Good morning Dmitry,

> I made a version of the TLA+ spec according to the suggested variant,
> as I understood it from your description. This version is in
> the separate branch in the SASwap repo, 'variant_ZmnSCPxj' [1]
> If I understood and specified your variant correctly, there is a
> deadlock possible after step 9, if Bob fails to publish success tx in
> time. After refund tx becomes spendable, Alice cannot publish it via
> mempool, because Bob can learn her secret and has a chance invalidate
> her refund tx by giving his success tx to friendly miner, while taking
> back the locked LTC because both secrets are known. At the same time,
> Bob cannot publish success tx via mempool, because then Alice can do
> the same thing, invalidating his success tx with refund tx via friednly
> miner.

Indeed, this is precisely the issue Ruben pointed out.

Rationally, neither side will want this condition due to the deadlock and Bob 
will strive to avoid this, having a short real-world timeout after which Bob 
will force publication of the success tx if Alice does not respond in time.
There *is* a reason why it says "Bob claims the BTC funding txo before L1."

Of course, computers do crash occasionally, I am informed, so complete 
accidents may occur that way.
This can be mitigated by running multiple servers who are given copies of the 
success tx, and which will publish it regardless after a short sidereal time 
duration, unless countermanded by the main server (i,e, a dead man switch 
With sufficient distribution the probability of this occurring can drop to 
negligible levels compared to other theoretical attacks.


bitcoin-dev mailing list

Reply via email to