In Antoine Riard’s
original description of replacement cycle attacks against HTLCs, a replacement cycle looks like this:
- Bob broadcasts an HTLC-timeout (input A, input B for fees, output X)
- Mallory replaces the HTLC-timeout with an HTLC-preimage (input A,
input C for fees, output Y) - Mallory replaces the transaction that created input C, removing the
HTLC-preimage from the mempool
However, an alternative approach is:
- (Same) Bob broadcasts an HTLC-timeout (input A, input B for fees,
output X) - (Same) Mallory replaces the HTLC-timeout with an HTLC-preimage (input
A, input C for fees, output Y) - (Different) Mallory uses input C to replace the HTLC-preimage with a
transaction that does not include input A, removing the preimage from
the mempool
The alternative approach has three clear advantages:
- It’s simpler. The original approach works by replacing input C’s parent, removing from the mempool the data necessary to confirm the HTLC-preimage; the alternative approach simply replaces the HTLC-preimage, removing it from the mempool directly.
- It requires less setup. The original approach requires input C’s parent to be an unconfirmed transaction already in the mempool of targeted nodes; the alternative approach can use any of those outputs or any confirmed output.
- It’s more robust. If the original approach’s unconfirmed output gets confirmed, the attacker needs to create another unconfirmed output.
Are there additional advantages to the alternative approach? Are there advantages to the original approach?
