Topic: Lightning Network fraud possible? (Read 329 times)

Sorry i wasn't being specific, what i meant was both parties share all commitment/updated transaction which happen on LN/off-chain. IMO someone can't manipulate the auditor by only show commitment transaction which give him/her advantage since the other would do the opposite or being honest.
But this won't work if both parties cooperate to manipulate the auditor or only one people who want to show the commitment transaction.

Also, as i mentioned before, few users might think about their privacy/anonymity if the auditor decide to use method that i just mentioned. Please CMIIW.

I'm not concerned about privacy, but few users surely have privacy concern. Even though they should privacy-focused cryptocurrency.


With the combination of other scaling solution such as Schnorr Signature (aka Signature Aggression), Channel Factories and eltoo, these will reduce total on-chain transaction count/size significantly.

Schnorr Signature basically makes transaction with multiple inputs only require 1 signature (which created from multiple input signature) which reduce TX size.
I barely understand about Channel Factories and eltoo, so i suggest you to check these site if you curious :
https://bitcoin.stackexchange.com/questions/67158/what-are-channel-factories-and-how-do-they-work/67187
https://blockstream.com/2018/04/30/eltoo-next-lightning.html

No, it is not about anonymity and privacy, remember with on-chain tx's all the tx's are recorded on the Blockchain, so it is easy for someone to audit the tx history. Will the LN add another layer of anonymity to your tx's, acting as some kind of mixer service, where tx's are done off-chain?

How will my auditors be able to audit my books, if I only provided them with a opening tx and a closing tx on the Blockchain?

Right, you beat me to it; by summarizing you probably meant something like this:


Anyway, this is really really fun. LN seems to be going places.

There are only 2 transactions to be broadcasted: 1 when opening a channel and 1 then closing the channel.
You can do multiple (off-chain) transactions between those 2 (on-chain) transactions. You will have to pay a negligible fee (which is way smaller than the on-chain fee) for routing the payment.

This allows you to do X transactions (depending on the other party and capacity of the channel/route) for the fee of 2 * on-chain fee + X * off-chain fee (very small; currently 0)
The bigger the amount of transactions, the cheaper each tx is (on average).




No. When someone decides to close the channel there will be 1 transactions (combining all previously made LN transactions) settled on chain.
The TX mostly will only have 1 output (the address you withdraw to)




If this would be the case, yes.
But since all off-chain transactions (via HTLCs) are being summarized to one transaction (last state is being published), this is not an issue.

Hmm, now I have a question. If all transactions eventually need to be settled on the blockchain anyway, how does it affect the fees and the scalability? Usually, LN is positioned as a way to send a lot more transactions than the current blockchain capacity, and send them cheaper. And I kinda understood why, but now with the introduction of HTLCs I'm not that certain anymore:

1. Fees: I thought that one can save on fees by sending several payments to the same hub that will distribute the payments further. Since it's all happening inside the channel, it will be registered as one big transaction to this hub rather than several. But my understanding is that HTLC requires a separate transaction output, does it not? The end result would be a transaction with one input and a lot of outputs with hash locks. And since it's different hash/preimage for each LN payment, it would require a separate spending transaction per each payment, right? Then the fees must add to the same amount anyway?

2. Scalability: I thought more scalability can be achieved by transacting off-chain, but if, when closing the channels, we must broadcast the same amount of on-chain transactions to spending funds from off-chain hash-locked outputs, won't it choke the blockchain all the same when we attempt to close the channels this way?

Sorry if the questions are invalid, I've learned about the use of HTLCs in LN just now, so I'm pretty much saying things off the top of my head at this point. But maybe someone already knows the answer.

Upd: actually, having thought about it, something like this would be neat: if someone sends me the correct preimage, I'll just replace my puzzle output of this amount with a simple output giving him the funds, since I know he can take them anyway, since he knows the preimage. But this would clean up the outputs and consolidate them, so that when the channel closes, it's just one clean transaction signed by me and him without any hash puzzles.

You can wait until the channels close (they eventually will, and maybe even faster than their expiration date), and then you'll see your transaction broadcasted on the blockchain, since it's the only way for them to get your funds.
Or in the case of "pay-per-minute streaming content", you stop streaming to them and ban the peer if they don't send the micropayment in time.

In this case, request the payment before providing the service, it's as simple as that. Large companies can afford running a Lightning Network node 24/7 so they won't even need watchtowers in case someone attempts to cheat by broadcasting an old state of the channel.


The nodes which route the payment don't know who initiated the transaction and what the destination is (assuming that they are not the first and the last node). Sharing the transaction history would be enough (more specifically - payment preimage is needed for each transaction since it's a proof of successful payment). Why are you so concerned about privacy when anyone can view the details of on-chain transactions? The Lightning Network helps to increase the level of privacy, but don't expect to be completely safe.

Ah, Ok.. I also understand this much better now. I think the main problem I have with this, is the total transparency of the transactions. The only tx that will be auditable will be the settlement tx on the Blockchain and the tx when the channel is opened. The 1000s of tx's that are done with the channel is not auditable. 

How will this be handled in a dispute?    

Ah, that's spot on! Haven't noticed this part. Very cool.

Alice can easily circumvent being defrauded by choosing a timelock (between Alice and Bob) < timelock between You and Alice.


As i have mentioned in my example:


Your approach of defrauding alice would not have worked here.
Since we are talking about bi-directional channels, the locktime is going to be decreased each 'hop'.

---

Edit:

From the whitepaper of the LN (source: https://lightning.network/lightning-network-paper.pdf):

Figured out the solution: to subvert the attack, each node must make sure that the channel towards the sender side expires later than the one towards the recipient side. Since the channels in question are opened on both sides of that node, it always knows the exact transaction scripts and is always able to verify this condition.

Hopefully, this is already included in the emerging LN standards.

Thanks for helping me figure out how it all works.

Understood this part, using HTLCs is a brilliant idea. Just can't figure out this one edge case in my head:


What if Bob doesn't share the secret right away, but waits until Alice's channel with me expires (our channel with him is set up for a longer period of time), I take away all the funds in the channel with Alice (she can't do anything, because she doesn't know R), and then Bob publishes tx with R when it's too late for her but not too late for him, thus he also takes away funds from Alice in his channel? We've successfully defrauded Alice, haven't we?

Also very clever, thanks for the reference, doesn't address this case though, if I understood correctly.
In 'Broken channel' paragraph there's an assumption that the secret has been voluntarily given up by the last participant.
In 'Rerouting', it is assumed that the immediate neighbor cooperates and creates a negating transaction, rebalancing the channels.

You didn't create a signed transaction and sent to her.

The whole process starts with the recipient (Bob) creating a secret R and sharing its hash with the sender (you).
Then, based on this you are going to create a HTLC with a timelock. This basically says 'I (you) pay X btc to Alice if she finds the secret R during the next Y blocks. If not, the funds return to me'.

Afterwards Alice (using the same hash) creates a HTLC with Bob where she pays Bob X (- fee) btc. The HTLC basically says 'I (Alice) pay X btc to Bob if he finds the secret R during the next Y-1 blocks. If not, the funds return to me'.

Now Bob is able to retrieve the X BTC using the secret R. And as soon as he does, the secret will become available to Alice as well.

---

You might want to read this: https://softblocks.co/lightning-network-in-depth-part-2-htlc-and-payment-routing/

The 'Broken channel'- and 'Rerouting'-part should clear your concerns.

Oh, that's smart, I get it now. And I've read bob123's link, same thing. Thank you folks, just what I needed.

Now the only concern is that if Alice-Bob channel expires earlier than Bob-Charlie's, Charlie can maliciously withhold the preimage until A-B channel expires (and Bob can't take Alice's funds, because he can't provide the correct preimage to form the unlocking script, and Alice takes them all because the timelock expired), while Charlie publishes the preimage in time after that to grab Bob's payment; but that 1) requires conspiracy between Alice and Charlie, and 2) we can probably check this condition somehow, by requiring access to and validating all channels in the chain.

Upd: Actually, can we do 2)? I know we're deep into the woods at this point, but I would appreciate if anybody shares their ideas on how this attack can be mitigated.

That's why Hashed Timelock Contracts are used in the payment channels.

Hi Bob :-)

Well, I've signed the money over to her, and I signed it with my key. Now if she signs it and broadcasts it, 2-of-2 multisig is unlocked.

If an earlier state could be published by me, can't I then defraud an honest Alice and publish the earlier state after she sends money to Bob? I thought the clever idea of channels was that only the second person can actually finish the multisignature and so he's the only one that can broadcast and publish the final state, the latest with the most funds signed over to him.

I'll take a look, thank you.

The problem is that someone might not want to route your payment because it has an impact on every channel that takes part in routing. You can set the fees really high if you don't want to bother with re-balancing your channel in the future. This should not be a problem if you have only one channel open. I have read it once again, I described a different problem.


You would have to find another route and you would get your money back. We can't force people to route your payment, we can observe the same thing by looking at Bitcoin mining. Mining pools can choose which transactions they want to include in the block (e.g. the ones with higher fees)

It is not like you are sending Alice the payment and hope that she will send it to Bob.
The funds get locked in a multi-sig. If Alice would 'refuse' to pay Bob she wouldn't gain any advantage since she can't get the funds out of the 2-of-2 multisig.

When a channel is open you are basically sending signed transactions back and forth.
If an malicious actor 'breakes the rules', an earlier state is going to be published, which depending on the case, can lead to the attacker losing all of his coins.
This leads to no trust being required into the 'middlemen' to process the payment.


To get a slightly more detailed explanation, visit https://thecoinoffering.com/learn/what-is-the-lightning-network/ and scroll down to the part with 3 people involved.

Refuses to do what? I ask about LN because only LN tries to link together several channels. But it seems you can be easily defrauded since there's trust involved, unlike on vanilla Bitcoin.

No, they're much older. Adam and Eve of cryptography :-)
https://en.wikipedia.org/wiki/Alice_and_Bob