Suborn Channels: Incentives Against Timelock Bribes

Abstract

As the Bitcoin mining landscape becomes more competitive, analyzing potential attacks under the assumption of rational miners becomes increasingly relevant. In the rational setting, blockchain users can bribe miners to reap an unfair benefit. Established protocols such as Duplex Micropayment Channels and Lightning Channels are susceptible to bribery, which upends their financial guarantees. Indeed, we prove that in a two-party contract in which the honest party can spend an output right away, whereas the malicious can only spend the same output after a timelock, the latter party can promise a high fee to the miners, who then intentionally ignore the transaction of the honest party in anticipation of the higher fee. This effectively prevents a valid transaction from ever entering the blockchain, resulting in potentially severe financial losses for the honest and considerable gains for the malicious party.

We expand previous results on timelock bribes to more realistic blockchains, proving that a general class of contracts are susceptible. We then apply our results to Duplex Micropayment Channels and Lightning Channels, providing exact bounds on their safe operating region. Furthermore, we enhance the Bitcoin Script of Duplex Micropayment Channels so that the coins of a party that attempts to bribe are given to the miners as fees, therefore effectively disincentivizing bribes. Our solution, named Suborn channels, is implemented as a proof-of-concept. We also propose a small change to Lightning Channels that achieves a similar effect. Moreover, we formally express the exact circumstances under which our two proposals ensure alignment of miner incentives with the prescribed protocol outcome.

O.S. Thyfronitis Litos—Work done while the author was at the University of Edinburgh.

Appendices

A Suborn Transactions Script for Incentivized DMC

(Figs. 7, 8 and 9)

Fig. 5.

Script for \(P_{3-i}\)’s output of \(P_i\)’s update transactions, \(i \in \{1, 2\}\)

Fig. 6.

Script for \(P_i\)’s output in \(P_i\)’s refund and update transactions, \(i \in \{1, 2\}\)

Fig. 7.

Witness script spending honest (“IF”) branch of Fig. 5 script

Fig. 8.

Witness script spending Fig. 6 script

Fig. 9.

Witness script spending punishment (“ELSE”) branch of Fig. 5 script

B Omitted Proofs

Proof of Lemma 1. For round \(k \in [T]\), the game is either \(\varGamma _k\) or \(\varGamma ^*_k\). If a miner attempts to mine \(\texttt {tx}_{1}\) in round k, the maximum value she can extract is if she chooses to mine \(\texttt {txs}^*_{1}\) and fill the remaining \(N-m\) slots with unrelated transactions. There is no benefit to be gained in this or later rounds if a different way of including \(\texttt {tx}_{1}\) is chosen, so we ignore such other options. The expected fee she gains from this round is \(\lambda _i (f_1 + (N-m)f)\) in the first case and 0 in the second (as her block would be invalid). If instead she attempts to mine only unrelated transactions, her expected gains from this round are \(\lambda _i N f\). It is \(mf> f_1 \Leftrightarrow Nf> f_1 + (N-m)f \Leftrightarrow \lambda _i Nf > \lambda _i(f_1 + (N-m)f)\) and \(\lambda _i Nf > 0\), so attempting to mine only unrelated transactions offers higher value in both cases. Since the expected utility is the sum of the expected gains of all rounds, attempting to mine \(\texttt {txs}^*_{1}\) in any round is strictly dominated by attempting to mine \(\texttt {txs}_{u}\) in their place.    \(\square \)

Proof of Lemma 2. Since O is spent, all remaining valid transactions offer fee f. Therefore the i-th miner has a probability \(\lambda _i\) to obtain fee Nf for each of the remaining \(T-k+1\) rounds, for a total expected utility \(u_i(\sigma , \varGamma ) = \lambda _i(T-k+1)Nf\).    \(\square \)

Proof of Theorem 1. We will prove the theorem using induction and iterated elimination of strictly dominated strategies.

First of all, we note that

$$\begin{aligned} f_2> f_1 > mf \,\,. \end{aligned}$$

(1)

The first inequality stems directly from the theorem precondition, whereas the second arises when we solve \(\frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf > f_1\) for \(f_1\) while keeping in mind that \(0< \lambda _{\textrm{min}} < 1\).

Consider now the i-th miner, \(i \in [n]\) when she decides which transaction to include for the last round, T. If O is unspent, then

$$\begin{aligned} \begin{array}{c} \forall \sigma _{-i}^T \in \varSigma _{-i}^T \,\, \text {it is} \\ u_i(\sigma _{-i}^T; \sigma _i^T = \texttt {txs}_{u}, \varGamma _T) = \lambda _i N f \,\, , \\ u_i(\sigma _{-i}^T; \sigma _i^T = (\texttt {txs}^*_{1} \cup \texttt {txs}_{u}), \varGamma _T) = \lambda _i (f_1 + (N-m)f)\,\, , \\ u_i(\sigma _{-i}^T; \sigma _i^T = (\texttt {txs}^*_{2} \cup \texttt {txs}_{u}), \varGamma _T) = \lambda _i (f_2 + (N-m)f) \,\, . \end{array} \end{aligned}$$

From inequalities (1) we deduce that \(\sigma _i^T = \texttt {txs}^*_{2} \cup \texttt {txs}_{u}\) is a strictly dominant strategy for any \(i \in [n]\), so \(\overline{\sigma }^T = (\underbrace{(\texttt {txs}^*_{2} \cup \texttt {txs}_{u}), \dots , (\texttt {txs}^*_{2} \cup \texttt {txs}_{u})}_n)\) in subgame \(\varGamma _T\) with \(u_i(\overline{\sigma }^T, \varGamma _T) = \lambda _i (f_2 + (N-m)f)\).

We will now prove via induction that \(\overline{\sigma }^{1 \dots T-1} = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)^{T-1}\) for subgame \(\varGamma _k\), in other words that the Nash equilibrium in all rounds prior to the last one in which O is unspent is for all players to attempt to mine only unrelated transactions.

The base of the induction is \(k=T-1\). For \(i \in [n]\), it is either \(\sigma ^{T-1}_i = \texttt {txs}^*_{1} \cup \texttt {txs}_{u}\) or \(\sigma ^{T-1}_i = \texttt {txs}_{u}\) (as in the proof of Lemma 1, we ignore all configurations that include \(\texttt {tx}_{1}\) except for \(\texttt {txs}^*_{1}\)). Let \(\sigma ^{T-1}_{-i} \in \varSigma ^{T-1}_{-i}\) and \(\lambda _u\) the sum of mining power of miners who try to mine only unrelated transactions in round \(T-1\), excluding the i-th miner. If \(\texttt {tx}_{1}\) is mined, then the last round is \(\varGamma _T^*\) and by Lemma 2 the utility obtained by the i-th miner at the last round is \(\lambda _i N f\). It is

It is

$$\begin{aligned} \begin{array}{c} u_i((\sigma ^{T-1}_{-i}; \sigma ^{T-1}_i = \texttt {txs}_{u})\overline{\sigma }^T, \varGamma _{T-1})> u_i((\sigma ^{T-1}_{-i}; \sigma ^{T-1}_i = \texttt {txs}^*_{1} \cup \texttt {txs}_{u})\overline{\sigma }^T, \varGamma _{T-1}) \\ \Leftrightarrow \lambda _i(Nf + \lambda _i (f_2 + (N-m)f))> \lambda _i((f_1 + (N-m)f) + \lambda _i N f) \\ \Leftrightarrow f_2 > \frac{f_1 - mf}{\lambda _i} + mf \,\,. \end{array} \end{aligned}$$

It is \(\frac{f_1 - mf}{\lambda _i} + mf \le \frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf\) so the above is true. Therefore \(\overline{\sigma }^{T-1} = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\), thus \(\lambda _u = 1-\lambda _i\) and \(u_i(\overline{\sigma }^{T-1 \dots T}, \varGamma _{T-1}) = \lambda _i(Nf + \lambda _i (f_2 + (N-m)f) + (1-\lambda _i)\lambda _i (f_2 + (N-m)f) = \lambda _i((2N-m)f + f_2)\).

Let \(k \in [T-2]\). The inductive assumption for \(k+1\) is firstly that \(\overline{\sigma }^{k+1} = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\) and secondly \(u_i(\overline{\sigma }^{k+1 \dots T}, \varGamma _{k+1}) = \lambda _i((T-k)Nf + f_2 - mf)\).

For the inductive step, let once again \(i \in [n]\). It is either \(\sigma ^k_i = \texttt {txs}^*_{1} \cup \texttt {txs}_{u}\) or \(\sigma ^k_i = \texttt {txs}_{u}\) (again ignoring suboptimal transaction sets that include \(\texttt {tx}_{1}\) but are not \(\texttt {txs}^*_{1}\)). Let \(\sigma ^k_{-i} \in \varSigma ^k_{-i}\) and \(\lambda _u\) the sum of mining power of miners who try to mine only unrelated transactions in round k, excluding the i-th miner. If \(\texttt {tx}_{1}\) is mined, then the next round is \(\varGamma _{k+1}^*\) and by Lemma 2 the utility obtained by the i-th miner from all rounds after k is \(\lambda _i(T-k)Nf\). It is

It is

$$\begin{aligned} \begin{array}{c} u_i((\sigma ^k_{-i}; \sigma ^k_i = \texttt {txs}_{u})\overline{\sigma }^{k+1 \dots T}, \varGamma _k)> u_i((\sigma ^k_{-i}; \sigma ^k_i = \texttt {txs}^*_{1} \cup \texttt {txs}_{u})\overline{\sigma }^{k+1 \dots T}, \varGamma _k)\\ \Leftrightarrow \lambda _i(Nf+\lambda _i((T-k)Nf + f_2 - mf))> \lambda _i(f_1 + (N-m)f + \lambda _i(T-k)Nf) \\ \Leftrightarrow f_2 > \frac{f_1 - mf}{\lambda _i} + mf \,\,. \end{array} \end{aligned}$$

Like in the induction base, it is \(\frac{f_1 - mf}{\lambda _i} + mf \le \frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf\) so the above is true. Therefore \(\overline{\sigma }^k = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\), thus \(\lambda _u = 1 - \lambda _i\) and

We have proven that \(\forall k \in [T-1]\) it is \(\overline{\sigma }^k = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)\) thus we deduce that \(\overline{\sigma } = (\underbrace{\texttt {txs}_{u}, \dots , \texttt {txs}_{u}}_n)^{T-1}(\underbrace{\texttt {txs}^*_{2} \cup \texttt {txs}_{u}, \dots , \texttt {txs}^*_{2} \cup \texttt {txs}_{u}}_n)\).    \(\square \)

Proof of Lemma 3. Let \(m \in [N-1]\).

$$\begin{aligned} \begin{array}{c} \frac{f_1 - mf}{\lambda _{\textrm{min}}} + mf< \frac{(f_1 + f) - (m+1)f}{\lambda _{\textrm{min}}} + (m+1)f \\ \Leftrightarrow \frac{f_1 - mf}{\lambda _{\textrm{min}}}< \frac{f_1 - mf}{\lambda _{\textrm{min}}} + f \Leftrightarrow 0 < f \end{array} \end{aligned}$$

The latter is true, thus the proof is complete.    \(\square \)

Proof of Theorem 2. \(P_2\) publishes the refund transaction, along with a transaction \(\texttt {tx}_{b}\) that spends her \(c_{r, 2}\) coins, transferring some of them to a new address that belongs to \(P_2\) and offering the rest as fee \(f_b\), such that \(f_r + f_b > \frac{f_u - 2f}{\lambda _{\textrm{min}}} + 2f\). Due to Theorem 1, miners will ignore the update transaction, wait for the timelock of the refund transaction to expire and mine it along with \(\texttt {tx}_{b}\). In order for this timelock bribe to be beneficial to \(P_2\), it must hold that \(c_{r, 2} - f_b> c_{u, 2} \Leftrightarrow c_{r,2} - c_{u,2} > f_b\). Therefore, a suitable \(f_b\) exists if \(c_{r, 2} - c_{u, 2} > \frac{f_u - 2f}{\lambda _{\textrm{min}}} + 2f - f_r\).    \(\square \)

Proof of Theorem 3. More specifically, consider \(P_2\) evaluating whether to timelock bribe. Publishing the refund transaction and \(\texttt {tx}_{b}\) offers to miners a total fee \(f_r + f_b\), of which \(f_b\) is taken from \(c_{r,2}\), therefore bribing makes sense only if \(c_{r,2} - f_b> c_{u,2} \Leftrightarrow c_{r,2} - c_{u,2} > f_b\). In that case the published update transaction offers an effective fee of \(f_u + c_{u,2}\). Leveraging Theorem 1, we deduce that miners will accept the bribe if \(f_r + f_b> \frac{f_u + c_{u,2} - 2f}{\lambda _{\textrm{min}}} + 2 f \Leftrightarrow f_b > \frac{f_u + c_{u,2} - 2f}{\lambda _{\textrm{min}}} + 2 f - f_r\). Therefore, a suitable \(f_b\) exists if and only if \(c_{r,2} - c_{u,2}> \frac{f_u + c_{u,2} - 2f}{\lambda _{\textrm{min}}} + 2 f - f_r \Leftrightarrow c_{r,2} - c_{u,2}(1+\frac{1}{\lambda _{\textrm{min}}}) > \frac{f_u - 2f}{\lambda _{\textrm{min}}} + 2 f - f_r\).    \(\square \)

Proof of Theorem 4. For each \(k \in [k_l - 1]\), \(P_2\) prefers the update transaction of \((1 \rightarrow 2)\) and the refund transaction of \((2 \rightarrow 1)\) k-th leaf to the update transactions of the currently valid leaf if \(c_{k, u, 2}^{1 \rightarrow 2} + c_{k, r, 2}^{2 \rightarrow 1} - f_b> c_{k_l, u, 2}^{1 \rightarrow 2} + c_{k_l, u, 2}^{2 \rightarrow 1} \Leftrightarrow c_{k, u, 2}^{1 \rightarrow 2} + c_{k, r, 2}^{2 \rightarrow 1} - (c_{k_l, u, 2}^{1 \rightarrow 2} + c_{k_l, u, 2}^{2 \rightarrow 1}) > f_b\). Since branches k and \(k_l\) have j distinct opt-in transactions, then \(j+3\) transactions are implicated in the bribe. Thus, according to Theorem 1 miners will choose the bribe if \(jf_o + f_r + f_u + f_b> \frac{1}{\lambda _{\textrm{min}}}(jf_o + 2f_u + c_{k_l,u,2}^{2 \rightarrow 1} + c_{k_l,u,2}^{1 \rightarrow 2} - (j+3)f) + (j+3)f \Leftrightarrow f_b > \frac{1}{\lambda _{\textrm{min}}}(jf_o + 2f_u + c_{k_l,u,2}^{2 \rightarrow 1} + c_{k_l,u,2}^{1 \rightarrow 2} - (j+3)f) + (j+3)f - jf_o - f_r - f_u\). Therefore, a compatible fee \(f_b\) exists if \(c_{k, u, 2}^{1 \rightarrow 2} + c_{k, r, 2}^{2 \rightarrow 1} - (c_{k_l, u, 2}^{1 \rightarrow 2} + c_{k_l, u, 2}^{2 \rightarrow 1}) > \frac{1}{\lambda _{\textrm{min}}}(jf_o + 2f_u + c_{k_l,u,2}^{2 \rightarrow 1} + c_{k_l,u,2}^{1 \rightarrow 2} - (j+3)f) + (j+3)f - jf_o - f_r - f_u\).    \(\square \)

Proof of Theorem 5. For the bribe to be profitable for \(P_2\), it must be \(c_{\textrm{old}} - f_b> c_{\textrm{new}} - f \Leftrightarrow c_{\textrm{old}} - c_{\textrm{new}} - f > f_b\) – the fee f is included because this is the minimum fee \(P_2\) would have to pay anyway in order to use its \(c_{\textrm{new}}\) coins. By applying Theorem 1, we deduce that miners will accept the bribe if \(f_b > \frac{f_r - f}{\lambda _{\textrm{min}}} + f\), therefore a suitable \(f_b\) exists if and only if \(c_{\textrm{old}} - c_{\textrm{new}} - f> \frac{f_r - f}{\lambda _{\textrm{min}}} + f \Leftrightarrow c_{\textrm{old}} - c_{\textrm{new}} > \frac{f_r - f}{\lambda _{\textrm{min}}} + 2f\).    \(\square \)

Proof of Theorem 6. To discourage bribes, from Theorem 5, the fee of the honest party should satisfy the following: \(c_{\textrm{old}} - c_{\textrm{new}} \le \frac{f_r' - f}{\lambda _{\textrm{min}}} + 2f\). This means that \(f_r' \ge f + \lambda _{\textrm{min}}(c_{\textrm{old}} - c_{\textrm{new}} - 2f)\). We will now ensure that this \(f_r'\) does not lead to loss of coins for \(P_1\). Let c be the total channel value, which stays constant throughout the channel lifetime. \(P_1\) has to own enough coins in the old state, so that their sum with the counterparty’s coins minus the fee \(f_r'\) exceeds or matches \(P_1\)’s coins in the latest state. Formally, \(c - c_{\textrm{old}} + c_{\textrm{old}} - f_r' \ge c - c_{\textrm{new}} \Leftrightarrow c_{\textrm{new}} \ge f_r'\). Combining the above, it has to be \(c_{\textrm{new}} \ge f + \lambda _{\textrm{min}}(c_{\textrm{old}} - c_{\textrm{new}} - 2f) \Leftrightarrow \lambda _{\textrm{min}} \le \frac{c_{\textrm{new}} - f}{c_{\textrm{old}} - c_{\textrm{new}} - 2f}\). The last step is valid since \(c_{\textrm{old}} - c_{\textrm{new}} - 2f > 0\). This is true since, as we saw above, \(P_2\) only attempts to bribe if \(c_{\textrm{old}} - c_{\textrm{new}} - f > f_b\) and we know that \(f_b \ge f\).    \(\square \)