Require to claim revoked local output in its own penalty tx post-anchor #803
Conversation
|
I think we can allow spending them all in a single tx, but perhaps recommend something like "if confirmation doesn't happen within X blocks from expiry, to_local should be swept separately as it might be pinned etc". |
|
I agree with @halseth, it's worth mentioning this potential attack (good find!) but we should be more permissive with implementers. |
05-onchain.md
Outdated
| Note: if `option_anchor_outputs` applies, the cheating node can pin spends of its | ||
| HTLC-timeout/HTLC-success outputs thanks to SIGHASH_SINGLE malleability. | ||
| Using a single penalty transaction for all revoked outputs is thus unsafe as it | ||
| could be blocked to propagate long enough for the `_local node's main output_ 's |
There was a problem hiding this comment.
IMO it's worth nothing more of the subtly here. If they're pinning, then in order to even get into the mempool, they're likely paying a relatively high fee, which means that if they do confirm, then there's the CSV period on the second level. Also the defender can mix things up themselves, by only sweeping one of the HTLC outputs, which would then invalidate the entire "tree" (possibly needing to pay high enough fees?) of the attacker.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
05-onchain.md
Outdated
| @@ -513,7 +513,10 @@ A local node: | |||
| using the revocation private key. | |||
| - SHOULD extract the payment preimage from the transaction input witness, if | |||
| it's not already known. | |||
| - MAY use a single transaction to *resolve* all the outputs. | |||
| - if `option_anchor_outputs` applies: | |||
| - MUST *resolve* the _local node's main output_ in its own penalty transaction | |||
There was a problem hiding this comment.
Perhaps this should be "should" instead? As there're other ways to defend against this, for example: sweep every output in its own transaction.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
|
OK, lots of good discussion at meeting about this. The spec says MAY, because if you do make one bit tx, you need to split (as HTLC txs can race you), but you also need to split because your big tx might be pinned. It's worth noting this, for sure, but I think we can be simpler; also why pick on the to-local output? In theory any output could be largest, and you want that one. |
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
This comment was marked as abuse.
05-onchain.md
Outdated
| - MAY use a single transaction to *resolve* all the outputs. | ||
| - if confirmation doesn't happen before reaching `security_delay` blocks from | ||
| expiry: | ||
| - MUST *resolve* revoked outputs in their own, separate penalty transactions. A previous |
There was a problem hiding this comment.
Feels like SHOULD is more correct here, since the sweeping node is aware of the risk and should be allowed to do as it pleases.
There was a problem hiding this comment.
I agree, @ariard I think this is the last pending point before we merge, what do you think?
There was a problem hiding this comment.
We've got the ACKs on this, should we wait til this is addressed? paging @ariard
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
If `option_anchor_outputs` applies, the cheating node can pin spends of its HTLC-timeout/HTLC-success outputs thanks to SIGHASH_SINGLE malleability. Using a single penalty transaction for all revoked outputs is thus unsafe as it could be blocked to propagate long enough for the `_local node's main output_ 's relative timelock to expire and the cheating party escaping the penalty on this output.
This comment was marked as abuse.
This comment was marked as abuse.
|
Merging as agreed during the last spec meeting. |
See lightning/bolts#803 This protect the justice claim of counterparty revoked output. As otherwise if the all the revoked outputs claims are batched in a single transaction, low-feerate HTLCs transactions can delay our honest justice claim transaction until BREAKDOWN_TIMEOUT expires.
If
option_anchor_outputsapplies, the cheating node can pin spends of itsHTLC-timeout/HTLC-success outputs thanks to SIGHASH_SINGLE malleability.
Using a single penalty transaction for all revoked outputs is thus unsafe as it
could be blocked to propagate long enough for the `local node's main output 's
relative timelock to expire and the cheating party escaping the penalty on this
output.
I think we may just make this an unconditional requirement, indifferently of anchors.