[Lightning-dev] BOLT3: Commitment Transaction Outputs is weak to malleability

Nicolas Dorier nicolas.dorier at gmail.com
Wed Nov 29 07:11:33 UTC 2017


I noticed the Commitment Transaction Output script is weak to malleability,
this can be used to delay confirmation of the revocation.
Luckily, fixing the situation does not require lots of development.

```
OP_IF
    # Penalty transaction
    <revocationkey>
OP_ELSE
    `to_self_delay`
    OP_CSV
    OP_DROP
    <local_delayedkey>
OP_ENDIF
OP_CHECKSIG
```

An attacker can delay the Penalty Transaction by malleating it. Which can
lead to very bad outcome as Lightning dependant on time locks.

The penalty transaction would have.

```
<revocation_sig> 1
```

Problem is that Eve could malleate OP_1 into a positive, huge number. This
would have for effect to fill the mempool of nodes/miners with the
malleated version which will have an higher fee rate, delaying the
confirmation of the penalty transaction.

Now, there is a policy rule called SCRIPT_VERIFY_MINIMALIF by jl2012 which
was merged into v0.15.1. (
https://github.com/bitcoin/bitcoin/commit/c72c5b1e3bd42e84465677e94aa83316ff3d9a14
)

I guess that by the time LN is ready, 0.15.1 will be spread enough among
miners, but still I think a 2 bytes overhead is well worth the fix.

```
1 OP_EQUAL OP_IF
    # Penalty transaction
    <revocationkey>
OP_ELSE
    `to_self_delay`
    OP_CSV
    OP_DROP
    <local_delayedkey>
OP_ENDIF
OP_CHECKSIG
```

Nicolas,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20171129/50ea31fc/attachment.html>


More information about the Lightning-dev mailing list