by Zeta Avarikioti @zetavar and Orfeas Stefanos Thyfronitis Litos @orfeas
TLDR
- We examine the behavior of rational miners that can be bribed to censor transactions for a specific period, and its effect on mechanisms that employ timelocks for safety such as payment channels.
- In a general class of two-party contracts in which the honest party can spend an output right away, whereas the malicious can spend the same output only after a timelock, we prove that the latter can pledge a high fee (bribe) to the miners, who then actively ignore the honest transaction to obtain the bribe. This effectively prevents a valid transaction from entering the blockchain, resulting in substantial monetary losses for the honest and gains for the malicious party.
- We apply our result to Duplex Micropayment Channels and Lightning Channels, providing exact bounds on their safe operating region in the presence of such timelock bribes. Furthermore, we propose modifications that effectively disincentivize bribes. Moreover, we formally express the operating circumstances under which our two proposals ensure alignment of miner incentives with the prescribed protocol outcome.
Core Research Question
Which are the operating circumstances under which blockchain users can bribe rational miners to censor a specific transaction until a competing timelocked transaction becomes valid, and can we modify Duplex Micropayment Channels and Lightning Channels to disincentivize such bribes?
Citation
Zeta Avarikioti and Orfeas Stefanos Thyfronitis Litos, “Suborn channels: Incentives Against Timelock Bribes” in International Conference on Financial Cryptography and Data Security, May 2-6, 2022, Grenada.
Background
- Rational miners: The miners that operate the blockchain may deviate from the correct protocol execution if they can increase their utility, e.g. if they can gain more profit.
- Smart contracts: Blockchains like Bitcoin and Ethereum enable smart contracts, i.e., programmable scripts that attach a wide variety of rules which must be satisfied to spend coins. In Bitcoin, coins are attached to Unspent Transaction Outputs (UTXOs), which in turn are locked with a specific script. Bitcoin smart contracts commonly employ the use of multisignatures, timelocks, and hashlocks.
- Signatures are the most commonly used smart contract and they ensure that the coins of interest are exclusively owned by whoever knows the associated private key. An m-of-n multisignature is a contract that demands at least m signatures that correspond to any m of the n predefined public keys.
- Hashlocks ensure that a transaction is spendable only if the pre-image of the specific hash is presented.
- Timelocked outputs can only be spent after a specified time in the future.
- Hash Timelock Contracts (HTLCs) combine hashlocks and timelocks to ensure that the receiver of payment either acknowledges receiving the payment before a deadline by providing the pre-image of a specific hash or forfeit the ability to claim the payment, returning it to the payer.
- Payment channels
- The core idea behind payment channels is the same across different constructions: two parties may lock coins on an escrow on the blockchain, or a so-called channel, and then perform arbitrarily many transactions off-chain. Each off-chain transaction is a signed message that depicts the current balance of coins between the parties.
- Any party can close the channel at any time, either in collaboration with the counterparty, or unilaterally by publishing the last message signed by both parties.
- Therefore, the blockchain is only used to open and close the channel, and to resolve potential conflicts between parties. The conflict resolution mechanism differs significantly among channel constructions.
- Duplex Micropayment Channels (DMC)
- A DMC between parties P_1 and P_2 works as follows:
- At first the parties agree on a setup transaction, which spends their initial coins and moves them to an output locked with a 2-of-2 multisig.
- They then establish a series of opt-in transactions. These transactions form a chain of a pre-agreed length and are all timelocked until a common pre-agreed future time T_{max}.
- The first transaction consumes the setup transaction output and provides a similar 2-of-2 multisig output. Each subsequent transaction consumes the output of the previous opt-in transaction and provides a similar 2-of-2 multisig output, except the last one.
- This opt-in transaction has two 2-of-2 multisig outputs instead, each carrying coins equal to one party’s initial coins. Each of the two last outputs constitutes the setup output for a simple micropayment channel (not to be confused with the setup transaction of the DMC itself).
- A simple channel can only facilitate payments in one direction, so there is one channel for each direction. We here explain briefly how the channel in which P_2 pays P_1 functions; the other one is symmetric.
- The channel starts with P_1 and P_2 agreeing on a refund transaction that is timelocked until T_{max}, spends the setup output, and provides one output that carries P_2 ’s initial coins that are spendable by P_2 alone.
- Once both parties know the relevant opt-in and refund transactions along with the necessary signatures by their counterparty, they only need to put the DMC setup transaction on-chain to open the DMC.
- When P_2 wants to pay P_1, P_2 signs and sends to P_1 an update transaction which has no timelock, spends the setup output and has one output per party; P_1 ’s output is increased by the transaction amount while P_2 ’s output is equally reduced. Note that P_1 can put on-chain any update transaction if needed, so he prefers the latest update transaction in which he has the most coins (replace by incentive).
- If one of the two simple channels is depleted, the parties invalidate them along with the last opt-in transaction by creating a new competing opt-in transaction with a lower timelock.
- This opt-in transaction provides two new simple micropayment channels, each initially containing the sum of the payer’s coins in the just invalidated simple channels. In case the timelock of the new opt-in transaction is smaller than a pre-agreed value T_{min}, the two parties replace the last two opt-in transactions instead.
- Both new opt-in transactions use the same timelock, which is lower than the timelock of the second-last opt-in transaction in the old chain. The same replacement logic, called replace by timelock, can be extended backwards to the entire length of the opt-in transactions’ chain.
- This way, an invalidation tree is created that consists of opt-in transactions as non-leaf nodes and pairs of simple micropayment channels as leaves. Figure 1 depicts this process on a DMC channel.
- Figure 1: Deplex Micropayment Channels
- Lightning Network (LN)
-
To open a lightning payment channel, the parties lock their coins in the so-called funding transaction, the output of which is a 2-of-2 multisig.
-
Thereby, every time the parties execute a transaction, they update the distribution of coins among them by signing a commitment transaction that spends the funding output (different for each party).
-
The commitment transaction allows the party that holds it to close the channel unilaterally but can only spend its coins after a pre-agreed time period enforced via a timelock (revocation period). The coins of the counterparty are spendable immediately.
-
When signing a new commitment transaction each party also reveals to its counterparty a secret that allows the counterparty to sign a revocation transaction that spends the output of the previous commitment transaction that belongs to the cheating party.
-
The revocation transaction must be published during the revocation period else the cheating party can claim its coins. Figure 2 illustrates this process on a two-party lightning channel.
-
Figure 2: Lightning Channels
-
Prior Work on Incentive Analysis
- MAD-HTLC: Because HTLC is Crazy-Cheap to Attack
- In this work, bribing attacks against standard HTLC contracts are analyzed, bribing ranges beyond which the attack succeeds are provided, an extension to the Bitcoin Core code that allows miners to specify arbitrary strategies is implemented and a collateral-based modification of HTLC that provably withstands bribing attacks is built.
- Our incentive analysis constitutes a generalization of that approach. We further apply our analysis to both DMC and LN. We also provide an alternative method to discourage bribes, which does not employ collateral.
- Timelocked Bribing
- This work focuses on the resilience of the HTLC smart contract under a timelock bribe, which is analyzed in the context of LN and Cross-Chain Atomic Swaps under the assumption of rational miners and for all possible ranges of bribe values.
- A simple utility function is used, as it only considers the miners’ payouts of the competing bribing and honest transactions, not taking into account fees offered by candidate unrelated transactions that could be included instead in a block.
- Modulo these differences, the subset of their analysis that treats the same bribe ranges as ours is indeed compatible with the results of the current work.
- For smaller bribes, the authors conclude that no opportunity for bribery exists given that the timelock is long enough – its exact length depends on the honest transaction fee, the bribe, and the mining power distribution.
- Given the results of their analysis, the authors provide recommendations on safe parameters for LN and Atomic Swaps.
Summary
- As the Bitcoin mining landscape becomes more competitive, analyzing potential attacks under the assumption of rational miners becomes increasingly relevant.
- In the rational setting, blockchain users can bribe miners to reap an unfair benefit. Established protocols such as Duplex Micropayment Channels and Lightning Channels are susceptible to bribery, which upends their financial guarantees.
- We prove that in a two-party contract in which the honest party can spend an output right away, whereas the malicious can only spend the same output after a timelock, the latter party can promise a high fee to the miners, who then intentionally ignore the transaction of the honest party in anticipation of the higher fee.
- This effectively prevents a valid transaction from ever entering the blockchain, resulting in potentially severe financial losses for the honest and considerable gains for the malicious party.
- We expand previous results on timelock bribes to more realistic blockchains, proving that a general class of contracts is susceptible.
- We formally define the problem as a “conditionally timelocked” game and determine under which circumstances it is a strictly dominant strategy for miners to censor the currently spendable transaction in order to include the future one.
- We then apply our results to Duplex Micropayment Channels and Lightning Channels, providing exact bounds on their safe operating region.
- Furthermore, we enhance the Bitcoin Script of Duplex Micropayment Channels so that the coins of a party that attempts to bribe are given to the miners as fees, therefore effectively disincentivizing bribes. Our solution, named Suborn channels, is implemented as a proof-of-concept.
- We also propose a small change to Lightning Channels that achieves a similar effect. Moreover, we formally express the exact circumstances under which our two proposals ensure the alignment of miner incentives with the prescribed protocol outcome.
Method
- We formally express the main research question as a game, which we term conditionally timelocked game, in order to conduct a game theoretic analysis of the miners’ behavior. We notice that the parameters that affect our game are the bribing fee of the timelocked transaction, the fee of the competing transaction, the fixed transaction fee of any other transaction, and the mining power of the smallest mining pool.
- We then use logical proofs to bound the parameter regions for which bribing is possible for DMC and LN. We introduce a novel channel primitive, termed Suborn channels, which mitigates the bribery susceptibility of DMC and provides a proof-of-concept implementation on Bitcoin. Lastly, we use logical proofs to determine the parameter regions for which Suborn channels, as well as a proposed modification of LN channels, are secure against timelock bribes.
Results
-
We formally describe the dynamics governing miners’ choices on whether to mine a future transaction with a high fee or a currently spendable but conflicting transaction with a smaller fee. To this end, we perform a game-theoretic analysis.
-
We formulate and prove under which circumstances it is a strictly dominant strategy for miners to ignore the currently spendable transaction in favor of the future one (main theorem). At a high level, miners prefer the future transaction if it offers a very high fee (a.k.a. bribe) compared to the currently spendable transaction. The exact bound depends also on the fees paid by ordinary transactions and the mining power of the weakest miner but, somewhat surprisingly, is independent of the length of the timelock for large enough bribes.
-
We apply our main theorem to DMC, providing exact bounds on the cases in which a timelock bribe is possible.
-
We modify the DMC protocol and propose a new scheme which we term Suborn channels in order to greatly expand those bounds. The core idea is that Suborn channels allow miners to claim the coins the briber owns in the channel when the honest party proves the briber cheated (Figure 3).
-
We provide a proof of concept implementation for Suborn channels on Bitcoin (Orfeas Stefanos Thyfronitis Litos / incentivized-dmc · GitLab).
- Figure 3: Suborn Channels
- Figure 3: Suborn Channels
-
We apply our main theorem to LN, characterizing exactly when a timelock bribe is beneficial.
-
We then propose a straightforward change to the protocol that completely nullifies timelock bribes; we simply increase the transaction fees to include the coins owned by the briber (Figure 4). We further analyze the circumstances under which our proposal would not cost money to the honest party and recommend how the honest party can avoid cost-inducing situations entirely. We note that no change in LN Script is necessary for implementing our proposal.
- Figure 4: Modified Lightning Channels
- Figure 4: Modified Lightning Channels
Discussion and Key Takeaways
- General two-party contracts that base their security on timelocks, hence on miners not censoring a transaction, are not secure a priori, because the financial incentives must be taken into account as miners act for profit.
- We study the circumstances under which security is guaranteed in such contracts under rational miners and users that may bribe them to censor.
- We apply our findings to provide bounds on the applicability of timelock bribes to DMC and LN channels – their security mainly depends on the power of the smallest mining pool, the bribing amount, and the fee of the revocation transaction.
- We introduce modifications for LN channels and introduce Suborn channels to replace DMC channels in order to reduce the opportunities for timelock bribes compared to the original constructions and effectively expand their safe operating region.
Implications and Follow-Ups
- Our work highlights security concerns that may arise in two-party contracts that employ timelocks for safety when miners act for profit. It is imperative such financial analysis is performed when designing new schemes that employ timelocks to avoid future attacks.
- In this work, we expand the safe region of operation for both LN and DMC channels. However, our analysis does not cover the entire parameter region. In particular, a formal analysis of miner incentives when \frac{f_h−f + f}{\lambda_{min}}+f > f_b > f_h, where f_h is the fee of the timelock-free transaction, f_b is the bribe, f the fee of \lambda_{min} every other transaction, and λmin is the proportion of mining power of the weakest miner in the network, is still lacking. Such a study would highlight opportunities for cheaper bribing, formulate the effects of the transition of the bribe value from one regimen to the other in a unified framework, and examine the effectiveness of our proposals against such lower bribe values.
- HTLCs, which are used both in DMC and LN for multi-hop atomic payments, leverage timelocks for their functionality. The methodology used in this work can be extended to techniques for mitigating timelock bribing for HTLCs as well.
Applicability
- In this work, we present a security concern that may arise with the rise of cryptocurrencies in any type of contract that two parties engage in a timelocked transaction and a competing non-timelocked transaction. As such it is important that the security of these schemes, as described by the timelock game, are financially incentivized. This is critical in the design phase of timelocked contracts such that users are aware of the risks. We expect such analysis will be performed in the future when designing timelock contracts, utilizing our presented work.
- We also provide some solutions that expand the safe operation of DMC and LN channels along with a proof of concept implementation on Bitcoin. We demonstrate our work can be applied to any timelock contract that falls under our study, even with a limited script like Bitcoin. As such, we expect our ideas and protocols, or consequent expansions, to be deployed in existing blockchains and replace protocols that are less secure.