[Lightning-dev] Broken Factory Attack

Alejandro Ranchal Pedrosa a.ranchalpedrosa at gmail.com
Tue Apr 16 00:14:59 UTC 2019


Hi all,

This is the second of three related different emails on the topic, 
through which I will explain what, to my understanding, is the state of 
the construction of channel factories.

Knowing what a stale factory situation is, let's have a look at the only 
off-chain proposal that claims to solve this situation: the splice-out 
mechanism [1]. I will explain why this mechanism can be easily attacked 
in what we call the Broken Factory attack [2].

Suppose a factory created between Alice, Bob, Carol and Dave, with 
channels F_{AC}, F_{AB}, F_{BC} and F_{CD} (F for "funding"), for instance:

      Alice    Bob    Carol    Dave

         \      \       /      /

           \     \     /      /

             \    |    |    /

                 H_{ABCD}

                    |

                 A^0_{ABCD}

              /   |       |   \

            /     |       |     \

          /       |       |       \

      F_{AC}    F_{AB}   F_{BC}   F_{CD}

     /            |       |          |

R^1_{AC}      R^1_{AB} R^1_{BC}   R^1_{CD}

Where H_{ABCD} and A^0_{ABCD} refer to the Hook and Allocation 
transactions of the factory, the equivalents of the Funding and 
Refunding transactions of channels, respectively.

Suppose now that Dave, meaning that they cannot update the channel 
factory. If they wanted to perform a factory-level update, the 
splice-out mechanism should let them do that by redirecting outputs of 
the channels of the factory a new factory (sort of creating a factory 
within the factory):

      Alice    Bob    Carol    Dave

         \      \       /      /

           \     \     /      /

             \    |    |    /

                 H_{ABCD}

                    |

                 A^0_{ABCD}

              /   |       |   \

            /     |       |     \

          /       |       |       \

      F_{AC}    F_{AB}   F_{BC}   F_{CD}

     /            |       |          |

R^1_{AC}      #R^1_{AB}# R^1_{BC}   R^1_{CD}
       \           |      |

          \        |     /

            \      |    /

               *H_{ABC}*


And within this new Hook, Alice Bob and Carol can reorder the funds in 
new channels as they lack. However, notice that the new Hook (marked 
with "*") takes the outputs of 2-party off-chain channels. Suppose now 
that, after creating the new hook, Alice and Bob pay in this new factory 
to Carol, through some new channels they created. Carol believes the 
splice-out mechanism works and so accepts these off-chain payments.

Right after, Alice and Bob can update their former channel state (marked 
with "#" in the above image) and invalidate the state R^1_{AB}, making 
it older than a new state R^2_{AB}. This invalidates one of the inputs 
of the new Hook H_{ABC}, invalidating the transaction and the whole new 
factory. Therefore, Alice and Bob have stolen from Carol. This is what 
we call a Broken Factory, and which proves that the splice-out mechanism 
is not possible, at least without a race condition.

-- 
Alejandro Ranchal-Pedrosa


[1]: Scalable Funding of Bitcoin MicropaymentChannel Networks
  
[2]: Scalable Lightning Factories for Bitcoin



More information about the Lightning-dev mailing list