[bitcoin-dev] SAS: Succinct Atomic Swap

[ZmnSCPxj]

Good morning Dmitry,

> I made a version of the TLA+ spec according to the suggested variant,
> as I understood it from your description. This version is in
> the separate branch in the SASwap repo, 'variant_ZmnSCPxj' [1]
>
> If I understood and specified your variant correctly, there is a
> deadlock possible after step 9, if Bob fails to publish success tx in
> time. After refund tx becomes spendable, Alice cannot publish it via
> mempool, because Bob can learn her secret and has a chance invalidate
> her refund tx by giving his success tx to friendly miner, while taking
> back the locked LTC because both secrets are known. At the same time,
> Bob cannot publish success tx via mempool, because then Alice can do
> the same thing, invalidating his success tx with refund tx via friednly
> miner.

Indeed, this is precisely the issue Ruben pointed out.

Rationally, neither side will want this condition due to the deadlock and Bob will strive to avoid this, having a short real-world timeout after which Bob will force publication of the success tx if Alice does not respond in time.
There *is* a reason why it says "Bob claims the BTC funding txo before L1."

Of course, computers do crash occasionally, I am informed, so complete accidents may occur that way.
This can be mitigated by running multiple servers who are given copies of the success tx, and which will publish it regardless after a short sidereal time duration, unless countermanded by the main server (i,e, a dead man switch system).
With sufficient distribution the probability of this occurring can drop to negligible levels compared to other theoretical attacks.

Regards,
ZmnSCPxj