[bitcoin-dev] OP_BEFOREBLOCKVERIFY - discussing and opcode that invalidates a spend path after a certain block

Billy Tetrud billy.tetrud at gmail.com
Sun Jun 13 22:12:21 UTC 2021


I've thought of a third mitigation I think might be sufficient for you,
Russell, even if neither changing what receivers of coins define as a
finalized transaction nor disallowing block height from be specified by the
script witness are not sufficient for some reason.

Consider a rule increasing the weight of a transaction using OP_BBV by 1%
for each block within 100 blocks that the transaction is mined into. Eg, if
a spend-path using OP_BBV is mined into a block that is greater than 100
blocks before the expiry, no additional weight is added, if the block is
exactly 100 blocks from expiry the weight is increased by 1%, if the block
is 6 blocks away from expiry the weight is 2.54 times as large (1.01^94),
etc. This way, if someone tried to program the passive auto-double-spend
wallet, they'd have to spend over 2 times as much in fees as they would
otherwise. Also, since the increase in weight is only about 6% over the
span of 6 blocks, that is unlikely to affect the transaction's
profitability to mine much, so it would be ineffective to program the
auto-double-spend wallet to simply send transactions that expire within 101
blocks, because miners would highly likely still mine in that transaction
in subsequent blocks during a reorg.

In any case, I see 3 different solutions to the attack vector you brought
up (modifying receiver finalization definition, disallowing inputs to the
script to determine block height, and gradual transaction weight increase
near expiry). Any one of them seems to solve the problem you presented.

On Sat, Jun 12, 2021 at 11:48 AM Billy Tetrud <billy.tetrud at gmail.com>
wrote:

> >  I'll just send my about-to-expire transactions directly to miners and
> they will probably mine them because they are, in fact, valid, and pay
> fees.  Why wouldn't they mine it?
>
> You've misunderstood me. When I said "change what counts as finalization",
> what I meant is for the receiver of coins, not for mining or relay. For
> example, if you buy coffee with an OP_BBV output that expires in the next
> block, the merchant will be able to see that there's one confirmation on
> your transaction. But they should also be able to see a warning saying that
> the transaction has not finalized and they must wait for 6 confirmations
> before treating payment as complete. This way, in the case that a reorg
> happens and it doesn't contain the transaction, the merchant will not have
> given the coffee yet, and their software will be able to tell them that the
> payment has been reversed.
>
> > I think the RBF flag ought to be removed from consideration and every
> transaction should be considered RBFable
>
> I agree with that. Making the assumption that a non-RBF transaction won't
> be replaced isn't a great assumption.
>
> > This indirection is how OP_CLTV and OP_CSV work
>
> I see. Thanks for the explanation.
>
>
> On Sat, Jun 12, 2021 at 8:58 AM Russell O'Connor <roconnor at blockstream.com>
> wrote:
>
>>
>> On Sat, Jun 12, 2021 at 3:59 AM Billy Tetrud <billy.tetrud at gmail.com>
>> wrote:
>>
>>> >  taproot annex
>>>
>>> From what I can tell, the annex is basically additional inputs to a
>>> script that might have additional constraints put on it. Is that right? I
>>> don't quite follow how moving the max height to the annex helps script
>>> caching here. I wasn't able to find much information on how the annex is
>>> envisioned to be used. Would you mind elaborating on how this would work?
>>>
>>> Also, I think the proposal as it stands already addresses script caching
>>> (in the Transaction Evaluation section
>>> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/bbv/bip-beforeblockverify.md#transaction-evaluation>).
>>> The result of the script can be cached as long as the cache item also
>>> contains information requiring just the OP_BBV to be re-evaluated (for the
>>> relevant block).
>>>
>>
>> The normal approach for this problem would be a design that adds an
>> "annex field" (where the details on how to delimit annex fields is not yet
>> standardized) for a maxheight value, and add a consensus rule that
>> transaction with one (or more?) maxheight fields are invalid in blocks
>> whose height exceeds this (or any) maxheight value.  Then you could/would
>> add an OP code to push a copy of the (smallest) maxheight value from the
>> annex onto the stack or maybe an opcode to compare a stack item with this
>> (every) maxheight value from the annex.  This indirection is how OP_CLTV
>> and OP_CSV work and this indirection makes script validity cacheable
>> because script remains a function of the transaction data only.  Since
>> transaction data doesn't change, neither does the outcome of script
>> evaluation. The rule that invalidates late transactions looks only at the
>> annex and is independent of any script evaluation considerations.
>>
>>
>>> > this auto-double-spend wallet would send every payment with an annex value
>>> that limits the payment to being valid only up to the next block
>>>
>>> One possible solution to that would be to require that the input to
>>> OP_BBV to be in the script itself and not originate from the witness.
>>>
>>> Regardless, I think the ideal solution is to not have any of these such
>>> rules if we can simply change the definition for what counts as
>>> finalization to account for the fact that BBV transactions mined close to
>>> their expiration. Is there a reason this finalization-redefinition is not
>>> an adequate solution?
>>>
>>
>> Generally speaking, you cannot solve security problems through optional
>> and completely voluntary transaction relay policy.  I'll just send my
>> about-to-expire transactions directly to miners and they will probably mine
>> them because they are, in fact, valid, and pay fees.  Why wouldn't they
>> mine it?
>>
>> (Yes, I know this logic also applies to RBF flagged transactions.
>> Indeed, you cannot rely on an RBF flag to prevent double spending,  Yes I
>> think the RBF flag ought to be removed from consideration and every
>> transaction should be considered RBFable.  Maybe that even happens to be my
>> own node's relay policy.)
>>
>> I apologize, but I don't think I have further time to engage in an idea
>> that I don't consider likely to achieve broad community support.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210613/c5131f01/attachment.html>


More information about the bitcoin-dev mailing list