From rusty at rustcorp.com.au Mon May 2 05:07:22 2016
From: rusty at rustcorp.com.au (Rusty Russell)
Date: Mon, 02 May 2016 14:37:22 +0930
Subject: [Lightning-dev] Oversize preimage attack.
Message-ID: <871t5lf3p1.fsf@rustcorp.com.au>

Hi all!

I'm about to modify the HTLC scripts for the first time in a while to prepend: "OP_SIZE 32 OP_EQUALVERIFY". It means that even timing out an HTLC requires a 32 byte value (say, all-zeroes), but it's the simplest and shortest change.

Without this, the length of a scriptsig which redeems a transaction was ill-defined. The wire protocol requires a 32-byte R preimage to redeem a HTLC, but there was no such on-chain restriction.

An attacker could create an HTLC which requires a different-size preimage to redeem, then drop the commit tx to the blockchain and redeem it. A node couldn't use that preimage via the wire protocol.

Or require a 110k preimage to redeem, drop to the blockchain, then redeem it by sending direct to a miner. A node trying to use that preimage would create a non-standard transaction, which may not propagate.

Similarly with an almost 4MB preimage which requires you to grind out a tiny signature to redeem in a tx small enough...

I'm also dropping the per-side HTLC limit from 1500 to 450 in BOLT #2. This means that a single "steal" transaction which spends all the inputs is still under 400k cost (thanks segwit!), simplifying the protocol.

Cheers,
Rusty.
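
An added example, not part of the original message and not code from any Lightning implementation: a toy evaluator for the few opcodes involved, showing that a hash-locked branch accepts a preimage of any length until "OP_SIZE 32 OP_EQUALVERIFY" is prepended. The use of OP_SHA256 for the hash lock, the helper names and the sample preimages are assumptions; signature checks and the timeout branch are not modelled.

```python
import hashlib

def run_script(script, stack):
    """Evaluate a tiny subset of Bitcoin Script; True if it ends with true on top."""
    stack = list(stack)
    for op in script:
        if isinstance(op, (bytes, int)):       # data or small-number push
            stack.append(op)
        elif op == "OP_SIZE":                  # push length of top item, item stays
            if not stack:
                return False
            stack.append(len(stack[-1]))
        elif op == "OP_SHA256":
            if not stack:
                return False
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op in ("OP_EQUAL", "OP_EQUALVERIFY"):
            if len(stack) < 2:
                return False
            equal = stack.pop() == stack.pop()
            if op == "OP_EQUAL":
                stack.append(equal)
            elif not equal:                    # VERIFY form aborts the script
                return False
        else:
            raise ValueError(f"unsupported opcode: {op}")
    return bool(stack) and stack[-1] is True

def preimage_branch(payment_hash, with_size_check):
    """Hash-lock branch only (hypothetical helper); the prefix is the one from the mail."""
    prefix = ["OP_SIZE", 32, "OP_EQUALVERIFY"] if with_size_check else []
    return prefix + ["OP_SHA256", payment_hash, "OP_EQUAL"]

def redeemable(preimage, with_size_check):
    """Whoever offers the HTLC picks the hash, so hash the chosen preimage."""
    payment_hash = hashlib.sha256(preimage).digest()
    return run_script(preimage_branch(payment_hash, with_size_check), [preimage])

# Constructed sample preimages: wire-sized, one byte over, and 110k.
SAMPLES = {"32 bytes": b"\x01" * 32, "33 bytes": b"\x01" * 33, "110k": b"\x01" * 110_000}

if __name__ == "__main__":
    for name, preimage in SAMPLES.items():
        print(name, "| no check:", redeemable(preimage, False),
              "| with check:", redeemable(preimage, True))
```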