Saturday, 30 September 2017

How a Roger Ver vs. Trace Mayer trustless 25,000 coin swap could work


Recently Trace Mayer offered Roger Ver a swap of 25,000 bitcoins on two different chains, if it could be done via an atomic swap as proposed by Greg Maxwell here.Since Greg's description of the swap assumes some technical background, below I'll describe in more detail how this type of trustless atomic swap can be set up before the fork happens. I'll assume that the Segwit2x project has decided to adopt the method of replay protection proposed by Jeff Garzik here.Step 1: The funding transactionRoger and Trace create a funding transaction that moves 25,000 bitcoins from each of them into a 2-of-2 multisig address, but they don't sign it or publish it to the blockchain yet.This multisig address works such that any transaction that spends these 50,000 bitcoins needs to be signed by both Roger and Trace. No one can move the coins without the other's approval.Step 2: Trace's redemption transactionTrace creates a transaction that moves all 50,000 bitcoins from the funding transaction to an address that only he controls. The transaction is created with replay protection, so that it's valid on the 1x chain (the chain favored by Bitcoin Core) and invalid on the SegWit2x chain.This transaction also has a "timelock", so that it can only be included in a block after December 15th 2017.Both Trace and Roger sign this transaction. They don't need to worry about who signs first because they haven't signed the funding transaction yet. If anyone refuses to sign promptly, the other person can just not sign the funding transaction in step 4.Step 3: Roger's redemption transactionRoger creates a transaction that moves all 50,000 bitcoins from the funding transaction to an address that only he controls. This transaction is timelocked to only be spendable after December 25th 2017 (10 days after Trace's transaction becomes spendable).Roger and Trace both sign this transaction. They don't need to worry about who signs first because they still haven't signed the funding transaction, so either can still back out.Roger's transaction doesn't have replay protection, but that won't matter because by the time Roger publishes it Trace will have already moved the coins on the 1x chain. Replaying the transaction on the 1x chain at that point will be impossible.Step 4: The funding transaction is signed and sent out for inclusion in the blockchainRoger and Trace finally sign the original funding transaction, which both of their redemption transactions refer to. The order of signing doesn't matter much, because if Roger signs and then Trace refuses to sign (intending to hold onto the funding transaction for a while and then only publish it later when he's more sure he'll get the better end of the swap), Roger can just cancel the deal by spending some of the inputs to the funding transaction. Until the funding transaction is included in a block, either party can cancel it in this way.Risks to RogerRoger has two main sources of risk here:(1) If the method of replay protection used by SegWit2x changes before the hard fork, then Trace's redemption could be 'replayed' on the SegWit2x chain, which would give Trace all 50,000 coins on both chains. So for Roger to accept this method of atomic swap, he'd want to be very sure how replay protection would work on SegWit2x. (Currently the SegWit2x team hasn't made a final decision on how this will work).(2) If the SegWit2x fork doesn't happen for some reason, then Trace will get all of Roger's coins on the original chain, and Roger will end up with nothing. The swap that Roger has with Charlie Lee specifies that if there is no hard fork, the swap is canceled. It's impossible to do this with atomic swaps, because the original chain has no way of knowing if some other chain exists.One solution to these asymmetric risks is for Roger and Trace to negotiate some compensation to Roger for bearing them. For instance Trace might contribute more coins to the swap. Alternatively they could wait to finalize the swap until we're closer to the hard fork date, when the method of replay protection and chance of the fork happening are more certain.Greg's method, which avoids dependence on a specific type of replay protectionGreg's description of how this swap could work uses the fact that since the 1x chain won't accept blocks above a certain size, Roger's redemption transaction could be constructed in a way where it was too big to be included in the 1x chain.The benefit of this is Roger would face less risk that the method of replay protection used by SegWit2x would change between when he commits to the swap and when the fork activates.One downside is that creating such a transaction is more complex. The network hasn't seen many transactions near 1 MB in size, so there may be some unforeseen issue. It would also require a huge amount of transaction fees to ensure that the miners included such a huge transaction. The fee might need to be several bitcoins. For a swap of 25,000 bitcoins this isn't a big deal, but most people interested in similar swaps will probably prefer versions that rely on replay protection. via /r/Bitcoin http://bit.ly/2kgi907

No comments :

Post a Comment