Which ephemeral anchor script should lightning use?

The discussion revolves around the comparative safety of different options for handling HTLC (Hashed Time-Locked Contracts) in the context of blockchain and cryptocurrency transactions, highlighting the inherent risks and vulnerabilities associated with specific approaches. The primary concern is with the method known as P2A (option 1), which is argued to be safer than other considered alternatives due to two main vulnerabilities present in options 2, 3, and 4.

Firstly, there is a risk associated with the theft of trimmed HTLC value. This issue arises when a counterparty manages to receive the trimmed value of an HTLC if they force close a channel while it is still pending in the mempool, the space used by a blockchain to hold transactions before they are confirmed. This vulnerability is exacerbated by the fact that the average time a transaction remains in the mempool can be significantly reduced, to about 10 minutes, by opting to pay a higher fee for the next block confirmation. An example provided illustrates a scenario where an individual, referred to as Bob, has a predictable schedule for taking his node offline, which is exploited by another party, Mallory, to forward maximum trimmed HTLC value through Bob's node to her own, before force closing the channel during his downtime. By doing so at a time when the full value of the keyed anchor is less than its maximum, Mallory stands to profit from the difference.

Secondly, there is a concern regarding the reduction in reorg safety. This is particularly relevant in situations where a counterparty colludes with a miner to redirect the full value of a keyed anchor to their wallet, effectively leaving both the commitment transaction and the Child Pays for Parent (CPFP) transaction without a fee in the event of a block. In the case of a natural reorganization of the blockchain, rational miners would be disinclined to include these zero-fee transactions in the newly reorganized blocks. This could potentially reopen a channel that was previously considered closed, increasing the risk of value theft from regular HTLCs in the reopened channel, especially if the reorg is lengthy enough. While long reorganizations bring their own set of challenges and problems, the point made is that out-of-band fee payments should not decrease the likelihood of a commitment transaction being re-mined in the event of a reorg, indicating a preference for approaches that maintain or enhance transaction reorg safety.