[Lightning-dev] New form of 51% attack via lightning's revocation system possible?

Anthony Towns aj at erisian.com.au
Tue Mar 13 18:30:19 UTC 2018


On Tue, Mar 13, 2018 at 06:07:48PM +0100, René Pickhardt via Lightning-dev wrote:
> Hey Christian,
> I agree with you on almost anything you said. However, I disagree that in the
> lightning case it produces just another double spending. I wish to emphasize
> my statement that in the case of lightning such a 51% attack can steal
> way more BTC than double spending my own funds.

I think you can get a simpler example:

 * I set up a channel, funding it with 10 BTC (ie, balance is 100% on my side)

 * Someone else sets up a channel with me, funding it with 5 BTC
   (balance is 100% on their side)

 * I route 5 BTC to myself from the first channel through the second:
    aj -> X -> ... -> victim -> aj
 * I save the state that says I own all 5 BTC in the victim <-> aj channel

 * I route 5 BTC to myself from the second channel through the first:
    aj -> victim -> ... -> X -> aj
 * At this point I'm back to having 10 BTC (minus some small amount
   of lightning fees) in the first channel

 * I use 51% hashing power to mine a secret chain that uses the saved
   state to close the victim<->aj channel. Once that chain is long enough
   that I can claim the funds I do so. Once I have claimed the funds on
   my secret chain and the secret chain has more work than the public
   chain, I publish it, causing a reorg.

 * At this point I still have 10 BTC in the original channel, and I have
   the victim's 5 BTC.

I can parallelise this attack as well: before doing any private mining or
closing the victim's channel, I can do the same thing with another victim,
allowing me to collect old states worth many multiples of up to 10 BTC, and
mine them at once, leaving with my original 10 BTC minus fees, plus n*10 BTC
stolen from victims.

This becomes more threatening if you add in conspiracy theories about
there already being a miner with >51% hashpower, who has financial
interests in seeing lightning fail...

The main limitation is that it still only allows a 51% miner to steal
funds from channels they participate in, so creating channels with
identifiable entities with whom you have an existing relationship (as
opposed to picking random anonymous nodes) is a defense against this
attack. Also, if 51% of hashpower is mining in secret for an extended
period, that may be detectable, which may allow countermeasures to
be taken?

You could also look at this the other way around: at the point when
lightning is widely deployed, this attack vector seems like it gives an
immediate, personal, financial justification for large economic actors
to ensure that hash rate is very decentralised.

> In particular I could run for a decade on stable payment channels
> storing old state and at some point realizing it would be a really big
> opportunity secretly cashing in all those old transactions which can't be
> revoked.

(I'd find it surprising if many channels stayed open for a decade; if
nothing else, I'd expect deflation over that time to cause people to
want to close channels)

Cheers,
aj
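On the remark above that 51% of hashpower mining in secret for an extended period may be detectable: here is an added illustration of one way a node or watchtower could notice it (my example, not code from the post or from any lightning implementation). It counts the blocks that reached the public chain over a window and asks how unlikely that count would be if the full hashrate were still mining publicly, under a Poisson model at the 600-second target spacing; the block timestamps are constructed sample values, not real chain data, and the window must be long enough for ordinary variance to average out.

```python
import math
from typing import List

TARGET_SPACING = 600  # seconds between blocks that Bitcoin's difficulty targets

def poisson_cdf(k: int, lam: float) -> float:
    """P(N <= k) for N ~ Poisson(lam), summed in log space to avoid overflow."""
    return sum(math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
               for i in range(k + 1))

def blocks_seen(timestamps: List[int]) -> int:
    """Blocks found after the first one in the window."""
    return len(timestamps) - 1

def expected_blocks(timestamps: List[int]) -> float:
    """Blocks the full network hashrate should have found over the same span."""
    return (timestamps[-1] - timestamps[0]) / TARGET_SPACING

def shortfall_pvalue(timestamps: List[int]) -> float:
    """Probability that the full hashrate would produce this few blocks or fewer."""
    if len(timestamps) < 2:
        raise ValueError("need at least two block timestamps")
    return poisson_cdf(blocks_seen(timestamps), expected_blocks(timestamps))

def visible_hashrate_fraction(timestamps: List[int]) -> float:
    """Crude estimate of the share of expected hashrate still mining publicly."""
    return blocks_seen(timestamps) / expected_blocks(timestamps)

def hashrate_gone_dark(timestamps: List[int], alpha: float = 0.01) -> bool:
    """Flag the window when the block shortfall is too unlikely to be variance alone."""
    return shortfall_pvalue(timestamps) < alpha

# Constructed sample timestamps (not real chain data): an 8-hour window.
T0 = 1_520_000_000
NORMAL_WINDOW = [T0 + 600 * i for i in range(49)]   # 48 blocks at target spacing
DARK_WINDOW = [T0 + 1200 * i for i in range(25)]    # 24 blocks: half the hashrate visible

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("dark", DARK_WINDOW)):
        print(f"{name}: visible={visible_hashrate_fraction(window):.2f} "
              f"p={shortfall_pvalue(window):.2e} alert={hashrate_gone_dark(window)}")
```

Miner-set timestamps are noisy and a short window gives many false alarms, so the alert is a prompt to wait for more confirmations before treating a channel close as final, not proof of an attack.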