DOS proofs for anti-DOS #50
Unfortunately I thought of a way to break this. A malicious Alice wants to damage the reputation of Carol. Alice just sends money to a 2of2 address and then spends from it using the refund tx. Carol never had a chance to complete the coinswap protocol but Alice now has an unfair proof that Carol DOS'd. Alice only has to pay two miner fees to create this unfair proof.
I thought of a way to fix the break above, which would allow true DOS proofs. The downside is it opens up a JoinMarket-Org/joinmarket#156 attack on coinswap (which could be mitigated but not solved with podle commitments like joinmarket does). Transactions are labeled using the same conventions as in the coinswap_new.pdf. Here's how it works:
A DOS can still happen after both TX-0 and TX-1 have been mined, but it will cost money. Carol can force Alice to waste miner fees on the refund transaction TX-2, but only by having herself waste miner fees on her TX-3. Therefore this is not a DOS problem because the cost is symmetric; DOS is only a problem if one side can force the other to waste resources at little cost to itself. Obviously all mined transactions can be accompanied with merkle proofs, so a pruned full node can still be convinced that they exist. The 156-style attack comes from the fact that Alice has information about some of Carol's UTXOs because she knows the unsigned TX-1, so Alice could halt the protocol after step 2 and use the information to unmix Carol's later coinswaps.
Although there are timeouts in coinswap, the failure/backout case still means miner fees and time are wasted, which is a DOS opportunity.
There is an observation I've been thinking about which could be useful: proof that a DOS happened.
If the coinswap server maker (Carol) has a long-running identity (e.g. with #51), it's possible to prove that Carol once DOS'd an Alice by not following the coinswap protocol and forcing Alice to use the timeout branch to get her coins back.
When Alice obtains Carol's public key and the refund transaction (TX-2/3 from the coinswap doc), Alice should also get a digital signature proving that Carol really owns the pubkey she gave.
A DOS proof is simply that proof that Carol owned a pubkey, plus proof on the blockchain that there was a 2-of-2 address paid into, plus a later transaction spending from that 2-of-2 address via the timeout branch. The proof could then be spread around to damage the reputation of Carol. Carol would then need a costly new identity to carry on DOSing.
This proof is compatible with pruning, because the transactions can be accompanied by merkle proofs which prove that they were mined into a block.