On Tue, Jun 19, 2018 at 04:46:32PM +0200, Christian Decker wrote:
> That is true, we can't prevent S_2 to make it into the blockchain, but
> we can make sure it doesn't have any effect (aside from wasting some
> fees), by simply binding S_3 to it immediately afterwards. 

Right, but I'm picking on the phrasing in the paper here, which seems to
imply that once the final settlement transaction enters the mempool with
a reasonable fee, its confirmation---and the safe close of the
channel---is "certain."  I don't think that's the case and I think the
phrasing might be accidentally misleading to readers who don't have a
good grasp of mempool behavior.

> It should be noted that anyone can perform the rewriting, and it's easy
> to do so, by just following the funding output and knowing the final
> update.

Anyone can rewrite a SIGHASH_NOINPUT input's outpoint, but the actual
transaction containing the settlement is expected to have (at least) two
inputs, with the second one originating the fees.  That second input's
signature is (I assume) using SIGHASH_ALL to commit to all outpoints in
the transaction, so it can't be arbitrarily rewritten by a third-party
to apply to a different state outpoint---and so I think we're dependent
on a motivated person (e.g. one of the channel participants) performing
the rewrite so that the rewritten final settlement transaction pays



Attachment: signature.asc
Description: PGP signature

Lightning-dev mailing list

Reply via email to