Make orphan processing interruptible (p2p)

Jul 22, 2020

https://github.com/bitcoin/bitcoin/pull/15644

Host: narula - PR author: sipa

The PR branch HEAD was 866c805 at the time of this review club meeting.

Notes

PR 15644 was merged over a year ago. It changes the way a node looks through its orphan set to figure out if orphans can now be processed and added to the mempool.
A transaction is an orphan if we’re missing one or more of its inputs (we refer to the transactions that create the transaction outputs spent by the orphan as parent transactions). This might be a valid transaction, but we don’t know yet. We have to be careful with orphan management because orphans cannot be validated.
Orphans are stored in a map called mapOrphanTransactions by their txid. We limit the number of orphan transactions to -maxorphantx which is by default 100.

Questions

Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK? You’re always encouraged to put your PR review on GitHub, even after it has been merged.
Why might we want a node to keep track of orphans at all? What does this help with?
Look at the way orphans are added to the orphan maps and how orphans are re-evaluated when we accept new transactions to the mempool. What happens when a node receives a transaction where it has not seen the transaction’s inputs?
Observe that mapOrphanTransactionsByPrev is a map of outpoints to a set of iterators over the orphan transactions map. Why do you think it’s written the way it is, instead of storing, say, orphan txids?
Can you think of a problem with the pre-PR version of the code? What is it and how does the PR fix it? Hint: look at what we are iterating over when processing orphans pre- and post- PR.
How might the adoption of something like SIGHASH_NOINPUT affect orphan processing?

Meeting Log

17:00

<jnewbery> #startmeeting

17:00

<jnewbery> hi everyone!

17:00

<emzy> hi

17:00

<troygiorshev> hi

17:00

<willcl_ark> hi

17:00

<nehan> hi everyone!

17:00

<swapna> hi eveyone!

17:00

<michaelfolkson> hi

17:00

<ariard> hi

17:00

<felixweis> hiu

17:00

<lightlike> hi

17:00

<theStack> hi

17:00

<factoid> hi

17:00

<gzhao408> hi!

17:00

<adiabat> hi

17:00

<nehan> thanks for joining today. notes and questions here: https://bitcoincore.reviews/15644.html

17:01

<ajonas> hi

17:01

<amiti> hi

17:01

<nehan> reminder, feel free to ask ANY questions. and let us know if this is your first time at review club!

17:01

<nehan> today we're going to talk about orphan processing. who's had a chance to review the pr? (y/n)

17:01

<amiti> y

17:01

<adiabat> y

17:02

<willcl_ark> y

17:02

<troygiorshev> y

17:02

<theStack> n

17:02

<felixweis> n

17:02

<jnewbery> y

17:02

<lightlike> y

17:02

<emzy> y/n

17:02

<michaelfolkson> y

17:02

<swapna> n

17:02

<gzhao408> y

17:02

<factoid> y

17:03

<nehan> ok. so as stated in the notes, an orphan transaction is one where we are missing one or more of its inputs

17:03

<pinheadmz> hi

17:03

<nehan> first question: Why might we want a node to keep track of orphans at all? What does this help with?

17:03

<nehan> one could imagine just dropping transactions if we can't validate them immediately

17:04

<adiabat> It seems like if you don't, you still have to keep track of the fact that you saw it, and not request it again

17:04

<willcl_ark> if we already have the orphan then as soon as we have the parent we can validate immediately without needing to receive/request again

17:04

<adiabat> but if you only keep track of "this is bad/invalid" then when it's no longer an orphan you won't get it until it's in a block

17:04

<emzy> could be that the order they arive are different. So the missing input will arive later.

17:04

<michaelfolkson> Though it is removed after 20 mins. Is that right? Seems short time

17:05

<nehan> good points. adiabat: given that the orphan map is limited in size, we cannot guarantee we will never request something again

17:05

<adiabat> would a different strategy be to hang up on or ban nodes that give you an orphan tx? Are there problems or DoS attacks with doing that?

17:06

<amiti> also helps enable CPFP (child pays for parent). if the mempool conditions means the parent isn't accepted, the child would need to be accepted first in order to include both into a block

17:06

<jnewbery> adiabat: we can only add txs to 'recent rejects' if we know that they're definitely invalid. Otherwise, there are tx censorship attacks

17:06

<gzhao408> seems reasonable to only keep for a short period of time, I'm imagining the case where they're both relayed and you just happen to receive the child first

17:06

<nehan> adiabat: good question! what do people think?

17:06

<ariard> well the sending node may not be the one responsible for the tx being an orphan at reception, parent might have been replaced

17:06

<nehan> i think that would be a bad idea, especially on startup, when your mempool is empty and you might receive transactions out of order

17:06

<factoid> ariard +1

17:07

<jnewbery> nehan: +1. Orphans are most common at startup or when making new connections

17:07

<sipa> orphan transactions are not a sign of misbehavior; they arise naturally due to variations in network connections

17:07

<adiabat> it does seem to put a lot of responsibility on the sending node, they'd need to make sure to send all invs in order

17:07

<nehan> and a sending node just doesn't know what its peer has seen/not seen

17:07

<ariard> they do send inv in topology-order in SendMessages IIRC

17:07

<nehan> unless it sent it itself!

17:07

<sipa> and the sending node cannot know if perpahs they already gave you the parent, but you replaced it!

17:07

<nehan> or that ^

17:07

<nehan> ok let's move on to how orphans are handled

17:08

<amiti> also a node might request a parent from one peer, child from another & the child is delivered first. doesn't seem like a fault of the peer that delivered!

17:08

<nehan> what happens regarding orphans when we accept a new transaction to the mempool?

17:08

<jnewbery> adiabat: that is indeed what we do: https://github.com/bitcoin/bitcoin/blob/2c0c3f8e8ca6c64234b1861583f55da2bb385446/src/net_processing.cpp#L4203-L4206

17:08

<lightlike> also, if we just discarded the orphans, we might request and discard them again multiple times from different peers even before getting a parent, which seems ineffective.

17:08

<gzhao408> a clarification question: how sure are we that an orphan is a valid orphan as opposed to invalid? what validation has it passed before it's called a TX_MISSING_INPUTS?

17:09

<sipa> jnewbery, adiabat: but all we can do is _announce_ in topology order; it doesn't guarantee that things are requested/received in the same order when multiple nodes are involved (as amiti points out)

17:09

<sipa> gzhao408: none

17:09

<sipa> syntactic validity

17:09

<ariard> gzhao408: every check in PreChecks before hitting TX_MISSING_INPUTS, like transaction standard size or nLocktime finality

17:09

<pinheadmz> nehan when a tx is accpted ot mempool we check it against the map of known orphans

17:09

<pinheadmz> to see if it resolves anything

17:10

<adiabat> maybe make a new type of INV message that has clumps, like these 4 txids should be requested at once (this is probably a bad idea; just making stuff up :) )

17:10

<pinheadmz> with this PR, IIUC, we only resolve one orphan at a time

17:10

<ariard> requesting/reception might be biased by your connection type and sending nodes shouldn't make assumptions on receiving peer topology

17:10

<sipa> adiabat: there is a very long term plan for that, it's called package relay, but it's nontrivial

17:11

<nehan> pinheadmz: yes!

17:11

<sipa> adiabat: and it's indeed probably the only complete solution to orphan processing and a number of other issues

17:11

<jnewbery> adiabat: we're getting a bit off-topic, but the idea you're referring to is called 'package relay'

17:11

<factoid> gzhao408 sipa ariard, it's the case, isn't it, that we can be certain a transaction is invalid, we can't be certain it is valid -- right?

17:11

<michaelfolkson> It depends how "expensive" certain operations are. Rejecting it and then requesting the orphan transaction again has to be compared to storing and retrieving from memory

17:11

<pinheadmz> factoid somethings maybe like MAXMONEY etc

17:11

<pinheadmz> but most TX checks require context (utxo set)

17:11

<adiabat> sipa, jnewbery: oh cool that it isn't inherenly a bad idea but yes sounds complicated & getting of topic, thanks

17:11

<nehan> what happens if the orphan we are checking is now accepted to the mempool?

17:12

<nehan> (it has been un-orphaned)

17:12

<willcl_ark> it waits for a parent to arrive which validates it

17:12

<ariard> factoid: validity might change due to order of transaction reception or your block tip, but once it's a valid one it should be guaranteed to stay so

17:12

<nehan> willcl_ark: not exactly. that's what just happened (a parent arrived that enabled us to validate it; it was valid; we put it in the mempool)

17:13

<pinheadmz> nehan do we check the orphanmap again for more decesndants?

17:13

<ariard> adiabat: fyi https://bitcoincore.reviews/15644.html

17:13

<nehan> pinheadmz: yes! this newly unorphaned transaction might be a parent to _other_ orphan transactions!

17:13

<ariard> pinheadmz: yes we do recursively call ProcessOprhanTx IIRC

17:13

<amiti> pinheadmz: +1

17:14

<factoid> uh oh >:)

17:14

<factoid> the harbinger to resource exhaustion?

17:14

<nehan> yeah so we see that we need to be careful here.

17:15

<nehan> what happens when a node receives a transaction and it hasn't seen one or more of the transaction's inputs?

17:15

<nehan> (basically, how do orphans get processed and saved)

17:16

<michaelfolkson> Stored in mapOrphanTransactions

100

17:16

<jnewbery> nehan: we add them to a global map, but there are also a few other data structures involved

101

17:17

<nehan> michaelfolkson: jnewbery: yep

102

17:17

<pinheadmz> and the map is limited to size of 100

103

17:18

<sipa> and each orphan is limited in size

104

17:18

<nehan> https://github.com/bitcoin/bitcoin/blob/master/src/net_processing.cpp#L916

105

17:19

<pinheadmz> sipa ah didnt know - so if a tx is too big we wont even store it in the map?

106

17:19

<nehan> that is done in AddOrphanTx. it ignores large orphans. the other important datastructure is mapOrphanTransactionsByPrev. how does that work?

107

17:19

<pinheadmz> just a lost cause

108

17:19

<pinheadmz> 100k is pretty fair i guess

109

17:19

<nehan> pinheadmz: we could process it again once we get its parents

110

17:20

<michaelfolkson> But removed at random rather than by lowest fee when full and also removed after 20 minutes. Was unsure why

111

17:20

<michaelfolkson> 20 minutes by default, obviously can change that if you want

112

17:20

<sipa> orphan transactions are primarily just a way to resolve things that are sent out of order

113

17:21

<sipa> usually, when they happen, they resolve immediately

114

17:21

<pinheadmz> nehan mapOrphanTransactionsByPrev is used to match new incoming TX with orphans it resolves

115

17:21

<sipa> (as we request the parent)

116

17:21

<nehan> i *think* that saving orphans is not required for correct operation. it's an optimization.

117

17:21

<nehan> someone should check me on that

118

17:21

<pinheadmz> nehan the reason a tx is orhpaned is bc we dont know the coins (prevs) its spending - so when a tx comes in that creates those prevs, we can find the orphan and REUNITE THE FAMILY

119

17:21

<sipa> nehan: well that depends on how you define correct operation; ignoring every tx announcement is arguably equally correct

120

17:22

<adiabat> yeah blocksonly works fine, as long as not everyone does that

121

17:22

<nehan> sipa: so it would require some other way to hear about invs again

122

17:22

<jnewbery> nehan: you're correct. We don't make any guarantees with orphans. They do help you get a better view of the mempool more quickly, and they may help with compact block relay

123

17:22

<sipa> nehan: but sure, orphan processing is a best effort, and its primary motivation is making sure compact block reconstruction doesn't need a roundtrip because of a just-missed out of order relay

124

17:22

<nehan> anyone want to answer the mapOrphanTransactionsByPrev question? Why is it a map of iterators?

125

17:23

<sipa> iterators are smaller than uint256s

126

17:23

<sipa> (8 vs 32 bytes)

127

17:23

<aj> nehan: (map of sets of iterators)

128

17:23

<nehan> sipa: yes. iterators are 8 bytes (on my platform) vs 32

129

17:24

<factoid> If we don't know the the market is for transactions bidding into blocks, they other fee estimations will break -- so that's important to make sure orphans are represent in those stats

130

17:24

<amiti> nehan: mapOrphanTransactionsByPrev is a map of outpoint -> to iterators, so it can point to the relevant entries on the orphan list. I thought for quicker access

131

17:24

<nehan> amiti: yes that is also true! it saves you a lookup into mapOrphanTransactions. but that is limited in size to 100 so imho that's not necessarily worth optimizing

132

17:25

<amiti> yeah fair

133

17:25

<jnewbery> if it were txids, we'd just be using those txids to index into mapOrphanTransactions, so we just store the iterators

134

17:25

<nehan> aj: yes good point

135

17:25

<sipa> the point of having the byPrev map is to quickly find potential dependent orphans that can get reprocessed, without needing to walk the entire set

136

17:25

<ariard> factoid: I think orphans aren't processed by fee estimator as we can't' know their validity and otherwise that would be a vector to manipulate your feerate

137

17:26

<sipa> it being a map of iterators is both a size savings, and also avoids another lookup in the primary map (compared to it storing a uint256)

138

17:27

<nehan> there are a couple of other interesting things to point out: if we receive an orphan from a peer, that peer is the best one to ask about the parents. cause it shouldn't be relaying a txn if it can't validate it!

139

17:27

<jnewbery> important to note: mapOrphanTransactions is a std::map, so inserting or erasing elements doesn't invalidate iterators into the map (except an iterator to the erased element)

140

17:28

<factoid> ariard ah yeah -- I suppose I meant if we have a delayed (maybe it's negligible amount of time) processing of a txn from orphan to valid, that'll delay a node's view of what the block-space market might be

141

17:28

<nehan> jnewbery: good point

142

17:28

<sipa> ariard: damn, i just realized you've responding to the nickname factoid here, instead of just dropping random factoids

143

17:29

<factoid> ok fixed

144

17:29

<factoid> oops

145

17:29

<factoid> maybe now

146

17:29

<nehan> now the fun part. Can you think of a problem with the pre-PR version of the code? What is it and how does the PR fix it?

147

17:29

<sipa> factoid: nothing to fix, i was just confused :)

148

17:29

<ariard> sipa: ah googling factoid :)

149

17:30

<pinheadmz> nehan well i suppose another peer could be realyign the missing parent?

150

17:30

151

17:30

<pinheadmz> but becuase we stick with the loop before moving on to the next peer's cue, we could be wasting time

152

17:31

<nehan> there's something really bad with the pre-PR code

153

17:31

<nehan> it helps to take a look at what the pre-PR code is iterating over vs the post-PR code

154

17:31

<pinheadmz> the workQueue

155

17:32

<pinheadmz> ooh i see something that adds an element back to the queue

156

17:32

<nehan> yes. there is a workQueue, and what type is in the workqueue?

157

17:32

<factoid> an attacker can tie up our node processing orphan decendents by stacking a big list of orphaned transaction?

158

17:32

<pinheadmz> std::deque<COutPoint>

159

17:32

<theStack> so basically a denial of service attack was possible?

160

17:33

<nehan> pinheadmz: yes! we are iterating over outpoints. each of these outpoints *might* be an input to an orphaned transaction. in fact, it could be an input to MULTIPLE orphan transactions...

161

17:33

<nehan> factoid: sort of!

162

17:33

<emzy> I also think it is a anti DOS fix.

163

17:33

<factoid> I was thinking the attack would be something like: create transaction{A..ZZZ}, send over transaction{B..ZZZ}, then send transaction{A} force node to iterate through the rest of the set

164

17:34

<nehan> and multiple outpoints might be consumed by the same orphan

165

17:34

<nehan> does anyone know the limit on # of inputs for a valid transaction?

166

17:35

<pinheadmz> heh, 0xffffff ?

167

17:35

<emzy> I think there is none.

168

17:35

<theStack> in practice it's only limited by the total size i guess?

169

17:35

<felixweis> ~ 2700 in pracise

170

17:35

<sipa> an input is at least 41 vbytes

171

17:35

<nehan> emzy: theStack: yes! i think it's in the thousands

172

17:35

<pinheadmz> oops ffffff would be max output count i guess

173

17:35

<troygiorshev> felixweis: i think you missed a 0

174

17:36

<sipa> (well, 41 non-witness bytes)

175

17:36

<felixweis> ok ~ 2400

176

17:36

<pinheadmz> ah so even though the map is limited to 100, if all 100 of those txs have max # inputs, it can really hurt

177

17:36

<nehan> each orphan could be as large as 100KB

178

17:37

<nehan> but it's even worse than that!

179

17:37

<nehan> in the pre-PR code, how many times might a single orphan be considered?

180

17:37

<aj> pinheadmz: you mean ffffffff (8 f's, not 6) right?

181

17:37

<pinheadmz> aj ty.

182

17:39

<pinheadmz> nehan as many times as its input count ? per incoming potential parent

183

17:39

<factoid> nehan (N^2-n)/2?

184

17:39

<amiti> before the pr, the same orphan could be considered again for each output of a txn. so ~3000 times I believe?

185

17:39

<nehan> hint: we're iterating over outputs. an orphan might refer to many of the outputs in the workQueue, but maybe when we consider it (for a single output) it still has unknown inputs

186

17:39

<nehan> factoid: what's N and n?

187

17:39

<factoid> sorry both lowercase

188

17:39

<factoid> n = 100 or whatever our limit is

189

17:40

<pinheadmz> so an orphan can have as many missing parents as it has inputs

190

17:40

<nehan> amiti: right! an orphan might be considered # of output times in the loop! and there could be thousands of outputs...

191

17:41

<pinheadmz> so for each output in work q we checked each input of each orphan

192

17:41

<pinheadmz> oh no not quite bc there is amap

193

17:41

<nehan> pinheadmz: close! we check each orphan that refers to this output

194

17:41

<nehan> so an attacker could set up some transactions that are very bad

195

17:43

<nehan> she could make 100 100KB orphans with, let's say, k+1 inputs where k is in the thousands (I don't know the exact number but if someone does feel free to chime in). Let's say k=2000

196

17:43

<nehan> as a node, i'd receive those orphans and happily put them in my orphan map. note that this doesn't cost the attacker anything other than the bandwidth of sending those out

197

17:44

<nehan> all those orphans take the same k inputs plus one input which is different for each orphan

198

17:45

<nehan> then, the attacker crafts a transaction that will be accepted to the mempool and triggers the work of looking in the orphan map

199

17:45

<thomasb06> https://bitcoin.stackexchange.com/questions/85752/maximum-number-of-inputs-per-transaction

200

17:45

<nehan> thomasb06: thanks!

201

17:45

<thomasb06> ;p

202

17:46

<nehan> that exact number doesn't matter as much for this attack as long as it's greater than the number of max outputs

203

17:47

<pinheadmz> nehan why the k+1 scheme?

204

17:47

<nehan> let's say the special attacker transaction has k outputs, which are referenced by every orphan in the orphan map

205

17:47

<nehan> what happens?

206

17:47

<michaelfolkson> "The maximum number of inputs that can fit in a valid transaction is 27022."

207

17:47

<pinheadmz> why couldnt all the orphns just have 2000 totally random prevs ?

208

17:47

<nehan> pinheadmz: we're trying to craft a resource-intensive attack

209

17:47

<felixweis> this feels off by an order of magnitue

210

17:48

<nehan> pinheadmz: we want to make the node process all the orphans. if it's a random prev, then the special transaction won't match any orphans in the orphan map

211

17:48

<sipa> felixweis: validity vs standardness

212

17:48

<pinheadmz> i see

213

17:48

<troygiorshev> felixweis: it's a very contrived example. no security or anything

214

17:48

<felixweis> oh if its a mined block. not having to adhere to isStandard()

215

17:48

<pinheadmz> do we call acceptToMemoryPool on every single input match?

216

17:48

<nehan> felixweis: yeah i'm not trying to get my attack transactions mined in a block, just accepted to the mempool! important note, thanks

217

17:49

<pinheadmz> so an orphan with 1000 inputs. a single parent comes in. we call ATMP(orphan) which fails bc the other 999 are still missing... ?

218

17:50

<nehan> i actually wrote a test to conduct this attack here, it might be easier to look at that: https://github.com/narula/bitcoin/blob/pr15644test/test/functional/p2p_orphan.py#L69

219

17:50

<nehan> * wrote with amiti!

220

17:50

<michaelfolkson> Oh wow

221

17:50

<amiti> :)

222

17:50

<emzy> Hacker ;)

223

17:51

<gzhao408> but now we also don't consider orphans bigger than MAX_STANDARD_TX_WEIGHT right?

224

17:51

<gzhao408> oh or this is still within that restriction

225

17:51

<nehan> the key thing to notice is that the pre-PR version of the code did two things: 1) it looped through all the outputs and orphans without stopping and 2) it would potentially process one orphan many times

226

17:52

<gzhao408> ok yeah sorry, kinda off topic :sweat_smile:

227

17:53

<nehan> gzhao408: not at all! you are right it checks that before adding something to the orphan map: https://github.com/bitcoin/bitcoin/blob/master/src/net_processing.cpp#L930

228

17:54

<pinheadmz> when you say loop thgouh all the orphans, you mean as a result of mapOrphanTransactionsByPrev.find() ?

229

17:54

<nehan> ok so in the worst case, an attacker could make a node process 100*100KB*orphans*k amount of data. if k=2000, that's 20 GB!!!

230

17:55

<nehan> oops 100 orphans * 100 KB max orphan size * k outpoints

231

17:55

<pinheadmz> while (!vWorkQueue.empty()) I understand loops through all the new outputs generated by valid incoming (potential) parents right?

232

17:56

<nehan> pinheadmz: yes! that lookup might return every orphan in the orphan map: https://github.com/bitcoin/bitcoin/pull/15644/commits/9453018fdc8f02d42832374bcf1d6e3a1df02281#diff-eff7adeaec73a769788bb78858815c91L2388

233

17:56

<michaelfolkson> This test will be opened as a separate PR to Core to check that orphan processing is actually interruptible right?

234

17:56

<pinheadmz> ohhhhhhh light bulb! thank you

235

17:56

<nehan> pinheadmz: answering your previous question about mapOrphanTransactionByPrev.find()

236

17:56

<lightlike> how long would that take in the worst case? Is that the runtime of the test you linked?

237

17:56

<jnewbery> and the attack is almost free for the attacker. They have to provide 10MB of transactions, but apart from the parent, none of those need to actually be valid, so they don't cost anything

238

17:57

<michaelfolkson> Plus we should chat NOINPUT/ANYPREVOUT. aj is here ;)

239

17:57

<nehan> lightlike: the test case hung for a long time and crashed, so i'm not sure how long it takes! good question!

240

17:58

<pinheadmz> so, sipa -- was this PR a stealthy fix?

241

17:58

<nehan> oh right shoot. last question: how is orphan processing affected by SIGHASH_NOINPUT / etc?

242

17:58

<nehan> michaelfolkson: thank you!

243

17:59

<michaelfolkson> We can expect there to be many more orphans right? And delays in processing "justice transactions" with eltoo will be problematic for Lightning

244

17:59

<ariard> in fact that's just a sighash flag so tx parent can be fulfilled by initial sender to favor propagation

245

17:59

<nehan> i don't totally know the answer to this question, except that it's helpful right now that you can't create an orphan without first creating its parent. SIGHASH_NOINPUT changes that.

246

17:59

<jnewbery> mapOrphanTransactionsByPrev is no longer enough, since a SIGHASH_NOPREVOUT input doesn't refer to a single outpoint

247

17:59

<pinheadmz> nehan oh dang hadn't thought of this - do we actually need to check all the scripts? I would think that sighashnoinput just shouldnt be allowed to be an orphan

248

17:59

<ariard> michaelfolkson: not only justice txn almost all LN txn are time-sensitive

249

17:59

<sipa> nehan: i don't see how that is related

250

17:59

<sipa> you still need the parent to construct the tx

251

17:59

<sipa> you don't need the parent to construct a signature

252

18:00

<sipa> but does that change anything materially?

253

18:00

<nehan> sipa: i might be getting this wrong. but the orphan tx doesn't necessarily commit to one parent

254

18:00

<jnewbery> ⏰

255

18:00

<ariard> nehan: I think you're blurring p2p relay and script validation here

256

18:00

<nehan> er, one output. it could be satisfied by many outputs!

257

18:00

<pinheadmz> oh the sig doesnt cover the txid of the coin being spent

258

18:00

<pinheadmz> but it is still there in teh tx message

259

18:00

<ariard> your noinput tx can still include an outpoint at tx-relay

260

18:00

<nehan> ok wrapping up. but feel free to continue the conversation here, i woudl love to understand the last question better

261

18:00

<sipa> nehan: a tx's input still refers to explicit txids being spent from

262

18:00

<michaelfolkson> Indeed ariard. Assuming CLTVs aren't really high right? If they are non-justice transactions aren't time pressured

263

18:01

<nehan> thanks everyone!

264

18:01

<troygiorshev> thanks nehan!

265

18:01

<pinheadmz> 👏👏👏

266

18:01

<theStack> thanks to nehan and everyone

267

18:01

<factoid> thanks nehan

268

18:01

<thomasb06> thanks

269

18:01

<lightlike> thanks!

270

18:01

<emzy> Thanks nehan and everyone else. I learned much!

271

18:01

<ariard> michaelfolkson: would say no, with current deployed timelocks it's easier to target CLTV ones than justice CSV ones

272

18:02

<felixweis> thanks

273

18:02

<jnewbery> ariard sipa: ah you're right. The tx does still refer to the outpoint. It's just the sighash that changes. Sorry nehan - I got myself confused when we talked about this earlier.

274

18:02

<jnewbery> thanks for hosting nehan. Great meeting!

275

18:02

<michaelfolkson> Interesting... can you explain why ariard?

276

18:02

<nehan> jnewbery: np! helpful to understand this better

277

18:02

<michaelfolkson> Thanks nehan!

278

18:03

<nehan> so nothing would need to change because the orphan still refers to a referrable parent?

279

18:03

<sipa> yes

280

18:03

<ariard> michaelfolkson: https://arxiv.org/pdf/2006.01418.pdf, look on 4.5 A3, that's lowest timelock and that's a CLTV one

281

18:04

<ariard> nehan: yes tx refers to a parent but the sigs in its witness doesn't commit to this parent

282

18:04

<nehan> right, ty. so the transaction could be malleated to refer to invalid inputs, making it an orphan?

283

18:04

<pinheadmz> sipa is there a stealthy security story around this PR? since the attack is so cheap? The PR description isnt too explicit in this sense

284

18:04

<ariard> but matt as some kind of blind package relay proposal which would reintroduce this issue

285

18:04

<sipa> pinheadmz: i'd rather not comment at this point

286

18:05

<pinheadmz> ok

287

18:05

<jnewbery> oh, if anyone is in the mood for more orphan handling code, there's a small PR here: https://github.com/bitcoin/bitcoin/pull/19498 which fixes up some of the loose ends from this PR.

288

18:05

<ariard> nehan: depends by whom, an infrastructure attacker yes, but why a honest relay node would do this??

289

18:06

<ariard> and it shouldn't be pinned in recentRejects, malleating inputs change txid ofc

290

18:08

<emzy> Is this only an optimation? chnaging -maxorphantx to a very low number (3) would not hurt the network?

291

18:09

<emzy> The whole caching of orphans

292

18:09

<sipa> it'd potentially affect block propagation

293

18:10

<emzy> Is it not only relevant for the mempool?

294

18:10

<sipa> compact block reconstruction depends on having the block's transactions ahead of time

295

18:10

<sipa> in the mempool, or "extra pool" (which is indirectly populated by orphans too)

296

18:10

<emzy> Ok. I see.

297

18:11

<emzy> can result in slower block propagation

298

18:11

<emzy> tnx

299

18:12

<sipa> and it's really an all or nothing thing- to get the best propagation speed, a node needs to have _all_ the transactions

300

18:12

<sipa> otherwise an additional roundtrip is needed

301

18:12

<emzy> but how could be an orphan included in a block?

302

18:13

<sipa> because the miner has the parent, and you don't

303

18:13

<emzy> ok but then you need the additional roundtrip anyway

304

18:14

<sipa> i think you're confused, but i don't know about what :)

305

18:14

<aj> nehan: SIGHASH_NOINPUT doesn't matter for orphan processing -- you don't look at validating the sigs until you've got all the parents. what it means is you could take a tx with a parent [txid,n] and change it to a different parent [txid',n'] while keeping the same sig, but that would produce a different transaction with different txid and wtxid, and it may not even be a doublespend at that

306

18:14

<aj> point, so it's really just another tx

307

18:15

<emzy> sipa: ok. I will try to figure it out myself. Good for lerning :)

308

18:15

<sipa> emzy: the orphan pool helps with tx propagation- without out, we'll just miss certain transactions for slightly longer

309

18:15

<sipa> missing a transaction is bad if it is included in a block, because that means an additional roundtrip at _block propagation_ time