From a.ranchalpedrosa at gmail.com Tue Apr 16 00:14:59 2019 From: a.ranchalpedrosa at gmail.com (Alejandro Ranchal Pedrosa) Date: Tue, 16 Apr 2019 10:14:59 +1000 Subject: [Lightning-dev] Broken Factory Attack Message-ID: Hi all, This is the second of three related different emails on the topic, through which I will explain what, to my understanding, is the state of the construction of channel factories. Knowing what a stale factory situation is, let's have a look at the only off-chain proposal that claims to solve this situation: the splice-out mechanism [1]. I will explain why this mechanism can be easily attacked in what we call the Broken Factory attack [2]. Suppose a factory created between Alice, Bob, Carol and Dave, with channels F_{AC}, F_{AB}, F_{BC} and F_{CD} (F for "funding"), for instance: ???? Alice??? Bob??? Carol??? Dave ??????? \????? \?????? /????? / ????????? \???? \???? /????? / ??????????? \??? |??? |??? / ??????????????? H_{ABCD} ?????????????????? | ??????????????? A^0_{ABCD} ???????????? /?? |?????? |?? \ ?????????? /???? |?????? |???? \ ???????? /?????? |?????? |?????? \ ???? F_{AC}??? F_{AB}?? F_{BC}?? F_{CD} ??? /??????????? |?????? |????????? | R^1_{AC}????? R^1_{AB} R^1_{BC}?? R^1_{CD} Where H_{ABCD} and A^0_{ABCD} refer to the Hook and Allocation transactions of the factory, the equivalents of the Funding and Refunding transactions of channels, respectively. Suppose now that Dave, meaning that they cannot update the channel factory. If they wanted to perform a factory-level update, the splice-out mechanism should let them do that by redirecting outputs of the channels of the factory a new factory (sort of creating a factory within the factory): ???? Alice??? Bob??? Carol??? Dave ??????? \????? \?????? /????? / ????????? \???? \???? /????? / ??????????? \??? |??? |??? / ??????????????? H_{ABCD} ?????????????????? | ??????????????? A^0_{ABCD} ???????????? /?? |?????? |?? \ ?????????? /???? |?????? |???? \ ???????? /?????? |?????? |?????? \ ???? F_{AC}??? F_{AB}?? F_{BC}?? F_{CD} ??? /??????????? |?????? |????????? | R^1_{AC}????? #R^1_{AB}# R^1_{BC}?? R^1_{CD} ????? \?????????? |????? | ???????? \??????? |???? / ?????????? \????? |??? / ????????????? *H_{ABC}* And within this new Hook, Alice Bob and Carol can reorder the funds in new channels as they lack. However, notice that the new Hook (marked with "*") takes the outputs of 2-party off-chain channels. Suppose now that, after creating the new hook, Alice and Bob pay in this new factory to Carol, through some new channels they created. Carol believes the splice-out mechanism works and so accepts these off-chain payments. Right after, Alice and Bob can update their former channel state (marked with "#" in the above image) and invalidate the state R^1_{AB}, making it older than a new state R^2_{AB}. This invalidates one of the inputs of the new Hook H_{ABC}, invalidating the transaction and the whole new factory. Therefore, Alice and Bob have stolen from Carol. This is what we call a Broken Factory, and which proves that the splice-out mechanism is not possible, at least without a race condition. -- Alejandro Ranchal-Pedrosa [1]: Scalable Funding of Bitcoin MicropaymentChannel Networks [2]: Scalable Lightning Factories for Bitcoin