Combined summary - OP_VAULT comments

Combined summary - OP_VAULT comments

The discussion surrounding the proposed BIP345 `OP_VAULT` feature surfaces potential vulnerabilities in vault security, particularly when an attacker gains access to a user's trigger authorization key.

The concern centers on the feasibility of recovery actions when small amounts of funds are stolen from a vault. It is posited that if an attacker, referred to as Mallory, steals only a minor sum and revaults the rest, the victim (Bob) may find it economically unfeasible to initiate a recovery transaction due to high fees, potentially leading to a decision to forgo recovery of the stolen amount.

An advanced attack strategy involves Mallory creating numerous low-value transactions from Bob's vault without paying fees, then mining these transactions in one block during periods of low feerate, effectively stealing funds while making the cost of recovery for Bob prohibitive. This strategy not only affects Bob but also presents challenges for watchtowers that must maintain large reserves in their hot wallet to cover potential batch recovery fees. These could be substantial, with estimates suggesting reserves could be more than 0.3 BTC to ensure robust theft response capabilities. The required reserve size increases with the number of watchtowers involved, amplifying the risk proportionally.

To counter such exploits, a proposal has been made to include a relative block delay between respends from the same vault output. This would prevent Mallory from making multiple uneconomic withdrawals, allowing Bob to secure his funds after the first attack attempt. However, this safeguard comes at the cost of reduced flexibility for frequent spending and additional complexity in composing scripts for contract protocols.

In scenarios where vaults contain less than 0.3 BTC, the security offered by the vault mechanism itself might not be significantly greater than that provided by the trigger authorization script alone. An attacker could potentially render the entire vault uneconomical to recover, thus gaining from the attack despite the nominal value involved. This raises fundamental questions about the economic incentives and practical security of using vaults for safeguarding funds under the current implementation of the OP_VAULT proposal.

Discussion History

harding Original Post
February 5, 2024 23:45 UTC
February 6, 2024 03:29 UTC
February 6, 2024 14:10 UTC