Timelocked Bribing

Abstract

A Hashed Time Lock Contract (HTLC) is a central concept in cryptocurrencies where some value can be spent either with the preimage of a public hash by one party (Bob) or after a timelock expires by another party (Alice). We present a bribery attack on HTLC’s where Bob’s hash-protected transaction is censored by Alice’s timelocked transaction. Alice incentivizes miners to censor Bob’s transaction by leaving almost all her value to miners in general. Miners follow (or refuse) this bribe if their expected payoff is better (or worse). We explore conditions under which this attack is possible, and how HTLC participants can protect themselves against the attack. Applications like Lightning Network payment channels and Cross-Chain Atomic Swaps use HTLC’s as building blocks and are vulnerable to this attack. Our proposed solution uses the hashpower share of the weakest known miner to derive parameters that make these applications robust against this bribing attack.

Appendices

Appendix A    Transactions in Pseudo Bitcoin Script

HTLC Transaction:

Seller Transaction, spending from the hashlocked path:

Refund Transaction, spending from the timelocked path: REFUND_TXN:

Bribe Transaction, which leaves the output values to miners: BRIBE_TXN:

Appendix B    Iterated Removal of Dominated Strategies

The FIND_T procedure receives as input a list of mining hashpowers (leader selection probabilities), and the values of parameters f and b. As output, it returns the lowest value of T such that all miners refuse the bribe in the first stage of the game. It uses the inner procedure CALCULATE_BRIBERY_MATRIX to determine the behavior of more strong miners at each block when less strong miners’ strategies get dominated (Fig. 1).

Fig. 1.

Iterated removal of dominated strategies

Example (Table 2): Let’s take the case of 4 miners with hashpower shares \(\mathbb {P} = [0.1, 0.2, 0.3, 0.4]\), \(f = 11, b = 100\). Applying Theorem 1, we get an upper bound of T to be 21. Running the procedure CALCULATE_BRIBERY_MATRIX returns the matrix shown in Table 2, with “1” standing for refuse and “0” standing for follow. Note that this matrix shows the conservative scenario of T = 21 blocks (as given by Theorem 1. The aim of this algorithm is to find a more aggressive (lower) value of T which we get if we eliminate dominated strategies of strong miners. We now go through the actions of each miner.

Table 2. Bribery matrix, worked example

The miner with hashpower 0.1 (\(p_0\)) will play refuse at every block because we have \(T > \frac{\log \frac{f}{b}}{\log (1-p_w)}\). The miner with hashpower 0.2 (\(p_1\)) will play refuse as long as the expected bribe (payable at \(T+1\)) calculated at a particular block is lower than the fees that they would earn if they mine that block. In this case, \((1- p_w)^t \cdot p_1 \cdot b < f\) till \(t = 6\) for values of \(f = 11, b = 100, p_w = 0.1\). This means that \(p_1\) will start playing follow as we get closer to \(t = T\) (specifically when we are 5 blocks away from T). The miner with hashpower 0.3 (\(p_3\)) will play refuse along similar lines, by looking at the actions of miners \(p_0\) and \(p_1\) over the different blocks. One thing to notice is that at block #16, \(p_2\) will act assuming that \(p_0\) and \(p_1\) will both play refuse. At block #17, \(p_2\) will act assuming that \(p_0\) will play refuse and \(p_1\) will play follow. This is implemented in the algorithm by using the 0’s and 1’s in the bribery matrix and using them as factors in line #13 of the CALCULATE_BRIBERY_MATRIX procedure. This way, on line #13, we only use miners who play refuse at each block to calculate the expected bribe.

In the main procedure FIND_T, we then find the last block in which all miners play refuse and return that as the result. In the real world, we can give a 5–6 block cushion on top of this, and it will still be significantly lower than the upper bound of T.

Appendix C    Risk Free Atomic Swaps

Please check the IACR Eprint version of this paper for pseudo-code transactions and flow chart of the risk free atomic swap.