Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Author

Topic: RBF Spam (Read 134 times)

becoin
legendary
Activity: 3431
Merit: 1233
RBF Spam
December 18, 2023, 04:51:41 AM
#13
Quote from: nc50lc on December 17, 2023, 10:26:59 PM
You mentioned that it's a "clear pattern", are there a lot of transactions that has that same behavior?

Go to https://mempool.space/rbf and you'll see this pattern. Every tx that has replacement intervals about 40 seconds is the same kind of tx. In time of fee spikes these txs are more than 50% of all rbf txs.
ranochigo
legendary
Activity: 2954
Merit: 4158
Re: RBF Spam
December 17, 2023, 11:41:40 PM
#12
Quote from: becoin on December 17, 2023, 12:12:17 PM
This is the final replacement that got finally confirmed:

https://mempool.space/tx/b5fe2c4891cba365c0863b8645a7e7a4c7e7191804508f4549f870be6012102f

I've counted more than 30 replacements of the original tx that were done within 40 seconds intervals on average. This kind of txs have only one input and only one output. This is why they are cheap since their size is ~109 vB. There are many of them and increase in their number coincides with tx fee spikes.

Looks like this is a job of a mining cartel as it tricks Bitcoin Core's fee estimation algorithm.
It doesn't. RBF transactions are always replaced by wallets who uses mempool size as the calculation algorithm. You can't inflate your mempool count this way because transactions spending the same inputs are getting kicked when another one comes in. Bitcoin Core only considers the moving average of confirmed transactions, which would mean that the replaced transactions has no impact on fee estimates.

Hence to effectively trick Bitcoin Core's fee estimation, it would be better to intentionally include only high paying transactions. This looks like someone trying to use RBF to ensure that their transaction has the best chances of getting confirmed within a short timeframe.
philipma1957
legendary
Activity: 4102
Merit: 7765
'The right to privacy matters'
Re: RBF Spam
December 17, 2023, 11:34:54 PM
#11
Well 6.25 blocks drop to 3.125 blocks.

I feel there are lots of patterns showing fee gaming by large players in the mining ⛏️ section.

This appears to be yet again one more experiment on how to keep fees elavated.
nc50lc
legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
Re: RBF Spam
December 17, 2023, 10:26:59 PM
#10
Quote from: ranochigo on December 17, 2023, 12:03:39 PM
Quote from: nc50lc on December 17, 2023, 11:01:16 AM
But I'm not sure if the fee of the replaced transactions that a node relayed wont be removed from its "bucket" and if those will still be counted to its fee estimation after the last replacement is confirmed though.
Doesn't Bitcoin Core look at the amount of time transactions take to confirm with the historical statistics? Ie. Sorting transactions into buckets, analyze fees from a new block by looking at which bucket it is in. If it only considers the fees of transactions which are eventually included into a block, then it would mean that any transactions which are replaced would not matter since it wouldn't be confirmed.
Yes, that is why I need clarification in that matter.
To see if that weird transaction is actually targeting a bug or just a user playing with rbf.

Quote from: becoin on December 17, 2023, 12:12:17 PM
Looks like this is a job of a mining cartel as it tricks Bitcoin Core's fee estimation algorithm.
Mine is just a guess, we can't jump to conclusions because of one wild guess.

You mentioned that it's a "clear pattern", are there a lot of transactions that has that same behavior?
o_e_l_e_o
legendary
Activity: 2268
Merit: 18509
Re: RBF Spam
December 17, 2023, 12:33:21 PM
#9
My hypothesis is that it is a user that really wanted to get their transaction confirmed in the next block, but they wanted to pay the minimum fee required to do so.

Every replaced transaction has the same fingerprint - same version, same locktime, same nSequence, etc., suggesting they were all made by the same wallet. Further, every receiving address on all the intermediate transactions is a fresh unused address, and none of them are repeated. If this were bots trying to steal an output, then you would expect them to try to send to the same address or have different fingerprints. And all the transactions are opted in to RBF.

The first transaction in the chain was broadcast a couple of minutes after the last block (821,597) was mined. Given this transaction is a CPFP, then the effective fee rate for this initial transaction was 602 sats/vbyte, which was just under 1 MvB from the tip of the mempool. There was then a delay of 29 minutes until the next block, and during this time the fee was continually bumped to keep the parent and child transactions just under 1 MvB from the tip of the mempool. By the time the final transaction confirmed with an effective fee rate of 642 sats/vbyte, this was just above the minimum of 632 sats/vbyte to get in to that block.
becoin
legendary
Activity: 3431
Merit: 1233
Re: RBF Spam
December 17, 2023, 12:12:17 PM
#8
Quote from: nc50lc on December 17, 2023, 11:01:16 AM
But I'm not sure if the fee of the replaced transactions that a node relayed wont be removed from its "bucket" and if those will still be counted to its fee estimation after the last replacement is confirmed though.

This is the final replacement that got finally confirmed:

https://mempool.space/tx/b5fe2c4891cba365c0863b8645a7e7a4c7e7191804508f4549f870be6012102f

I've counted more than 30 replacements of the original tx that were done within 40 seconds intervals on average. This kind of txs have only one input and only one output. This is why they are cheap since their size is ~109 vB. There are many of them and increase in their number coincides with tx fee spikes.

Looks like this is a job of a mining cartel as it tricks Bitcoin Core's fee estimation algorithm.
ranochigo
legendary
Activity: 2954
Merit: 4158
Re: RBF Spam
December 17, 2023, 12:03:39 PM
#7
Quote from: nc50lc on December 17, 2023, 11:01:16 AM
Interesting...
I'm not too familiar in Bitcoin Core's fee estimation algorithm but my initial guess is it's trying to trick the fee estimation by continuously broadcasting high fee replacement transactions with enough delay for the previous transaction to propagate.
Since it's a replacement, each relayed replacement is cheap since it'll only need to add a few satoshi on top of the transaction that it replaced.

But I'm not sure if the fee of the replaced transactions that a node relayed wont be removed from its "bucket" and if those will still be counted to its fee estimation after the last replacement is confirmed though.
If it is, that could be the purpose of those rbf spam.
Doesn't Bitcoin Core look at the amount of time transactions take to confirm with the historical statistics? Ie. Sorting transactions into buckets, analyze fees from a new block by looking at which bucket it is in. If it only considers the fees of transactions which are eventually included into a block, then it would mean that any transactions which are replaced would not matter since it wouldn't be confirmed.

Quote from: Zaguru12 on December 17, 2023, 11:18:35 AM
But if you make non-RBF transaction can’t it still be replaced if the server or node is full RBF opt in? Or is there  way to know maybe a node isn’t full RBF so one can change server when looking to make a non-RBF transaction
Trying to replace a non-RBF transaction would only result in poor propagation. Nodes or miners who do not care about the RBF flag can still relay or confirm your transactions.

hosseinimr93
legendary
Activity: 2380
Merit: 5213
Re: RBF Spam
December 17, 2023, 11:40:52 AM
#6
Quote from: Zaguru12 on December 17, 2023, 11:18:35 AM
that’s why we are always hoping that scammers do not have this tech knowledge equivalent to people like you.
My point was that if the private key had been leaked and multiple people had access to it, there would be probably someone making a non-RBF transaction.
There are many wallets that don't flag transactions as non-RBF.


Quote from: Zaguru12 on December 17, 2023, 11:18:35 AM
But if you make non-RBF transaction can’t it still be replaced if the server or node is full RBF opt in?
With full-RBF, it's possible to replace the transaction with a new one even if it hasn't been flagged as RBF, but I doubt there's any SPV wallet allowing doing so.

If you want to replace a non-RBF transaction with a new one, you need to broadcast it using your own node or build the raw transaction and use a tool with enabled full RBF setting. That's not easy for everyone.
Zaguru12
hero member
Activity: 672
Merit: 855
Re: RBF Spam
December 17, 2023, 11:18:35 AM
#5
Quote from: hosseinimr93 on December 17, 2023, 10:45:50 AM
But if I had the private key of someone's address and I wanted to steal the fund, I would make a non-RBF transaction.

Haha 😂 that’s why we are always hoping that scammers do not have this tech knowledge equivalent to people like you.

But if you make non-RBF transaction can’t it still be replaced if the server or node is full RBF opt in? Or is there  way to know maybe a node isn’t full RBF so one can change server when looking to make a non-RBF transaction
nc50lc
legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
Re: RBF Spam
December 17, 2023, 11:01:16 AM
#4
Quote from: becoin on December 17, 2023, 06:35:27 AM
What is it used for? What is the logic behind it?
Interesting...
I'm not too familiar in Bitcoin Core's fee estimation algorithm but my initial guess is it's trying to trick the fee estimation by continuously broadcasting high fee replacement transactions with enough delay for the previous transaction to propagate.
Since it's a replacement, each relayed replacement is cheap since it'll only need to add a few satoshi on top of the transaction that it replaced.

But I'm not sure if the fee of the replaced transactions that a node relayed wont be removed from its "bucket" and if those will still be counted to its fee estimation after the last replacement is confirmed though.
If it is, that could be the purpose of those rbf spam.
hosseinimr93
legendary
Activity: 2380
Merit: 5213
Re: RBF Spam
December 17, 2023, 10:45:50 AM
#3
Quote from: Zaguru12 on December 17, 2023, 10:26:38 AM
This is what transactional replacement mean. This process can be done using either of the two bumping feature; RBF or CPFP.
With using RBF feature, you can replace a transaction with a new one paying higher fee. But in CPFP, you make a new transaction spending the fund received in the unconfirmed transaction.
In CPFP method, you don't make any replacement.


Quote from: Zaguru12 on December 17, 2023, 10:26:38 AM
The series of replacement looks like it is a hack attempt on that wallet.
Maybe, the private key had been compromised and there were some people competing to steal the fund.
But if I had the private key of someone's address and I wanted to steal the fund, I would make a non-RBF transaction.
Zaguru12
hero member
Activity: 672
Merit: 855
Re: RBF Spam
December 17, 2023, 10:26:38 AM
#2
This is what transactional replacement mean. This process can be done using either of the two bumping feature; RBF or CPFP. This transaction pass through many replacement which was to different addresses. The cony aspect of this transaction is that the initial transaction was even more than enough to get the transaction confirmed in the next block. The series of replacement looks like it is a hack attempt on that wallet.
becoin
legendary
Activity: 3431
Merit: 1233
Re: RBF Spam
December 17, 2023, 06:35:27 AM
#1
Not sure if this is the right thread to ask this question. Mods, please feel free to move it to the right place.

Looking at the latest tx fee surge a clear pattern is spotted. Fees are surging when the number of txs with 8-9 or more tx replacements surges. Lets take for example this tx:

https://mempool.space/tx/396e5f826f8d6fbeb8358843d3708e32c014ca97d7d0917bfceeb011f099211d

What is it used for? What is the logic behind it?
Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Jump to: