From rusty at rustcorp.com.au Wed Aug 12 01:06:57 2015 From: rusty at rustcorp.com.au (Rusty Russell) Date: Wed, 12 Aug 2015 10:36:57 +0930 Subject: [Lightning-dev] Attacking the lightning network In-Reply-To: <20150811201547.GA6503@lightning.network> References: <20150811201547.GA6503@lightning.network> Message-ID: <87fv3pl3gu.fsf@rustcorp.com.au> Joseph Poon writes: > Hi Anthony, > > Yes, reorg attacks are definitely a known with Bitcoin. You can send > money to an exchange and then double-spend withdraw several > confirmations later if you have infinite hashrate. > > With lightning, I think to fund the channel, the minimum confirmation > times should be fairly high (even above 6 confirms). I'm not so sure: speed matters, and I expect that there will be some competition on this basis. There's a significant benefit in taking single-block confirms under normal circumstances: the median wait will be 3.5 minutes. With 6 blocks, it's closer to 53 minutes (I think?) You don't need to allow them to spend their entire anchor from the start though, I guess. Risk management *handwave* Cheers, Rusty. I assumed you'd > > The nice thing about payment channels is that after it's set up, you > don't worry about confirmation times if it's off-chain. For that reason, > confirmation times (and block mining rate, ~10 minutes) matters a lot > less. > > On Wed, Aug 12, 2015 at 03:38:16AM +0800, Anthony Towns wrote: >> Hi, >> >> This is probably just stating the obvious. Sometimes that's useful though, >> and maybe this is one of those times! >> >> When setting up a new channel with an untrusted counterparty, you will wait >> for N confirmations of their anchor transactions. Further, N might be well >> known and common amongst a lot of lightning hubs (if it's not, then it will >> be hard to know how long setting up a channel will take). What if N is too >> small, and I can afford to do a double-spend despite M (M > N) >> confirmations as long as it gains me $X? >> >> Then I do the following: >> >> - I open one or more anonymous channels, capable of receiving at least $X >> - I start the doublespend fork >> - I then simultaneously construct multiple lightning channels, funding >> them at $d each. >> - I wait for N confirmations so my new channels are active. >> - I quickly route multiple payments from my new channels to my anonymous >> channels until I can't send anymore >> - I publish the doublespending fork, so that my $d*n never got spent >> - I close my original anonymous channels gaining $X <= $d*n >> >> The only people worse off are the ones who opened the $d channels after N >> confirmations -- any intermediary hubs are fine. Those hubs didn't have to >> commit any funds to the new channels for the attack to work; the money they >> lose was that in other channels they used to route my payments forwards. >> >> With onion routing, none of the ripped off hubs need know where the money >> ended up, so there's not a lot of potential to do iron pipe cryptography to >> get your money back. >> >> The only constraints here (I think) are: >> >> - how many channels you can open in M-N blocks >> - you have to have >$X funds available in the first place to commit to the >> double spend >> - how much capacity the lightning network actually has in routable bitcoin >> >> If it costs 1.4*25*M bitcoin to mount a doublespend attack over M blocks >> (ie bribing 67% of hashpower for the time it normally takes to do 2*M >> blocks), and you can open 2000 channels per block, then that gives >> >> X > 1.4*25*M >> n < 2000*(M-N) >> >> X < d*n = d*2000*(M-N) >> >> 1.4*25*M < X < d*2000*(M-N) >> 35/2000 * M < d * (M-N) >> 35/2000 * (1 + N/(M-N)) < d??? >> >> Setting N = 12, M = 15 gives: >> >> d = 35/2000 * (1+4) = 7/80 >> n = 6000 >> >> so you're putting up 525 bitcoin by flooding the blockchain with anchor >> transactions, sending it to yourself over lightning, then doublespending >> the original 525 btc at a cost of spending ~505 btc on hashpower. Expensive >> ($157k capital to make $6k profit), but still worthwhile (3.8% ROI in ~6 >> hours is 16% a day, or about 5e25 % annualised...) >> >> Maybe if you make N depend on d you could mitigate this though -- something >> like, if you to put "$d" on your side of the channel, you'll have to wait >> for 5+(d*2000/25)*2 confirmations. So a $50 channel is d=.2 BTC, which is >> ~37 confirmations, or about 6 hours. Increasing the blocksize (number of >> channels openable per block) or lowering the block reward (decreasing the >> cost of a doublespend fork) increases the confirmations required though... >> >> Cheers, >> aj >> >> -- >> Anthony Towns > >> _______________________________________________ >> Lightning-dev mailing list >> Lightning-dev at lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev > > > -- > Joseph Poon > _______________________________________________ > Lightning-dev mailing list > Lightning-dev at lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev