Skip to content

Add liquidity griefing protection for liquidity ads#2982

Merged
t-bast merged 2 commits intomasterfrom
liquidity-ads-utxo-locks
Jan 24, 2025
Merged

Add liquidity griefing protection for liquidity ads#2982
t-bast merged 2 commits intomasterfrom
liquidity-ads-utxo-locks

Conversation

@t-bast
Copy link
Member

@t-bast t-bast commented Jan 17, 2025

When using liquidity ads, seller nodes may be vulnerable to liquidity griefing attacks. They may disable utxo locking to protect against such attacks, but the trade-off is that honest peers may also be affected by having their funding transaction double-spent. More details can be found in https://delvingbitcoin.org/t/liquidity-griefing-in-multi-party-transaction-protocols/264.

We thus expose a configuration flags to let node operators decide which trade-off they choose, depending on how likely they think someone will target them vs the UX they want to provide to their customers. Node operators can also choose to operate without this protection, and activate it when they detect that they're targeted.

We also add a mechanism to abort incoming channels after a configurable timeout in the second commit: if a remote node starts opening a channel to us and then becomes unresponsive, they're likely buggy or malicious so we want to fail that channel. Note that splicing already has this mechanism built-in using the quiescence-timeout parameter.

t-bast added 2 commits January 16, 2025 17:40
@t-bast
Allow funding without locks for liquidity griefing
68c6720 
When using liquidity ads, seller nodes may be vulnerable to liquidity
griefing attacks. They may disable utxo locking to protect against such
attacks, but the trade-off is that honest peers may also be affected by
having their funding transaction double-spent.

We thus expose a configuration flags to let node operators decide which
trade-off they choose, depending on how likely they think someone will
target them vs the UX they want to provide to their customers.
@t-bast
Abort incoming channel after timeout
64a12b8 
If a remote node starts opening a channel to us and then becomes
unresponsive, we abort the channel. This is particularly useful
when they're purchasing liquidity and we've locked utxos.
@t-bast t-bast requested review from remyers and sstone January 17, 2025 10:22
@sstone
Copy link
Member

sstone commented Jan 22, 2025

IIUC this fix (not locking UTXOs used for funding transactions), when enabled in the configuration file, is global and applies to all funding attempts. Would it make sense to restrict its applications to channel openings that we do not initiate and include liquidity requests (i.e. we would always lock inputs when we open channels)

@t-bast
Copy link
Member Author

t-bast commented Jan 22, 2025

Would it make sense to restrict its applications to channel openings that we do not initiate and include liquidity requests (i.e. we would always lock inputs when we open channels)

Unfortunately we cannot do that, it doesn't work...this is detailed in the long comment in BitcoinCoreClient.fundTransaction, we must either always lock or never lock, there is no in-between (unless we use separate wallets, but this creates liquidity management issues).

sstone
sstone approved these changes Jan 23, 2025
View reviewed changes
Copy link
Member

@sstone sstone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the new timeout is a real improvement, the don't lock utxos option is probably not something we will use ourselves but it's better to be ready and could benefit other operators.

@t-bast t-bast merged commit 12df4ce into master Jan 24, 2025
1 check passed
@t-bast t-bast deleted the liquidity-ads-utxo-locks branch January 24, 2025 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sstone sstone sstone approved these changes

@remyers remyers Awaiting requested review from remyers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@t-bast @sstone