On Tue, Mar 13, 2018 at 06:07:48PM +0100, René Pickhardt via Lightning-dev wrote:
> Hey Christian,
> I agree with you on almost anything you said. However I disagree that in the
> lightning case it produces just another double spending. I wish to
> emphasize on my statement that in the case with lightning such a 51%
> attack can steal way more BTC than double spending my own funds.

I think you can get a simpler example:

 * I set up a channel, funding it with 10 BTC (ie, balance is 100% on my side)
 * Someone else sets up a channel with me, funding it with 5 BTC (balance is
   100% on their side)
 * I route 5 BTC to myself from the first channel through the second:
       aj -> X -> ... -> victim -> aj
 * I save the state that says I own all 5 BTC in the victim <-> aj channel
 * I route 5 BTC to myself from the second channel through the first:
       aj -> victim -> ... -> X -> aj
 * At this point I'm back to having 10 BTC (minus some small amount of
   lightning fees) in the first channel
 * I use 51% hashing power to mine a secret chain that uses the saved state
   to close the victim<->aj channel. Once that chain is long enough that I
   can claim the funds I do so. Once I have claimed the funds on my secret
   chain and the secret chain has more work than the public chain, I publish
   it, causing a reorg.
 * At this point I still have 10 BTC in the original channel, and I have the
   victim's 5 BTC.

I can parallelise this attack as well: before doing any private mining or
closing the victim's channel, I can do the same thing with another victim,
allowing me to collect old states worth many multiples of up to 10 BTC, and
mine them at once, leaving with my original 10 BTC minus fees, plus n*10BTC
stolen from victims.

This becomes more threatening if you add in conspiracy theories about there
already being a miner with >51% hashpower, who has financial interests in
seeing lightning fail...

The main limitation is that it still only allows a 51% miner to steal funds
from channels they participate in, so creating channels with identifiable
entities with whom you have an existing relationship (as opposed to picking
random anonymous nodes) is a defense against this attack.

Also, if 51% of hashpower is mining in secret for an extended period, that
may be detectable, which may allow countermeasures to be taken?

You could also look at this the other way around: at the point when
lightning is widely deployed, this attack vector seems like it gives an
immediate, personal, financial justification for large economic actors to
ensure that hash rate is very decentralised.

> In particular I could run for a decade on stable payment channels
> storing old state and at some point realizing it would be a really big
> opportunity secretly cashing in all those old transactions which can't be
> revoked.

(I'd find it surprising if many channels stayed open for a decade; if nothing
else, I'd expect deflation over that time to cause people to want to close
channels)

Cheers,
aj

_______________________________________________
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev