bitcoin-dev
A Free-Relay Attack Exploiting RBF Rule #6
Posted on: March 29, 2024 20:48 UTC
The discussion begins with a consideration of the SPV (Simplified Payment Verification) validation in relation to scaling Bitcoin payments, especially for users on low-cost Android mobiles with limited resources.
The importance of not disregarding SPV validation is emphasized due to the unsolved challenges of scaling Bitcoin payments across diverse user segments. The conversation then shifts towards the cost of security attacks, suggesting that creating fake blocks at the current difficulty adjustment level might be a probable threat scenario. This leads to the recommendation that evaluating whether a design is reckless should involve a cost-based threat model and a comparative analysis with alternative designs.
Further, the dialogue addresses issues related to security disclosures within the Bitcoin Core community. It highlights the need for modifying the SECURITY.md
file to ensure that reports of findings with technical proofs are acknowledged within approximately 72 hours. This suggestion aims to improve the communication between researchers reporting vulnerabilities and the software maintainers, enhancing the overall state of Bitcoin security problem handling.
The correspondence also touches upon the responsibilities of software maintainers or vendors when dealing with technical reports from security researchers. It criticizes the disregard of credible reports due to hidden social reasons and suggests the possibility of disclosing under a pseudonym to protect professional reputations. Additionally, the email recounts personal experiences with disclosing serious issues within the Lightning network, specifically mentioning time-dilation attacks and RBF-pinning on second-stage HTLC, both disclosed without a formal process but within a responsible timeframe.
Lastly, the discussion delves into the technicalities of managing bandwidth in the context of broadcasting conflicts within the Bitcoin network. It distinguishes between transaction-announcement bandwidth and transaction-fetching bandwidth, proposing a refined adversarial scenario to assess the DoS impact more accurately based on the unique proof-of-UTXO. This segment underscores the complexity of managing network resources efficiently to mitigate potential security risks.