Mar 18 - Mar 28, 2024
It underscores the complexity of assessing potential attack costs on the system, stressing the need for a comprehensive threat model to compare various design alternatives. The importance of improving communication between security researchers and maintainers is highlighted, with suggestions for modifications to Bitcoin Core's SECURITY.md to ensure technical reports are acknowledged within approximately 72 hours.
Antoine Riard raises concerns about how software maintainers respond to security reports, advocating for the option to report vulnerabilities anonymously or under a pseudonym to protect professional reputation. He reflects on past instances where significant security issues were disclosed without a formal process, suggesting a standardized two-week period for vendors to engage in mitigation before public disclosure.
The conversation delves into bandwidth utilization in transaction relay networks and the economic aspects of securing incoming liquidity on the Lightning Network (LN). It discusses the limitations imposed by current protocol specifications, such as the inability to change the dust_limit_satoshis value for existing channels. Additionally, the potential consequences of large mempools on network operations are examined.
An innovative technique for managing transaction fees within the LN framework is explored, involving the implementation of feerate ascending LN states by adjusting dust_limit_satoshis. This approach aligns with BOLT2's specifications and represents ongoing efforts to optimize LN implementations.
Mempool management strategies are analyzed, focusing on objectives like increasing block template efficiency and ensuring adequate validation times for BIP152 compact blocks. The dialogue suggests that incorporating a proof-of-UTXO mechanism could strengthen the network against attacks, while also acknowledging the economic challenges in making such mechanisms unfeasible for attackers.
David A. Harding shares his experiences with the bitcoin-security mailing list, highlighting the need for better acknowledgment of reported security issues. His narrative emphasizes the complexities and emotional toll involved in the vulnerability disclosure process.
The correspondence touches on the necessity of balancing public vulnerability disclosure with responsible reporting to prevent exploitation. It advocates for open discourse as a strategy for dealing with vulnerabilities and emphasizes the delicate balance required to ensure network security.
Antoine Riard discusses modifying Bitcoin Core, stressing the importance of structured disclosure timelines and ethical standards in technology practices. He encourages active participation in vulnerability reporting and patch coordination.
Boris Nagaev critiques a proposed solution to replacement attacks, advocating for distributing all transactions to every node to avoid selective targeting during an attack. He highlights the practical challenges of this approach, such as the risk of DoS attacks through bandwidth overload or memory exhaustion.
The discussion extends to transaction identifier (txid) variations, considering strategies to either exacerbate or mitigate bandwidth challenges within Bitcoin’s network. Peter Todd offers further insights on this subject at his website, available here.
Finally, the Replace-By-Fee Rate (RBFR) rule discussion examines challenges blockchain nodes face in managing transactions within mempools. A proposal involves using dual priority queues in nodes for incoming and broadcasting transactions to reduce the spread of spam and maintain mempool efficiency. Public discussions and resources on these topics, including analyses of one-shot replace-by-fee-rate mechanisms and their success rates, are accessible online, highlighting ongoing efforts to improve the Bitcoin network’s transaction handling processes. Relevant links include Original Full-RBF opt-in pull request, One-shot replace-by-fee-rate - the status quo, and Replace-by-fee-rate success rate.
Thread Summary (21 replies)
Mar 18 - Mar 28, 2024
22 messages • 21 replies
TLDR
We’ll email you summaries of the latest discussions from high signal bitcoin sources, like bitcoin-dev, lightning-dev, and Delving Bitcoin.
We'd love to hear your feedback on this project.
Give Feedback