Bitcoin Forum>Bitcoin>Development & Technical Discussion
Pages:
Author

Topic: Full RBF - page 7. (Read 3063 times)

BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
November 02, 2022, 10:34:06 AM
#43
Pretty searing discussion there. Essentially and summarily, there are mainly two groups; those who find it only theoretically possible to have zeroconf transactions double-spent, and those who find it both practically and theoretically possible.

Pro-full-RBF users' arguments are:
  • It's the natural state of the network.
  • It's a false sense of security, because miners must be considered to always have full RBF enabled, because they follow profit.
  • Defends against CoinJoin and Lightning related DoS attacks.

Pro-postponing-full-RBF users' arguments are
  • Some businesses accept zeroconf as settled, and must either move to Lightning or withdraw this policy.
  • Lightning and CoinJoin software needs upgrade.

(Anti-full-RBF users' arguments are mostly invalid IMO, especially due to complete dependence of transaction fees after a few decades)


I'm of the latter. We should postpone it for a little longer, at least until significantly used wallet software such as Muun upgrade. Most Internet-based businesses will have to switch from zeroconf to Lightning this year.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
November 02, 2022, 08:11:36 AM
#42
Bump.

There's been another recent flurry of discussion regarding this on the mailing list and GitHub, which stemmed from this post by one of the developers of Muun wallet: [Opt-in full-RBF] Zero-conf apps in immediate danger

His concerns are essentially that full RBF means all their zero confirmation functionality, include submarine swaps and various instant Lightning sends, become too risky and they would have to cease immediately. This spawned a lot of discussion which you can read if you are interested. There is a good summary of the whole issue from Gloria Zhao available here: https://github.com/glozow/bitcoin-notes/blob/full-rbf/full-rbf.md

The discussion spawned several more pull requests:
https://github.com/bitcoin/bitcoin/pull/26287 - remove the full RBF option from 24.0 entirely, and potentially introduce it in 25.0 with a default setting of true
https://github.com/bitcoin/bitcoin/pull/26305 - leave the full RBF option in 24.0 with a default setting of false, and turn the default setting to true in 25.0
https://github.com/bitcoin/bitcoin/pull/26323 - leave the full RBF option in 24.0 but change the default setting to true, but it does not activate until May 1st, 2023
https://github.com/bitcoin/bitcoin/pull/26438 - remove full RBF option entirely

It's not clear yet what the final outcome here is going to be. There seems to be consensus for the full RBF option defaulting to true at some point in the future, but not clear yet if that will be 25.0, a future version, a fixed date 6/12/18 months in the future, or some other point depending on network uptake. Whether or not 24.0 still ships with the full RBF option included but set to false by default is not so clear at the moment, but I suspect it will go ahead as was originally planned.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
July 03, 2022, 03:14:44 AM
#41
Quote from: garlonicon on July 02, 2022, 02:48:54 PM
It is about joining and splitting one-input-one-output entries, where all participants can do that, but if things will finalize, then they will look like any ordinary SIGHASH_ALL transaction.
I still don't think that solves the problem. Even if we ignore the fact that contributing one input and one output makes it almost trivial to deanonymize you simply by matching output amounts to input amounts, then Carol can still attack the process. Even if the other parties can simply remove Carol's contribution to the transaction and try again, then she has still succeeded in wasting their time. A large enough entity (think another coinjoin provider attacking their competition) could easily spam enough inputs to make this happen over and over and over.
garlonicon
copper member
Activity: 821
Merit: 1992
Re: Full RBF
July 02, 2022, 02:48:54 PM
#40
Quote
Can't we implement some sort of OP_IF, OP_ELSE penalty mechanism for this matter? It'd increase the transaction fee, though.
We can, and it currently exists. It is called SIGHASH. So, by signing your CoinJoin with SIGHASH_ANYONECANPAY, you sign only your input, and all outputs. That means, Alice and Bob can detach Carol if needed, and attach some other source of coins, but then the destination has to remain the same (which means Carol will be paid, so that's not the solution). Because if you have CoinJoin, you have to sign all outputs, if you sign only some of them, then you have no privacy boost, because it is possible to link your coins.

So, to solve the problem of CoinJoin, there is a need to construct transactions in a non-interactive way (and to provide that, transaction joining (and splitting) needs to be implemented). A good start is SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, each participant could sign a single input and a single output in this way. What is needed, is taking N such entries, and make signatures in a way, where they could be turned into SIGHASH_ALL, to be indistinguishable from any normal transaction. It is about joining and splitting one-input-one-output entries, where all participants can do that, but if things will finalize, then they will look like any ordinary SIGHASH_ALL transaction.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
July 02, 2022, 01:55:11 PM
#39
Quote from: BlackHatCoiner on June 27, 2022, 10:32:56 AM
Creates a fine mess on the network, defeating essentially the purpose of non-RBF; especially due to the former.
This will indeed be the beginning of the end for non-RBF transactions, as I suspect before long most miners will choose to look at mempools which have enabled full RBF to allow them to maximize their profits from fees. I guess zero confirmations transactions will be a thing of the past unless the two parties involved completely trust each other.

Here are the final commits to be merged in to the main branch: https://github.com/bitcoin/bitcoin/pull/25353/commits

If all goes to plan then this will be live in the next version of Core, 24.0.
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
June 27, 2022, 10:32:56 AM
#38
Quote from: buwaytress on June 27, 2022, 10:02:09 AM
[...]
Any merchant who's using BitPay should switch to BTCPay Server the soonest possible. It doesn't make sense to use an intermediary for this purpose when the currency's software already exists for eliminating this kind of third parties.

I have never used BitPay, but I'd read somewhere that they even demanded KYC for a purchase. Unbelievable or just reasonable and probable considering today's sniffing standards?

Quote from: o_e_l_e_o on June 27, 2022, 10:11:53 AM
But it is neither a rule nor being enforced.
It isn't enforced, but having it as an option officially on Bitcoin Core rather than as a potential change that requires altering the source code:

  • Encourages the miners to switch to it.
  • Creates a fine mess on the network, defeating essentially the purpose of non-RBF; especially due to the former.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
June 27, 2022, 10:11:53 AM
#37
Quote from: LoyceV on June 27, 2022, 08:57:24 AM
I don't really see how this is a problem: if a part of the "joined" transaction becomes invalid, I assume the coinjoin can just recreate a new transaction without that input and broadcast it again, right?
Maybe. Or maybe a malicious attacker (maybe some other coinjoin wallet who wants to attack their competitors) is flooding your coinjoin service with inputs that they are double spending, so it happens again on your next attempt, and your next one, and your next one, rendering it impossible for you to coinjoin any coins at all. The same could apply to any custodial Lightning wallet, as another example.

Quote from: BlackHatCoiner on June 27, 2022, 09:46:43 AM
While I do acknowledge the problem here, I don't like that a possible attack on CoinJoin or Lightning transactions can be resolved only by enforcing a rule on all the transactions.
But it is neither a rule nor being enforced. This is a change with the Bitcoin Core software, not the Bitcoin protocol, giving node operators the easy option to accept replacements for all transactions in their mempool. Node operators can already do this if they wish, and some alternative full node software (such as Knots) have had this option for years already.

Quote from: BlackHatCoiner on June 27, 2022, 09:46:43 AM
Point of sale unconfirmed transactions become less attractive for the merchants, pushing them to adopting off-chain solutions. The question is if, say, Lightning is ready to be adopted by every merchant.
This is my main concern too.

Quote from: buwaytress on June 27, 2022, 10:02:09 AM
Trying to see if BitPay will make allowances for this then finally but don't see anything to suggest it on their site -- In fact, the latest RBF threads updated in June on their FAQs still show you how to disable them.
Given how long it took BitPay to get on board with things like segwit, then there is exactly zero chance they are going to react to upcoming changes before they have even been finalized yet, let alone released.
buwaytress
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
Re: Full RBF
June 27, 2022, 10:02:09 AM
#36
Trying to see if BitPay will make allowances for this then finally but don't see anything to suggest it on their site -- In fact, the latest RBF threads updated in June on their FAQs still show you how to disable them.

They've been forcing people to overpay on fees (and rejecting RBF-enabled ones so you're forced to finalise a fee), one of the few things I put up with for the sake of spending that Bitcoin on pizza where I live. Or is that merely merchant settings on their end of BitPay?

I see this as a win, maybe one reason it's happening? To push merchants to accept a tool designed to help users compensate for miscalculations?
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
June 27, 2022, 09:46:43 AM
#35
Quote from: o_e_l_e_o on June 27, 2022, 08:09:55 AM
By making it far more costly an attack to perform, and by giving the coinjoin transaction the ability to overcome the blockage.
Right.

Quote from: o_e_l_e_o on June 27, 2022, 08:09:55 AM
I don't see how you could. By the time you come to punishing Carol for it, she has already achieved what she wanted to achieve - wasting the time and/or money of the other participants.
She won't dare to cheat if a fairness protocol she uses disincentivizes her do so. I can neither think of a script that does it, I was just saying. Even if there is, that I doubt, it'll increase the size of all CoinJoin and Lightning transactions, making things more costly to operate.

While I do acknowledge the problem here, I don't like that a possible attack on CoinJoin or Lightning transactions can be resolved only by enforcing a rule on all the transactions. Point of sale unconfirmed transactions become less attractive for the merchants, pushing them to adopting off-chain solutions. The question is if, say, Lightning is ready to be adopted by every merchant. I was thinking of a rather slower and smoother transition.
LoyceV
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Re: Full RBF
June 27, 2022, 08:57:24 AM
#34
Quote from: o_e_l_e_o on June 27, 2022, 06:31:40 AM
Here is an example of this attack happening on a Wasabi coinjoin (on testnet)
~
the same input which was used in the attempted coinjoin transaction
Isn't that risk inherent of "joining" your transaction with someone else's? I don't really see how this is a problem: if a part of the "joined" transaction becomes invalid, I assume the coinjoin can just recreate a new transaction without that input and broadcast it again, right?
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
June 27, 2022, 08:09:55 AM
#33
Quote from: BlackHatCoiner on June 27, 2022, 07:21:02 AM
So, how does mandatory RBF help the situation?
By making it far more costly an attack to perform, and by giving the coinjoin transaction the ability to overcome the blockage.

At present, Carol can attack by broadcasting a non-RBF transaction at 1 sat/vbyte. It doesn't matter what fee the coinjoin pays; the malicious double spend will not be replaced. With full RBF, Carol must be willing to pay a much higher fee. If she only says 1 sat/vbyte, then the coinjoin can be bumped to an equivalent of 1.1 sats/vbyte and displace her malicious double spend. Further, at present, Carol can leave her 1 sat/vbyte transaction in the mempool as long as she wants, and let the coinjoin operator repeatedly attempt to bump the coinjoin with a higher and higher fee, with effectively no limit (other than the limit of what the participants would find acceptable). With full RBF, the coinjoin operator only ever needs to bump the fee as high as the fee on Carol's double spend (+ 0.1 sats/vbyte).

Quote from: BlackHatCoiner on June 27, 2022, 07:21:02 AM
Can't we implement some sort of OP_IF, OP_ELSE penalty mechanism for this matter? It'd increase the transaction fee, though.
I don't see how you could. By the time you come to punishing Carol for it, she has already achieved what she wanted to achieve - wasting the time and/or money of the other participants.
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
June 27, 2022, 07:21:02 AM
#32
Quote from: o_e_l_e_o on June 25, 2022, 03:06:12 AM
While the MPFT is being created, a malicious party can double spends their input to prevent the MPFT from being broadcast. This double spend can include a different input with an RBF-enabled unconfirmed parent, which allows the double spend to be easily invalidated in the future.
I see the problem. The CoinJoin makers have to either bump their fees with CPFP or have their CoinJoin rejected. So, how does mandatory RBF help the situation? The attacker wants to make us spend more in fees or delay our mixing.

  • Suppose we have Alice, Bob and Carol, with their respective inputs A, B and C.
  • Carol is the attacker.
  • Alice, Bob and Carol sign the CoinJoin transaction, and it's ready to be broadcasted.
  • Carol has signed a transaction wherein she replaced CoinJoin with her reversal.
  • Both are broadcasted, but Carol's transaction replaces the CoinJoin.
  • Alice and Bob can either raise their fees or let Carol's replacement transaction become confirmed and create another CoinJoin later.

Can't we implement some sort of OP_IF, OP_ELSE penalty mechanism for this matter? It'd increase the transaction fee, though.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
June 27, 2022, 06:31:40 AM
#31
Here is an example of this attack happening on a Wasabi coinjoin (on testnet) which developer /dev/fd0 just shared with the mailing list and on their Twitter:

Quote from: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020601.html
In Wasabi an attacker can broadcast a transaction spending input used in coinjoin after sending signature in the round. This would result in a coinjoin tx which never gets relayed: https://nitter.net/1440000bytes/status/1540727534093905920

You can see the double spend transaction here: https://mempool.space/testnet/tx/a57e46e8a69752802ca83caa37b32bebcaa2965b5572fa805f2b48f1846fd3df
The third input in this transaction for 0.00006561 tBTC was the same input which was used in the attempted coinjoin transaction as you can see from the screenshots.

The Wasabi client reported the invalid coinjoin as "broadcast".
o_e_l_e_o
legendary
Activity: 2268
Merit: 18748
Re: Full RBF
June 25, 2022, 03:06:12 AM
#30
Quote from: BlackHatCoiner on June 24, 2022, 10:37:21 AM
If each of the inputs that are used in the RBF-disabled CoinJoin don't have an RBF-enabled unconfirmed parent, then what's the problem?
The inputs used in the multi-party funded transaction (MPFT) are all confirmed. While the MPFT is being created, a malicious party can double spends their input to prevent the MPFT from being broadcast. This double spend can include a different input with an RBF-enabled unconfirmed parent, which allows the double spend to be easily invalidated in the future.

Quote from: BlackHatCoiner on June 24, 2022, 11:50:34 AM
Is that correct?
Yes, you've got it now.

Quote from: BlackHatCoiner on June 24, 2022, 04:19:22 PM
The thing I don't understand is why can't the software (of CoinJoin or Lightning) warn the users for RBF-enabled unconfirmed parents. If the users are afraid of being victimized in this way, they only have to avoid dealing with inputs whose parents are RBF-enabled and unconfirmed.
Because, again, the inputs to the MPFT are all confirmed. It is only the malicious double spend which has the unconfirmed parent, which will obviously not be known about at the time of creating the the MPFT.

Here is another post from Riard in the mailing list which explains things in yet another way: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020595.html

Quote
Here the DoS attack situation :
- Alice, Bob and Caroll would like to coinjoin 3 inputs to 3 outputs
- Each of the input is singly controlled by one party, e.g Alice owns input A, Bob owns input B, ...
- Alice, Bob and Caroll exchanges a PSBT to build a multi-party funded transaction (the coinjoin_tx)
- Alice is elected as the multi-party transaction broadcaster once the signatures have been exchanged
- The block feerate is around 10sat/vb
- One of the transaction input signals opt-in RBF, the transaction is attached a compelling feerate 10sat/vb
- Caroll broadcasts a double-spend of her own input C, the double-spend is attached with a low-fee (1sat/vb) and it does _not_ signal opt-in RBF
- Alice broadcasts the multi-party transaction, it is rejected by the network mempools because Alice Caroll double-spend is already present
- Two alternatives are offered to the coinjoin participants :

Alternative A)
- They estimate the multi-party feerate as not high enough
- They fee-bump at 20sat/vb
- Caroll double-spend one of the input of her malicious double-spend to eject it from the network mempools
- The multi-party transaction is confirmed at a block feerare far above what was necessary
- Alice, Bob, Caroll have loss fee-bumping value without compensation
- Note, even if Caroll is attacker and assuming the fee-bumping burden is fairly spread among participants, the economic loss inflicted is asymmetric

Alternative B)
- They wait until some time-out
- They double-spend their own inputs, Alice double-spend utxo A, Bob double-spend utxo B
- They wasted the timevalue of their inputs for the time-out delay
- Note, even if Caroll is attacker and loss some timevalue too, the economic loss inflicted is asymmetric

Let me know if you see any error or wrong in this DoS scenario exposure. I believe it's fairly simple to execute for a medium-skilled attacker.
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
June 24, 2022, 04:19:22 PM
#29
The thing I don't understand is why can't the software (of CoinJoin or Lightning) warn the users for RBF-enabled unconfirmed parents. If the users are afraid of being victimized in this way, they only have to avoid dealing with inputs whose parents are RBF-enabled and unconfirmed.

I'm not convinced that this change will have a good impact, unless there's another danger I haven't thought of (or understood). Sure, nodes could replace non-RBF transactions since 2009 if their owners changed the source code, but it feels like we're now moving into something else.

Quote from: hosseinimr93 on June 24, 2022, 12:07:28 PM
For being successful, it's needed that majority of nodes see transaction_2 first and the honest party (the one who does CPFP) sees transaction_1 first.
I guess the attacker knows the victim's node URI?
hosseinimr93
legendary
Activity: 2380
Merit: 5213
Re: Full RBF
June 24, 2022, 12:07:28 PM
#28
Quote from: BlackHatCoiner on June 24, 2022, 11:50:34 AM
Is that correct?
Yes.
The thing I don't understand is how the attacker can manage to do this and that's why I said it's very very unlikely.
For being successful, it's needed that majority of nodes see transaction_2 first and the honest party (the one who does CPFP) sees transaction_1 first.
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
June 24, 2022, 11:50:34 AM
#27
Let me sum things up.

We have transaction_1. It is non-RBF, it uses UTXO A as an input (along with others) and it's a CoinJoin transaction.
We have transaction_2. It is non-RBF, it has two inputs; UTXO A and UTXO B.
We have transaction_0. It has RBF enabled, it creates UTXO B, it's currently unconfirmed. We call this the parent of transaction_2.

We send transaction_1 in node_1 and transaction_2 in node_2 at the same time.
The network is split to those who have transaction_1 and to those who have transaction_2 in their mempools.

One of the CoinJoin makers wants to speed up the confirmation (of transaction_1) and does CPFP.
The attacker sees that CoinJoin is overspent in fees and reverses transaction_0.
Now that transaction_0 is invalidated (because it's opted-in to RBF and is double-spent), transaction_2 is also invalidated, because it's its child.

Now (all) nodes have transaction_1 in their mempool, but it's overspent in fees.


Is that correct?
hosseinimr93
legendary
Activity: 2380
Merit: 5213
Re: Full RBF
June 24, 2022, 11:28:03 AM
#26
Quote from: BlackHatCoiner on June 24, 2022, 10:37:21 AM
If each of the inputs that are used in the RBF-disabled CoinJoin don't have an RBF-enabled unconfirmed parent, then what's the problem?
The coinjoin transaction is using UTXO A and is non-RBF. UTXO A doesn't have any unconfirmed parent and there is no problem here.
There's another transaction made using UTXO A. In this transaction, there's another input which is UTXO B. This transaction is also non-RBF.

The two above transactions have been made at the same time. So, some nodes (including the other party of the coinjoin transaction) see the coinjoin transaction first and some nodes see the other one first.

The transaction that has created UTXO B is still unconfirmed. This transaction has been flagged as RBF. As this transaction is RBF-enabled, the sender can easily double-spend that.
With doing this, the transaction spending UTXO A and UTXO B is invalidated and now the coinjoin transaction is the only transaction that uses UTXO A. Now, the coinjoin transaction can be propagated and confirmed without any problem.

Note that the attacker isn't trying to invalidate the coinjoin transaction at all.
The attacker is only trying to force the other party to pay more fee for the coinjoin transaction. (The other party doesn't know what's causing the issue and think that the problem is with the low fee.)

Again, this is what I understood from o_e_l_e_o's post and I think it's very very unlikely that the attacker can succeed.


Quote from: BlackHatCoiner on June 24, 2022, 10:37:21 AM
The CoinJoin transaction is consisted of some parties' inputs. One of those inputs might be an RBF-enabled unconfirmed parent, which can be abused by an attacker to disrupt mixing.
From my understanding, this is not the case here.
BlackHatCoiner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Re: Full RBF
June 24, 2022, 10:37:21 AM
#25
Quote from: hosseinimr93 on June 24, 2022, 09:30:44 AM
The UTXO used in the coinjoin transaction doesn't have any unconfirmed parent at all.
If each of the inputs that are used in the RBF-disabled CoinJoin don't have an RBF-enabled unconfirmed parent, then what's the problem?

Quote from: hosseinimr93 on June 24, 2022, 09:30:44 AM
That UTXO was combined with another UTXO in a different transaction at the same time as the coinjoin transaction.
The CoinJoin transaction is consisted of some parties' inputs. One of those inputs might be an RBF-enabled unconfirmed parent, which can be abused by an attacker to disrupt mixing. Can't you give a solution to this if you make CoinJoin unavailable for RBF-enabled unconfirmed inputs?

I must have messed things up.
hosseinimr93
legendary
Activity: 2380
Merit: 5213
Re: Full RBF
June 24, 2022, 09:30:44 AM
#24
Quote from: BlackHatCoiner on June 24, 2022, 08:13:31 AM
In this case, shouldn't the CoinJoin/Lightning software warn for unconfirmed parent(s)?
The UTXO used in the coinjoin transaction doesn't have any unconfirmed parent at all.
That UTXO was combined with another UTXO in a different transaction at the same time as the coinjoin transaction. This is the transaction which was invalided with doubling-spending its parent.
As both transactions have been made at the same time, it's possible that the client see the coinjoin transaction before the other one and doesn't understand what's causing the issue.
This is my understanding from o_e_l_e_o's post and I really don't know how likely this is.

Quote from: BlackHatCoiner on June 24, 2022, 08:13:31 AM
I wouldn't accept a non-RBF transaction which has an unconfirmed RBF-enabled parent as "settled".
Me too.


Quote from: BlackHatCoiner on June 24, 2022, 08:13:31 AM
You mean can't be propagated and confirmed?
No.
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: