V3 transaction policy for anti-pinning

In this post, I will attempt to show that Peter Todd’s recent post significantly underestimates the time to sign multiple commitment transaction fee variants. I then directly address the concern about “the danger to decentralization” of building protocols on top of CPFP; I note that a simple as-need soft fork and small change to ephemeral anchor rules makes them into a powerful tool for protecting decentralization in the face of CPFP-based protocols.

Different parents have different children

To fully spend an HTLC in LN-Penalty, you need to publish three transactions:

  1. The commitment transaction. Money is allocated to an output of the commitment transaction using an HTLC script.

  2. An HTLC-Success or HTLC-Timeout transaction. These implement the classic logic of HTLCs: Alice can claim money at any time with a preimage (HTLC-Success) or Bob can receive a refund after a timeout (HTLC-timeout).

  3. HTLC-Penalty or delayed spend. If either the HTLC-Success or HTLC-Timeout transaction were created in a revoked commitment transaction, these allow the party who didn’t publish the revoked state to claim the full amount of the HTLC. If the current commitment transaction was used, this is delayed by a timelock (to allow an HTLC-Penalty to be broadcast) but can otherwise be a normal spend (although with a large witness).

Bitcoin currently lacks covenants, so the only way to ensure an HTLC-Success or HTLC-Timeout transaction pays an output with the HTLC-Penalty conditions is for the HTLC-Success and HTLC-Timeout transactions to require signatures from both parties, allowing each party to only sign payments to the HTLC-Penalty conditions. To ensure each party can act unilaterally (a requirement for trustlessness), each party must presign their half of the spend and send it to the other party before that party accepts (relies upon) an HTLC in the commitment transaction.

This means that updating an LN-Penalty commitment transaction requires sending 1 signature for the commitment transaction and 1 signature for every HTLC output of that commitment transaction. Each party can add a maximum of 483 outputs (source: BOLT2) to a commitment transaction, for a total of 2*483=966 outputs, which is also 966 signatures.

In the above-linked post, Peter Todd suggests presigning multiple versions of the commitment transaction at different feerates. He also notes that HTLC-Success and HTLC-Timeout transactions would need to be signed at different feerates if the same technique was applied to them, resulting in N^2 signatures, although he suggests mitigations.

Not mentioned detailed in that post is the effect of the HTLC-Success and HTLC-Timeout transactions being children of the commitment transaction. Each different version of the commitment transaction at a different feerate has a different txid. An HTLC-Success or HTLC-Timeout transaction will only be valid if a particular txid gets confirmed, so for every different version of the commitment transaction, a different version of the HTLC-Success and HTLC-Timeout transaction is needed. This requires N+N*M signatures, where N is the number of commitment transaction variants and M is the number of HTLCs.

The post suggests N=50 and a points to a Jonas Nick benchmark of 100us per signature (with non-controversial LN upgrades applied). BOLT2 suggests a maximum M=966, for a worst-case of 48,350 signatures that take a bit under 5 seconds to generate. Even a single hop adding a five second delay would be a significant degradation from the performance we hope for in the Lightning Network.

Using a more likely average M=200 and assuming 10 hops would give a minimum payment forwarding time of 12.5 seconds.

This does not consider other negative consequences of massively increasing signature operations, such as the increase in bandwidth and receiver-side verification operations.

If I haven’t messed up my analysis, I think this implies presigned incremental fee bumping does not provide an acceptable substitute to CPFP fee bumping of LN commitment transactions in all reasonable cases. If CPFP of commitment transactions is to continue to be used, we should encourage P2P protocol developers to improve support for it, e.g. through package relay, package RBF, v3 relay, and ephemeral anchors.

Ephemeral anchors can protect decentralization from CPFP-based protocols

Edit: the points in this section are undermined by later replies in the thread. I still think there’s something conceptually useful here, but this solution is broken for now. You probably want to skip reading this.

In the post, Peter Todd argues:

if you have an anchor-using transaction that you need to get mined, it costs twice as much blockspace to get the transaction mined via the intended mechanism — the anchor output — as it does by getting a miner to include the transaction without the anchor output spend. […] a large miner could easily offer out-of-band fee payments at, say, a 25% discount, giving them a substantial 25% premium over their smaller competitors.

I find this to be a compelling argument about the dangers of building protocols that depend on CPFP fee bumping. However, ephemeral anchors are different than other forms of CPFP fee bumping in that we can easily turn their policy rules into consensus rules, plus make one small change to eliminates the advantage of out-of-band payments.

The policy rules for ephemeral anchors are basically:

  • If a transaction pays a certain specified scriptPubKey (the parent’s ephemeral anchor)

  • It will only be considered policy-valid if it is packaged with a spend of that output (the child)

Miners following that policy will only include transactions with ephemeral anchor outputs if the same block includes the spend of that output. As described in the post, that’s just a policy rule and any miner can choose not to include the spend.

However, it’s easy to turn those rules into consensus rules: a block may only include a parent ephemeral anchor if it also includes the child spend. We could also add an extra rule in the soft fork: the child spend must include at least two inputs. That would mean the amount of block space used by someone paying miners out-of-band would be equal to the (best and expected normal case) of someone paying any miner in a decentralized fashion. In other words, the incentive for paying out of band would be eliminated.

Whether as policy or consensus, ephemeral anchors are totally opt-in, don’t affect any other part of the Bitcoin protocol, don’t add significant resource costs, and don’t complex code or new primitives. Implementing them as a soft fork is almost as easy a soft fork as could be. (Forbiding 64 byte transactions is easier, but we have no excuse for not having done that yet IMO.)

If we start with policy-only ephemeral anchors, then any protocol that depended on the policy version of them would continue working without changes if a soft fork activated. Only people who expected to pay fees out of band would be affected, and they would simply have to use the CPFP method already implemented in stock software.

This leads me personally to the opposite conclusion of that section of the original post. The post says,

We must not build protocols that put decentralized mining at a disadvantage. On this basis alone, there is a good argument that V3 transactions and ephemeral anchor outputs should not be implemented.

If we expect people to continue to build protocols based on CPFP fee bumping, and I think there’s a compelling case for that in the previous section, then ephemeral anchors is the best way I know of to prevent a CPFP-based reduction in mining decentralization. We should start with policy-only ephemeral anchors and, if it gains traction and we don’t discover anything better, eventually switch to consensus-enforced ephemeral anchors.


  • 2023-01-05 13:17 HST. Added note about soft fork ephemeral anchors not being a satisfactory solution after additional feedback. Struck out comment that PT hadn’t mentioned needing to sign N variants per HTLC; his post says, “we will have to sign N HTLC variants rather than a single variant”.
1 Like

Is it a given that there would be widespread consensus for such a soft fork?

If enough people are paying fees out-of-band for ephemeral anchors that we believe it’s threatening mining decentralization, our choice would be to either activate an easy and laser-focused soft fork or to lose mining decentralization. Given that choice, I think there would be widespread consensus.

hmmm not sure about this extension, sometimes the best thing to do is just burn the ephemeral anchor value by itself, which results in a 65 vbyte txn. I think in the end it’s the same risk as people paying transaction accelerators so they can use fewer inputs in an RBF?

I think the expected use of an ephemeral anchor would be:

  • Parent: 1 input, x+1 outputs. The +1 is the ephemeral anchor.
  • Child: >=2 inputs, >=1 outputs. One input is the anchor spend; the other contributes fees.

In the pathological case, the parent is the same but the child is never created. So we need a requirement that spending the parent can only be done at a cost equal to at least 2-inputs and 1 output.

That requirement doesn’t need to be an input requirement; it could also be treating a childless parent as if it had the additional weight of a 2-input, 1-output child.

But as per Peter Todd’s tweet miners can just efficiently spend all the anchor channel outputs together in a block. More efficient than any normal CPFP. It’s still more efficient to pay out of band too because UTXOs for the ephemeral txs need to be created and spent. Vast majority of channels will be stuff like Phoenix in the future, which want one UTXO per user. Can’t anchor that.

1 Like

Backing up a bit:

How is this decentralization argument not generalizable to any BringYourOwnFunds(BYOF) scheme?

For example, presigned HTLC-X transactions?

These are batchable. They are cheaper to be paid out of band.

Are we really arguing against all exogenous fees in smart contracts? I reject the premise entirely.


Link to what a HTLC-X transaction is?

@instagibbs is talking about HTLC-Success and HTLC-Timeout transactions as defined in BOLT3

These are presigned spends of HTLCs made with SIGHASH_SINGLE|SIGHASH_ANYPREVOUT that allow multiple of them to be combined into a single transaction. The don’t contribute any fee (or any meaningful fee), so we would normally expect them to be combined with an extra contributed input that adds fees (and likely an extra output for change). However, the threat-to-decentralization argument, you could pay a miner out-of-band fees to mine them without adding an extra input or output, saving block space.

I made this same argument to PT last night (last paragraph): https://twitter.com/hrdng/status/1743293516992876561

He almost doesn’t even address it.

“As for SIGHASH_ANYONECANPAY, obviously, it is still a problem, which is why I mentioned, among other mitigations, that in the future SIGHASH_ANYPREVOUT would help the situation.”

Again, does he believe that all future smart contracts should have endogenous fees, otherwise we’re risking decentralization? Is that really a tenable reason to stop any proposal(aside from the ~50vb that ephemeral anchors costs)?

“Obviously scale matters. We can’t prevent every single circumstance where someone might want to pay a transaction out of band. But we can and should design protocols to minimize it.”

That seems to cover it. His article that started all this proposes a few solutions for HTLC-X problem too: V3 Transactions Review

That’s a fair point; it does undermine my claimed advantage of a soft-fork version of ephemeral anchors.

I haven’t thought of an alternative way to obtain the property of in-band CPFP fee bumping pay the same weight cost as out-of-band transaction acceleration, at least not without preventing batching that would be beneficial to users.

That’s an argument for specs to avoid exogenous fees when possible, not how to make sensible mempool designs. if your smart contract can have endogenous fees, you should consider it. That’s appropriate! But this is not the case in many(most?) protocols outside of ln-penalty, and it’s completely inappropriate to gatekeep good mempool design to a specific instantiation of a specific idea.

Please see motivation/use-cases sections for more details on what kind of smart contracts V3 and ephemeral anchors is useful for:

Lastly, if “scale matters”, then we should be doing everything in our power to make fee bidding useful. No one has put forward an alternative proposal that makes sense for many RBF like V3. This has been years of discussions, and based on Peter’s writeup I don’t think he bothered to read my BIP draft.

This stuff IIUC is only talking about signature complexity and providing fees? As a humerous aside, HTLCs are endogenous fees(decentralization hit!), and would be more pin resistant using ephemeral anchors, but I’m not pushing for that in my proposal spec because of relative spec diff(HTLC-Success paths on both commit txs would have to be pre-signed, really hairy given the duplex updates it has now) :slight_smile:

Note that similar OOB benefits are obtained by batching and SIGHASH_SINGLE|ACP-based smart contracts today, and would be similar if we had any good introspection opcodes.


is there a reason to necessarily allow more than 1 unconfirmed ancestor for an ephemeral anchor type fee bump transaction?

if only the anchor itself is unconfirmed, what mempool pinning tactics are possible?

I mean, it’d be nice for batched CPFP! There are no known designs to do that that are pin-resistant though.

not entirely sure what the question is, mind rewording?

1 Like

that’s what i thought. so first we could just allow for a more restricted and less efficient way of doing ephemeral anchors. but at least we would have something usable that is easy to implement and reason about. then expand later to more useful and more optimal ways of doing it?

1 Like

I’m trying to better understand the claimed v3 pinning vulnerability. Do I understand correctly that:

  1. The worst case, which is what PT analyzed, is a commitment transaction with no pending HTLCs.
  2. The attacker reduces the feerate of the package/cluster containing the commitment transaction by the attacker using their own money to pay the fees.
  3. A commitment transaction with no pending HTLCs has no special urgency (i.e., no timelocks that will expire to the detriment of the broadcasting party).

In other words, the worst case form of this attack would be that Bob will have to wait a bit longer to respend his channel funds but Mallory will pay his fees?

Obviously, the attack also works against commitment transactions with pending HTLCs, but for each additional HTLC output, the attack quickly becomes less effective due to the decrease in relative size difference. Perhaps more interestingly, if Bob pays out of band to fee bump both the commitment transaction and Mallory’s pin (ephemeral anchor spend), Bob will possibly pay less fees than he would’ve without the pinning attack and Mallory will end up losing the funds she spent on the attack.

Of course, paying to defeat an attack out of band is still bad for mining decentralization, but I think all of the above points to this pinning attack being possibly ineffective.

1 Like

yeah, protocol and wallet devs should be reluctant to rely on oob payments to resolve mempool conflicts or timeout situations. such an api is a single point of failure and a huge centralization vector.

not gonna pretend i fully understand the various pinning attacks, i expect the major pain would be when you try to settle some contract by adding fees through the anchor, and someone else outbids your tx with higher fees (which is not a problem for you in itself) but with dependence on other unconfirmed ancestors, which ancestors they can double spend, resulting in the eviction of both fee bumps and the anchored tx from the mempools.

I don’t think that works: if you get to the point where miners offer an API for out of band fee payments that’s trustworthy enough and discounted enough that it sees wide adoption, leading to a centralisation risk, then if you did have a soft fork to require ephemeral anchors be spent, then those miners could work around your soft fork as follows:

  • create a “nouveau ephemeral anchors” BIP, with the same behaviour as before the soft-fork, but with a different scriptPubKey pattern
  • flood the network with nodes that relay according to the new BIP, have those nodes preferentially peer with each other to ensure there aren’t disconnected subgraphs
  • get this implemented by the devs that had already integrated with their API
  • push the patch to core noting that it’s in wide use on the network
  • profit

I think the sort of soft-fork you be okay if it was in line with economic incentives (ie, the only time an ephemeral anchor is in a block but not immediately spent is people testing things on regtest/signet/testnet, or due to bugs), but if the economic incentives are strongly pushing the other way (miners, wallet devs and users all collaborating to save a buck despite the centralisation risk), I don’t think a soft fork here would actually help.

(The other soft-fork approach would be: “an ephemeral anchor output can only be spent in the same block that it was created; it’s removed from the utxo set once the block is completely processed”. That resolves the “bugs lead to dust in the utxo set” issue, but doesn’t touch out-of-band-payment incentives, and introduces the potential for the child tx to become invalid in a reorg, if for some reason it isn’t included in the same block as its parent)

1 Like

I think you’re mostly describing the “cycle attack”, where the child is RBF’d out of the mempool, and the new child no longer spends the ephemeral anchor, causing the parent transaction to be evicted.


Mitigation is, in general, to aggressively re-broadcast, since each cycle costs the attacker fees(unlike pins).

You can think of it in another, imo more principled way: Someone is paying toe censor you, but they have to continuously bid block on block(and inbetween blocks if you’re doing it right + mempool synchrony assumptions), where you only pay once at the end of the game at most, and at your expected rate.

I don’t want to get too deep into cycle discussion though; it’s been done to death.

1 Like