Abstract
A Hashed Time Lock Contract (HTLC) is a central concept in cryptocurrencies where some value can be spent either with the preimage of a public hash by one party (Bob) or after a timelock expires by another party (Alice). We present a bribery attack on HTLCs where Bob’s hash-protected transaction is censored by Alice’s timelocked transaction. Alice incentivizes miners to censor Bob’s transaction by leaving almost all her value to miners in general. Miners follow (or refuse) this bribe if their expected payoff is better (or worse). We explore conditions under which this attack is possible, and how HTLC participants can protect themselves against the attack. Applications like Lightning Network payment channels and Cross-Chain Atomic Swaps use HTLCs as building blocks and are vulnerable to this attack. Our proposed solution uses the hashpower share of the weakest known miner to derive parameters that make these applications robust against this bribing attack.
Appendices
Appendix A Transactions in Pseudo Bitcoin Script
HTLC Transaction:
Seller Transaction, spending from the hashlocked path:
Refund Transaction, spending from the timelocked path: REFUND_TXN:
Bribe Transaction, which leaves the output values to miners: BRIBE_TXN:
Appendix B Iterated Removal of Dominated Strategies
The FIND_T procedure receives as input a list of mining hashpowers (leader selection probabilities), and the values of parameters f and b. As output, it returns the lowest value of T such that all miners refuse the bribe in the first stage of the game. It uses the inner procedure CALCULATE_BRIBERY_MATRIX to determine the behavior of stronger miners at each block when weaker miners’ strategies get dominated (Fig. 1).
Example (Table 2): Let’s take the case of 4 miners with hashpower shares \(\mathbb {P} = [0.1, 0.2, 0.3, 0.4]\), \(f = 11, b = 100\). Applying Theorem 1, we get an upper bound on T of 21. Running the procedure CALCULATE_BRIBERY_MATRIX returns the matrix shown in Table 2, with “1” standing for refuse and “0” standing for follow. Note that this matrix shows the conservative scenario of T = 21 blocks (as given by Theorem 1). The aim of this algorithm is to find a more aggressive (lower) value of T, which we get if we eliminate dominated strategies of strong miners. We now go through the actions of each miner.
The miner with hashpower 0.1 (\(p_0\)) will play refuse at every block because we have \(T > \frac{\log \frac{f}{b}}{\log (1-p_w)}\). The miner with hashpower 0.2 (\(p_1\)) will play refuse as long as the expected bribe (payable at \(T+1\)) calculated at a particular block is lower than the fees that they would earn if they mine that block. In this case, \((1- p_w)^t \cdot p_1 \cdot b < f\) till \(t = 6\) for values of \(f = 11, b = 100, p_w = 0.1\). This means that \(p_1\) will start playing follow as we get closer to \(t = T\) (specifically when we are 5 blocks away from T). The miner with hashpower 0.3 (\(p_2\)) will play refuse along similar lines, by looking at the actions of miners \(p_0\) and \(p_1\) over the different blocks. One thing to notice is that at block #16, \(p_2\) will act assuming that \(p_0\) and \(p_1\) will both play refuse. At block #17, \(p_2\) will act assuming that \(p_0\) will play refuse and \(p_1\) will play follow. This is implemented in the algorithm by using the 0’s and 1’s in the bribery matrix as factors in line #13 of the CALCULATE_BRIBERY_MATRIX procedure. This way, on line #13, we only use miners who play refuse at each block to calculate the expected bribe.
In the main procedure FIND_T, we then find the last block in which all miners play refuse and return that as the result. In the real world, we can give a 5–6 block cushion on top of this, and it will still be significantly lower than the upper bound of T.
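The walkthrough above can be replayed in code. This Python sketch is an added example reconstructed from the prose of this appendix, not the paper's Fig. 1 pseudocode, and its function names are hypothetical. It assumes blocks are numbered 1..T, that the weakest miner's row is fixed to refuse by Theorem 1, and that a miner's expected bribe at block j is its hashpower times b times the probability that no weaker refusing miner wins any of blocks j..T.

```python
import math

REFUSE, FOLLOW = 1, 0  # same encoding as the matrix described above


def theorem1_bound(p_w, f, b):
    """Smallest integer T with T > log(f/b) / log(1 - p_w)."""
    return math.floor(math.log(f / b) / math.log(1 - p_w)) + 1


def bribery_matrix(hashpowers, f, b, T):
    """matrix[i][j-1] is the action of miner i (weakest first) at block j."""
    p = sorted(hashpowers)
    # Assumption: the weakest miner refuses at every block (Theorem 1).
    matrix = [[REFUSE] * T]
    for i in range(1, len(p)):
        row = [FOLLOW] * T
        survive = 1.0  # Pr[no weaker refusing miner wins a block in j..T]
        for j in range(T, 0, -1):  # walk backwards from the timelock
            refusing = sum(p[m] for m in range(i)
                           if matrix[m][j - 1] == REFUSE)
            survive *= 1.0 - refusing
            # Refuse while the expected bribe is below the fee f.
            if survive * p[i] * b < f:
                row[j - 1] = REFUSE
        matrix.append(row)
    return matrix


def last_all_refuse_block(matrix):
    """Last block number at which every miner plays refuse (0 if none)."""
    T = len(matrix[0])
    for j in range(T, 0, -1):
        if all(row[j - 1] == REFUSE for row in matrix):
            return j
    return 0


if __name__ == "__main__":
    shares, fee, bribe = [0.1, 0.2, 0.3, 0.4], 11, 100
    T = theorem1_bound(min(shares), fee, bribe)
    M = bribery_matrix(shares, fee, bribe, T)
    for share, row in zip(sorted(shares), M):
        print(share, "".join(map(str, row)))
    print("T bound:", T, "last all-refuse block:", last_all_refuse_block(M))
```

For the example parameters this gives the bound T = 21 and shows \(p_1\) refusing through block 16 and following from block 17, matching the description above; the rows for the two strongest miners follow from the stated assumptions.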
Appendix C Risk Free Atomic Swaps
Please check the IACR ePrint version of this paper for the pseudo-code transactions and flow chart of the risk-free atomic swap.
© 2021 International Financial Cryptography Association
Nadahalli, T., Khabbazian, M., Wattenhofer, R. (2021). Timelocked Bribing. In: Borisov, N., Diaz, C. (eds) Financial Cryptography and Data Security. FC 2021. Lecture Notes in Computer Science(), vol 12674. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-64322-8_3
DOI: https://doi.org/10.1007/978-3-662-64322-8_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-64321-1
Online ISBN: 978-3-662-64322-8
eBook Packages: Computer Science, Computer Science (R0)