BUIP004 (passed A1): RBF/double spending support

Inca

Moderator
Staff member
Aug 28, 2015
517
1,679
BUIP004:
Date submitted: 31/12/2015
Proposer: Pete Waterland

Background:
From the Articles of Federation IV: "Since 0-confirmation transactions are practically useful for people, we encourage innovations that enhance their security without undermining other key properties of the Bitcoin network"

When you send a bitcoin transaction it enters the network via a bitcoin node and propagates network wide remaining stored within the memory pool of each node until it is either included in a mined block or drops of the network. During this time the transaction is unconfirmed and not written to the blockchain and thus is less secure than a transaction which has being mined into a block, which is in turn less secure than a transaction which has one or n more blocks mined above it in the chain.

Since blocks are mined approximately every ten minutes waiting for transactions to be confirmed into the blockchain - although highly secure - is not practical for low value transactions where the customer / merchant would prefer not to delay. These instant transactions are called 0-confirmation transactions and rely upon a) a transaction being rapidly propagated across the network and b) node behaviour to prevent a second transaction with identical unspent outputs attempting to 'double spend' the same funds to another address and defraud the merchant.

Double spends are prevented by a mechanism called the 'first seen rule' which is where given two transactions from identical unspent outputs appearing on the network simultaneously only the first transaction to reach a given node is stored in that memory pool and relayed to other nodes. The second transaction is ignored. It is therefore a race between these two transactions to propagate across the network and which ever is mined into a block first wins. Technically then it is possible to perform a double spend on the bitcoin network if a merchant accepts 0-confirmation transactions though in practice simply by monitoring the network for attempted double spending this risk can be managed and is entirely acceptable for low value transactions and has been since bitcoin's inception.

RBF:

Unfortunately recently the Core reference client merged something called replace-by-fee (RBF) which will be shipped as an opt-in setting from the next release. RBF is where the first seen rule is altered such that if a node sees a second transaction with the same unspent outputs as one previously in the memory pool, instead of discarding it as fraudulent as before, if it has a higher fee than the first it replaces that transaction in the pool and is relayed onwards. This controversial change therefore allows double spending of transactions whilst they are unconfirmed (not written to a block). It is opt-in which means that transactions that wish to allow this behaviour are flagged as being potentially double spendable and can be identified as such by a relay node.

Reasons why this may be useful are to allow a 'stuck' transaction to be returned to a users wallet, or increase the priority of a transaction during periods of congestion, or to steal from a merchant.

Core will implement opt-in full RBF. Other variants include: first seen safe (FSS) RBF where a transaction may be replaced by another with a higher fee but only if the transaction outputs are the same, and scorched earth RBF.

Proposal:

1. vote amongst members regarding which of the following options we should offer in BU.

A 1) Keep 'first seen rule', not support RBF, ignore transactions flagged as opt-in RBF
0-conf is important to the ecosystem and is safe. Allowing double spending goes against the ethos of bitcoin and the original vision by Satoshi. We should actively oppose its implementation and not relay transactions which try to do this.

A 2) same as A 1 but relay opt-in-RBF transactions


B) Keep 'first seen rule' but allow user configurable setting which offers choice of: No RBF or FSS RBF
If we expect full blocks and network congestion then allowing users to 'unstick' their transactions by raising the fees should be supported by BU nodes. It does not allow fraudulent double spending like full RBF and therefore is both giving a choice to the user and keeping 0-conf safe.

C) Give user configurable behaviour to either enable or disable RBF. With enabled options of: opt-in RBF, FSS-RBF or full RBF.
With default setting to disabled and a warning if enabled.

Suggestion:

This is a highly contentious area where I personally disagree strongly with how Core has chosen to move forward and I suspect their next release will move opt-in RBF to full RBF.
My personal view is that we should strongly support the continued safety of 0-conf transactions where possible and I would prefer option A 1 or at a push B.

EDIT: removed the breaking consensus line for A 2 as Rocks quite rightly pointed out it does not actually break consensus or alter block behaviour

EDIT2: this probably needs to be stickied. @Bloomie do you have the power? :)
 
Last edited:

Zangelbert Bingledack

Well-Known Member
Aug 29, 2015
1,485
5,585
Nice. Will likely vote yes.

Preliminary comments:

I would I likely vote for A 1 or A 2 (with as many options as possible).

Note that I intend to vote for or propose B as a design goal if it sees any popular use in Core or other clients (but with default off and stern warnings about the problems with RBF).

Reasoning:

I also strongly support the continued safety of 0-conf transactions. I find RBF to be an unnecessarily harmful "feature" that seems to be adopted under suspicious circumstances by the Core variant of Bitcoin.

However, I am likewise unwilling to condone Core's practices of babying the user and trying to shape consensus using the clout of the BU platform. I don't feel anyone should be using the "convenience barrier" of the difficulty of user modification of the software as a truncheon with which to attempt to enforce good behavior, and I believe the whole approach of BU inherently contradicts the notion that such a truncheon would be effective against popular user support anyway. Such an approach is everything I feel is problematic about Core.

Under B (and partly A 2) a user can do the same as under A 1, but they are not limited to it. This *unlimited*, laissez-faire approach of neutrality comports best with the BU message, especially at this sensitive time. Taking a paternalistic stance that "BU knows best for you," even should it be desirable, is more than sufficiently achievable by having the setting off by default and warning the user sternly (even better: have countermeasures/defenses against RBF as additional options).

Deliberately denying users a feature they desire can only backfire, both in loss of users and negative PR undermining the entire premise of BU's superiority. Policy should not be set by engineers or steering committees, but by users. A fair-weather impartiality would immediately show BU as not serious about impartiality.

Nevertheless, practicality indeed demands that the implementation of such an option be deprioritized unless substantially popular. Until such popularity is reached, the deliberate non-inclusion of the feature functions not as paternalism but as an indicator of BU philosophy and is benign and I think beneficial for attracting users as @rocks has suggested.
 
Last edited:
(Am I allowed to vote yet?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I vote yes to Pete Waterland's BUIP 004. We should have a poll to decide what we will offer in Bitcoin Unlimited with regards to RBF and 0-confirmation transactions.

In this poll, I will likely favor whichever option maximizes the users' choice while having the safest setting as the default.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWhLB/AAoJEHN9+j2LWHie8OUH/3/52wlo+A9QbZ/XoCXix0kU
2I6JYW59sBqlwOwHuiW9xtneRWVXo4F5K14hAeUvx0dqaZ2EgQwYcE/scOOgkcBP
iOcbqynatnqNbsW1WO4D2iT6+kh2TB9/SU+bxwoFn4OZhX2erBBugdCvU/AQRhvv
8EqFvpL4EcDSt8olJtOFadnLA8PEMQmYH/Jm9D80pCyXObdiVWPeFbUTb6Yw6GLS
fNFv+mlAVs3z9fBwDNI52h9seCtDap60+gc22iCQ4WvDv+140Thdf5GybkHI4+CN
44+lmsXsGRR3Ke3wVw2xkSLvlj0ubZLQ85ajBCa8BmA/q4YggJzPwaPlG8aGLes=
=+2tn
-----END PGP SIGNATURE-----
 

rocks

Active Member
Sep 24, 2015
586
2,284
Great BUIP write up on the RBF proposal.

One comment regarding A2 though, option A does not break consensus with the blockstream client. Even if a node does not support RBF, if a later RBF transaction is the transaction that is included in a block, then that RBF transaction becomes the accepted transaction. Today's current behavior (which is the behavior we've always had) is that block confirmations trump first-seen-safe.

So I think you can remove the comment "Prevents BU breaking consensus with Core." from A2, since A1 does not break consensus with core.

Instead A1 simply does not support RBF by broadcasting RBF transactions. But it will still follow the same block confirmation consensus rules.
 

Aquent

Active Member
Aug 19, 2015
252
667
My vote is for A. As for whether A1 or A2 I think I'll leave that to better judgment so I'd encourage an elaboration on the practical effects of relaying or not relaying an rbf and how that affects the merchant who (unwisely) uses a blockstream client.

If the vote results narrow down to between A1 or A2 with the other options dismissed, then my vote can be counted towards the higher voted option if I do not elect the right to specify between the two after further discussion.

My reason for going with A and not any configurable option is because I am mindful that dev's time is necessarily limited and I would rather it is used towards higher priority matters, such as perhaps making the double spending alert system a configurable option. My vote therefore should not be taken as making a statement on whether features we do not like should nonetheless, on principle, be configurable, or otherwise, as I am undecided on this matter.
 
Last edited:

freetrader

Moderator
Staff member
Dec 16, 2015
2,806
6,088
Count me in for A1.
(signed vote can be submitted when solicited).

I think the purported benefits of RBF are entirely unnecessary at this stage, and the cost of breaking trust in 0-conf at this stage outweigh them completely.

At this stage RBF is a solution looking for a problem, at best.
 

theZerg

Moderator
Staff member
Aug 28, 2015
1,012
2,327
Please no votes. Voting is not open and these will be ignored. We can't ask the secretary to page thru weeks of discussion to find the votes.

2 questions:

1. how does RBF benefit LN?

2. How should we deal with a BUIP with options? We either eliminate the options during discussion and finally vote on one, or we could have a vote for your favorite and then bring that option to a final vote (probably simultaneously).
 
1. RBF can assist the development of the "fee market", which pushes lower value transactions into off-chain channels.

2. The way I interpreted this BUIP, the proposal itself is that we conduct a vote. If we vote to approve the BUIP, we would then vote among the options. It's up to the BUIP to define the voting protocol.
 

Inca

Moderator
Staff member
Aug 28, 2015
517
1,679
In answer to your questions @theZerg :

1 - I don't think RBF is strictly necessary for LN. A nice short primer for LN is found here.

But with a functioning fee market in a congested network predicting appropriate transaction fees for opening / closing channels is probably inexact science. For example a time locked transaction for say 30 days in the future.

Quoting Adam Back about LN, "Fees being insufficient is a problem for direct bitcoin transactions also. That can be addressed in the same way, fee estimation and increasing fees via RBF or CPFP. "

So it is possible that Core is implementing opt-in-RBF for this purpose.

2 - I think a BUIP with options should, once approved by you, be put to a general vote amongst members in a democratic fashion. Each member should vote with a YES/NO to accept/reject the BUIP and an accompanying vote for selecting a preferred outcome (A1/A2/B/C).
 

Aquent

Active Member
Aug 19, 2015
252
667
That would be nice @TrevinHofmann It would be great if it could incorporate the procedure. From what I am understanding so far, a BUIP is proposed, but once there is a secretary he has to assign a number so that individuals don't propose a buip with the same number (although if this can be automated maybe buip numbers should be automatically assigned?). Once a number is assigned the lead developer then reviews it - so in the app this could be set down as pending review. Once reviewed then it is open for comments. Once the discussion is over then it is open for voting.

Do correct me everyone if I am mistaken on the procedure, but regardless, it would be nice if all these stages are automated and the stage described with a label because otherwise it is difficult to keep track of when you can discuss, when you can vote, etc.
 

theZerg

Moderator
Staff member
Aug 28, 2015
1,012
2,327
WRT 1 Are u guys sure there isn't a technical reason that somehow reduces onchain txns? That was the impression I got from some speech during scaling conf.

WRT voting we definitely want an automated system.

WRT procedure a member proposes with a number and the secretary just changes the number if there's a conflict. This is subtle but important. Secretary cannot block a buip by having no assigned number. See Olivier Janssen s recent BIP to see abuse of the number assignment process.

And the applicable officer (not necessarily the dev) works with submitter. In this case both dev and secretary would be working secretary hammering out voting.

WRT voting on multiple options, I don't want the buip to pass but the option to get a minority of the vote. This opens the system up to abuse. And we can't ask an automated system to be rewritten for every BUIPs custom voting procedure.

How about: you vote your preferred option (or none) and for every option you vote if it is acceptable or not. Acceptable means "if this was the only option I would have voted yes to it"

Secretary only evaluates the option that gets the most votes... and retallies the sum of the votes + acceptable. That tally must pass the normal BUIP rules for the BUIP to pass with only that option in effect.
 

Roy Badami

Active Member
Dec 27, 2015
140
203
I'm against diverging from Core on this (except to add a switch, if there's demand).

Some means of clearing stuck transactions is very important for any form of smart contract where it is often vital that a transaction is sent before some deadline (usually set in some other time locked transaction). This is true, for example, for all forms of payment channel (including Lightning). Smart contracts of this kind generally won't be using zeroconf so opt-in RBF works fine for that use case, and since it's opt-in, it doesn't affect normal transactions.

I have yet to see any convincing argument *against* opt-in RBF. Far too many people are conflating this with the attempt by a couple of people to get Core to merge non-opt-in RBF. However Core has not shown any willingness to merge that.

Let's keep things as they are, and not break a feature designed to make smart contracts more usable just out of spite for the Lightning folks.

EDIT: "and I suspect their next release will move opt-in RBF to full RBF." Please let's not go down the route of taking pre-emptive strikes against something that you are merely speculating that Core *might* do in future. The fact is that all pull requests to date proposing such a change have either been rejected or forced to be withdrawn.
 

Erdogan

Active Member
Aug 30, 2015
476
855
Fortunately, RBF can be implemented, the market can learn from the experience, then remove the possibility (A 1) later.
 

cypherdoc

Well-Known Member
Aug 26, 2015
5,257
12,995
The hope with BU is that it leads to bigger blocks allowing mempools to be cleared out in much shorter block intervals {one?) making schemes like RBF totally unnecessary..

RBF does kill 0 confs forcing txs to LN.
 

Inca

Moderator
Staff member
Aug 28, 2015
517
1,679
I'm against diverging from Core on this (except to add a switch, if there's demand).

Some means of clearing stuck transactions is very important for any form of smart contract where it is often vital that a transaction is sent before some deadline (usually set in some other time locked transaction). This is true, for example, for all forms of payment channel (including Lightning). Smart contracts of this kind generally won't be using zeroconf so opt-in RBF works fine for that use case, and since it's opt-in, it doesn't affect normal transactions.

I have yet to see any convincing argument *against* opt-in RBF. Far too many people are conflating this with the attempt by a couple of people to get Core to merge non-opt-in RBF. However Core has not shown any willingness to merge that.

Let's keep things as they are, and not break a feature designed to make smart contracts more usable just out of spite for the Lightning folks.

EDIT: "and I suspect their next release will move opt-in RBF to full RBF." Please let's not go down the route of taking pre-emptive strikes against something that you are merely speculating that Core *might* do in future. The fact is that all pull requests to date proposing such a change have either been rejected or forced to be withdrawn.
Before it is even released they have already been (2!?) pull requests to try and enable full RBF.

Now opt-in RBF is fine but is not necessary for smart contracts if fees are stable which they would be with increased block capacity. Also why didn't they choose opt in FSS-RBF?

Another thing I see written is that it doesn't matter if BU does not relay RBF transactions because others will. But if a significant % of nodes do not relay RBF then i would love to hear from someone if this is actually the case as it seems counterintuitive.
 
Last edited:

chainstor

New Member
Aug 28, 2015
16
25
In answer to your questions @theZerg :

1 - I don't think RBF is strictly necessary for LN. A nice short primer for LN is found here.

But with a functioning fee market in a congested network predicting appropriate transaction fees for opening / closing channels is probably inexact science. For example a time locked transaction for say 30 days in the future.

Quoting Adam Back about LN, "Fees being insufficient is a problem for direct bitcoin transactions also. That can be addressed in the same way, fee estimation and increasing fees via RBF or CPFP. "

So it is possible that Core is implementing opt-in-RBF for this purpose.

2 - I think a BUIP with options should, once approved by you, be put to a general vote amongst members in a democratic fashion. Each member should vote with a YES/NO to accept/reject the BUIP and an accompanying vote for selecting a preferred outcome (A1/A2/B/C).
My (vague) understanding is that the driving force behind RBF is to allow for an 'undo' button in a wallet - to allow users to cancel payments. I believe this is Peter Todds vision. Correct me if I am wrong...
 

Roy Badami

Active Member
Dec 27, 2015
140
203
Before it is even released they have already been (2!?) pull requests to try and enable full RBF.
Oh, please, the presence of a pull request is hardly a convincing argument - and as I already said, both the pull requests I'm aware of were rejected, which rather weakens your argument.

It concerns me that there's no real technical justification in the BUIP beyond assertions of controversy, claims that it can be used to defraud merchants, and disquiet about Core governance and future plans - and yet we have people actually casting votes already - before we've even had any substantive technical discussion!

Come on folks, BUIP votes are not reddit upvotes and downvotes. I'm really keen that we stick to actual reasoned technical argument about the consequences of accepting or rejecting this BUIP, rather than lowering ourselves to the typical reddit echo chamber way of doing things.

I'm going to write up a slightly more technical post on my take on the pros and cons of this over the next day or so.

roy
[doublepost=1451697894,1451697246][/doublepost]
My (vague) understanding is that the driving force behind RBF is to allow for an 'undo' button in a wallet - to allow users to cancel payments. I believe this is Peter Todds vision. Correct me if I am wrong...
I'm not at all sure that's what Peter Todd is arguing for - it's not exactly compatible with scorched earth RBF! (Which, admittedly, few people other than Peter are in favour of.) As for wallets planning to implement an undo feature? Seems unlikely - they'd have to opt the transaction in to RBF, in which case no one should accept it without confirmation anyway. And once it's confirmed, there's no (easy) way to undo it.
[doublepost=1451698683][/doublepost]
As Jeff Garzik commented succinctly:

"We are seeing bad behavior, 'might as well release a feature making bad behavior easier' is illogical."
It would be helpful if you provide context for quotes like this. Jeff is talking here about full (non-opt-in) RBF here, which is not what is in Core's 0.12 release, and not what this BUIP is discussing.

EDIT: Also, if this is still Jeff's position on RBF (that quote is from 2014) then that means that at least two of the four Core committers (Jeff Garzik and Pieter Wuille) are against merging full (non-opt-in) RBF into Core. Which tends to go against the usual scare mongering (repeated in the BUIP) that Core intends to do this. In any case, speculation about may or may not be in Core 0.13 is just silly when 0.12 isn't even released - and anyway I don't think it's directly relevent to this BUIP. If and when Core implements non-opt-in RBF, that will be the appropriate point in time to consider how we should respond.
 
Last edited:
  • Like
Reactions: solex