1

Let's imagine Alice wants to send multiple transactions to Bob. Both Alice and Bob have open channels with Carol, not with each other:

Alice <-> Carol <-> Bob

So Alice first sends 0.01 BTC to Bob. She sets up the multi-sig tx and sends it off to Carol, which then also Bob sees. Then Alice makes another transaction to Bob of 0.02 BTC, and sets an earlier time-lock in order to invalidate the earlier 0.01 tx.

Now both Alice and Bob have seen these 2 transactions and they both go offline. They are sure that Alice has given Bob 0.02 BTC.

My question is: how do they know that Carol will commit to the blockchain (when the moment comes) the second transaction rather than the first? Couldn't Carol simply send the 0.01 tx to the blockchain rather than the 0.02 one?

I understand that Bob could come online and post it himself, and because of the timelock, he could do it before the other one, thus invalidating it.

But in the scenario where both Alice and Bob are offline do they have to trust Carol to behave honestly?

Murch
  • 71,155
  • 33
  • 180
  • 600
Luca Matteis
  • 5,182
  • 17
  • 24

1 Answers1

1

AFAIU, if you have open lightning channels, you cannot go offline. You must be online in order to monitor the blockchain for old commitments. If you see an old commitment transaction, you immediately broadcast the punishment transaction, but you cannot do this if you go offline. So if you have open lightning channels, you must be online and if you go offline, you are trusting that the other person in the channel will not attempt to defraud you.

Andrew Chow
  • 67,209
  • 5
  • 76
  • 149
  • Interesting, so both Alice and Bob need to be online for the entire channel duration? This seems quite unfriendly for users of wallets on mobile for instance where connections are quite sporadic. – Luca Matteis Jul 05 '17 at 08:45
  • I think there might me more to this. Carol can commit the 0.01 tx instead of the 0.02 to the blockchain (while you're offline). However, then you come online, say after a week, and present the 0.02 one which has an earlier timelock. The network would see that and penalize Carol for commiting the 0.01 one instead of the 0.02 one? I was reading about something that has to do with penalties but am not sure if this is the logic behind it and how it would work. – Luca Matteis Jul 05 '17 at 15:58
  • In order for you to know that the penalty transaction should be broadcast, you need to be online and monitoring the blockchain. Alternatively you can have some third party watch it for you. But there's no way around the fact that someone needs to watch the blockchain in order to know whether to broadcast the penalty transaction or not. – Andrew Chow Jul 05 '17 at 16:37
  • But how can you trust that the third-party will do it correctly and in a timely manner as to not let the other, old, transaction win? – Luca Matteis Jul 05 '17 at 16:57
  • That's why you must trust them. Otherwise you can't. – Andrew Chow Jul 05 '17 at 16:58
  • Are you sure there's not a system in place where the third-party can't just commit old transaction to the blockchain? That seems like an awful lot of trust to put on to third-parties. – Luca Matteis Jul 05 '17 at 21:37
  • There seems to be something here although I can't quite decipher it yet https://bitcoin.stackexchange.com/questions/42887/transaction-overriding-in-lightning-network?rq=1 "To invalidate the previous "exit-transactions" each party gives the counterparty another transaction that builds on the previous exit transaction by spending the party's output to the counterparty if the old "exit-transaction" were broadcast to the network" – Luca Matteis Jul 05 '17 at 22:24
  • The third party wouldn't need to know the transaction itself, just their hashes so that it can watch the blockchain for you. They can't commit, only watch and notify. Anyways, LN doesn't require these third parties, it only requires that someone (either yourself or someone on your behalf) is watching the blockchain to ensure that you aren't being defrauded. – Andrew Chow Jul 05 '17 at 22:24
  • It still seems weird that a user could do a LN transaction, go offline for more than the channel's lifetime, and come back with the risk of losing that LN tx as the other party proceeded to overwrite it with a past transaction (and the locktime is over). The user that went offline might still have a transaction to get his money back I think, in case this happens after the channel's lifetime. – Luca Matteis Jul 05 '17 at 22:28
  • The current LN specification has no option for a user to go offline. You just are not allowed to have open channels and be offline at the same time because you can lose your money. LN does not allow users to go offline, and so far, there is no way around that. – Andrew Chow Jul 05 '17 at 23:02