Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: taker can lock maker funds without getting his funds locked #1049

Closed
moshababo opened this issue Jun 20, 2019 · 6 comments
Closed

security: taker can lock maker funds without getting his funds locked #1049

moshababo opened this issue Jun 20, 2019 · 6 comments
Assignees
@sangaman
Labels
critical bug P1 top priority swaps

Comments

@moshababo
Copy link
Collaborator

Scenario:

  • taker is paying the maker the 1st leg of the swap.
  • maker receives the taker HTLC, and is paying the taker the 2nd leg of the swap.
  • taker receives the maker HTLC, but is shutting down instead of settling the invoice and releasing the hash preimage.

Outcome: maker gets swap timeout, and is cancelling the taker invoice (1st leg) and so releasing the taker funds, while the taker invoice (2nd leg) is not cancelled and so the maker funds are locked until he will force-close the channel on-chain.
@moshababo moshababo mentioned this issue Jun 20, 2019
Closed
29 tasks
@sangaman
Copy link
Collaborator

so the maker funds are locked until he will force-close the channel on-chain.

Unless I'm mistaken I believe the funds are only locked until the HTLC expires. I don't think force-closing the channel is necessary unless the other side of the channel is uncooperative, but if they're uncooperative then all funds on the channel are locked until force-close no matter what since that's how LN is designed.

@sangaman sangaman mentioned this issue Jun 24, 2019
Closed
@ghost
Copy link

ghost commented Jun 26, 2019

Unless I'm mistaken I believe the funds are only locked until the HTLC expires

That was my initial response/understanding of the issue as well.

@moshababo
Copy link
Collaborator Author

Closing a channel with a pending HTLC cooperatively doesn't seems to work, although both parties remain connected and responsive.
Here's the test: https://github.com/ExchangeUnion/xud/pull/1047/files#diff-daf6bab84d805fdac657e724cbf96c3cR287

Let me know if i'm missing something.

@kilrau kilrau self-assigned this Jul 23, 2019
@kilrau
Copy link
Contributor

kilrau commented Jul 23, 2019

Todo: documentation on how to resolve via force close

@kilrau kilrau mentioned this issue Aug 6, 2019
Merged
@kilrau kilrau assigned ghost Aug 6, 2019
@moshababo moshababo mentioned this issue Sep 11, 2019
Merged
@moshababo
Copy link
Collaborator Author

Update: test case was already fixed so that maker channel will get closed after HTLC expiration. It just required more waiting steps before the funds could return to wallet balance (see testTakerShutdownAfter2ndHTLC implementation).

We should keep this issue open only if we want to disable the maker cancelling the taker invoice, and so allowing his funds to get easily released, instead of punishing him.

@kilrau kilrau assigned sangaman and unassigned ghost and kilrau Sep 16, 2019
@sangaman
Copy link
Collaborator

I'm thinking we should leave this issue alone for now (not modifying our cancel logic for now) on the grounds that we will ban a peer eventually whose swaps timeout repeatedly. I believe it's also possible that the maker's HTLC can get held up due to an unresponsive intermediary, so we may be punishing an "innocent" taker. We can revisit this topic if it becomes an issue later on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sangaman sangaman

Labels
critical bug P1 top priority swaps
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sangaman @moshababo @kilrau