|
| 1 | +--- |
| 2 | +title: Expiration floods |
| 3 | + |
| 4 | +## Optional. Shorter name to use for reference style links e.g., "foo" |
| 5 | +## will allow using the link [topic foo][]. Not case sensitive |
| 6 | +# shortname: foo |
| 7 | + |
| 8 | +## Optional. An entry will be added to the topics index for each alias |
| 9 | +aliases: |
| 10 | + - Forced expiration spam |
| 11 | + - Flood and loot |
| 12 | + |
| 13 | +## Required. At least one category to which this topic belongs. See |
| 14 | +## schema for options |
| 15 | +categories: |
| 16 | + - Contract Protocols |
| 17 | + - Lightning Network |
| 18 | + - Security Problems |
| 19 | + - Security Enhancements |
| 20 | + |
| 21 | +## Optional. Produces a Markdown link with either "[title][]" or |
| 22 | +## "[title](link)" |
| 23 | +primary_sources: |
| 24 | + - title: "The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments" |
| 25 | + link: https://lightning.network/lightning-network-paper.pdf |
| 26 | + |
| 27 | + - title: "Flood & Loot: A Systemic Attack On The Lightning Network" |
| 28 | + link: https://arxiv.org/abs/2006.08513 |
| 29 | + |
| 30 | +## Optional. Each entry requires "title" and "url". May also use "feature: |
| 31 | +## true" to bold entry and "date" |
| 32 | +optech_mentions: |
| 33 | + - title: LN developer discussion about flood and loot attacks |
| 34 | + url: /en/newsletters/2020/08/05/#chicago-meetup-discussion |
| 35 | + |
| 36 | + - title: Concern about forced expiration spam in very large channel factories |
| 37 | + url: /en/newsletters/2023/09/27/#using-covenants-to-improve-ln-scalability |
| 38 | + |
| 39 | + - title: Mitigating expiration floods with fee-depedent timelocks |
| 40 | + url: /en/newsletters/2024/01/03/#fee-dependent-timelocks |
| 41 | + |
| 42 | +## Optional. Same format as "primary_sources" above |
| 43 | +see_also: |
| 44 | + - title: HTLCs |
| 45 | + link: topic htlc |
| 46 | + |
| 47 | + - title: PTLCs |
| 48 | + link: topic ptlc |
| 49 | + |
| 50 | +## Optional. Force the display (true) or non-display (false) of stub |
| 51 | +## topic notice. Default is to display if the page.content is below a |
| 52 | +## threshold word count |
| 53 | +#stub: false |
| 54 | + |
| 55 | +## Required. Use Markdown formatting. Only one paragraph. No links allowed. |
| 56 | +## Should be less than 500 characters |
| 57 | +excerpt: > |
| 58 | + **Expiration floods** occur when many timelock-contingent payments are |
| 59 | + broadcast simultaneously. If not all of them can fit into blocks |
| 60 | + before their timelocks begin expiring, users are guaranteed to lose |
| 61 | + money. |
| 62 | +
|
| 63 | +--- |
| 64 | +For example, Mallory runs a very popular LN node with many users. Each |
| 65 | +channel has the maximum-allowed number of incoming and outgoing pending |
| 66 | +[HTLCs][topic htlc], making the cost to resolve each of those channels |
| 67 | +onchain around 100,000 vbytes. A full block can only fit about 10 of |
| 68 | +those channels. If the most critical [timelocks][topic timelocks] on |
| 69 | +some of the HTLCs might expire in 10 blocks or less, Mallory can force |
| 70 | +close more than 100 of those channels to eliminate the guarantee that |
| 71 | +her honest counterparties will receive their money. |
| 72 | + |
| 73 | +Although an expiration flood can be triggered deliberately by a |
| 74 | +malicious counterparty, it can also happen accidentally either by |
| 75 | +coincidence or by a situation that causes many users to attempt to close |
| 76 | +their channels simultaneously, e.g. a bug in a software implementation. |
| 77 | +In the accidental case, some honest users will get their money and other |
| 78 | +honest users may not, even though they all followed the protocol |
| 79 | +faithfully. |
| 80 | + |
| 81 | +Expiration floods were described in the original [Lightning Network |
| 82 | +paper][] under the name **forced expiration spam**. A later |
| 83 | +[paper][flood and loot] called the attack **flood and loot**. Concern |
| 84 | +about expiration floods has heavily influenced the development of LN and |
| 85 | +other offchain protocols. |
| 86 | + |
| 87 | +Mitigations that don't require consensus changes include: |
| 88 | + |
| 89 | +- **Minimizing onchain enforcement data:** designing protocols and |
| 90 | + setting limits so that timelock-contingent payments are small. For |
| 91 | + example, many LN implementations default to accepting and creating |
| 92 | + much less than the protocol-allowed maximum number of pending HTLCs. |
| 93 | + (That also helps mitigate other attacks.) |
| 94 | + |
| 95 | +- **Using long timelocks when possible:** in our example above, Mallory |
| 96 | + needs to close at least 100 channels with 10-block timelocks. If the |
| 97 | + timelocks were 100 blocks, she'd need to close 1,000 channels |
| 98 | + simultaneously. It would take more effort on her part to find that |
| 99 | + many victims and get their channels into an exploitable state. |
| 100 | + |
| 101 | +- **Improving counterparty decentralization:** someone who is a |
| 102 | + counterparty to 100 users has more power to execute an expiration |
| 103 | + flood attack than someone who is only counterparty to 10 users. |
| 104 | + This suggests that a less centralized distribution of counterparties |
| 105 | + might be safer against deliberately triggered expiration floods. |
| 106 | + Of course, in privacy-protecting protocols, it may be impossible to |
| 107 | + prove that two counterparties are distinct entities and not colluding. |
| 108 | + |
| 109 | +Proposed mitigations that require consensus changes include: |
| 110 | + |
| 111 | +- **Dynamic bounded block sizes:** this would allow miners to create larger |
| 112 | + blocks during high periods of demand so that they can confirm more |
| 113 | + transactions during an expiration flood. [Proposals][friedenbach |
| 114 | + dynamic] of this [nature][maxwell dynamic] |
| 115 | + usually require miners to pay a cost for creating higher blocks, such |
| 116 | + as destroying bitcoins are generating more proof of work. The lost |
| 117 | + bitcoins and work are expected to be compensated for by the extra fee |
| 118 | + income they will receive from confirming urgent transactions. |
| 119 | + |
| 120 | +- **Fee-dependent timelocks:** [this][fdt] would prevent a timelock from |
| 121 | + expiring when feerates were above a specified amount. If too many |
| 122 | + timelock-contingent payments entered the mempool at once; the users |
| 123 | + would bid up their feerates in competition with each other to get |
| 124 | + their transactions confirmed before the regular timelocks expired. |
| 125 | + When feerates exceeded the fee-dependent timelock, expiration of those |
| 126 | + timelocks would be delayed, keeping those users safe until feerates |
| 127 | + reduced. As long as the user paid a feerate above their fee-dependent |
| 128 | + timelock amount, their transaction should confirm before the timelock |
| 129 | + expires, ensuring the user's desired transaction gets confirmed before |
| 130 | + the timelock expires. |
| 131 | + |
| 132 | +{% include references.md %} |
| 133 | +{% include linkers/issues.md issues="" %} |
| 134 | +[lightning network paper]: https://lightning.network/lightning-network-paper.pdf |
| 135 | +[flood and loot]: https://arxiv.org/abs/2006.08513 |
| 136 | +[friedenbach dynamic]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-May/008017.html |
| 137 | +[maxwell dynamic]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-May/008038.html |
| 138 | +[fdt]: /en/newsletters/2024/01/03/#fee-dependent-timelocks |
0 commit comments