to Bob (fidelity bond refund)
> > >   - Bob reveals bob-hashlock after time L:
> > >     - 2 BTC goes to Bob (HTLC refund + fidelity bond refund)
> > >   - Bob cheated, anybody reveals both hashlock and bob-hashlock:
> > >     - 2 BTC goes to miner
> > >
> > > [...]
> >
> > The cases you present are exactly how MAD-HTLC works. It comprises two
> > contracts (UTXOs):
> >
> > - Deposit (holding the intended HTLC tokens), with three redeem paths:
> >   - Alice (signature), with preimage "A", no timeout
> >   - Bob (signature), with preimage "B", timeout T
> >   - Any entity (miner), with both preimages "A" and "B", no timeout
> > - Collateral (the fidelity bond, doesn't have to be of the same amount)
> >   - Bob (signature), no preimage, timeout T
> >   - Any entity (miner), with both preimages "A" and "B", timeout T
>
> I'm not sure these are safe if your counterparty is a miner. Imagine Bob
> offers Alice a MAD-HTLC. Alice knows the payment preimage ("preimage
> A"). Bob knows the bond preimage ("preimage B") and he's the one making
> the payment and offering the bond.
>
> After receiving the HTLC, Alice takes no action on it, so the timelock
> expires. Bob publicly broadcasts the refund transaction with the bond
> preimage. Unbeknownst to Bob, Alice is actually a miner and she uses her
> pre-existing knowledge of the payment preimage plus her received
> knowledge of the bond preimage to privately attempt mining a transaction
> that pays her both the payment ("deposit") and the bond ("collateral").
>
> Assuming Alice is a non-majority miner, she isn't guaranteed to
> succeed---her chance of success depends on her percentage of the network
> hashrate and how much fee Bob paid to incentivize other miners to
> confirm his refund transaction quickly. However, as long as Alice has a
> non-trivial amount of hashrate, she will succeed some percentage of the
> time in executing this type of attack. Any of her theft attempts that
> fail will leave no public trace, perhaps lulling users into a false
> sense of security.

This note seems to have gotten missed in discussion.

Another note is that from what I can tell, the preimages "A" and "B" can be provided by any miner.

If the fund value plus the collateral is large enough, it may incentivize competing miners to reorg the chain, redirecting the funds of the MAD-HTLC to themselves, rather than advance the blockchain state, at least until alternative transactions bump their fees up enough that the collateral + fund is matched.

This may not apply to Lightning at least if you do not go beyond the Wumbo limit, but *could* apply to e.g. SwapMarket, if it uses MAD-HTLCs.

Regards,
ZmnSCPxj
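
A toy model of the two MAD-HTLC redeem-path sets quoted above, replayed through the miner-counterparty scenario Dave describes. This is an added example and not code from the MAD-HTLC paper, its authors, or any Bitcoin implementation: signatures are replaced by a `signer` name, hashlocks by SHA-256, the timeout by an assumed integer height `T`, and the preimage values are constructed sample bytes. The function and class names (`deposit_path`, `collateral_path`, `Witness`, `miner_counterparty_scenario`) are this example's own.

```python
# Toy model of the MAD-HTLC Deposit/Collateral redeem paths as described in
# the thread, plus the miner-counterparty scenario. Added example only; not
# code from the MAD-HTLC paper or from any Bitcoin implementation. Signature
# checks, hashlocks and timeouts are simplified stand-ins (assumptions).
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional

T = 100  # assumed timeout height shared by both UTXOs


def hashlock(preimage: bytes) -> bytes:
    """Hashlock commitment; SHA-256 is an assumption for the model."""
    return hashlib.sha256(preimage).digest()


@dataclass(frozen=True)
class Witness:
    signer: Optional[str]        # stand-in for whose signature is present
    preimages: FrozenSet[bytes]  # preimages revealed in the witness
    height: int                  # height of the block containing the spend


def _knows(w: Witness, hash_a: bytes, hash_b: bytes):
    has_a = any(hashlock(p) == hash_a for p in w.preimages)
    has_b = any(hashlock(p) == hash_b for p in w.preimages)
    return has_a, has_b


def deposit_path(w: Witness, hash_a: bytes, hash_b: bytes) -> Optional[str]:
    """Deposit UTXO: Alice+A (no timeout), Bob+B after T, or anyone with A and B."""
    has_a, has_b = _knows(w, hash_a, hash_b)
    if w.signer == "Alice" and has_a:
        return "alice"
    if w.signer == "Bob" and has_b and w.height >= T:
        return "bob"
    if has_a and has_b:
        return "anyone"
    return None


def collateral_path(w: Witness, hash_a: bytes, hash_b: bytes) -> Optional[str]:
    """Collateral UTXO: Bob after T with no preimage, or anyone with A and B after T."""
    has_a, has_b = _knows(w, hash_a, hash_b)
    if w.height < T:
        return None
    if w.signer == "Bob":
        return "bob"
    if has_a and has_b:
        return "anyone"
    return None


def miner_counterparty_scenario():
    """Replay Dave's scenario: Bob's refund reveals B while Alice already holds A."""
    preimage_a = b"constructed payment preimage A"  # constructed sample values
    preimage_b = b"constructed bond preimage B"
    hash_a, hash_b = hashlock(preimage_a), hashlock(preimage_b)

    # Before T, Alice can take the deposit with A alone but never the collateral.
    alice_early = Witness("Alice", frozenset({preimage_a}), T - 1)
    early = (deposit_path(alice_early, hash_a, hash_b),
             collateral_path(alice_early, hash_a, hash_b))

    # At T, Bob broadcasts his refund; its witness carries B, so B is now public.
    bob_refund = Witness("Bob", frozenset({preimage_b}), T)
    refund = (deposit_path(bob_refund, hash_a, hash_b),
              collateral_path(bob_refund, hash_a, hash_b))

    # Alice knows A and has just learned B. She needs no signature at all:
    # a block she mines herself can spend both UTXOs via the "anyone" path.
    alice_steal = Witness(None, frozenset({preimage_a, preimage_b}), T)
    steal = (deposit_path(alice_steal, hash_a, hash_b),
             collateral_path(alice_steal, hash_a, hash_b))

    # A third party who saw Bob's refund but never learned A gets nothing.
    outsider = Witness(None, frozenset({preimage_b}), T)
    outsider_result = (deposit_path(outsider, hash_a, hash_b),
                       collateral_path(outsider, hash_a, hash_b))

    return {"alice_before_T": early, "bob_refund": refund,
            "alice_as_miner": steal, "outsider": outsider_result}


if __name__ == "__main__":
    for name, result in miner_counterparty_scenario().items():
        print(f"{name}: deposit -> {result[0]}, collateral -> {result[1]}")
```

The model only evaluates spendability; whether Alice's block actually confirms ahead of Bob's refund is the hashrate race Dave describes, which it does not simulate. Note that the `alice_steal` witness carries no signer, so the same witness serves any other miner who has seen both preimages, which is the point about competing miners and reorg incentives in the reply above.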