Timewarp Attacks and Long-Term Timelocked Script Paths

Timewarp Attacks and Long-Term Timelocked Script Paths

Original Postby Antoine Riard

Posted on: April 9, 2024 21:40 UTC

The discussion revolves around the security and operational aspects of vaults and time-locked wallets in the context of blockchain technology.

Specifically, there is a focus on the vulnerability of these systems to timewarp attacks and the different mechanisms that have been proposed over the years to safeguard digital assets.

One of the notable methods for protecting digital assets, particularly in a scenario like inheritance, involves the use of a dead man's switch mechanism within time-locked wallets. This approach relies on pre-signed, absolute timelocked transactions that are stored on online hosts. The fundamental idea is that if the original coin owner does not perform an action (such as transferring the coins to a new address to reset the timelock), the transaction can be automatically broadcasted to transfer the ownership of the coins. However, this setup could potentially expose the system to timewarp attacks by miners, who might attempt to prematurely broadcast high-fee transactions.

In contrast, vaults, especially those implementing the OP_VAULT protocol described in literature, incorporate a recovery path secured by a specific type of scriptpubkey, which provides a broader spectrum of scripting possibilities including n-of-m or hash-lock conditions. This design aims to accommodate multi-stakeholder scenarios where subsets of stakeholders control certain witness components, sometimes under conditions of relative or absolute timelocks. Despite these features, there remains a lack of comprehensive documentation on key operational aspects of OP_VAULT usage, such as the process for generating and validating the transaction trees and scriptpubkeys endpoints (referred to as "key-ceremony") and policies for recovery responses in anomalous situations.

Furthermore, while there is confidence in the security of cryptographic schemes against unauthorized signing by miners without access to private keys, concerns persist regarding the potential for miners to exploit temporal dimensions introduced by recovery policies. Specifically, by predicting or manipulating the timing conditions (relative timelocks) based on recovery scriptpubkey templates, miners could feasibly launch timewarp attacks without needing majority control of the network's hash rate. This hypothesis suggests a nuanced vulnerability within vaulting infrastructure that could be exploited by a minority coalition of miners, underscoring the need for further analysis and protective measures against such attack vectors.

For additional insights into the discussions on time-locked wallets and their security implications, the archive at bitcoin serves as a valuable resource (bitcoin archive).