Abstract
As the Bitcoin mining landscape becomes more competitive, analyzing potential attacks under the assumption of rational miners becomes increasingly relevant. In the rational setting, blockchain users can bribe miners to reap an unfair benefit. Established protocols such as Duplex Micropayment Channels and Lightning Channels are susceptible to bribery, which upends their financial guarantees. Indeed, we prove that in a two-party contract in which the honest party can spend an output right away, whereas the malicious party can only spend the same output after a timelock, the latter party can promise a high fee to the miners, who then intentionally ignore the transaction of the honest party in anticipation of the higher fee. This effectively prevents a valid transaction from ever entering the blockchain, resulting in potentially severe financial losses for the honest party and considerable gains for the malicious party.
We expand previous results on timelock bribes to more realistic blockchains, proving that a general class of contracts are susceptible. We then apply our results to Duplex Micropayment Channels and Lightning Channels, providing exact bounds on their safe operating region. Furthermore, we enhance the Bitcoin Script of Duplex Micropayment Channels so that the coins of a party that attempts to bribe are given to the miners as fees, therefore effectively disincentivizing bribes. Our solution, named Suborn channels, is implemented as a proof-of-concept. We also propose a small change to Lightning Channels that achieves a similar effect. Moreover, we formally express the exact circumstances under which our two proposals ensure alignment of miner incentives with the prescribed protocol outcome.
O.S. Thyfronitis Litos—Work done while the author was at the University of Edinburgh.
Appendices
A Suborn Transactions Script for Incentivized DMC
B Omitted Proofs
Proof of Lemma 1. For round \(k \in [T]\), the game is either \(\varGamma _k\) or \(\varGamma ^*_k\). If a miner attempts to mine \(\texttt {tx}_{1}\) in round k, the maximum value she can extract is if she chooses to mine \(\texttt {txs}^*_{1}\) and fill the remaining \(N-m\) slots with unrelated transactions. There is no benefit to be gained in this or later rounds if a different way of including \(\texttt {tx}_{1}\) is chosen, so we ignore such other options. The expected fee she gains from this round is \(\lambda _i (f_1 + (N-m)f)\) in the first case and 0 in the second (as her block would be invalid). If instead she attempts to mine only unrelated transactions, her expected gains from this round are \(\lambda _i N f\). It is \(mf> f_1 \Leftrightarrow Nf> f_1 + (N-m)f \Leftrightarrow \lambda _i Nf > \lambda _i(f_1 + (N-m)f)\) and \(\lambda _i Nf > 0\), so attempting to mine only unrelated transactions offers higher value in both cases. Since the expected utility is the sum of the expected gains of all rounds, attempting to mine \(\texttt {txs}^*_{1}\) in any round is strictly dominated by attempting to mine \(\texttt {txs}_{u}\) in their place. \(\square \)
Proof of Lemma 2. Since O is spent, all remaining valid transactions offer fee f. Therefore the i-th miner has a probability \(\lambda _i\) to obtain fee Nf for each of the remaining \(T-k+1\) rounds, for a total expected utility \(u_i(\sigma , \varGamma ) = \lambda _i(T-k+1)Nf\). \(\square \)
Proof of Theorem 1. We will prove the theorem using induction and iterated elimination of strictly dominated strategies.
First of all, we note that
The first inequality stems directly from the theorem precondition, whereas the second arises when we solve \(\frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf > f_1\) for \(f_1\) while keeping in mind that \(0< \lambda _{\textrm{min}} < 1\).
Consider now the i-th miner, \(i \in [n]\) when she decides which transaction to include for the last round, T. If O is unspent, then
From inequalities (1) we deduce that \(\sigma _i^T = \texttt {txs}^*_{2} \cup \texttt {txs}_{u}\) is a strictly dominant strategy for any \(i \in [n]\), so \(\overline{\sigma }^T = (\underbrace{(\texttt {txs}^*_{2} \cup \texttt {txs}_{u}), \dots , (\texttt {txs}^*_{2} \cup \texttt {txs}_{u})}_n)\) in subgame \(\varGamma _T\) with \(u_i(\overline{\sigma }^T, \varGamma _T) = \lambda _i (f_2 + (N-m)f)\).
We will now prove via induction that \(\overline{\sigma }^{1 \dots T-1} = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)^{T-1}\) for subgame \(\varGamma _k\), in other words that the Nash equilibrium in all rounds prior to the last one in which O is unspent is for all players to attempt to mine only unrelated transactions.
The base of the induction is \(k=T-1\). For \(i \in [n]\), it is either \(\sigma ^{T-1}_i = \texttt {txs}^*_{1} \cup \texttt {txs}_{u}\) or \(\sigma ^{T-1}_i = \texttt {txs}_{u}\) (as in the proof of Lemma 1, we ignore all configurations that include \(\texttt {tx}_{1}\) except for \(\texttt {txs}^*_{1}\)). Let \(\sigma ^{T-1}_{-i} \in \varSigma ^{T-1}_{-i}\) and \(\lambda _u\) the sum of mining power of miners who try to mine only unrelated transactions in round \(T-1\), excluding the i-th miner. If \(\texttt {tx}_{1}\) is mined, then the last round is \(\varGamma _T^*\) and by Lemma 2 the utility obtained by the i-th miner at the last round is \(\lambda _i N f\). It is
It is
It is \(\frac{f_1 - mf}{\lambda _i} + mf \le \frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf\) so the above is true. Therefore \(\overline{\sigma }^{T-1} = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\), thus \(\lambda _u = 1-\lambda _i\) and \(u_i(\overline{\sigma }^{T-1 \dots T}, \varGamma _{T-1}) = \lambda _i(Nf + \lambda _i (f_2 + (N-m)f)) + (1-\lambda _i)\lambda _i (f_2 + (N-m)f) = \lambda _i((2N-m)f + f_2)\).
Let \(k \in [T-2]\). The inductive assumption for \(k+1\) is firstly that \(\overline{\sigma }^{k+1} = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\) and secondly \(u_i(\overline{\sigma }^{k+1 \dots T}, \varGamma _{k+1}) = \lambda _i((T-k)Nf + f_2 - mf)\).
For the inductive step, let once again \(i \in [n]\). It is either \(\sigma ^k_i = \texttt {txs}^*_{1} \cup \texttt {txs}_{u}\) or \(\sigma ^k_i = \texttt {txs}_{u}\) (again ignoring suboptimal transaction sets that include \(\texttt {tx}_{1}\) but are not \(\texttt {txs}^*_{1}\)). Let \(\sigma ^k_{-i} \in \varSigma ^k_{-i}\) and \(\lambda _u\) the sum of mining power of miners who try to mine only unrelated transactions in round k, excluding the i-th miner. If \(\texttt {tx}_{1}\) is mined, then the next round is \(\varGamma _{k+1}^*\) and by Lemma 2 the utility obtained by the i-th miner from all rounds after k is \(\lambda _i(T-k)Nf\). It is
It is
Like in the induction base, it is \(\frac{f_1 - mf}{\lambda _i} + mf \le \frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf\) so the above is true. Therefore \(\overline{\sigma }^k = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\), thus \(\lambda _u = 1 - \lambda _i\) and
We have proven that \(\forall k \in [T-1]\) it is \(\overline{\sigma }^k = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\) thus we deduce that \(\overline{\sigma } = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)^{T-1}(\underbrace{\texttt {txs}^*_{2} \cup \texttt {txs}_{u}, \dots , \texttt {txs}^*_{2} \cup \texttt {txs}_{u}}_n)\). \(\square \)
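The backward induction of this proof can be carried out numerically. The following Python sketch is an added example, not part of the paper: the function names and the sample values are assumptions, and mining power is assumed to sum to 1. It goes slightly beyond the theorem by also solving the game when \(f_2\) does not exceed the bound, in which case low-power miners stop waiting.

```python
from fractions import Fraction as F

# Constructed sample: three miners whose mining power sums to 1.
SAMPLE_LAMS = [F(1, 2), F(3, 10), F(1, 5)]

def bribe_threshold(f1, f, m, lam_min):
    """Theorem 1: all miners ignore tx_1 when f2 exceeds this value."""
    return (f1 - m * f) / lam_min + m * f

def backward_induction(lams, T, N, m, f, f1, f2):
    """Solve the T-round game from the last round backwards.

    Returns (waits, V): waits[k] is the set of miner indices that mine only
    unrelated transactions in round k while O is unspent, and V[i] is miner
    i's expected utility from round 1 onwards.
    """
    # Round T with O unspent: every miner takes the best-paying block.
    last = max(f2 + (N - m) * f, f1 + (N - m) * f, N * f)
    V = [lam * last for lam in lams]
    waits = {}
    for k in range(T - 1, 0, -1):
        # Lemma 2: value of rounds k+1..T once O has been spent.
        S = [lam * (T - k) * N * f for lam in lams]
        # Waiting gives up f1 - m*f now and raises the chance that O stays
        # unspent by lam_i, whatever the other miners choose.
        w = [V[i] - S[i] > f1 - m * f for i in range(len(lams))]
        p_spent = sum(lam for i, lam in enumerate(lams) if not w[i])
        V = [lam * (N * f if w[i] else f1 + (N - m) * f)
             + p_spent * S[i] + (1 - p_spent) * V[i]
             for i, lam in enumerate(lams)]
        waits[k] = {i for i in range(len(lams)) if w[i]}
    return waits, V

if __name__ == "__main__":
    T, N, m, f, f1 = 4, 10, 2, 1, 5   # constructed parameters
    print("bound on f2:", bribe_threshold(f1, f, m, min(SAMPLE_LAMS)))
    for f2 in (18, 17):
        waits, V = backward_induction(SAMPLE_LAMS, T, N, m, f, f1, f2)
        print(f2, waits, V)
```

With \(f_2\) just above the bound every miner waits in every round; at the bound the smallest miner takes \(\texttt {tx}_{1}\), and the lower continuation value then makes the next-smallest miner defect in earlier rounds.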
Proof of Lemma 3. Let \(m \in [N-1]\).
The latter is true, thus the proof is complete. \(\square \)
Proof of Theorem 2. \(P_2\) publishes the refund transaction, along with a transaction \(\texttt {tx}_{b}\) that spends her \(c_{r, 2}\) coins, transferring some of them to a new address that belongs to \(P_2\) and offering the rest as fee \(f_b\), such that \(f_r + f_b > \frac{f_u - 2f}{\lambda _{\textrm{min}}} + 2f\). Due to Theorem 1, miners will ignore the update transaction, wait for the timelock of the refund transaction to expire and mine it along with \(\texttt {tx}_{b}\). In order for this timelock bribe to be beneficial to \(P_2\), it must hold that \(c_{r, 2} - f_b> c_{u, 2} \Leftrightarrow c_{r,2} - c_{u,2} > f_b\). Therefore, a suitable \(f_b\) exists if \(c_{r, 2} - c_{u, 2} > \frac{f_u - 2f}{\lambda _{\textrm{min}}} + 2f - f_r\). \(\square \)
Proof of Theorem 3. More specifically, consider \(P_2\) evaluating whether to timelock bribe. Publishing the refund transaction and \(\texttt {tx}_{b}\) offers to miners a total fee \(f_r + f_b\), of which \(f_b\) is taken from \(c_{r,2}\), therefore bribing makes sense only if \(c_{r,2} - f_b> c_{u,2} \Leftrightarrow c_{r,2} - c_{u,2} > f_b\). In that case the published update transaction offers an effective fee of \(f_u + c_{u,2}\). Leveraging Theorem 1, we deduce that miners will accept the bribe if \(f_r + f_b> \frac{f_u + c_{u,2} - 2f}{\lambda _{\textrm{min}}} + 2 f \Leftrightarrow f_b > \frac{f_u + c_{u,2} - 2f}{\lambda _{\textrm{min}}} + 2 f - f_r\). Therefore, a suitable \(f_b\) exists if and only if \(c_{r,2} - c_{u,2}> \frac{f_u + c_{u,2} - 2f}{\lambda _{\textrm{min}}} + 2 f - f_r \Leftrightarrow c_{r,2} - c_{u,2}(1+\frac{1}{\lambda _{\textrm{min}}}) > \frac{f_u - 2f}{\lambda _{\textrm{min}}} + 2 f - f_r\). \(\square \)
Proof of Theorem 4. For each \(k \in [k_l - 1]\), \(P_2\) prefers the update transaction of \((1 \rightarrow 2)\) and the refund transaction of \((2 \rightarrow 1)\) k-th leaf to the update transactions of the currently valid leaf if \(c_{k, u, 2}^{1 \rightarrow 2} + c_{k, r, 2}^{2 \rightarrow 1} - f_b> c_{k_l, u, 2}^{1 \rightarrow 2} + c_{k_l, u, 2}^{2 \rightarrow 1} \Leftrightarrow c_{k, u, 2}^{1 \rightarrow 2} + c_{k, r, 2}^{2 \rightarrow 1} - (c_{k_l, u, 2}^{1 \rightarrow 2} + c_{k_l, u, 2}^{2 \rightarrow 1}) > f_b\). Since branches k and \(k_l\) have j distinct opt-in transactions, then \(j+3\) transactions are implicated in the bribe. Thus, according to Theorem 1 miners will choose the bribe if \(jf_o + f_r + f_u + f_b> \frac{1}{\lambda _{\textrm{min}}}(jf_o + 2f_u + c_{k_l,u,2}^{2 \rightarrow 1} + c_{k_l,u,2}^{1 \rightarrow 2} - (j+3)f) + (j+3)f \Leftrightarrow f_b > \frac{1}{\lambda _{\textrm{min}}}(jf_o + 2f_u + c_{k_l,u,2}^{2 \rightarrow 1} + c_{k_l,u,2}^{1 \rightarrow 2} - (j+3)f) + (j+3)f - jf_o - f_r - f_u\). Therefore, a compatible fee \(f_b\) exists if \(c_{k, u, 2}^{1 \rightarrow 2} + c_{k, r, 2}^{2 \rightarrow 1} - (c_{k_l, u, 2}^{1 \rightarrow 2} + c_{k_l, u, 2}^{2 \rightarrow 1}) > \frac{1}{\lambda _{\textrm{min}}}(jf_o + 2f_u + c_{k_l,u,2}^{2 \rightarrow 1} + c_{k_l,u,2}^{1 \rightarrow 2} - (j+3)f) + (j+3)f - jf_o - f_r - f_u\). \(\square \)
Proof of Theorem 5. For the bribe to be profitable for \(P_2\), it must be \(c_{\textrm{old}} - f_b> c_{\textrm{new}} - f \Leftrightarrow c_{\textrm{old}} - c_{\textrm{new}} - f > f_b\) – the fee f is included because this is the minimum fee \(P_2\) would have to pay anyway in order to use its \(c_{\textrm{new}}\) coins. By applying Theorem 1, we deduce that miners will accept the bribe if \(f_b > \frac{f_r - f}{\lambda _{\textrm{min}}} + f\), therefore a suitable \(f_b\) exists if and only if \(c_{\textrm{old}} - c_{\textrm{new}} - f> \frac{f_r - f}{\lambda _{\textrm{min}}} + f \Leftrightarrow c_{\textrm{old}} - c_{\textrm{new}} > \frac{f_r - f}{\lambda _{\textrm{min}}} + 2f\). \(\square \)
Proof of Theorem 6. To discourage bribes, from Theorem 5, the fee of the honest party should satisfy the following: \(c_{\textrm{old}} - c_{\textrm{new}} \le \frac{f_r' - f}{\lambda _{\textrm{min}}} + 2f\). This means that \(f_r' \ge f + \lambda _{\textrm{min}}(c_{\textrm{old}} - c_{\textrm{new}} - 2f)\). We will now ensure that this \(f_r'\) does not lead to loss of coins for \(P_1\). Let c be the total channel value, which stays constant throughout the channel lifetime. \(P_1\) has to own enough coins in the old state, so that their sum with the counterparty’s coins minus the fee \(f_r'\) exceeds or matches \(P_1\)’s coins in the latest state. Formally, \(c - c_{\textrm{old}} + c_{\textrm{old}} - f_r' \ge c - c_{\textrm{new}} \Leftrightarrow c_{\textrm{new}} \ge f_r'\). Combining the above, it has to be \(c_{\textrm{new}} \ge f + \lambda _{\textrm{min}}(c_{\textrm{old}} - c_{\textrm{new}} - 2f) \Leftrightarrow \lambda _{\textrm{min}} \le \frac{c_{\textrm{new}} - f}{c_{\textrm{old}} - c_{\textrm{new}} - 2f}\). The last step is valid since \(c_{\textrm{old}} - c_{\textrm{new}} - 2f > 0\). This is true since, as we saw above, \(P_2\) only attempts to bribe if \(c_{\textrm{old}} - c_{\textrm{new}} - f > f_b\) and we know that \(f_b \ge f\). \(\square \)
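The conditions of Theorems 2, 3, 5 and 6 can be turned into a check of whether a given channel state lies inside the safe operating region. The Python sketch below is an added example, not the paper's proof-of-concept: function names and all amounts are assumptions, amounts are integers in the same unit, and \(\lambda _{\textrm{min}}\) is passed as an exact fraction.

```python
from fractions import Fraction as F
from math import ceil

# Constructed values for the smallest miner's share of mining power.
LAM_SMALL, LAM_QUARTER, LAM_LARGE = F(1, 100), F(1, 4), F(1, 2)

def dmc_bribe_feasible(c_r2, c_u2, f_u, f_r, f, lam_min):
    """Theorem 2 (plain DMC): True if a profitable bribe fee f_b exists."""
    return c_r2 - c_u2 > (f_u - 2 * f) / lam_min + 2 * f - f_r

def suborn_bribe_feasible(c_r2, c_u2, f_u, f_r, f, lam_min):
    """Theorem 3 (Suborn): the update transaction effectively offers
    f_u + c_u2, because the briber's coins go to the miners as fee."""
    return c_r2 - c_u2 > (f_u + c_u2 - 2 * f) / lam_min + 2 * f - f_r

def ln_bribe_feasible(c_old, c_new, f_r, f, lam_min):
    """Theorem 5 (Lightning): f_r is the fee of the honest party."""
    return c_old - c_new > (f_r - f) / lam_min + 2 * f

def ln_safe_honest_fee(c_old, c_new, f, lam_min):
    """Theorem 6: smallest integer fee f_r' that rules out the bribe, or
    None when it would exceed c_new, i.e. P1 would lose coins."""
    need = f + lam_min * (c_old - c_new - 2 * f)
    fee = max(f, ceil(need))
    return fee if fee <= c_new else None

if __name__ == "__main__":
    # Constructed DMC leaf: P2 holds 600000 in the refund, 100000 in the update.
    leaf = dict(c_r2=600_000, c_u2=100_000, f_u=3_000, f_r=3_000, f=1_000)
    for lam in (LAM_SMALL, LAM_LARGE):
        print(lam, dmc_bribe_feasible(lam_min=lam, **leaf),
              suborn_bribe_feasible(lam_min=lam, **leaf))
    # Constructed Lightning state: old state favours P2 by 500000.
    for lam in (LAM_SMALL, LAM_QUARTER):
        print(lam, ln_safe_honest_fee(600_000, 100_000, 1_000, lam))
```

In this sample the Suborn script removes the bribe incentive when the smallest miner holds 1% of the power but not when it holds 50%, and in the Lightning state no safe fee exists once \(\lambda _{\textrm{min}}\) exceeds \(\frac{c_{\textrm{new}} - f}{c_{\textrm{old}} - c_{\textrm{new}} - 2f}\).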
© 2022 International Financial Cryptography Association
Cite this paper
Avarikioti, Z., Thyfronitis Litos, O.S. (2022). Suborn Channels: Incentives Against Timelock Bribes. In: Eyal, I., Garay, J. (eds) Financial Cryptography and Data Security. FC 2022. Lecture Notes in Computer Science, vol 13411. Springer, Cham. https://doi.org/10.1007/978-3-031-18283-9_24
DOI: https://doi.org/10.1007/978-3-031-18283-9_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-18282-2
Online ISBN: 978-3-031-18283-9
eBook Packages: Computer Science (R0)