One-Shot Replace-By-Fee-Rate

Jan 31 - Jan 31, 2024

  • The recent discussion focuses on the successful demonstration, on a regtest node, of a vulnerability in the current Replace-By-Fee (RBF) rules.

An attack was conducted that highlighted the ability to replace a higher fee-rate transaction, referred to as tx_RBFr, with a lower fee-rate and less profitable one named tx_HS. This is particularly concerning as it goes against the expected behavior where only more profitable transactions should replace existing ones.

In response to this issue, the discussion mentions sdaftuar's "Enforce incentive compatibility" pull request, which is believed to potentially reject such an unprofitable replacement, although this has not been tested yet. To address the vulnerability more directly, a commit has been added to the libre-relay-v26.0 branch. The change rejects a transaction replacement that spends unconfirmed inputs when that replacement conflicts with multiple transactions simultaneously.

This solution is designed to prevent the formation of cycles that could be used to exploit the system. It does so by introducing the concept of "fee-rate-depth", which pairs the raw fee rate of a transaction with its depth, defined as the number of unconfirmed parent transactions that would need to be mined for the transaction to proceed. Under a policy in which a transaction can only replace another if it offers an improved fee-rate-depth (either through a higher fee rate or a reduced depth), the system strengthens its defenses against the identified attack vector.

The discussion also includes a hypothetical scenario of an unconfirmed transaction graph, presumably to illustrate how the fee-rate-depth measurement works. Unfortunately, further details about this example were not provided within the context shared. Nonetheless, the proposed changes aim to enhance the security and reliability of transaction processing within the network by ensuring that only genuinely more profitable transactions can supplant others.
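A minimal model of the two checks described above, as an added example and not code from the libre-relay branch or from the discussion. The sample graph is constructed here, "depth" is assumed to count all unconfirmed ancestors, "improved" is assumed to mean no worse on either component and strictly better on at least one, and the names `Tx`, `depth`, `fee_rate_depth`, `improves` and `accept_replacement` are hypothetical.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Tx:
    txid: str
    fee: int             # satoshis
    vsize: int           # virtual bytes
    spends: tuple = ()   # txids of parents; a txid not in the mempool is confirmed

def depth(tx, mempool):
    """Count the distinct unconfirmed ancestors that must be mined before tx."""
    seen, stack = set(), list(tx.spends)
    while stack:
        parent = stack.pop()
        if parent in mempool and parent not in seen:
            seen.add(parent)
            stack.extend(mempool[parent].spends)
    return len(seen)

def fee_rate_depth(tx, mempool):
    """Pair the raw fee rate (sat/vB, exact) with the depth."""
    return Fraction(tx.fee, tx.vsize), depth(tx, mempool)

def improves(new, old, mempool):
    """Assumed ordering: no worse on either component, strictly better on one."""
    (nr, nd), (orate, od) = fee_rate_depth(new, mempool), fee_rate_depth(old, mempool)
    return nr >= orate and nd <= od and (nr > orate or nd < od)

def accept_replacement(new, conflicts, mempool):
    """Policy check; conflicts is the list of mempool txids that new double-spends."""
    if depth(new, mempool) > 0 and len(conflicts) > 1:
        return False   # unconfirmed inputs plus multiple conflicts: rejected outright
    return all(improves(new, mempool[c], mempool) for c in conflicts)

# Constructed sample mempool: A and C spend confirmed outputs, B spends A.
MEMPOOL = {t.txid: t for t in (
    Tx("A", 1000, 200),            # 5 sat/vB, depth 0
    Tx("B", 2000, 200, ("A",)),    # 10 sat/vB, depth 1
    Tx("C", 600, 200),             # 3 sat/vB, depth 0
)}

def run_examples():
    higher_rate = Tx("R1", 2400, 200)            # 12 sat/vB, confirmed inputs only
    lower_rate = Tx("R2", 800, 200, ("A",))      # 4 sat/vB, same depth as B
    multi = Tx("R3", 4000, 200, ("A",))          # 20 sat/vB, but conflicts with B and C
    return (accept_replacement(higher_rate, ["B"], MEMPOOL),
            accept_replacement(lower_rate, ["B"], MEMPOOL),
            accept_replacement(multi, ["B", "C"], MEMPOOL))

if __name__ == "__main__":
    print(run_examples())   # (True, False, False)
```

The second case mirrors the reported problem, a lower fee-rate transaction trying to displace a higher fee-rate one, and is refused; the third is refused by the multiple-conflict rule regardless of its fee rate.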
