Mats Jerratsch [ARCHIVE] on Nostr: š Original date posted:2015-09-22 š Original message: So far my impression was ...
š
Original date posted:2015-09-22
š Original message:
So far my impression was that an attacker that only stops one payment
is just a nuisance, as the system can self-correct. The payer and
payee can set a timeout. If the payment has not arrived after the
timeout the payee can issue a refund back to the payer. The refund
will pay to the same secret hash as the initial payment, and it will
pay an amount that is sufficient such that the payer will receive his
initial payment completely back. (That is, he might end up paying more
refund than actual payment)
When the payer does receive the refund in his channel, he can be sure
that the payment got invalidated. The payee must not reveal the
secret, and even if he does, the funds will just circle back again.
(plus the payee will pay fees for both transactions as a disincentive)
This concept has been around already, at least I read it somewhere.
However, I recently thought about it and got a couple of unresolved
issues:
(1)
How do we resolve the complete chain to remove both, the refund and
the payment completely? Do we just wait until they timeout? This does
not seem very efficient and it would maximise the damage the attacker
would do to the network - that is, he is locking up the payment amount
for N1 nodes on the first route and N2 nodes on the refund route for
the maximum amount of time. I thought about letting the nodes resolve
this on their own, but this would need cooperation from the very node
that isn't relaying the payment in the first place.
Lets assume A wants to pay E, and it chose the route
A->B->C->D->E.
However, C is uncooperative in that he does accept the payment in the
channel he has with B, but he is not relaying it further to D. (for
whatever reason)
So we end up with
A->B->C
Now the timeout hits and E is making the refund payment
E->D->F->B->A
with the same secret hash.
A and B can resolve this, both payments are the same amount (as
described above), so the payments net-worth is zero for both parties.
Now B has a binding payment towards C for X-a bitcoin, and he receives
X+a bitcoin from F. (with some fees a)
>From the point of view of B, this is just a normal payment from F
towards C with 2a in fees. And while B can drop the payment he gets
from F (they can just update the channel and remove the payment if B
agrees), he still has a binding agreement towards the payment to C.
Without C agreeing to drop the payment as well, B isn't in the
position to drop the payment towards F, keeping up the complete chain.
(2)
How do we resolve the case, where the refund gets stuck as well? Let's
assume the same case as above, but this time F is uncooperative too.
We end up with two chains of payments, where both payees don't get the
payment:
A->B->C
E->D->F
where C and F are both uncooperative. From the point of view of A, he
has made a final payment that he cannot revoke on his own. He further
has made the payment due to some contract, to which he expects some
kind of service/good. Waiting out one day till the lightning timeout
might not be an option for A.
The same is true other way round, where E has issued the refund and is
awaiting a new payment. Both parties can not sufficiently prove to the
other party they haven't received the payment, and even if they could,
the initial payment could still route correctly after some delay while
the refund doesn't.
Thinking about it, I guess E could give out multiple refunds via other
routes, until one finally arrives at the payer. As he is obliged to
not reveal the secret anyways, these are just for resolving the issue
at hand. However, this would again maximise the damage, as all
additional refunds would need to timeout. Furthermore, a malicious
payer could just claim he never received any refund, locking up lots
of funds of the payee with very few efforts...
š Original message:
So far my impression was that an attacker that only stops one payment
is just a nuisance, as the system can self-correct. The payer and
payee can set a timeout. If the payment has not arrived after the
timeout the payee can issue a refund back to the payer. The refund
will pay to the same secret hash as the initial payment, and it will
pay an amount that is sufficient such that the payer will receive his
initial payment completely back. (That is, he might end up paying more
refund than actual payment)
When the payer does receive the refund in his channel, he can be sure
that the payment got invalidated. The payee must not reveal the
secret, and even if he does, the funds will just circle back again.
(plus the payee will pay fees for both transactions as a disincentive)
This concept has been around already, at least I read it somewhere.
However, I recently thought about it and got a couple of unresolved
issues:
(1)
How do we resolve the complete chain to remove both, the refund and
the payment completely? Do we just wait until they timeout? This does
not seem very efficient and it would maximise the damage the attacker
would do to the network - that is, he is locking up the payment amount
for N1 nodes on the first route and N2 nodes on the refund route for
the maximum amount of time. I thought about letting the nodes resolve
this on their own, but this would need cooperation from the very node
that isn't relaying the payment in the first place.
Lets assume A wants to pay E, and it chose the route
A->B->C->D->E.
However, C is uncooperative in that he does accept the payment in the
channel he has with B, but he is not relaying it further to D. (for
whatever reason)
So we end up with
A->B->C
Now the timeout hits and E is making the refund payment
E->D->F->B->A
with the same secret hash.
A and B can resolve this, both payments are the same amount (as
described above), so the payments net-worth is zero for both parties.
Now B has a binding payment towards C for X-a bitcoin, and he receives
X+a bitcoin from F. (with some fees a)
>From the point of view of B, this is just a normal payment from F
towards C with 2a in fees. And while B can drop the payment he gets
from F (they can just update the channel and remove the payment if B
agrees), he still has a binding agreement towards the payment to C.
Without C agreeing to drop the payment as well, B isn't in the
position to drop the payment towards F, keeping up the complete chain.
(2)
How do we resolve the case, where the refund gets stuck as well? Let's
assume the same case as above, but this time F is uncooperative too.
We end up with two chains of payments, where both payees don't get the
payment:
A->B->C
E->D->F
where C and F are both uncooperative. From the point of view of A, he
has made a final payment that he cannot revoke on his own. He further
has made the payment due to some contract, to which he expects some
kind of service/good. Waiting out one day till the lightning timeout
might not be an option for A.
The same is true other way round, where E has issued the refund and is
awaiting a new payment. Both parties can not sufficiently prove to the
other party they haven't received the payment, and even if they could,
the initial payment could still route correctly after some delay while
the refund doesn't.
Thinking about it, I guess E could give out multiple refunds via other
routes, until one finally arrives at the payer. As he is obliged to
not reveal the secret anyways, these are just for resolving the issue
at hand. However, this would again maximise the damage, as all
additional refunds would need to timeout. Furthermore, a malicious
payer could just claim he never received any refund, locking up lots
of funds of the payee with very few efforts...