<div dir="ltr">(tl;dr Ideally network mempools should be an efficient marketplace leading to discovery of best-feerate blockspace demand by miners. It's not due to current anti-DoS rules assumptions and it's quite harmful for shared-utxo protocols like LN)<br><div><br>Hello all,<br><br><div>Lightning security model relies on the unilateral capability
for a channel participant to confirm transactions, like timing out an
outgoing HTLC, claiming an incoming HTLC or punishing a revoked
commitment transaction and thus enforcing onchain a balance negotiated
offchain. This security model is actually turning back the double-spend
problem to a private matter, making the duty of each channel participant
to timely enforce its balance against the competing interest of its
counterparties. Or laid out otherwise, contrary to a miner violating a
consensus rules, base layer peers don't care about your LN node failing
to broadcast a justice transaction before the corresponding timelock
expiration (CSV delay).<br><br>Ensuring effective propagation and timely
confirmation of LN transactions is so a critical-safety operation. Its efficiency should be always evaluated with regards
to base layer network topology, tx-relay propagation rules, mempools
behaviors, consistent policy applied by majority of nodes and ongoing
blockspace demand. All these components are direct parameters of LN
security. Due to the network being public, a malicious channel
counterparty do have an incentive to tweak them to steal from you.<br><br>The
pinning attacks which have been discussed since a few months are a
direct illustration of this model. Before digging into each pinning
scenario, few properties of the base layer components should be evocated [0].<br><br>Network mempools aren't guaranteed to be convergent, the local
order of events determines the next events accepted. I.e Alice may
observe tx X, tx Y, tx Z and Bob may observe tx Z, tx X, tx Y. If tx Z
disable-RBF and tx X try to replace Z, Alice accepts X and Bob rejects
it. This divergence may persevere until a new block.<br><br>Tx-relay
topology can be observed by spying nodes [1]. An attacker can exploit
this fact to partition network mempools in different subset and hamper
propagation across them of same-spending output concurrent transactions. If subset X
observes Alice commitment transaction and subset Y observes Bob
commitment transaction, Alice's HTLC-timeout spending her commitment
won't propagate beyond the X-Y set boundaries. An attacker can always win the propagation race through massive connections or bypassing tx-relay privacy timers.<br><br>Miners mempools
are likely identifiable, you could announce a series of conflicting
transactions to different subsets of the network and observe "tainted"
block composition to assign to each subset a miner mempool. I'm not
aware of any research on this, but it sounds plausible to identify all
power-miner mempool, i.e the ones likely to mine a block during the
block delay of the timelock you're looking to exploit. If you can't bid a transaction in such miner mempools your channel state will stale and your funds may be in danger.<br><br>### Scenario 1) HTLC-Preimage Pinning<br><br>As
Matt previously explained in his original mail on RBF-pinning, a
malicious counterparty has an interest to pin a low-feerate
HTLC-preimage transaction in some network mempools and thus preventing a
honest HTLC-timeout to confirm. For details, refer to Optech newsletter
[2].<br><br>This scenario doesn't bear any risk to the attacker, is
easy to execute and has double-digit rate of success. You don't assume
network topologies manipulation, mempools partitions or
LN-node-to-full-node mapping [3] That said this should be solved
by implementing and deploying anchor outputs, which effectively allows a
party to unilaterally bump feerate of its HTLC-timeout transactions.<br><br>### The Anchor Output Proposal <br><br>Anchor
Output proposal is a current spec object implemented by the LN dev
community, it introduces the ability to _unilaterally_ and
_dynamically_ bump feerate of any commitment transaction. It also opened
the way to bump local 2nd-stage transactions.<br><br>Beyond solving
scenario 1), it makes LN node safe with regards to unexpected mempool
congestion. If your commitment transaction is stucking in network mempools you can bump its feerate by attaching a CPFP on the new `to_local` anchor. If the remote commitment gets stuck in network mempools, you're able to bump it by attaching a CPFP on the `to_remote` anchor. This should keep your safe against an unresponsive or lazy counterparty in case of onchain funds to claim.<br></div><div><br>IMO, it comes with
a trade-off as it introduces a mapping oracle, i.e a linking vector between a LN node and its full-node. In this case, a spying node may establish a dummy, low-value channel with a probed LN node, break it by broadcasting thousands of different versions of the (revoked) commitment and observes which one broadcast a CPFP first on the p2p layer. Obviously, you can mitigate it by not chasing after low-value HTLC, but that is a small risk of money loss. As of today, this oracle can be seen as
acceptable as we have other ones and we may get rid of it in the future.<br><br>### Scenario 2a) Revoked Commitment Transaction Pinning<br><br>Digging
further, we found that there are more concerning scenarios of pinning,
at the commitment-tx level. At a period of low-feerate, a malicious
party incessantly updates a channel until to obtain ~10k revoked
commitment transactions.<br><br>At a period of mempool-congestion, by
having setup a fine-grained `dust_limit_satoshis` and at same-time
circulary routing HTLCs, our malicious party can inflate absolute fee of
its own commitment bounded while breaking channel in the middle of an
update sequence, ensuring it has a higher-fee than the commitment of the
honest counterparty. As channel opener, the attacker has the amplitude of malleating the victim's commitment such to keep it equal or under revoked feerate.<br><br>Then our malicious party broadcast to each
base layer public peer one of the revoked commitment transactions,
that way partitioning the network mempools in 10k subset. Even assuming
anchor output a honest LN node won't be able to confirm the remote
commitment through a CPFP, this one failing to cross subset boundaries,
the parent txid being different at each.<br><br>Broadcasting the honest
commitment transaction will fail, its feerate being known and malleable
it won't RBF already-in-mempool remote commitment transactions. This
prevents an honest party to timely timeout an outgoing HTLC or an
incoming HTLC.<br><br>This scenario does bear a low-risk to the
attacker, is easy to execute and has a likely double-digit rate of
success once you tune feerate malleability. You assume mempools
partitions but not any network topologies discovery. We underscore there is no current p2p/mempool mechanism to learn about conflicting transactions, even learning about near-topology conflicts don't guarantee you that a propagation path is uniform to make your CPFP successful.<br><br>### Scenario 2b) Previous-Latest Commitment Transaction Pinning<br><br>A
variant of commitment-tx pinning is to rely only on valid commitment
transactions. Channel update sequence not being atomic, you can legally
own 2 valid commitment transactions. An attacker can successfully map a
LN-node's full-node and such, announce one of them and the other one to
the rest of the network. A honest peer will fail to leverage the
`to_remote` anchor output as its CPFP won't propagate again over network
mempools partitions.<br><br>This scenario doesn't bear a risk to the
attacker, is medium to execute and has a likely double-digit rate of
success. You assume mempools partitions and inter-layer mapping. How
hard is it to map a LN-node to a full-node ? Actually you can use the
fact that a LN-node's full-node is monitoring the mempool for a preimage
of interest and observe the announcement of such preimage on the
offchain layer. As post-anchor HTLC-Success transactions are malleable
you can once again create mass-conflicts to isolate the full-node and
improve the probe with high certainty.<br><br>### Where Package Relay helps <br><br>Solving
scenario 2a) and 2b) in the most efficient way is likely to require
package relay support on the Core side. Package relay would extend the
notion of a mempool package (topologically ordered bundles of transactions) to introduce a new
class of p2p traffic. So far its implementation has been delayed due to
refactoring mempool internals, ensuring a DoS-robust design and a p2p PR pipeline already congested. <br><br>Once
deployed, a LN node would be able to join a commitment transaction and a
CPFP together and make them evaluated atomically by network mempools
such to evict any malicious remote commitment assuming a higher feerate.<br><br>### Scenario 3) Network-Topology-Aware Pinning for Propagation Obstruction<br><br>Let's assume the following base layer tx-relay topology:<br><br> Alice ---> Bob ---> Caroll<br><br>Alice
wants to send her package relay to Caroll the miner to get her
commitment transaction confirmed. A malicious counterparty could throw
remote commitment W in Bob mempool and remote commitment X in Caroll
mempool. Transaction W would be attached to a high-fee CPFP Y.
Transaction X would be attached to a low-fee CPFP Z such that X pins in
Caroll mempool. CPFP Y and CPFP Z would be crafted such as both
incorporating a conflicting parent to prevent Bob and Caroll mempool
convergence. It looks like the following:<br><br></div><div>Bob's mempool:<br></div><div>tx W ---> tx Y</div><div>parent 1 ---> tx Y</div><div><br></div><div>Caroll's mempool:</div><div>tx X ---> tx Z</div><div>parent 2 ---> tx Z<br><br></div><div>Bob's mempool would announce and send package "tx W + tx Y + parent 1" to Caroll's one and due to parent 1 and parent 2 spending the same output package would be rejected. High-fee package W will prevent Alice to
successfully broadcast her package to Caroll. This fee can be higher
than the maximum one that Alice would pay to confirm her transaction, as
due to conflicts, it won't be _effectively_ paid by the malicious counterparty.<br><br>This
scenario does bear a risk to the attacker only if miner mempools haven't been well-mapped and high-fee package leak into them, is hard to execute but has a likely double-digit rate
of success. It assumes mempool partitions, network topology knowledge
and inter-layer mapping.<br><br>### Current Mempool Design Flaws in the lights of Contracting Applications with Competing Interests<br><br>Scenario
3) does illustrate a current flaw of mempool with regards to
contracting applications with competing interests. A counterparty can
leverage network propagation rules to prevent miners' mempools to
discover the best feerate package and thus not having to pay the real
fee price to successfully obstrucate broadcast of honest package relay
spending the same output.<br><br>These network propagation rules, namely
RBF opt-in, have been designed to protect network mempools
against any DoS but don't protect a single-party against its shared-utxo
co-owners. Amending these rules to enable mempool-convergence based on
feerate will enable a honest bid market for contracting applications and
ensure network-wise higher feerate. Getting this right will require significant study as you may allow total mempool fees to decrease when the transactions are near the bottom of the mempool. At first sight, it sounds incentives-compatible, as miner a) gets the highest fee bid b) an attacker does have to compete on feerate to attempt stealing. <br></div><div><br></div><div>Assuming a basic package relay to evict low-feerate malicious commitment, an alternative proposal could be to introduce outbound tx-relay peers rotation to sweep and reach ~80% of the network in less than HTLC timelocks. Your LN node's full node will _probabilistically_ connect to a miner mempool and announce to it the best feerate package. Making the tx-relay topology more dynamic would make it harder for an attacker to make package obstruction effective. IMHO, it sounds easier on the engineering-side, but likely worse for privacy due to the aggressive broadcast pattern.<br><br></div><div>Another alternative could be to have more ad hoc privacy-preserving redundant tx-broadcast.<br><br></div><div>A fourth proposal, Matt's one, is to design some blind-CPFP package relay with a pointer to original funding outpoint to rebind on-the-flight but it does assume noinput.<br></div><div><br>### Conclusion<br></div><div><br>To the
best of my knowledge, assuming mempools congestion levels we have seen in
the past months, currently deployed LN peers aren't secure against
scenario 2a) and 2b) to any motivated attackers with a decent knowledge
of both layers. Further, ensuring scenario 3) security requires heavy,
long-term work at the base layer.<br><br>IMO, we should a) go forward with anchor proposal implementation, it comes with trade-off but enables mempool-congestion safety, b) work on package relay to solve commitment-level pinning, c) study best base layer mechanism to ensure best feerate package discovery by any miner's mempools and d) in the meanwhile increase delta and deadline timelocks.<br><br></div><div>Thoughts ?<br></div><div><br></div><div>Thanks to Matt and t-bast for conversations.<br></div><div><br>Cheers,<br><br>Antoine <br></div><div><br></div><div>[0] For newcomers, see also t-bast's great piece on LN's transactions : <a href="https://github.com/t-bast/lightning-docs/blob/master/lightning-txs.md">https://github.com/t-bast/lightning-docs/blob/master/lightning-txs.md</a></div><div><br>[1] And current state of opinions is obfuscating tx-relay topology is a hard problem <br><a href="https://github.com/bitcoin/bitcoin/pull/15759#issuecomment-480398802" target="_blank">https://github.com/bitcoin/bitcoin/pull/15759#issuecomment-480398802</a><br><br>[2] <a href="https://bitcoinops.org/en/newsletters/2020/04/29/#new-attack-against-ln-payment-atomicity" target="_blank">https://bitcoinops.org/en/newsletters/2020/04/29/#new-attack-against-ln-payment-atomicity</a><br><br>[3] Obviously all these scenarios do have a setup cost scoping channel opening onchain fees and<br>rebalancing but it's order(s) of magnitude lower if you can steal from meaningful channels.</div></div></div>