From rusty at rustcorp.com.au Mon Mar 28 23:47:24 2016
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Tue, 29 Mar 2016 10:17:24 +1030
Subject: [Lightning-dev] Breach tx vulnerability & CPFP attack
In-Reply-To: <55C4F22D-C7D0-40E7-8910-B008BA4842C0@gmail.com>
References: <55C4F22D-C7D0-40E7-8910-B008BA4842C0@gmail.com>
Message-ID: <874mbqcghf.fsf@rustcorp.com.au>

Jérôme Legoupil writes:
> Alice has a channel with Bob, let's say 50BTC on each side, and after some time, the channel ends up with 100BTC in Bob's favour (so Alice has 0BTC in that channel)
>
> Alice broadcasts the obsolete 50/50BTC commitment tx as well as her revocable tx: Multisig tx -> Alice 50BTC, OP_CSV.
>
> When Bob sees that, he broadcasts his breach tx, but it's not being picked up in blocks. Why? Alice followed up by broadcasting (or privately sending to major pools) the tx: Alice 50BTC -> Alice 25BTC. She is offering miners to share Bob's 50BTC with her.

Hi Jerome!

Nasty. Fortunately, this attack doesn't work very well without a mining cartel (though it's a very acute demonstration of why censorship avoidance is important!).

For miner M, Alice's tx is worth 25BTC * P(M mines block) * P(nobody else mines Bob's tx). If we assume everyone is locally profit maximizing, that last term depends on how many small miners there are (a 0.1% miner might see Alice's tx as worth 0.025 BTC, but they're individually not likely to get a block in the 36-block CSV window).

Peter Todd once said small miners are more important than big miners (maybe it was in person; I can't find it with a quick google). This is why.

Cheers,
Rusty.
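
A simplified model of the expected-value argument in the message above, added here as an example and not part of the original post. It assumes blocks are won independently in proportion to hashrate share and that Bob's breach tx confirms in the first block won by a miner who does not withhold it; the two hashrate distributions and the `min_share_to_withhold` threshold are constructed for illustration.

```python
# Added example: simplified model of the bribe described in the message.
# Assumptions (not from the thread): each block is won independently with
# probability equal to hashrate share, and Bob's breach tx confirms in the
# first block won by any miner who does not withhold it.

CSV_WINDOW = 36      # blocks, from the message
BRIBE_BTC = 25.0     # amount Alice offers to miners, from the message


def censor_probability(withholding_share, window=CSV_WINDOW):
    """P(no non-withholding miner wins a block during the CSV window)."""
    if not 0.0 <= withholding_share <= 1.0:
        raise ValueError("share must be within [0, 1]")
    return withholding_share ** window


def bribe_value(miner_share, withholding_share, bribe=BRIBE_BTC, window=CSV_WINDOW):
    """bribe * P(M mines block) * P(nobody else mines Bob's tx)."""
    return bribe * miner_share * censor_probability(withholding_share, window)


def evaluate(shares, min_share_to_withhold):
    """Miners at or above the threshold withhold Bob's tx; the rest mine it."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("hashrate shares must sum to 1")
    withholding = sum(s for s in shares.values() if s >= min_share_to_withhold)
    return {
        "withholding_share": withholding,
        "p_bob_censored": censor_probability(withholding),
        "value_btc": {m: bribe_value(s, withholding) for m, s in shares.items()
                      if s >= min_share_to_withhold},
    }


# Constructed hashrate distributions (illustrative only, not real pool data).
CARTEL = {"A": 0.50, "B": 0.30, "C": 0.19, "tiny": 0.01}
DIVERSE = {"A": 0.30, "B": 0.20, **{f"small{i}": 0.01 for i in range(50)}}

if __name__ == "__main__":
    for name, dist in (("cartel", CARTEL), ("diverse", DIVERSE)):
        r = evaluate(dist, min_share_to_withhold=0.05)
        print(name, round(r["withholding_share"], 2), f"{r['p_bob_censored']:.3g}")
```

With 99% of hashrate withholding, Bob's breach tx is kept out of the whole window about 70% of the time; with half the hashrate held by small miners who mine it, the probability drops below 1e-10.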