[bitcoin-dev] A Comparison Of LN and Drivechain Security In The Presence Of 51% Attackers

ZmnSCPxj ZmnSCPxj at protonmail.com
Thu Feb 24 12:49:00 UTC 2022 

Good morning lightning-dev and bitcoin-dev,

Recently, some dumb idiot, desperate to prove that recursive covenants are somehow a Bad Thing (TM), [necromanced Drivechains][0], which actually caused Paul Sztorc to [revive][1] and make the following statement:

> As is well known, it is easy for 51% hashrate to double-spend in the LN, by censoring 'justice transactions'. Moreover, miners seem likely to evade retribution if they do this, as they can restrain the scale, timing, victims, circumstances etc of the attack.

Let me state that, as a supposed expert developer of the Lightning Network (despite the fact that I probably spend more time ranting on the lists than actually doing something useful like improve C-Lightning or CLBOSS), the above statement is unequivocally ***true***.

However, I believe that the following important points must be raised:

* A 51% miner can only attack LN channels it is a participant in.
* A 51% miner can simultaneously attack all Drivechain-based sidechains and steal all of their funds.

In order for "justice transactions" to come into play, an attacker has to have an old state of a channel.
And only the channel participants have access to old state (modulo bugs and operator error on not being careful of toxic waste, but those are arguably as out of scope as operator error not keeping your privkey safe, or bugs that reveal your privkey).

If the 51% miner is not a participant on a channel, then it simply has no access to old state of the channel and cannot even *start* the above theft attack.
If the first step fails, then the fact that the 51% miner can perform the second step is immaterial.

Now, this is not a perfect protection!
We should note that miners are anonymous and it is possible that there is already a 51% miner, and that that 51% miner secretly owns almost all nodes on the LN.
However, even this also means there is some probability that, if you picked a node at random to make a channel with, then there is some probability that it is *not* a 51% miner and you are *still* safe from the 51% miner.

Thus, LN usage is safer than Drivechain usage.
On LN, if you make a channel to some LN node, there is a probability that you make a channel with a non-51%-miner, and if you luck into that, your funds are still safe from the above theft attack, because the 51% miner cannot *start* the attack by getting old state and publishing it onchain.
On Drivechain, if you put your funds in *any* sidechain, a 51% miner has strong incentive to attack all sidechains and steal all the funds simultaneously.

--

Now, suppose we have:

* a 51% miner
* Alice
* Bob

And that 51% miner != Alice, Alice != Bob, and Bob != 51% miner.

We could ask: Suppose Alice wants to attack Bob, could Alice somehow convince 51% miner to help it steal from Bob?

First, we should observe that *all* economically-rational actors have a *time preference*.
That is, N sats now is better than N sats tomorrow.
In particular, both the 51% miner *and* Alice the attacker have this time preference, as does victim Bob.

We can observe that in order for Alice to benefit from the theft, it has to *wait out* the `OP_CSV` before it can finalize the theft.
Alice can offer fees to the miner only after the `OP_CSV` delay.

However, Bob can offer fees *right now* on the justice transaction.
And the 51% miner, being economically rational, would prefer the *right now* funds to the *maybe later* promise by Alice.

Indeed, if Bob offered a justice transaction paying the channel amount minus 1 satoshi (i.e. Bob keeps 1 satoshi), then Alice has to beat that by offering the entire channel amount to the 51% miner.
But the 51% miner would then have to wait out the `OP_CSV` delay before it gets the funds.
Its time preference may be large enough (if the `OP_CSV` delay is big enough) that it would rather side with Bob, who can pay channel amount - 1 right now, than Alice who promises to pay channel amount later.

"But Zeeman, Alice could offer to pay now from some onchain funds Alice has, and Alice can recoup the losses later!"
But remember, Alice *also* has a time preference!
Let us consider the case where Alice promises to bribe 51% miner *now*, on the promise that 51% miner will block the Bob justice transaction and *then* Alice gets to enjoy the entire channel amount later.
Bob can counter by offering channel amount - 1 right now on the justice transaction.
The only way for Alice to beat that is to offer channel amount right now, in which case 51% miner will now side with Alice.

But what happens to Alice in that case?
It loses out on channel amount right now, and then has to wait `OP_CSV` delay, to get the exact same amount later!
It gets no benefit, so this is not even an investment.
It is just enforced HODLing, but Alice can do that using `OP_CLTV` already.

Worse, Alice has to trust that 51% miner will indeed block the justice transaction.
But if 51% miner is unscrupulous, it could do:

* Get the bribe from Alice right now.
* After the bribe from Alice confirms, confirm the justice transaction (which has a bribe from Bob).
* Thus:
  * Alice loses the channel amount.
  * Bob keeps 1 satoshi.
  * 51% miner gets channel amount + channel amount - 1.

Now of course, we can eliminate the need for trust by using some kind of smart contract.
Unfortunately for Alice, there is no contract that Alice and 51% miner can engage in, to ensure that 51% miner will block the justice transaction, which itself does *not* require that 51% miner wait out the `OP_CSV` delay.
Either the payment from Alice to 51% miner is delayed (and the 51% miner suffers the time preference discount) or the 51% miner has to offer a bond that only gets released after the Alice theft succeeds (and again the 51% miner suffers the time preference discount on that bond).

Thus, due to the `OP_CSV` delay, the honest participant always has the upper hand, even in a 51% miner scenario.
If your channel is *not* with the 51% miner, your funds are still safe.

--

Now, we might consider, what if the 51% miner always blocks *all* Lightning-related transactions?
In that case, it loses out on any bribes that any LN participants would offer.

Further, with Taproot, a mutual LN channel close is indistinguishable from a singlesig spend.
Thus, not all LN-related transactions can be censored by the 51% miner.
Extensive use of Taproot Tapleaves can also make it difficult for a 51% miner to differentiate between LN and other protocols (though that *does* mean we should probably e.g. coordiante with other protocols like CoinSwap, CoinPool etc. so that the "shape" of Taproot Tapleaves is consistent across protocols).

--

A final note: in the presence of channel factories, the *entire* factory is at risk if at least one participant is the 51% miner or a sockpuppet thereof.
Thus, channel factories trade off even further scaling, at the cost of reduced protection against 51% miners.


Regards,
ZmnSCPxj

[0]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019976.html
[1]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-February/019978.html

More information about the bitcoin-dev mailing list