Good morning Bastien,

> Thanks for the detailed write-up on how it affects incentives and 
> centralization,
> these are good points. I need to spend more time thinking about them.
> > This is one reason I suggested using independent pay-to-preimage
> > transactions[1]
> While this works as a technical solution, I think it has some incentives 
> issues too.
> In this attack, I believe the miners that hide the preimage tx in their 
> mempool have
> to be accomplice with the attacker, otherwise they would share that tx with 
> some of
> their peers, and some non-miner nodes would get that preimage tx and be able 
> to
> gossip them off-chain (and even relay them to other mempools).

I believe this is technically possible with current mempool rules, without 
miners cooperating with the attacker.

Basically, the attacker releases two transactions with near-equal fees, so that 
neither can RBF the other.
It releases the preimage tx near miners, and the timelock tx near non-miners.

Nodes at the boundaries between those that receive the preimage tx and the 
timelock tx will receive both.
However, they will receive one or the other first.
Which one they receive first will be what they keep, and they will reject the 
other (and *not* propagate the other), because the difference in fees is not 
enough to get past the RBF rules (which requires not just a feerate increase, 
but also an increase in absolute fee, of at least the minimum relay feerate 
times transaction size).

Because they reject the other tx, they do not propagate the other tx, so the 
boundary between the two txes is inviolate, neither can get past that boundary, 
this occurs even if everyone is running 100% unmodified Bitcoin Core code.

I am not a mempool expert and my understanding may be incorrect.

bitcoin-dev mailing list

Reply via email to