Auto-freezing of address reuse below a threshold. #471
Conversation
|
A small technical point, but the function which does fast sync of addresses and indices in the wallet is renamed to There may be some exceptional case where a bot quits early and the utxo doesn't get frozen in time to be persisted for the next run. I'm not sure how much we need to worry about this, although it could certainly be looked at. Tests OK on CLI and Qt; i tested below and above the threshold, but so far only on regtest. |
|
The code looks fine to me. But I disagree with the use of the phrase "dust attack". Because in bitcoin the term "dust" is also used for very low valued UTXOs (for example 1 satoshi) which are uneconomic to spend. If a "dust attack" actually used "dust" then the attack would fail, because no wallet would actually spend the uneconomic UTXOs. Also the name is not very descriptive and almost negative-helpful in understanding the issue. I'd prefer the phrase "forced address reuse". |
|
Good point; "dust attack" not only doesn't capture the phenomenon, but is even, by a reasonable argument, totally wrong. |
|
In my mind the "forced" part refers to the sending to rather than spending from. "incentivized address reuse" is also a good name, it captures the idea that these attacks economically are a bribe to the user in exchange for their privacy-relevant information. |
|
The algorithm behind this PR could be improved like this:
If an address has UTXOs on it then this PR will freeze any additional UTXOs and keep them cluttering up the wallet and UTXO set, and leaving on the table the free money. Its probably better to spend them but make sure that all UTXOs from one address get spent in the same transaction. However I appreciate this might significantly complicate the code so maybe it's not worth it. EDIT: maybe it's not too complicated of an edit, you just need to access the wallet's list of UTXOs to tell whether to freeze a new UTXO or not, and in the input-choosing routine add code which spends all UTXOs on one address together. No extra lists or dicts are needed I think. |
I'm presuming you don't mean unconditionally do this? i.e. still with a filter as per the existing setup in the PR?
I think I misunderstood your implicit context here, but the main thing that required any real coding in this PR is that we can't only use utxos to check usage, but have to check history to see if that first condition applies. The "spend all at once" idea is interesting, but my spidey sense is tingling a bit that we're making things a bit more complicated. We're changing selection algos. I think what's in the PR is a decent first cut algorithm-wise. Freezing utxos isn't that big of a deal after all; it's like 2 mouse clicks in the GUI to reverse it, and it'll happen extremely infrequently that this causes a disruption for a user (and only if they screw up). |
|
I should add test code for it though; I actually just forgot. |
yes, I include the amount filter thing, I just didn't mention it.
For this part I meant: you check the wallet UTXO list to tell whether a newly-arriving UTXO on an already-used address is arriving to a spent-from-and-empty address or an address with UTXOs still unspent.
Sure understood. It's worth noting that this feature already exists in Bitcoin Core 0.17 https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.17.0.md#partial-spend-avoidance |
AdamISZ
force-pushed
the
anti-dust-attack
branch
from
42a9b18
to
315e98e
Compare
Right, understood, we do need history (I was asking because you said we just need ... which made me think you were implying we only need utxo info, not history). |
jmclient/test/test_walletservice.py
Outdated
| load_program_config() | ||
| old_config = jm_single().config | ||
| def reset_config(): | ||
| jm_single().config = old_config |
There was a problem hiding this comment.
Does this actually work? I would've thought wouldn't work because python uses pass-by-reference.
There was a problem hiding this comment.
Oh, that was dumb of me, nice spot, thanks.
I was going to deepcopy to resolve this but it turns out it's not at all so simple for these configparser objects, so I've gone back to the less clever version, updating just this one changed variable. Seems to work fine as of 794726a
|
Added some comments to the test code |
|
Should I change |
|
Any more thoughts on this? I'll probably change the above var name but I think it's done apart from that, @chris-belcher ? |
|
Yes, remove and rephrase all mentions of the phrase "dust attack" from the code and config file. |
|
Replaced references to 'dust attack' with 'forced address reuse' and linked to the Privacy wiki in the config. |
|
@chris-belcher OK after b9f97bc ? I'll squash and merge if so. |
|
Looks good to me |
AdamISZ
force-pushed
the
anti-dust-attack
branch
from
c7f843f
to
0d86205
Compare
Closes #274. Utxos are disabled if they are sent to a reused address, and are below a threshold set by the value `max_sats_freeze_reuse` in the `POLICY` section of the config file. If the value is -1, such utxos are always frozen irrespective of the value. Users are prompted with a warning level logging message on CLI and a popup on Joinmarket-Qt. Such disabled utxos can of course be re-enabled by the existing methods. Also adds test case for address reuse freezing function.
AdamISZ
force-pushed
the
anti-dust-attack
branch
from
0d86205
to
d719ff2
Compare
d719ff2 Auto-freezing of address reuse below a threshold. (Adam Gibson)
Closes #274. Utxos are disabled if they are sent
to a reused address, and are below a threshold
set by the value
min_sats_freeze_reusein thePOLICYsection of the config file. If the valueis -1, such utxos are always frozen irrespective of
the value.
Users are prompted with a warning level logging message
on CLI and a popup on Joinmarket-Qt. Such disabled utxos
can of course be re-enabled by the existing methods.