-
Notifications
You must be signed in to change notification settings - Fork 234
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recover possible transaction in conflicted cache when RBF #4561
Recover possible transaction in conflicted cache when RBF #4561
Conversation
ed82636
to
75d237d
Compare
75d237d
to
db66275
Compare
it is ready to be merged, since #4291 is merged. |
conflicts_cache: LruCache::new(CONFLICTES_CACHE_SIZE), | ||
conflicts_outputs_cache: lru::LruCache::new(CONFLICTES_INPUTS_CACHE_SIZE), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we may add two config options for CONFLICTES_CACHE_SIZE
and CONFLICTES_INPUTS_CACHE_SIZE
Some tradeoff for current solution:
|
What problem does this PR solve?
When we replace some transactions in RBF, some old transactions may be okay to be recovered, since there are no conflicts after removing transactions.
If we don't recover these transactions, it may introduce a scenario of a possible cycling attack in lightning network.
In the Lightning Network, the flow of funds across multiple hops is achieved through HTLCs. If an intermediate node discovers that the subsequent node has not acted as agreed, it can issue a timeout transaction, and after a certain waiting period, reclaim its own funds.
Assume A -> B -> C, where the attacker controls both A and C, and attempts to prevent B's timeout transaction from being confirmed on-chain while stealing B's money through a preimage transaction.
The attack method can be described as follows:
B1 is a transaction that is prepared to spend B0. B0 has already been included in a block, and B1 is in the transaction pool. Here, B1 is a timeout transaction.
A1 and A2 are two chained transactions that are prepared to spend A0. A0 has already been included in a block, and A1 and A2 are in the transaction pool.
Construct a B2 transaction, which spends B0 and A1.
As long as B2’s feerate is higher than B1's and A2's, it will evict B1 and A2 from the transaction:
Construct an A3 transaction, which spends A0 and has a feerate higher than A1's and B2's. It will evict A1 and B2 from the transaction pool:
In this way, both B1 and B2 will disappear from the transaction pool. By carefully timing the submission of the transactions, B2 will also not be broadcast to the network.
More reference:
https://blog.satsbridge.com/lightning-replacement-cycling-attack-explained-45636e41bc6f
https://twitter.com/mononautical/status/1715736832950825224
What is changed and how it works?
What's Changed:
Add
conflicts_outputs_cache
to track the relationship ofinput -> tx
in RBF, then add possible transactions into the verify pool, so that they may be recovered.This PR is based on the
new-verify
branch, one reason is we can not recursively callsubmit_entry
in async. Another reason isnew-verify
's worker-consumer model is more suitable for retrying submit transactions.Related changes
owner/repo
:Check List
Tests
Side effects
Release note