I believe that anyone attempting a DOS by forcing on-chain settlement can
do it just as easily with asymmetric delays than with symmetric delays.
If my goal is to waste the time-value of your money in a channel, in a
world with symmetric delays, I could just publish the commitment
transaction and you would have to wait the full delay for access to your
funds. True. But with delays asymmetric as they are now, I can just as
easily refuse to participate in a mutual close, forcing you to close
on-chain. This is just as bad. In fact, I'd argue that it is worse, because
I lose less by doing this (in the sense that I as the attacker get
immediate access to my funds). So in my assessment, it is a very active
attack and symmetric delays are something of a mitigation. You are right
that the balance of funds in the channel becomes a factor too, but note
that there is the reserve balance, so I'm always losing access to some
funds for some time.
On Sun, Apr 15, 2018 at 6:35 AM, ZmnSCPxj <zmnsc...@protonmail.com> wrote:
> Good morning Daniel,
> This makes a lot of sense to me as a way to correct the incentives for
> closing channels. I figure that honest nodes that have truly gone offline
> will not require (or be able to take advantage of) immediate access to
> their balance, such that this change shouldn't cause too much inconvenience.
> I was trying to think if this could open up a DOS vector - dishonest nodes
> performing unilateral closes even when mutual closes are possible just to
> lock up the other side's coins - but it seems like not much of a concern. I
> figure it's hard to pull off on a large scale.
> Now that you bring this up, I think, it is indeed a concern, and one we
> should not take lightly.
> As a purely selfish rational being, it matters not to me whether my
> commitment transaction will delay your output or not; all that matters is
> that it delays mine, and that is enough for me to prefer a bilateral close
> if possible. I think we do not need to change commitment transactions to
> be symmetrical then --- it is enough that the one holding the commitment
> transaction has its own outputs delayed.
> If I had a goal to disrupt rather than cooperate with the Lightning
> Network, and commitment transactions would also delay the side not holding
> the commitment transaction (i.e. "symmetrical delay" commitments), I would
> find it easier to disrupt cheaply if I could wait for a channel to be
> unbalanced in your favor (i.e. you own more money on it than I do), then
> lock up both our funds by doing a unilateral transaction. Since it is
> unbalanced in your favor, you end up losing more utility than I do.
> Indeed, in the situation where you are funding a new channel to me, I have
> 0 satoshi on the channel and can perform this attack costlessly.
> Now perhaps one may argue, in the case of asymmetric delays, that if I
> were evil, I could still disrupt the network by misbehaving and forcing the
> other side to push its commitment transaction. Indeed I could even just
> accept a channel and then always fail to forward any payment you try to
> make over it, performing a disruption costlessly too (as I have no money in
> this). But this attack is somewhat more passive than the above attack
> under a symmetrical delay commitment transaction scheme.
Lightning-dev mailing list