Date: Thu, 7 Aug 2014 01:03:50 +0000
From: Peter Todd <pete@petertodd.org>
To: bitcoin-development@lists.sourceforge.net
Message-ID: <20140807010350.GC9272@localhost.localdomain>
Subject: [Bitcoin-development] SIGHASH_ANYONECANPAY extra inputs DoS attack


tl;dr: Transactions with SIGHASH_ANYONECANPAY-using inputs can be DoS
attacked by attackers adding extra inputs to them that make the fee/byte
paid unfavorable to miners, while still being high enough to be relayed.
While just a nuisance DoS attack, this is a serious obstacle towards
using ANYONECANPAY.


Background: What uses ANYONECANPAY?
-----------------------------------

1) Crowdfunds/assurance contracts: e.g. Hearn's upcoming Lighthouse, as
well as Armory's implementation.

2) Fee bumping: receiver or sender can add inputs w/ ANYONECANPAY to get
a tx confirmed without the (expensive) overhead of a second CPFP tx.

3) Privacy: inputs are more deniable in some cases, e.g. dust used for
fees, which anyone could have added.

4) Replace-by-fee scorched earth: best implementations(1) depend on fee
bumping.


Partial defense: replace-by-fee
-------------------------------

The attacker's modified transaction will usually, but not always, be
replaced by the intended one as the latter will have higher fees.
However replace-by-fee implementations must charge adequately for
network bandwidth consumed, so there will be edge-cases where the
replacement does not happen.


Transaction fee/byte optimization
---------------------------------

Each input that does not use SIGHASH_ALL can be evaluated in terms of
whether or not it increases the fees/byte paid by the transaction. Thus
we can optimize a transaction to pay the highest fees/byte by doing the
following:

    def optimize_tx(tx):
        tx2 = CTransaction(vin=[], vout=tx.vout, nLockTime=tx.nLockTime)

        for txin in <tx.vin sorted by fees/byte>:
            if <txin depends on other txins>:
                continue

            if <tx2 is valid>:
                prev_fee_per_byte = tx2.fees / len(tx2.serialized())
                tx2.vin.append(txin)
                if tx2.fees / len(tx2.serialized()) < prev_fee_per_byte:
                    # adding txin decreased fees/byte
                    tx2.vin.pop()
                    return tx2

            else:
                tx2.vin.append(txin)

        return tx

Essentially, txins that reduce the profitability of the transaction are
dropped, including the attacker's added txins. Meanwhile, txins that
increase the profitability can be added by anyone.
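
A runnable model of the optimization above, added here as an illustration and not code from the original post. The TxIn class, BASE_SIZE, the byte sizes and the satoshi values are constructed assumptions; every input is treated as independent (ANYONECANPAY), and "valid" means only that the input value covers the output value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TxIn:
    label: str
    value: int  # satoshis in the output being spent
    size: int   # bytes this input adds to the serialized transaction

BASE_SIZE = 44  # assumed bytes for version, counts, one output and nLockTime

def fee(vin, out_value):
    return sum(i.value for i in vin) - out_value

def fee_rate(vin, out_value):
    return fee(vin, out_value) / (BASE_SIZE + sum(i.size for i in vin))

def optimize_inputs(vin, out_value):
    """Keep the inputs that maximise fee/byte; drop the rest."""
    kept = []
    # Best value-per-byte first, so the first input that lowers the rate
    # proves every later input would lower it too.
    for txin in sorted(vin, key=lambda i: i.value / i.size, reverse=True):
        if fee(kept, out_value) < 0:
            kept.append(txin)  # outputs not yet covered: still needed
        elif fee_rate(kept + [txin], out_value) < fee_rate(kept, out_value):
            break
        else:
            kept.append(txin)
    return kept

# Constructed sample: two pledges fund a 100,000-satoshi output, a third
# party adds a fee-bump input, and an attacker pads the tx with dust inputs.
OUT_VALUE = 100_000
PLEDGES = [TxIn("pledge-A", 60_000, 148), TxIn("pledge-B", 50_000, 148)]
BUMP = TxIn("fee-bump", 20_000, 148)
DUST = [TxIn(f"dust-{n}", 546, 148) for n in range(20)]

if __name__ == "__main__":
    attacked = DUST + PLEDGES + [BUMP]
    best = optimize_inputs(attacked, OUT_VALUE)
    print(f"as relayed: {fee_rate(attacked, OUT_VALUE):.2f} sat/byte")
    print(f"optimized:  {fee_rate(best, OUT_VALUE):.2f} sat/byte",
          [i.label for i in best])
```

The fee-bump input survives because it raises fees/byte, while the padded dust inputs are dropped because each one lowers it.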


1) "[Bitcoin-development] Replace-by-fee scorched-earth without child-pays-for-parent",
   Apr 28th 2014, Peter Todd,
   https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg05211.html

