Quickly understand Lightning Network replacement transaction loop attacks

In late October 2023, the Bitcoin community disclosed that the Lightning Network may have major flaws that allow users to construct an attack to steal money, called the “Lightning Replacement Cycling Attack”.

I read up on the principle behind it; the Chinese name can be translated as “Lightning Network Cyclic Replacement Transaction Attack”.

The principle of the attack is as follows.

First, here is how the Lightning Network works:

  1. Alice and Bob open a payment channel: they jointly create a 2-of-2 multisignature address, and each of them holds one private key.

Alice and Bob deposit 0.5 BTC and 0.6 BTC into this 2-of-2 address respectively (the amounts are arbitrary; this is just an example). Both deposits happen on the Bitcoin main chain and must be confirmed by miners. The initial state of the payment channel is therefore that 0.5 BTC belongs to Alice and 0.6 BTC belongs to Bob, which we write as (Alice: 0.5 BTC; Bob: 0.6 BTC).

Within this 2-of-2 address, Alice and Bob can pay each other. For example, Alice can pay Bob 0.1 BTC, so that the channel state becomes 0.4 BTC for Alice and 0.7 BTC for Bob: (Alice: 0.4 BTC; Bob: 0.7 BTC). Such transactions do not need to be included in a block on the Bitcoin main chain; they take place only between Alice and Bob, which is why this is called a payment channel.

Transfers between Alice and Bob do not need to be settled on the main chain, which saves a lot of miner fees, and they are received in real time, without waiting 10 minutes for a block confirmation.

But if transfers were only possible between two people, this would be of little use.

  2. A payment channel is also opened between Bob and Carol. Its initial state is that Bob has 1.0 BTC and Carol has 0 BTC, written as (Bob: 1.0 BTC; Carol: 0 BTC).

  3. Now there is a payment channel between Alice and Bob, and also one between Bob and Carol.

Alice can then pay bitcoin to Carol via Bob.

The payment process is as follows: Alice pays Carol 0.1 BTC, and the following state changes occur in the two payment channels:

  1. The state between Alice and Bob changes to (Alice: 0.3 BTC; Bob: 0.8 BTC).

  2. The state between Bob and Carol changes to (Bob: 0.9 BTC; Carol: 0.1 BTC).

  3. This completes the transfer of 0.1 BTC from Alice to Carol.

  4. As more and more parties open payment channels and connect to one another, a payment network forms, which we call the Lightning Network.

Of course, the full technical explanation is far more complicated; the above is the most concise version.

The following describes the general process of the Lightning Network cyclic replacement transaction attack. I don’t understand the detailed technical details; the opcodes, contracts and functions are a bit complicated.

  1. The attackers are Alice and Carol, who conspire against Bob; Bob is the victim.

Alice pays 0.3 BTC to Carol.

  1. The initial channel states are (Alice: 0.3 BTC; Bob: 0.8 BTC) and (Bob: 0.9 BTC; Carol: 0.1 BTC).

  2. The channel state between Alice and Bob should change to (Alice: 0 BTC; Bob: 1.1 BTC).

  3. The channel state between Bob and Carol should change to (Bob: 0.6 BTC; Carol: 0.4 BTC).

Alice and Carol decide to collude to defraud Bob of 0.3 BTC.

  1. Carol does not acknowledge that she has received the 0.3 BTC from Alice; that is, Carol does not send the Lightning Network receipt to Bob. As a result, Bob cannot legitimately claim Alice’s 0.3 BTC within the Lightning Network.

  2. At some point, Alice cheats and directly broadcasts a settlement transaction TX1 on the Bitcoin main chain, claiming that she still has 0.3 BTC and that Bob has only 0.8 BTC in their channel.

In TX1, 0.3 BTC is sent to Alice’s own (single-signature) address, so Alice is trying to steal 0.3 BTC that does not belong to her.

  1. Because Bob has not received Carol’s receipt, he cannot prove that the state of the (Alice; Bob) channel should have changed to (Alice: 0 BTC; Bob: 1.1 BTC).

  2. Once TX1 is confirmed on-chain, i.e. Alice has in fact stolen the 0.3 BTC, Carol immediately collects her 0.3 BTC in the Lightning Network and sends the receipt to Bob.

  3. In this way, Alice never actually paid 0.3 BTC to Bob, but Carol did receive 0.3 BTC from Bob. Bob has thus had 0.3 BTC stolen by Alice and Carol acting together.

  4. Note that when Alice broadcasts the theft transaction TX1 on the main chain, Bob has a countermeasure: he can broadcast a transaction TX2 to the main chain proving that Alice is cheating. Because Bob has not received Carol’s receipt, getting TX2 through is quite troublesome, but it is theoretically possible.

After Alice sees TX2, she rebroadcasts TX1 with a higher miner fee, inducing miners to include TX1 and reject TX2. This is what is called “replacement”.

  1. At present, developers say that collusion between Alice and Carol can indeed make it harder for Bob’s TX2 to be accepted by miners on the Bitcoin main chain. To make TX2’s legitimacy easier to establish, the protocol would need to be modified, and that means a soft fork of the main chain, which is difficult.

The above is the general process of the Lightning Network cyclic replacement transaction attack. The specific technical principles are too complicated and I don’t understand them; I am just assuming that the technical details posted by developers that I have seen on the Internet are correct.
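The balance arithmetic described above, as an added example that is not code from the original post or from any Lightning implementation. It is a toy ledger that treats the “receipt” as the preimage of a SHA-256 hash lock (an assumption; the post does not name the mechanism), and the names `Channel`, `lock_for` and `bob_loss` are hypothetical. It shows that Bob stays whole only when both hops resolve the same way.

```python
import hashlib
from dataclasses import dataclass, field

SAT = 100_000_000  # satoshis per BTC; integers avoid float rounding

def lock_for(receipt: bytes) -> str:
    """Hash lock that only the matching receipt (preimage) can open."""
    return hashlib.sha256(receipt).hexdigest()

@dataclass
class Channel:
    balance: dict                                  # party -> settled satoshis
    pending: dict = field(default_factory=dict)    # lock -> (payer, payee, amount)

    def offer(self, payer, payee, amount, lock):
        """Reserve a conditional payment; it is not yet the payee's money."""
        if self.balance[payer] < amount:
            raise ValueError("insufficient channel balance")
        self.balance[payer] -= amount
        self.pending[lock] = (payer, payee, amount)

    def settle(self, receipt):
        """Payee presents the receipt and the reserved amount becomes theirs."""
        _, payee, amount = self.pending.pop(lock_for(receipt))
        self.balance[payee] += amount

    def refund(self, lock):
        """The conditional payment is cancelled and returns to the payer."""
        payer, _, amount = self.pending.pop(lock)
        self.balance[payer] += amount

def bob_loss(upstream_paid: bool) -> int:
    """Route 0.3 BTC Alice -> Bob -> Carol; return Bob's loss in satoshis."""
    receipt = b"constructed-sample-receipt"        # known only to Carol at first
    lock, amount = lock_for(receipt), 3 * SAT // 10
    ab = Channel({"alice": 3 * SAT // 10, "bob": 8 * SAT // 10})
    bc = Channel({"bob": 9 * SAT // 10, "carol": 1 * SAT // 10})
    before = ab.balance["bob"] + bc.balance["bob"]
    ab.offer("alice", "bob", amount, lock)         # Alice -> Bob, conditional
    bc.offer("bob", "carol", amount, lock)         # Bob -> Carol, same lock
    bc.settle(receipt)                             # Carol collects from Bob
    if upstream_paid:
        ab.settle(receipt)                         # Bob collects from Alice
    else:
        ab.refund(lock)                            # Alice gets her 0.3 BTC back
    return before - (ab.balance["bob"] + bc.balance["bob"])
```

`bob_loss(True)` is the honest route and `bob_loss(False)` is the outcome the post describes, where the downstream hop settles but the upstream hop does not.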

The attack works by sandwiching the victim between the two colluding parties. An exchange naturally has payment channels open with all of its users, so exchanges are going to suffer.

In the end, I feel that this is not a big deal: there are no bugs in the software, and there will be a way to fix it.
