On 10/16/23, Matt Morehouse via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

On Mon, Oct 16, 2023 at 7:21 PM Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

...

I think if you want people to understand this exploit, you need to explain in more detail how we have a situation where two different parties can spend the same HTLC txout, without the first party having the right to spend it via their knowledge of the HTLC-preimage.

The two main ways of spending an "offered" HTLC txout: 1) With a presigned multisig covenant transaction paying to the offerer (a.k.a HTLC-timeout transaction) 2) With a preimage and the receiver's signature

Since option 1 uses a presigned covenant held by the offerer, only the offerer can spend via that path. Since option 2 requires the receiver's signature, only the receiver can spend via that path.

The exact script used is here: https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-ht.... _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev