Batch exchange withdrawal to lightning requires covenants

The email is a response to an answer given by Bastien regarding a protocol that enables batched withdrawals. The protocol involves sending funds from an exchange to a list of users through channel funding outputs. These outputs are 2-of-2, meaning they require cooperation between two lambda users or a lambda user and a LSP.

The concern raised in the email is that two users could collude maliciously against the batch withdrawal transactions. They could re-sign a CPFP (child-pays-for-parent) from the 2-of-2 and broadcast the batch withdrawal as a higher-fee package. Afterward, they could evict the CPFP, which would cause the batch withdrawal to be evicted out of the mempool. This attack is referred to as a replacement cycling attack.

The sender mentions a test related to non-deployed package acceptance code, which can be found at this link: https://github.com/ariard/bitcoin/commit/19d61fa8cf22a5050b51c4005603f43d72f1efcf

The sender asks for confirmation if their understanding of the protocol and the mentioned test is correct. They also agree with Bastien on the assumptions that the exchange does not have an incentive to double-spend its own withdrawal transactions and that malicious collusion is less plausible if all the batched funding outputs are shared with a LSP.