bitcoin-dev
Combined summary - Keyless Anchors Are Vulnerable To Replacement Cycling Attacks
A newly described vulnerability in the way Bitcoin transactions are fee-bumped, affecting transactions whose fees are paid by a child transaction via Child Pays for Parent (CPFP) that spends a keyless ephemeral anchor output, has raised concerns about the reliability of transactions built that way.
This vulnerability enables what is termed a replacement cycling attack, which lets an attacker disrupt the normal processing of a target's transactions at low cost, especially when the attacker intends to make transactions of their own with a higher total fee and fee-rate than the target's anyway. The pattern under attack is a pair of transactions in which the second pays the fees for both: transaction A carries low or zero fees and depends on transaction B to cover them via CPFP by spending A's keyless ephemeral anchor output. The attacker broadcasts a competing transaction B2 that spends A's anchor output together with an input of their own, at a higher total fee and fee-rate than B, so B2 replaces B in the mempool. The attacker then double-spends their own input with a third transaction, B3, which does not spend A's anchor at all and pays still more; B3 replaces B2, B has been cycled out, and A, now without any child paying its fees, is left unminable and falls out of the mempool. Since B2 is never mined, the attacker pays only B3's fee.
In response to this issue, the proposal of adding an optional rebroadcasting module to Bitcoin Core has been put forward as a potential solution. The purpose of this module would be to monitor transactions that have fallen out of the mempool and ensure their reinsertion once they become valid again, hence mitigating the impact of replacement cycling attacks. However, this approach is not without its challenges. It could inadvertently act as a vector for Denial of Service (DoS) attacks, putting undue strain on node resources like memory and disk space. Additionally, the implementation of such a module introduces complexities in managing the mempool, particularly in deciding which transactions should be prioritized for eviction when conflicts arise.
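The cycle described above (A and B as a package, B2 replacing B, B3 replacing B2 and orphaning A) and the rebroadcast mitigation proposed in response, as an added toy model written for this summary and not code from Bitcoin Core or from the thread. The mempool here is a deliberate simplification: it applies only the "more absolute fee and higher fee-rate" replacement rules of BIP 125 and a simplified ephemeral-anchor rule under which a below-min-fee-rate parent stays only while some child spends its anchor output; Core's actual package and anchor policy differs in detail. All txids, sizes and fees are constructed.

```python
"""Toy mempool model of a replacement cycling attack on a keyless-anchor CPFP
package.  Added illustration only, not Bitcoin Core code: the replacement and
ephemeral-anchor rules below are deliberate simplifications of BIP 125 and of
Core's package/anchor policy, and every txid, size and fee is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple         # outpoints "txid:vout" this transaction spends
    fee: int              # satoshis
    vsize: int            # virtual bytes
    anchor: bool = False  # True if output 0 is a keyless ephemeral anchor

    @property
    def feerate(self) -> float:
        return self.fee / self.vsize


class Mempool:
    MIN_RELAY_FEERATE = 1.0  # sat/vB; a zero-fee tx only gets in via a CPFP child

    def __init__(self) -> None:
        self.txs: Dict[str, Tx] = {}
        self.evicted: List[str] = []  # eviction order, for the reader

    def _conflicts(self, tx: Tx) -> List[Tx]:
        return [t for t in self.txs.values() if set(t.inputs) & set(tx.inputs)]

    def _spenders(self, txid: str) -> List[Tx]:
        return [t for t in self.txs.values()
                if any(i.split(":")[0] == txid for i in t.inputs)]

    def _evict(self, txid: str) -> None:
        if txid not in self.txs:
            return
        for child in self._spenders(txid):  # descendants leave with it
            self._evict(child.txid)
        del self.txs[txid]
        self.evicted.append(txid)

    def _trim_unpaid_anchors(self) -> None:
        # Simplified ephemeral-anchor policy (assumption): a below-min-feerate
        # parent may only stay while some child spends its anchor output.
        for t in list(self.txs.values()):
            if t.anchor and t.feerate < self.MIN_RELAY_FEERATE and not self._spenders(t.txid):
                self._evict(t.txid)

    def _rbf_ok(self, tx: Tx, conflicts: List[Tx]) -> bool:
        # Simplified BIP 125 rules 3 and 4: more absolute fee and a higher
        # feerate than everything being replaced.
        return (tx.fee > sum(c.fee for c in conflicts)
                and all(tx.feerate > c.feerate for c in conflicts))

    def submit(self, tx: Tx, package_parent: Optional[Tx] = None) -> bool:
        """Accept tx, optionally together with its zero-fee parent as a package.
        Inputs that name no mempool tx are treated as confirmed UTXOs."""
        conflicts = self._conflicts(tx)
        if conflicts and not self._rbf_ok(tx, conflicts):
            return False
        if package_parent is not None:
            # The parent is judged on the package feerate, as with package relay.
            pkg_rate = (package_parent.fee + tx.fee) / (package_parent.vsize + tx.vsize)
            if pkg_rate < self.MIN_RELAY_FEERATE:
                return False
            self.txs[package_parent.txid] = package_parent
        elif tx.feerate < self.MIN_RELAY_FEERATE:
            return False
        for c in conflicts:
            self._evict(c.txid)
        self.txs[tx.txid] = tx
        self._trim_unpaid_anchors()
        return True


def run_attack() -> dict:
    """Alice's package (A, B) is cycled out by Mallory's B2 and then B3."""
    mp = Mempool()
    # Constructed sample transactions; fees and sizes are illustrative only.
    A = Tx("A", inputs=("alice:0",), fee=0, vsize=200, anchor=True)
    B = Tx("B", inputs=("A:0",), fee=2000, vsize=100)                  # Alice's CPFP child
    B2 = Tx("B2", inputs=("A:0", "mallory:0"), fee=4000, vsize=150)    # replaces B, keeps A alive
    B3 = Tx("B3", inputs=("mallory:0",), fee=4500, vsize=100)          # double-spends B2, drops A

    assert mp.submit(B, package_parent=A)  # A rides in on B's fee
    assert mp.submit(B2)                   # B evicted: B2 pays more fee at a higher feerate
    assert mp.submit(B3)                   # B2 evicted; A has no spender left and is trimmed
    after_attack = sorted(mp.txs)

    # Mitigation discussed in the thread: rebroadcast the package once it is
    # valid again.  B3 does not spend A:0, so (A, B) now conflicts with nothing.
    rebroadcast_ok = mp.submit(B, package_parent=A)

    return {
        "after_attack": after_attack,
        "evicted": list(mp.evicted),
        "attacker_cost": B3.fee,  # B2 never confirms, so only B3's fee is paid
        "rebroadcast_ok": rebroadcast_ok,
        "after_rebroadcast": sorted(mp.txs),
    }


if __name__ == "__main__":
    print(run_attack())
```

Running it shows the mempool holding only B3 after the cycle, with B, B2 and then A evicted in that order, and the package re-entering cleanly on rebroadcast; the attacker can of course repeat the cycle against the rebroadcast, which is why the thread treats rebroadcasting as a mitigation rather than a fix.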
Moreover, while preventing the replacement of transactions such as B2 with B3 might seem straightforward, it does not fully address the potential for new forms of exploitation by attackers. Concerns also extend to privacy, as each rebroadcast could inadvertently reveal information about the transaction's origin. To mitigate these privacy issues, it has been suggested that having third parties altruistically rebroadcast transactions could help preserve users' anonymity. For those interested in further details on this topic, Peter Todd offers additional discussion and analysis on his personal website.