A Free-Relay Attack Exploiting RBF Rule #6

Posted by Antoine Riard

Mar 29, 2024/20:48 UTC

The discussion begins with a consideration of the SPV (Simplified Payment Verification) validation in relation to scaling Bitcoin payments, especially for users on low-cost Android mobiles with limited resources. The importance of not disregarding SPV validation is emphasized due to the unsolved challenges of scaling Bitcoin payments across diverse user segments. The conversation then shifts towards the cost of security attacks, suggesting that creating fake blocks at the current difficulty adjustment level might be a probable threat scenario. This leads to the recommendation that evaluating whether a design is reckless should involve a cost-based threat model and a comparative analysis with alternative designs.

Further, the dialogue addresses issues related to security disclosures within the Bitcoin Core community. It highlights the need for modifying the SECURITY.md file to ensure that reports of findings with technical proofs are acknowledged within approximately 72 hours. This suggestion aims to improve the communication between researchers reporting vulnerabilities and the software maintainers, enhancing the overall state of Bitcoin security problem handling.

The correspondence also touches upon the responsibilities of software maintainers or vendors when dealing with technical reports from security researchers. It criticizes the disregard of credible reports due to hidden social reasons and suggests the possibility of disclosing under a pseudonym to protect professional reputations. Additionally, the email recounts personal experiences with disclosing serious issues within the Lightning network, specifically mentioning time-dilation attacks and RBF-pinning on second-stage HTLC, both disclosed without a formal process but within a responsible timeframe.

Lastly, the discussion delves into the technicalities of managing bandwidth in the context of broadcasting conflicts within the Bitcoin network. It distinguishes between transaction-announcement bandwidth and transaction-fetching bandwidth, proposing a refined adversarial scenario to assess the DoS impact more accurately based on the unique proof-of-UTXO. This segment underscores the complexity of managing network resources efficiently to mitigate potential security risks.

Link to Raw Post
Bitcoin Logo

TLDR

Join Our Newsletter

We’ll email you summaries of the latest discussions from authoritative bitcoin sources, like bitcoin-dev, lightning-dev, and Delving Bitcoin.

Explore all Products

ChatBTC imageBitcoin searchBitcoin TranscriptsSaving SatoshiBitcoin Transcripts Review
Built with 🧡 by the Bitcoin Dev Project
View our public visitor count

We'd love to hear your feedback on this project?

Give Feedback