[Lightning-dev] HTLCs using OP_CHECKSEQUENCEVERIFY/OP_LOCKTIMEVERIFY and revocation hashes.

CJP cjp at ultimatestunts.nl
Mon Feb 8 22:07:53 UTC 2016


> See:
> 
>         https://github.com/ElementsProject/lightning/blob/master/doc/deployable-lightning.pdf

Sorry for replying to a very old e-mail, but I've finally had a really
close look at this, and the way I see it, there could be a potential
problem.

Suppose Eve (E) has two channels with Alice (A). She intends to steal
funds from Alice. This is what she does:

She performs a payment to herself, routed through Alice with the two
channels. When the funds are locked in the two channels, she is supposed
to reveal the transaction R value as a payee, but she doesn't. So, the
transaction times out on both channels, leading to a channel update on
both: the HTLCs are removed, reverting back to the original situation. 

The following actions primarily take place on the channel where Eve was
on the RECEIVING side of the transaction. First, Eve spends all her
coins on that channel, e.g. by sending them to herself on the other
channel. This way, she doesn't risk losing them.

Next, on the channel where Eve was on the RECEIVING side of the
transaction, Eve signs and broadcasts the version of the commit
transaction that contained the HTLC. Of course, since revocation
pre-images have been exchanged, Alice can immediately spend the HTLC,
using either the HTLC-TIMEOUT & SIG-PAYER clause or the REVOCATION-E &
SIG A clause. However, this is not guaranteed to work: Eve has the
transaction R value, so Eve can *also* try to spend it, using the
R-VALUE & SIG-PAYEE clause. In fact, since Eve knows sooner about the
commit transaction than Alice, Eve is more likely to be the first to
spend the HTLC, especially when Alice is offline for a moment (Eve can
know that).

Now, if Eve succeeds in spending the HTLC, what can Alice do? She can of
course claim her own balance, and using the revocation pre-image, claim
Eve's balance in the commit transaction, but that way, she receives less
than the total channel capacity, which is what she should have received.

On the other channel, Alice could try to perform the same trick on Eve
that Eve performed on her, since Alice now has the transaction R value.
However, that is not guaranteed to work. Worse: Eve could also have
depleted her own balance on *that* channel, e.g. with a payment to
herself through a third party. That way, Alice will never be able to get
all the funds that belong to her, and Eve gets more than she deserves.

How to solve this issue? My first thought was that we should add an
OP_CSV to the R-VALUE & SIG-PAYEE clause, but that would break its
legitimate use. I don't see how this can be solved without having a
two-transaction set-up, and hence something like SIGHASH_NOINPUT (or
maybe SegWitness?). So it would have to be a bit more like "Poon-Dryja
channels".

Maybe a "never completely deplete the channel" rule could be a
work-around? You could define a maximum for the sum of all active HTLCs
in one direction in a commit transaction, and require the other side to
always have at least one or two times that maximum as remaining balance.
Would that work?

BTW, apologies if this was already known. In that case, my question is:
where can I find an updated design?

CJP




More information about the Lightning-dev mailing list