Combined summary - Malleability issues when creating shared transactions with segwit v0

Combined summary - Malleability issues when creating shared transactions with segwit v0

In the evolving landscape of cryptocurrency, Layer 2 contracts have significantly enhanced transaction capabilities, facilitating intricate exchanges between parties that may not inherently trust one another.

These contracts typically necessitate participants to pre-sign a refund transaction. This serves as a safeguard, ensuring they can reclaim their funds if collaborative efforts fail. However, this system is not without its vulnerabilities, particularly concerning the malleability of transaction IDs (txid). If a txid is altered post-approval by the involved parties, the efficacy of the pre-signed refund transaction could be compromised, potentially leading to situations where malicious entities could exploit this weakness for financial gain.

A specific instance where this vulnerability is pronounced is within the Lightning Network's interactive-tx transactions, especially noted in scenarios involving dual-funding and splicing. A detailed examination of this issue can be found in the lightning/bolts pull request. The problem arises when collaborators, such as Alice and Bob, engage in funding a Lightning channel. They add inputs through tx_add_input messages which are expected to contain only Segregated Witness (segwit) compatible scriptPubKeys, negating the risk of malleability. However, if one party clandestinely employs a non-segwit scriptPubKey, they can alter the txid after signing the funding transaction. This action invalidates the commitment transactions of the other party, effectively trapping their funds.

Segregated Witness version 1 (segwit v1), as outlined in BIP 341, proposes a solution to this predicament by mandating the inclusion of amounts and scriptPubKeys of all inputs in the signature hash. This requirement binds signatures unequivocally to the specific inputs used, thereby mitigating the risk of txid malleability. However, completely eliminating the prevtx from the transaction process remains unsafe under certain conditions. For maximum protection against these vulnerabilities, it is recommended that each participant ensures at least one input utilizes segwit v1.

The decision to exclude the prevtx field is deemed secure primarily in two scenarios: when conducting a splice transaction within a taproot channel that features a shared input requiring signatures from all parties, or when every participant includes at least one taproot input in the transaction. Adhering to these guidelines ensures that all inputs are securely tied to the transaction, effectively guarding against malleability and promoting the security and integrity of transactions within the Lightning Network ecosystem.

Discussion History

tbast Original Post
January 30, 2024 09:32 UTC
February 13, 2024 16:04 UTC