Published on: 2023-07-06T17:24:47+00:00
User alicexbt raised concerns about the acceptance of unconfirmed inputs in a coinjoin transaction, as it could potentially invalidate the coinjoin. The user also mentioned that the coordinator B should not accept the unconfirmed UTXO from step 2 because it is unaware of that transaction and has zero fee. They noted that a similar attack could be carried out by registering the same UTXO with multiple coordinators without package relay. However, they acknowledged the benefits of package relay, such as the ability for any participant to rebroadcast the coinjoin with a further Child Pays for Parent (CPFP) if it falls below the minimum relay fee. The user also mentioned upcoming proposals for Replace-By-Fee (RBF) in package transactions, which could eliminate the need for all participants to re-sign the coinjoin for RBF. Overall, the user highlighted concerns about the acceptance of unconfirmed inputs in coinjoins and discussed the potential benefits of package relay and upcoming RBF proposals for improving security and efficiency.The user informed Bitcoin Developers about a potential vulnerability in coinjoin related to the use of the package relay feature. They explained that this vulnerability could be exploited for a Denial of Service (DoS) attack and emphasized its significance, comparing it to a soft fork. The user provided an example of the attack involving two coinjoin implementations, A and B, where the attacker registers an input in implementation A, double-spends the same input with zero fees to their own address, and registers the unconfirmed UTXO from step 2 in implementation B. This results in implementation B relaying a package containing a coinjoin transaction that pays for the double-spent input. Both users and implementation B have incentives to engage in this type of attack. The user also mentioned an alternative approach where the attacker registers the same input in both implementations A and B, but highlighted the tradeoffs associated with this approach. They stressed the importance of addressing this vulnerability promptly and provided a link to the package relay proposal for further details.The email was signed by /dev/fd0floppy disk guy using Proton Mail secure email.
Updated on: 2023-08-11T15:34:40.119121+00:00