Author: Antoine Riard 2023-02-08 00:56:30
Published on: 2023-02-08T00:56:30+00:00
Yuval Kogman wrote to the bitcoin-dev mailing list about a potential attack on multiparty transactions, such as CoinJoin or lightning dual funding. Since Taproot spends have variable size depending on the path used, the last input to be signed can use an inflated witness to extract a fee from other parties by reducing the feerate for the transaction. The attacker can broadcast any valid signatures up to maximum weight and minimum relay fees or in collusion with a miner, up to consensus limits. This steals a fee from the other parties as their signatures do not commit to a feerate directly or indirectly.To mitigate this attack, several strategies were suggested. All parties could negotiate transactions ahead of time at a lower feerate, giving a minimum feerate that the attacker can force. Enforcing a minimal weight for all non-witness data in the transaction before it is considered fully constructed can also limit the effectiveness of this attack. In the centralized setting, BIP-322 ownership proofs can be required for participation, and the server can reject signatures that do not exercise the same spend path as the ownership proof. Multiparty protocols with publicly verifiable protocol transcripts or ring signatures from keys used in the transaction can provide weak evidence of honest participation in multiparty transactions. A minimum feerate for the previous transaction or a minimum confirmation age can be required for inputs to be added, and signatures from potentially exploitative inputs can be required ahead of legacy or SegWit v0 ones, with the prescribed order determined based on reputation or costliness.
Updated on: 2023-06-16T15:26:15.516741+00:00