Replacement Cycle Attack in the Lightning Network

The Bitcoin Lightning Network is a layer-2 scaling solution for Bitcoin, aimed at addressing the scalability challenges of the Bitcoin blockchain. It enables instant and low-cost Bitcoin transactions, making it more efficient and accessible for users. Compared to on-chain transactions on Bitcoin, transactions on the Lightning Network are private, occur off-chain, and only the overall outcome is recorded.

One of the main advantages of the Lightning Network is its speed and affordability. It enables users to send and receive small payments over the Bitcoin network in a simple and cost-effective manner. By creating a network of payment channels between users, the Lightning Network enables transactions without broadcasting every transaction to the blockchain. This reduces congestion on the Bitcoin blockchain and improves the scalability of transactions.

However, it should be noted that the Lightning Network is still in development and faces certain security and centralization risks. In October this year, a vulnerability called the “replacement cycle attack” was discovered in the Lightning Network. It involves Bitcoin’s transaction replacement mechanism and may lead to loss of channel funds. The emergence of this attack method has raised concerns about the security of the Lightning Network and prompted further research and improvements to its protocols and implementations.

Lightning Network Mechanism

The Bitcoin Lightning Network leverages the Multisig mechanism to ensure the security of payment channels. Participants need to lock up funds and establish payment channels. Participants can make fast, low-cost payments within the channel, without having to submit the transactions to the Bitcoin blockchain every time. The payment channel is just a relationship between the participants outside of the Bitcoin blockchain, which is achieved by signing a series of transactions within the channel that are only propagated between the two ends of the channel without involving the consensus of the entire Bitcoin network.

Specifically, when opening a payment channel, the participants create a multi-signature script: each party on the channel provides a public key, and the script specifies the required number of signatures, so it contains multiple public keys together with the signature verification logic. When the multi-signature address is generated, this script is converted into a Bitcoin address, which forms the basis of the payment channel.

For example, as shown in Figure 1, Bob and Alice first create a 2-of-2 multi-signature Bitcoin address on-chain as a joint fund. Within the channel, they can conduct unlimited off-chain commitment transactions to record the current state of fund allocation. The two parties can negotiate and sign new commitment transactions to update the state of the channel, without broadcasting these updates to the entire Bitcoin network. When they decide to close the channel, the final on-chain settlement transaction will distribute the funds according to the last negotiated allocation. This settlement transaction requires the joint signatures of both Bob and Alice, ensuring the funds are allocated in the finally agreed upon manner. In this way, the Lightning Network improves the efficiency of Bitcoin transactions, reduces costs, while retaining its decentralized characteristics.

 

Figure 1: State Channel Diagram

Source: https://cypherpunks-core.github.io/bitcoinbook/images/mbc2_1204.png

HTLC Mechanism

The Bitcoin Lightning Network also adopts payment channels based on Hashed Timelock Contracts (HTLCs) to implement a routable, multi-hop payment channel system. In the implementation, HTLCs require a complex transaction script defined in a scripting language to meet the hash condition and time lock condition. This script will be used for initialization when opening the payment channel and triggered during payment. In this way, the Bitcoin Lightning Network achieves efficiency and security for cross-chain payments.

A Hashed Timelock Contract (HTLC) is one of the important components for implementing cross-chain transactions on the blockchain. HTLCs have two common applications: cross-chain atomic swaps and payment channels in the Lightning Network. An HTLC can lock a transfer and set unlocking conditions, such as providing specific information within a specified time. This ensures that the funds can only be withdrawn by the recipient when the conditions are met.

Technically, an HTLC is an additional output in a commitment transaction with a unique output script. This Bitcoin Script program uses operations such as OP_HASH160 and OP_EQUALVERIFY to lock up funds so that only providing the preimage value R can unlock them. The script has two possible paths. The first path (the OP_IF branch) sends funds to Bob if Bob can provide R. The second path enforces a timelock using nLockTime in the payment transaction, allowing a refund back to Alice after the lock expires.

    OP_IF
        OP_HASH160 <Hash160 (R)> OP_EQUALVERIFY
        2 <Alice2> <Bob2> OP_CHECKMULTISIG
    OP_ELSE
        2 <Alice1> <Bob1> OP_CHECKMULTISIG
    OP_ENDIF

Routing Example

In the Lightning Network, Alice wants to pay 1 bitcoin to Eric, but there is no direct payment channel between Alice and Eric. So Alice routes the payment through intermediate nodes in the payment channel network (Bob, Carol, Diana) to construct a secure payment path, allowing her to indirectly pay 1 bitcoin to Eric. Payment routing uses HTLCs – only by providing the correct “secret” within a specific time window can the funds be unlocked, ensuring payment security.

In this example, in Step 1, Eric generates a Secret R (solution) and calculates the hash value H (puzzle), then gives the hash value H to Alice.

Steps 2-5: Alice, Bob, Carol, Diana, and Eric each construct HTLCs in pairs, requiring the provision of R (solution) within a certain period of time to retrieve the locked funds from the upstream party.

Steps 6-9: Eric provides R (solution) to Diana to retrieve 1 BTC. Diana then retrieves the BTC from Carol with R, and R is passed backwards like this until Alice’s 1.003 BTC (0.003 BTC of which is the service fee for intermediary nodes) is retrieved.

In this example, if Eric does not provide R (solution) within the fixed time in Step 6, then once the time expires the funds locked in Steps 2-5 are unlocked and returned.

Figure 2: Routing Example

Source: https://cypherpunks-core.github.io/bitcoinbook/images/mbc2_1210.png

Replacement Cycling Attack

Bitcoin’s transaction replacement mechanism means that when an unconfirmed transaction is marked as replaceable, another transaction with a higher fee can replace it before it is confirmed in a block. A transaction that pays a higher absolute fee and a higher fee rate can replace pending unconfirmed transactions that directly conflict with it. After receiving the replacement transaction, nodes remove the original transaction with the lower fee rate from the mempool and keep only the replacement. The mechanism allows transaction fees or other parameters to be adjusted before the transaction is confirmed. It can also be used for transaction denial-of-service attacks, such as repeatedly replacing a critical transaction so that it fails to confirm. The transaction replacement mechanism therefore makes adjusting transactions convenient, but also introduces a risk of abuse.

According to Bitcoin Core developer Antoine Riard’s email, the replacement cycle attack mainly involves payment channels in the Bitcoin Lightning Network. The attacker broadcasts an HTLC-preimage transaction with a higher absolute fee and fee rate to replace the honest node’s HTLC-timeout transaction. During replacement, the attacker can add additional inputs or outputs to ensure the replacement transaction is accepted by the network. This attack method may result in double spending of funds in payment channels: after the honest node broadcasts the HTLC-timeout transaction, the attacker retrieves the funds through replacement. A simple example illustrates this. As in the previous example, but with the path simplified to only Alice, Bob and Eric, assume that Alice and Eric collude to steal Bob’s BTC.

Step 1: Alice intends to pay 1 BTC to Eric through Bob. Alice/Bob and Bob/Eric each build an HTLC. Eric needs to provide R (solution) to Bob before block 1020 (assume the current height is 1000), otherwise Bob can retrieve the locked 1 BTC; similarly, Bob needs to respond to Alice before block 1080, otherwise Alice can retrieve her 1 BTC.

Step 2: Eric did not provide R (solution) to Bob before block 1020. Bob will broadcast a transaction containing HTLC-timeout. The funds in this transaction will be refunded to Bob.

Step 3: Eric monitors Bob’s HTLC-timeout transaction and replaces it with an HTLC-preimage transaction with a higher fee rate. Then Eric initiates another transaction to evict the previous HTLC-preimage out of the mempool.

Step 4: Bob’s node will rebroadcast the HTLC-timeout transaction until block 1080. Eric can initiate a replacement every time. Once block 1080 is reached, the transaction of the other channel party, Alice, is confirmed, and Alice retrieves the locked BTC.

Step 5: Eric gets his HTLC-preimage confirmed, so the 1 BTC locked by Bob is transferred to Eric.

Thus, Bob’s 1 BTC was transferred to Eric, while Bob did not receive the BTC due from Alice either.
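The race in Steps 1-5, together with the claim-or-refund rule from the HTLC section, as an added example that is not part of the original article: each HTLC output goes to whichever spend confirms first, and only the timeout path is bound to the expiry height. SHA-256 stands in for the script's OP_HASH160, and the function names and confirmation heights other than 1020 and 1080 are assumptions chosen for illustration.

```python
import hashlib

BTC = 100_000_000  # satoshis

def htlc_outcome(expiry, payment_hash, preimage=None, preimage_conf=None, timeout_conf=None):
    """Resolve one HTLC output: the first confirmed spend wins.

    preimage_conf / timeout_conf are the heights at which each spend confirms
    (None = never confirms). The hash path has no expiry of its own; the
    timeout path is only valid at or after `expiry`.
    """
    hash_ok = preimage is not None and hashlib.sha256(preimage).digest() == payment_hash
    p = preimage_conf if hash_ok else None
    t = timeout_conf if timeout_conf is not None and timeout_conf >= expiry else None
    if p is not None and (t is None or p < t):
        return "claimed"
    return "refunded" if t is not None else "locked"

def forwarder_net(incoming, outgoing, amount=BTC):
    """Bob's balance change: he gains the incoming HTLC and pays the outgoing one."""
    return (amount if incoming == "claimed" else 0) - (amount if outgoing == "claimed" else 0)

R = b"constructed-secret-R"       # constructed sample preimage
H = hashlib.sha256(R).digest()    # the hash Eric hands to Alice

def bob_net(eric_claim, bob_timeout, bob_claim, alice_timeout):
    """Heights (or None) at which each spend confirms, using the article's expiries."""
    outgoing = htlc_outcome(1020, H, R, eric_claim, bob_timeout)   # Bob -> Eric HTLC
    incoming = htlc_outcome(1080, H, R, bob_claim, alice_timeout)  # Alice -> Bob HTLC
    return forwarder_net(incoming, outgoing)

SCENARIOS = {
    "honest settlement":   bob_net(1010, None, 1011, None),
    "plain timeout":       bob_net(None, 1021, None, 1081),
    # Bob's timeout never confirms; Alice's does at 1081; Eric's preimage lands after.
    "replacement cycling": bob_net(1082, None, 1083, 1081),
    # Same race, but Bob learned R from the mempool and settled with Alice at 1022.
    "preimage seen early": bob_net(1082, None, 1022, 1081),
}

if __name__ == "__main__":
    for name, net in SCENARIOS.items():
        print(f"{name:22s} Bob net: {net / BTC:+.3f} BTC")
```

Only the cycling scenario leaves Bob short, and the last row shows why seeing the preimage while it is briefly in the mempool closes the gap.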

Summary

As of November 2023, the Lightning Network has over 16,000 Lightning nodes and 5,000 BTC. Although no actual replacement cycle attack has been confirmed, the issue highlights the need for continuous security research and improvement of the Lightning Network. Antoine Riard also suggested several measures to avoid or mitigate replacement cycle attacks, such as monitoring the local mempool and relayed transactions, building overlay networks between miners and Lightning nodes, and actively replaying HTLC-timeout transactions to increase the attacker’s costs. At the same time, he announced that he was stopping his participation in the Lightning Network and its implementation work, including coordinating solutions for protocol-level security vulnerabilities.
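One way to combine two of the measures listed above, local mempool monitoring and rebroadcasting the HTLC-timeout, shown as an added example (not Riard's code or any Lightning implementation's). The event records, their field names, the removal reasons and the action strings are constructed for illustration and do not correspond to a real node interface.

```python
from dataclasses import dataclass, field

@dataclass
class HtlcWatch:
    timeout_txid: str        # our HTLC-timeout transaction
    upstream_expiry: int     # height at which the upstream HTLC expires (1080 in the text)
    replacer: str = ""       # txid currently displacing our timeout in the mempool
    cycles: int = 0          # completed replace-then-evict rounds
    preimage: str = ""       # R, once seen in a conflicting spend
    actions: list = field(default_factory=list)

def process(watch, events, alert_after=2):
    """Feed mempool and block events in order; return the recommended actions."""
    for ev in events:
        if ev["type"] == "replaced" and ev["old"] == watch.timeout_txid:
            watch.replacer = ev["new"]  # a conflicting spend outbid our timeout
            if ev.get("preimage") and not watch.preimage:
                # The preimage spend reveals R: settle the upstream HTLC right away.
                watch.preimage = ev["preimage"]
                watch.actions.append("claim-upstream-with-preimage")
        elif ev["type"] == "removed" and ev["txid"] == watch.replacer:
            watch.replacer = ""
            if ev["reason"] == "block":
                watch.actions.append("htlc-resolved-on-chain")
            else:
                # Replacer left the mempool unconfirmed: the HTLC output is unspent again.
                watch.cycles += 1
                watch.actions.append("rebroadcast-timeout")
        elif ev["type"] == "block" and watch.cycles >= alert_after:
            left = watch.upstream_expiry - ev["height"]
            watch.actions.append(f"alert-cycling:{left}-blocks-left")
    return watch.actions

# Constructed event stream (not real node output).
SAMPLE_EVENTS = [
    {"type": "replaced", "old": "timeout-tx", "new": "preimage-tx-1", "preimage": "52" * 32},
    {"type": "removed", "txid": "preimage-tx-1", "reason": "replaced"},
    {"type": "replaced", "old": "timeout-tx", "new": "preimage-tx-2", "preimage": "52" * 32},
    {"type": "removed", "txid": "preimage-tx-2", "reason": "replaced"},
    {"type": "block", "height": 1030},
]

if __name__ == "__main__":
    print(process(HtlcWatch("timeout-tx", 1080), SAMPLE_EVENTS))
```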

As the Lightning Network scales up, the potential threat of replacement cycle attacks may become an obstacle in its development path, forcing the community to focus more on security research and improvements. However, it is precisely by seriously addressing and improving security issues that we may witness the Lightning Network gradually resolving potential risks in the future, achieving a healthier and more reliable ecosystem.

About CoinEx

Founded in 2017, CoinEx is a global cryptocurrency exchange committed to making trading easier. The platform provides a range of services, including spot and margin trading, futures, swaps, automated market making (AMM), and financial management services for over 5 million users across 200+ countries and regions. Since its establishment, CoinEx has steadfastly adhered to a “user-first” service principle. With the sincere intention of nurturing an equitable, respectful and secure crypto trading environment, CoinEx enables users to effortlessly access the world of cryptocurrency by offering easy-to-use products and services.

References

https://cypherpunks-core.github.io/bitcoinbook/

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-October/022032.html

https://lightning.network/lightning-network-paper.pdf

https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper/replacement-cycling.pdf
