[Lightning-dev] Oversize preimage attack.
rusty at rustcorp.com.au
Mon May 2 05:07:22 UTC 2016
I'm about to modify the HTLC scripts for the first time in a while to
prepend: "OP_SIZE 32 OP_EQUALVERIFY". It means that even timing out an
HTLC requires a 32 byte value (say, all-zeroes), but it's the simplest
and shortest change.
Without this, the length of a scriptsig which redeems a transaction
was ill-defined. The wire protocol requires a 32-byte R preimage to
redeem a HTLC, but there was no such on-chain restriction. An attacker
could create an HTLC which requires a different-size preimage to redeem,
then drop the commit tx to the blockchain and redeem it. A node
couldn't use that preimage via the wire protocol.
Or require a 110k preimage to redeem, drop to the blockchain, then
redeem it by sending direct to a miner. A node trying to use that
preimage would create a non-standard transaction, which may not
propagate. Similarly with an almost 4MB preimage which requires you
to grind out a tiny signature to redeem in a tx small enough...
I'm also dropping the per-side HTLC limit from 1500 to 450 in BOLT
#2. This means that a single "steal" transaction which spends all the
inputs is still under 400k cost (thanks segwit!), simplifying the
More information about the Lightning-dev