Description
In create_psbt, the current_height provided to apply_anti_fee_sniping is the result of accumulate_max_locktime. In other words, the current_height value might come from a CLTV requirement of an input, and be the minimum required locktime for the transaction to be consensus valid.
In the locktime branch of apply_anti_fee_sniping, there is a 10% chance of reducing this locktime (tx.locktime = current_height - r where 0 <= r <= 100). Therefore, tx.locktime might be set to a value that makes the transaction consensus invalid.
Severity
~10% of AFS-locktime-branch txs have an offset applied. If there is a CLTV input whose min locktime is close to the current_height value provided for AFS, create_psbt may create a consensus-invalid transaction.
Proposed Solution
- Rename PsbtParams::fallback_locktime to min_locktime. This is a better name as it describes a floor to the locktime and that it's a contributor to accumulate_max_locktime.
- Rename the current_height input of apply_anti_fee_sniping() to tip_height. This signals that it's the tip height.
- Call accumulate_max_locktime in apply_anti_fee_sniping() to get acc_locktime. tx.locktime should be set to max(acc_locktime, tip_height) where tip_height has a 10% chance of an offset.
This way, CLTV is always respected and min_locktime is always enforced.
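The failure and the proposed fix, as an added example that is not BDK's own code: it models the locktime branch with plain u32 block heights instead of the bitcoin crate's LockTime type, takes the 10% offset draw as an explicit parameter, and assumes (a labelled assumption) that accumulate_max_locktime folds the CLTV heights of the inputs over a floor that is the tip height when no input needs CLTV.

```rust
// Added example (not the project's code): models the issue's locktime branch.
// Assumption: accumulate_max_locktime returns max(floor, CLTV heights of inputs),
// where the floor is the tip height (or min_locktime) when no input needs CLTV.
fn accumulate_max_locktime(input_cltv_heights: &[u32], floor: u32) -> u32 {
    input_cltv_heights.iter().copied().fold(floor, u32::max)
}

/// Current behaviour as described in the issue: `current_height` is already the
/// accumulated CLTV floor, yet the random offset `r` (0..=100) is subtracted from
/// it on the 10% path. `offset` is `Some(r)` on that path, `None` otherwise.
fn afs_locktime_current(current_height: u32, offset: Option<u32>) -> u32 {
    match offset {
        Some(r) => current_height.saturating_sub(r),
        None => current_height,
    }
}

/// Proposed behaviour: the offset only ever lowers the tip height, and the
/// accumulated CLTV / min_locktime floor is enforced with max().
fn afs_locktime_proposed(acc_locktime: u32, tip_height: u32, offset: Option<u32>) -> u32 {
    let tip = match offset {
        Some(r) => tip_height.saturating_sub(r),
        None => tip_height,
    };
    acc_locktime.max(tip)
}

/// The consensus rule at stake: a CLTV input requires tx.locktime >= its height.
fn satisfies_cltv(tx_locktime: u32, acc_locktime: u32) -> bool {
    tx_locktime >= acc_locktime
}

fn main() {
    let tip_height = 850_000; // constructed tip height
    let cltv_inputs = [850_020]; // constructed: one input with CLTV just above the tip
    let acc = accumulate_max_locktime(&cltv_inputs, tip_height);
    let draw = Some(37); // one draw on the 10% offset path
    let cur = afs_locktime_current(acc, draw);
    let fix = afs_locktime_proposed(acc, tip_height, draw);
    println!("current:  locktime={} cltv_ok={}", cur, satisfies_cltv(cur, acc));
    println!("proposed: locktime={} cltv_ok={}", fix, satisfies_cltv(fix, acc));
}
```

With the constructed values the current branch yields 849983, below the 850020 the CLTV input demands, while the proposed max() keeps 850020; with no CLTV input both variants still apply the anti-fee-sniping offset to the tip.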