From nicolas.dorier at gmail.com Wed Nov 29 07:40:13 2017 From: nicolas.dorier at gmail.com (Nicolas Dorier) Date: Wed, 29 Nov 2017 16:40:13 +0900 Subject: [Lightning-dev] BOLT3: Commitment Transaction Outputs is weak to malleability In-Reply-To: References: Message-ID: Actually this was merged as policy rules in 0.14, not 0.15.1. Not as bad as I thought, but still a bit uneasy about someone malleating my transaction. Another way to fix the situation which would not require the BOLT to change is to enable RBF of the Penalty transaction so Eve transaction would be replaced by the initial one. Nicolas, On Wed, Nov 29, 2017 at 4:11 PM, Nicolas Dorier wrote: > I noticed the Commitment Transaction Output script is weak to > malleability, this can be used to delay confirmation of the revocation. > Luckily, fixing the situation does not require lots of development. > > ``` > OP_IF > # Penalty transaction > > OP_ELSE > `to_self_delay` > OP_CSV > OP_DROP > > OP_ENDIF > OP_CHECKSIG > ``` > > An attacker can delay the Penalty Transaction by malleating it. Which can > lead to very bad outcome as Lightning dependant on time locks. > > The penalty transaction would have. > > ``` > 1 > ``` > > Problem is that Eve could malleate OP_1 into a positive, huge number. This > would have for effect to fill the mempool of nodes/miners with the > malleated version which will have an higher fee rate, delaying the > confirmation of the penalty transaction. > > Now, there is a policy rule called SCRIPT_VERIFY_MINIMALIF by jl2012 which > was merged into v0.15.1. (https://github.com/bitcoin/bi > tcoin/commit/c72c5b1e3bd42e84465677e94aa83316ff3d9a14) > > I guess that by the time LN is ready, 0.15.1 will be spread enough among > miners, but still I think a 2 bytes overhead is well worth the fix. > > ``` > 1 OP_EQUAL OP_IF > # Penalty transaction > > OP_ELSE > `to_self_delay` > OP_CSV > OP_DROP > > OP_ENDIF > OP_CHECKSIG > ``` > > Nicolas, > -------------- next part -------------- An HTML attachment was scrubbed... URL: