-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
On mitigating mempool-pinning with option_gc_preimage
#783
Comments
I don't think we can reasonably introduce the assumption that miners/mining-pool will participate in this preimage broadcast. However, even without them, I think this mechanism could be helpful (it's still slightly better than doing nothing). But I'm concerned about the linkability issue you're raising: if broadcasting preimages in lightning makes it easier for attackers to discover your bitcoin full node, LN nodes will be disincentivised from sharing preimages with this mechanism. There are many mitigations we could implement, but it's hard to know if they are going to be effective. For example, you could share preimages only to a random subset of your peers, and after a random delay. Intuitively it makes it harder for an attacker to figure out which LN node discovered this preimage first, but it may not be enough... |
I'm sorry to say, but I disagree on most points @ariard pointed out. Let me
No, we are relying on the fact that at least someone in the wider network is Regarding the inference an attacker can do based on LN gossip: besides the DoS In addition opening a couple of feeler connections, that are not used for
Given the uncertainty we have added by staggering the broadcast, the number of
I'm under no illusion that in order for the attack to be fully mitigated we'll But it must also be said that
Again,
Well, in order to reliably pull this attack off you'd have to predict all
I disagree that we're introducing any new assumptions, we just add redundant P.S.: What's the |
Reporting the IRC discussion from tonight here, so we have a complete track of the discussions so far:
|
IMO, points of discussion:
I think 1) is okay, we will likely need this to keep a non-inflated routing map. 2) a) can be mitigated with random staggering. 3) sounds hard to qualify without further research but if we're honest about the risk of edge-case scenarios that's okay 4) is likely depending on noinput or package relay.
|
By leveraging mempool-pinning [0], a malicious counterparty can stuck and delay its own transactions in network mempools that way blocking a honest party to confirm a timeout transaction and breaking HTLC relay semantic.
During the last IRC meeting, a counter-measure has been suggested by @cdecker , namely
implementing a network-wise mempool monitoring and gossiping about channel close and preimage. This protocol extension,
option_gc_preimages
sounds at first-sight to protect a LN node against enhanced mempool-pinning attacks, where the local full-node mempool is blinded from receiving the preimage tx due to some malicious conflict. Such monitoring, widely-deployed, would be effective if you're connected to a least one peer deploying such measure.IMO, such attactive mitigating raises 2 concerns, a slight one and a more worrying one.
First, you introduce an assumption on the peers you're connected to, that their mempool is well-sized, relay policy is permissive enough, free from blinding conflicts, .... It sounds reasonable if you're connecting to well-known routing nodes, those relying on full-nodes. However, an attacker, by guessing your LN topology (gossips propagation?), can probe and blind their mempool from the interested preimage tx.
Note, I think mapping full/LN nodes sounds far easier if mempool watching is implemented. You can probe throw a test preimage transaction and see if your LN peer announces you this preimage for an offered HTLC in a timely window.
The second concern, push the reasoning further. If you can selectively blind few selected peers
in the network, why not create conflict partitions. Such partitions would isolate miners mempools
from the rest of the network. The miners subset would be feeded with the preimage tx. The leftover subset would be feeded with a conflict to blind them from seeing the preimage tx. This tactic means that
option_gc_preimage
has to be supported by miners to be trustworthy.This introduce a new assumption on miners behavior, you have to convince them to run/maintain
LN-dedicated software along their mining/Bitcoin stack, not only to be passive and not censor
LN transactions. If it's run by a majority, you need a coalition of them to cooperate to let
pinning happen, which sounds reasonable. If it's run by a minority, that sounds like a moral hazard, you rely on few miners to mitigate a class of LN attacks. I don't think reaching for the majority of miners to run LN software is realistic, and being sure in case of miners market/topologies changes we keep doing so.
With regards to identifying miners mempools, you don't need to identify all miners mempool, just
the most meaningful ones, i.e the ones which are highly-likely to mine a block during the timelock
delay you're aiming to exploit. I've not seen any research on it but it seems doable by "tainting"
mempools with conflicts and looking on block composition. Mining pools sadly sign blocks.
If we're at ease with the new strong assumption on miners for the security reduction, I concede
option_gc_preimage
would make this flavor of pinning far harder.[0] https://bitcoinops.org/en/topics/transaction-pinning/
The text was updated successfully, but these errors were encountered: