Strategic Analysis of Griefing Attack in Lightning Network

Hashed Timelock Contract (HTLC) in Lightning Network is susceptible to a griefing attack. An attacker can block several channels and stall payments by mounting this attack. A state-of-the-art countermeasure, Hashed Timelock Contract with Griefing-Penalty (HTLC-GP) is found to work under the classical assumption of participants being either honest or malicious but fails for rational participants. To address the gap, we introduce a game-theoretic model for analyzing griefing attacks in HTLC. We use this model to analyze griefing attacks in HTLC-GP and conjecture that it is impossible to design an efficient protocol that will penalize a malicious participant with the current Bitcoin scripting system. We study the impact of the penalty on the cost of mounting the attack and observe that HTLC-GP is weakly effective in disincentivizing the attacker in certain conditions. To further increase the cost of attack, we introduce the concept of guaranteed minimum compensation, denoted as (\zeta), and modify HTLC-GP into HTLC-GP(\zeta). By experimenting on several instances of Lightning Network, we observe that the total coins locked in the network drops to 28% for HTLC-GP(\zeta), unlike in HTLC-GP where total coins locked does not drop below 40%. These results justify that HTLC-GP(\zeta) is better than HTLC-GP to counter griefing attacks.

Index Terms—Bitcoin; Lightning Network; Griefing Attack; Game Theory; Hashed Timelock Contract with Griefing-Penalty or HTLC-GP; Guaranteed Minimum Compensation.

I. INTRODUCTION

Blockchain has redefined trust in the banking system. Transactions can be executed without relying on any central authority [1]. However, blockchain-based financial transactions cannot match traditional payment systems [2] in terms of throughput. Factors serving as the bottleneck are computation-overhead involved in verifying transactions, and expensive consensus mechanism [3]. Layer 2 solutions [4] have been developed on top of blockchain to address these shortcomings. One of the solutions, payment channels [5] are widely deployed and quite simple to implement. Several interconnected payment channels form a payment channel network or PCN.

Subhra Mazumdar was with Cryptology and Security Research Unit, Indian Statistical Institute Kolkata, India. She is now with TU Wien and Christian Doppler Lab Blockchain Technologies for the Internet of Things, Vienna, Austria. Email: subhra.mazumdar@tuwien.ac.at

Prabal Banerjee is with Cryptology and Security Research Unit, Indian Statistical Institute Kolkata, India and Polygon (previously Matic Network). Email: mail.prabal@gmail.com

Abhinandan Sinha was with Economic Research Unit, Indian Statistical Institute Kolkata, India. He is now with Ahmedabad University, India. Email: abhinandan.sinha@ahduni.edu.in

Sushmita Ruj was with CSIRO’s Data61, Sydney, Australia. She is now with University of New South Wales, Sydney, Australia. Email: sushmita.ruj@unsw.edu.au

Bimal Kumar Roy is with Applied Statistics Unit, Indian Statistical Institute Kolkata, India. Email: bimal@isical.ac.in

The network is used for executing several transactions between parties not directly connected by a channel, without recording any of them in the blockchain.

Lightning Network is the most popular Bitcoin-based PCN [6]. A payer can securely transfer funds to an intended recipient in the network by using a Hashed Timelock Contract or HTLC. It is a form of conditional payment where a payment succeeds contingent on the knowledge of the preimage of a hash value. For example, in Fig. 1, Alice intends to transfer (b) coins to Bob via channels Alice-Dave, Dave-Charlie, and Charlie-Bob. Bob generates a hash (H = \mathcal{H}(x)) and shares it with Alice. The latter forwards a conditional payment to Dave, locking (b) coins for time (D_1). Dave forwards the payment to Charlie, locking (b) coins for (D_2) units of time. Finally, Charlie locks (b) coins with Bob for time (D), where (D_1 > D_2 > D). To claim (b) coins from Charlie, Bob must release (x) within the time (D). If Bob does not respond, then Charlie withdraws the coins locked from the contract by going on-chain and closing the channel after the timeout period. However, Bob manages to lock (b) coins in each of the preceding payment channels for the next (D) units [7]. This is an instance of griefing attack [8]. An empirical analysis [9], [10] shows that a griefing attack reduces the liquidity of Lightning Network, and it has been used for eliminating specific edges in PCN [11].

A payment protocol Hashed Timelock Contract with Griefing Penalty or HTLC-GP [12] was proposed to counter griefing attack. The off-chain contract formation in HTLC-GP is illustrated in Fig. 2. Dave has to lock (l_1) coins as a guarantee against (b) coins locked by Alice, for a period of (D_1) units. If Dave responds within (D_1), he claims (b) coins and unlocks (l_1) coins. If he fails to respond, Alice goes on-chain, closes the channel, unlocks (b) coins, and gets the compensation from Alice.

Dave. Similarly, Charlie has to lock $l_1 + l_2$ coins for a period of $D_2$ units as a guarantee against $b$ coins locked each by Dave and Alice. Bob locks $l_1 + l_2 + l_3$ coins for a period of $D$ units as a guarantee against $b$ coins locked by Charlie, Dave and Alice. The drawback of HTLC-GP is that it does not consider an attacker to be rational. If Bob intends to mount griefing attack, he will choose a strategy that avoids paying any penalty. He will resolve the payment off-chain with Charlie just before the contract’s locktime elapses. In this way, he manages to lock Alice, Dave and Charlie’s coins without compensating them. We realize that the underlying punishment mechanism in HTLC-GP must be argued from a game-theoretic point of view and not from the cryptographic aspect.

A. Contributions

We make the following contributions in our paper:

(i) This is the first attempt to propose a two-player game-theoretic model for analyzing griefing attacks in HTLC. The first player receives a conditional payment and makes a decision of forwarding the same to the second player based on the belief that the latter may be corrupt or uncorrupt.

(ii) We use the same game model to analyze the griefing attacks in HTLC-GP [12]. From the analysis, we conjecture that it is impossible to design an effective countermeasure without changing the Bitcoin scripting system.

(iii) We analyze the impact of the penalty on the attacker’s behavior and infer that HTLC-GP is weakly effective in countering the attack in certain conditions.

(iv) We introduce the concept of guaranteed minimum compensation, $\zeta$, and propose a protocol, HTLC-GP$^\zeta$, for disincentivizing griefing attack.

(v) Our experimental analysis shows that the total coins locked by the attacker drops to 28% when the guaranteed minimum compensation is 2.5% of the transaction amount and the maximum allowed path length is set to 10 in HTLC-GP$^\zeta$. This quantity is 27% less than the coins locked in HTLC-GP, proving that HTLC-GP$^\zeta$ is far more effective than HTLC-GP in countering the griefing attack. The code is provided in GitHub [1].

B. Organization

Section II discusses the background and Section III discusses the state-of-the-art. In Section IV, we propose a game-theoretical model of griefing attack in HTLC. We discuss an existing countermeasure for griefing attack, HTLC-GP, in Section V and use the game model discussed in Section IV to analyze the griefing attacks in HTLC-GP in Section VI. In Section VII, we propose the concept of guaranteed minimum compensation, denoted as $\zeta$. We modify HTLC-GP into HTLC-GP$^\zeta$ by incorporating the concept of minimum compensation, and discuss in Section IX. Experimental analysis of the effectiveness of HTLC-GP and HTLC-GP$^\zeta$ is provided in Section X. Section XI discusses how scalable is HTLC-GP$^\zeta$ compared to the state-of-the-art. Finally, we conclude the paper in Section XII.

II. BACKGROUND

(i) Lightning Network: It is a layer 2 solution for scalability issues in Bitcoin blockchain [6]. It is modeled as a bidirected graph $G := (V, E)$, where $V$ is the set of nodes and $E \subseteq V \times V$ is the set of payment channels opened between a pair of nodes. Every node charges a processing fee for processing payment requests, defined by a function $f$, where $f : \mathbb{R}^+ \rightarrow \mathbb{R}^+$. Each payment channel $(U_i, U_j) \in E$ has an initial capacity $\text{locked}(U_i, U_j)$, denoting the amount deposited by $U_i$ in the channel, $t_{i,j}$ is the timestamp at which the channel was opened. In the context of the Bitcoin blockchain, this will be the block height, $T$ is the expiration time of the channel $\text{id}_{i,j}$, i.e., once a channel is opened, it remains active till time $T$. $\text{remain}(U_i, U_j)$ signifies the residual amount of coins $U_i$ can transfer to $U_j$ via off-chain transactions. $M$ denotes the average fee for mining a Bitcoin transaction.

(ii) Hashed Timelock Contract: It is used for forwarding conditional payments across parties not directly connected by the payment channel [6]. Suppose a payer $U_0$ wants to transfer funds to a payee $U_n$ via an $n$-hop route $P = (U_0, U_1, U_2, \ldots, U_n)$ in the network. $U_0$ creates a condition $Y$ defined by $Y = H(x)$ where $x$ is a random string and $H$ is a cryptographic hash function [14]. $U_n$ shares the condition $Y$ with $U_0$. The latter uses $Y$ for conditional payment across the whole payment path. Between any pair of adjacent nodes $(U_{i-1}, U_i)$ in $P$, where $i \in [1, n]$, the hashed timelock contract is defined by $\text{HTLC}(U_{i-1}, U_i, Y, b, t_{i-1})$, where $t_{i-1} = t_i + \Delta$, where $\Delta$ is the worst-case confirmation time for a transaction to get confirmed on-chain. The contract implies that $U_{i-1}$ locks $b$ coins in the off-chain contract. The coins locked can be claimed by the party $U_i$ only if it releases the correct preimage $x’ : Y = H(x’)$ within time $t_{i-1}$. If $H$ is a collision-resistant hash function, then $x’ \neq x$ with negligible probability. If $U_i$ doesn’t release the preimage within $t_{i-1}$, then $U_{i-1}$ settles the dispute on-chain by broadcasting the transaction. The channel between $U_{i-1}$ and $U_i$ is closed and $U_{i-1}$ unlocks the coins from the contract. If both the parties mutually decide to settle off-chain then $U_i$ either releases the preimage and claims $b$ coins from $U_{i-1}$. If $U_i$ decides to reject the payment then $b$ coins are refunded to $U_{i-1}$.

(iii) Dynamic Games of Incomplete Information or Sequential Bayesian Games: In this class of games, players move in sequence, with at least one player being uncertain about another player’s payoff. We define a belief system and a player’s behavioral strategy to approach these games. A type space for a player is the set of all possible types of that player. A belief system in a dynamic game describes the uncertainty of that player of the types of the other players. A behavioral strategy of a player $i$ is a function that assigns to each of $i$’s information set a probability distribution over the set of actions to the player $i$ at that information set, with the property that each probability distribution is independent of every other distribution. A dynamic game of incomplete information [15] is defined as a tuple that consists of (i) a set of players $I$; (ii) a sequence of histories $H^m$ at the $m^{th}$ stage of the game, each history assigned to one of the players (or to Nature/Chance); (iii) an information partition. The partition determines which of histories assigned to a player are in the same information set; (iv) a set of pure strategies for each player $i$, denoted as $S_i$; (v) a set of types for each player $i : \theta_i \in \Theta_i$; (vi) a payoff function for each player $i : x_i(s_1, s_2, \ldots, s_l, \theta_1, \theta_2, \ldots, \theta_l)$; (vii) a joint probability distribution $p(\theta_1, \theta_2, \ldots, \theta_l)$ over types. Perfect Bayesian equilibrium \cite{16} is used to analyze dynamic games with incomplete information.

III. RELATED WORKS

Few existing works analyze the payments executed in Lightning Network from a game-theoretic point of view but none of them have analyzed the griefing attack. Zappala et al. \cite{17} proposed a framework for formally characterizing the robustness of blockchain systems in the presence of Byzantine participants. The authors have defined HTLC as a game between three participants. However, it is assumed that an HTLC can either be accepted or rejected but there is no discussion on griefing. Rain et al. \cite{18} discusses the shortcoming of the game model of multi-hop payment proposed in \cite{17}. They have improved the model and analyzed wormhole attacks in the network but the work does not discuss the griefing attack.

In \cite{19}, a game-theoretic analysis of atomic cross-chain swaps using HTLC has been provided. They have studied the impact of token price volatility on the strategic behavior of the participants initiating the swap and suggested the use of collateral deposits to prevent parties from canceling the swap. Han et al. \cite{20} proposed use of premium for fairness in the atomic cross-chain swap. This is the first paper to introduce penalty as a countermeasure for countering the griefing attack in the context of atomic swap. However, the paper lacks a detailed analysis of how the introduction of premiums might ensure a faster exchange of assets. Also, the premium calculated is not a function of the assets locked in the off-chain contract and its timeout period. This might lead to under-compensation of victims. Our work is the first to propose a game model for analyzing griefing attack in Lightning Network. Several countermeasures like upfront payments \cite{21}, proof-of-Closure of channels \cite{22}, etc were proposed for mitigating the work. However, they are not effective because the malicious node does not lose anything in the process. Hashed Timelock Contract with Griefing Penalty or HTLC-GP \cite{12} claims to address the above shortcomings and disincentivize griefing attacks. We use our proposed game model to study the effectiveness of HTLC-GP and suggest appropriate modifications to the protocol.

IV. ANALYSIS OF GRIEFING ATTACK IN HTLC

A. System Model

Given an instance of payment in $G$, where a payer $S$ wants to transfer $\alpha$ coins to a payee $R$ where $S,R \in V$. The notations used in defining the model is summarized in Table 1. We discuss how the payment is routed in the network:

(i) $S$ finds a path $P$ of length $\kappa : \kappa \in N$ that connects it to $R$. The maximum allowed path length for routing is $n$ so $|P| = \kappa \leq n$. We denote $P = \langle U_0 \rightarrow U_1 \rightarrow U_2 \ldots \rightarrow U_n \rangle$, where $U_0 = S$ and $U_1 = R$ and locked$(U_{i-1}, U_i) > \alpha$, $\forall (U_{i-1}, U_i) \in E$, $i \in [1, n]$, (ii) Criteria for a node to route the payment: A node $U_{i-1}$ can lock $\alpha_{i-1}$ coins in an off-chain HTLC formed with $U_i$ if remain$(U_{i-1}, U_i) \geq \alpha_{i-1}$; $\alpha_{i-1} = \alpha_0 – \sum_{k=1}^{i-1} f(\alpha_{k-1}), i \in [1, n]$. Node $U_{i-1}$ gets a processing fee $f(\alpha_{i-1})$. If $U_i$ claims the coins, the residual capacity is updated as follows: remain$(U_{i-1}, U_i) = \text{remain}(U_{i-1}, U_i) – \alpha_{i-1}$ and remain$(U_i, U_{i-1}) = \text{remain}(U_i, U_{i-1}) + \alpha_{i-1}$.

(iii) Once the path is decided, $U_k$ generates a payment condition $H = H(x)$ and shares it with $U_0$. The latter forwards the payment across $P$ by forwarding HTLC’s. The HTLC timeout period between any pair $U_{i-1}$ and $U_i$ is set to $t_{i-1}, i \in [1, n]$. If $U_i$ chooses to resolve the HTLC just before timeout period, it responds at time $t_{i-1} – \delta$, where $\delta \rightarrow 0$. The least HTLC timeout period $D$ is assigned for the contract between $U_{k-1}$ and $U_k$, i.e., $t_{k-1} = D$.

(iv) Lightning Network uses the Sphinx protocol \cite{23} while forwarding HTLCs. It is a form of onion routing where none of the intermediate parties have any information regarding the routing path except their immediate neighbors. Thus, a node $U_i$ upon receiving a request, knows that a conditional payment request came from $U_{i-1}$ and it must be forwarded to node $U_{i+1}$ where $i \in [1, \kappa – 1]$.

System Assumption: We discuss some of the assumptions:

(i) All the nodes in the network are rational \cite{24}.

Rational processes always seek to maximize their expected utility. They may deviate or not choose to participate in a protocol depending on the situation.

(ii) We assume that a channel between $U_{i-1}$ and $U_i$ is unilat-

Table 1: Notations used in the paper

Notation	Description
$I$	A bidirected graph representing the Lightning Network
$V$	Set of nodes in Lightning Network
$E$	Set of payment channels in Lightning Network, $E \subseteq V \times V$
$\alpha$	Amount to be transferred from sender $S$ to receiver $R$
$P$	Path connecting $S$ to $R$
$\kappa$	Length of the path $P$ in $G$ connecting payer $S$ to payer $R$.
$n$	Maximum allowed path length for payment, where $n \in N, \kappa \leq n$
$U_i \in V, i \in [0, n]$	Nodes in $P = \langle U_0, U_1, \ldots, U_n \rangle$ where $U_0 = S$ and $U_n = R$.
$w_{ij}$	Identifier of channel $(U_i, U_j)$
$T$	Lifetime of a channel
$l_{i,j}$	The time at which the channel between $U_i$ and $U_j$ was opened
locked$(U_i, U_j)$	Amount of funds locked by $U_i$ in the payment channel $(U_i, U_j)$ while channel opening.
remain$(U_i, U_j)$	Net balance of $U_i$ that can be transferred to $U_j$ via off-chain transaction
$f(\alpha)$	Processing fee charged by a node for forwarding $\alpha$ coins to its neighbor
$\mathcal{H}(0.1^\lambda) \rightarrow [0, 1]^\lambda$	Standard Cryptographic Hash function
$\lambda$	Time-base confirmation function when a transaction is settled on-chain
$\tilde{t}_i$	HTLC Timeout period in contract $(U_i, U_{i+1}), i \in [0, n-1]$
$T$	Least HTLC Timeout period (or $t_{i-1}$)
$L$	Bribe offered per attack
$\tilde{t}_i$	Compensation offered for keeping $\alpha_{i-1}$ coins unutilized for the next $t_{i-1}$ units of time
$t_{val}$	Rate of payments processed by node $U$ per unit time
$O_{(t, \tilde{t}, val)}$	Opportunity cost of a node $U$ for next $t_{i-1}$ units of time, also denoted as $o_{(t, \tilde{t}, val)}$
$\epsilon_{contract, initiate}$	Timestamp at which off-chain contract got initiated
$M$	Average fee charged for mining a transaction
$\gamma$	Rate of payment locked by payer and the payment value locked by payee
$\tilde{\gamma}$	Rate of griefing-penalty in HTLC-GP for a given $\gamma$ and $k$
$\tilde{\gamma}, \tilde{k}$	Maximum path length in HTLC-GP for a given $\gamma$ and $k$, $\tilde{\gamma}, \tilde{k} \leq n$

3For our model, we rule out any altruistic and Byzantine behavior and focus on the most typical scenario where participants are rational. However, the Lightning network may have Byzantine as well as altruistic nodes. We leave the analysis of griefing attack in the BAR model \cite{26} as future work.

eraly funded by $U_{i-1}$, $i \in [1, \kappa]$, i.e., $\text{locked}(U_i, U_{i-1}) = 0$.

(iii) We define a function $O : \mathbb{R}^+ \times \mathbb{W} \times \mathbb{R}^+ \to \mathbb{R}^+ \cup {0}$, where $O(r_U, t, \text{val})$ is the expected revenue a node $U$ would have earned had it utilized the amount $\text{val}$ for processing transactions in a period of $t$ units given that $r_U$ is the rate of payments processed by $U$ per unit time. In other words, $O$ defines the opportunity cost $\text{cost}$.

The primary source of revenue for a routing node in the Lightning Network is the fee obtained by processing transactions $[29], [31], [32]$. Also, the arrival of payment in a channel follows a Poisson process. $U$ expects each transaction size to be $\text{per}tx{\text{val}}$. Given the number of coins locked is $\text{val}$, the number of transactions $U$ expects to receive in period of $t$ units is $J = \frac{\text{val}}{\text{per}tx{\text{val}}}$. Given $X$ is the number of transactions in that interval or $X \sim \text{Poisson}(r_U t)$, we have:

$$P(X = x) = \frac{e^{-r_U t} (r_U t)^x}{x!}$$

where $0 \leq x \leq J$. Expected number of transactions in $t$ unit of time

$$E(X) = \sum_{x=0}^{J} x P(X = x)$$

The fee earned by processing a transaction of size $\text{per}tx{\text{val}}$ is defined as $[33], [34]$:

$$\text{Fee}_{\text{per}tx{\text{val}}} = \text{base}_f \text{ee} + \text{fee}_r \text{ate} \times \text{per}tx{\text{val}}$$

Thus, the revenue $U$ expects to earn within period $t$ or in other words, the opportunity cost $O(r_U, t, \text{val})$ is

$$O(r_U, t, \text{val}) = E(X) \times \text{Fee}_{\text{per}tx{\text{val}}}$$

B. Attacker Model

An attacker with budget $B_{EX}$ tries to disrupt the network by incentivizing a certain fraction of nodes to mount the griefing attack $[4]$. We make the following assumptions – (i) if a node has accepted the bribe, then it implies that the expected earning by cooperating with other nodes is lower than the bribe, and hence it has chosen to be a corrupt node. Such nodes act as per the instructions received from the attacker, and (ii) a corrupt node knows whether another node is corrupt or uncorrupt. An uncorrupt node lacks this information.

We discuss the bribe offered to a corrupt node and the method for mounting a griefing attack:

(a) Bribe offered per attack. Given a payment send across the network is of value $\alpha$, the attacker fixes the bribe offered to a node to $L$ coins, where $L = \alpha + D, \alpha + C$. Here $C$ is the auxiliary cost for routing payment and opening new channels, if needed. $I_{D, \alpha}$ coins are used to compensate the node for keeping $\alpha$ coins unutilized for the next $D$ units of time. We assume $I_{D, \alpha} \approx 2O(r_U, D, \alpha)$, $\forall U \in V$ so that a corrupt node gains at least $O(r_U, D, \alpha)$ inspite of locking $\alpha$ coins.

(b) Method for mounting Griefing Attack. The attacker instructs the corrupt node to execute a self-payment (i.e., $S = R$) of $\alpha$ coins via a route of maximum allowed path length $n$ in order to maximize the damage. The least HTLC timeout period is $t_{n-1} \approx D$. After the conditional payment reaches the payee $U_n$, it intentionally stops responding, locking a collateral of $(n-1)\alpha$ for the next $D$ units in the path routing payment.

C. Game Model

(i) Choice of players: We assume that all the miners in the underlying blockchain are honest, and only nodes in Lightning Network can be the strategic players. In the path $P$, a node $U_{i-1}$ locks an amount $\alpha_{i-1}$ with the off-chain contract formed with $U_i$, hence it will be bothered with $U_i$’s nature and the corresponding action. Except for $U_0$, none of the intermediaries routing the payment knows the recipient’s identity. $U_{i-1}$ makes a decision of whether to forward a payment to $U_i$ based on the belief of the $U_i$’s type (discussed next). We model the griefing attack as an interaction between pair of nodes $U_{i-1}$ and $U_{i}$, $i \in [1, \kappa]$ in path $P$ routing payment in the network. Player forms a belief about the type of the other players based on either their position in the network or past interaction.

(ii) Action Space: We define the actions of $U_{i-1}$ and $U_{i}$:

$U_{i-1}$’s action ($S_{U_{i-1}}$): It can either forward ($F$) the conditional payment to $U_i$ or it can choose to not forward ($NF$). If it chooses to forward the payment, it forms a contract with $U_i$, locking the designated amount in the channel $id_{i-1, i}$ for time $t_{i-1}$, which is the HTLC timeout period.
If $i > 1$, then $U_{i-1}$ gets a fee of $f(\alpha_{i-1})$ from $U_{i-2}$ contingent to the release of solution by $U_i$. For $U_0$, the satisfaction level is proportional to success of payment. In this case, we consider $f(\alpha_0)$ as the level of satisfaction. If $U_i$ delays, then opportunity cost of coins locked in the off-chain contract increases, and a loss is incurred. If $U_i$ doesn’t respond within $t_{i-1}$, then $U_{i-1}$ closes the channel and withdraws its coins from the contract.
$U_{i}$’s action ($S_{U_{i}}$): If $U_{i-1}$ has forwarded the payment, then $U_i$ can choose its action from the following: accept the payment or $Ac$, reject the payment or $Rt$, wait and then accept or $W & Ac$, wait and then reject or $W & Rt$, and grief or $Gr$. If $U_{i-1}$ does not forward the payment, the game aborts.

We define the sequential Bayesian game $\Gamma_{HTLC}$ as the tuple $\Gamma_{HTLC} = (N, (\Theta_{U_{i-1}}, \Theta_{U_{i}}) , (S_{U_{i-1}}, S_{U_{i}}), p_{U_{i-1}}(u_{U_{i-1}}, u_{U_{i}}))$ $[35]$, where $N = {U_{i-1}, U_i}$ where $i \in [1, \kappa]$. The type of player $U_i$ is defined as $\Theta_{U_{i}} = {\text{Corrupt}, \text{Uncorrupt}}$. The probability function $p_{U_{i-1}}$ is a function from $\Theta_{U_{i-1}}$ into $p(\Theta_{U_{i}})$, where the $p(\Theta_{U_{i}})$ denotes the set of probability distribution over $\Theta_{U_{i}}$, i.e., $p_{U_{i-1}}(\text{Corrupt}) = \theta_i$, $p_{U_{i-1}}(\text{Uncorrupt}) = 1 – \theta_i$. The payoff function $u_k : \Theta \times S \to \mathbb{R}$ for any player $k \in {U_{i-1}, U_i}$, where $\Theta = \Theta_{U_{i}}$ and $S = S_{U_{i-1}} \times S_{U_{i}}$, is such that for any profile of actions and any profile of types $(\theta, s) \in \Theta \times S$, specifies the payoff the player $k$ would get, if the player’s actual type were all as in $\tilde{\theta}$ and the players all chose their action as in $s$.

Preference Structure: The game begins with Nature (N) choosing the type of $U_i$, either corrupt or uncorrupt, respectively. $U_{i-1}$ believes that a corrupt $U_i$ will be selected with probability $\theta_i$, whereas an uncorrupt $U_i$ will be selected with probability $1 – \theta_i$. After N makes its move, $U_{i-1}$ selects its strategy based on the belief of $U_i$’s type. $U_i$ chooses its strategy after $U_{i-1}$ has forwarded the payment. The extensive form is represented in Fig.3. If $U_{i-1}$ chooses not to forward, then either party receives a payoff 0 since no off-chain contract got established, i.e., $u_{U_{i-1}}(\theta_i, NF, s_b) = u_{U_i}(\theta_i, NF, s_b) = 0, \theta_i \in \Theta_{U_i}$ and $s_b \in S_{U_i}$. We analyze the payoff of $U_{i-1}$ when it has chosen $F$:

A. If $N$ has chosen an uncorrupt $U_i$, then the payoffs are defined as follows:

(a) Instantaneous Response, i.e., $t \rightarrow 0$: If $U_i$ accepts the payment, then $U_{i-1}$ gets processing fee $f(\alpha_{i-1})$ from its preceding neighbour $U_{i-2}$ and $U_i$ gets $\alpha_{i-1}$ coins from $U_{i-1}$. If $U_i$ rejects the payment then none of them gains anything, i.e., $u_{U_{i-1}}(uco, F, Rt) = u_{U_i}(uco, F, Rt) = 0$.

(b) Delayed Response, i.e., $0 < t < t_{i-1}$: If $U_i$ waits and then accepts the payment after $t$ units then $u_{U_{i-1}}(uco, F, W & Ac) = f(\alpha_{i-1}) – o^{t,\alpha_{i-1}}{i-1}$. $U{i-1}$ can earn $f(\alpha_{i-1})$ only after $U_i$ resolves the payment but it suffers a loss due to $\alpha_{i-1}$ coins remaining locked in channel $id_{i-1,i}$. $O(r_{U_{i-1}}, t, \alpha_{i-1})$ is the opportunity cost of locked coins, also denoted as $o^{t,\alpha_{i-1}}{i-1}$. Simultaneously, $U_i$ loses the opportunity to earn profit by utilizing $\alpha{i-1}$ coins for the next $t$ units of time. The expected profit that $U_i$ could have made using $\alpha_{i-1}$ within the next $t$ units is $O(r_{U_{i-1}}, t, \alpha_{i-1})$, also denoted as $o^{t,\alpha_{i-1}}{i-1}$. Thus the payoff $u{U_i}(uco, F, W & Ac) = o^{t,\alpha_{i-1}}{i-1} – o^{t,\alpha{i-1}}{i-1}$. If $U_i$ waits and then rejects the payment after time $t$ units then the payoff of $U{i-1}$, $u_{U_{i-1}}(uco, F, W & Rt) = -o^{t,\alpha_{i-1}}{i-1}$, and payoff of $U_i$, $u{U_i}(uco, F, W & Rt) = -o^{t,\alpha_{i-1}}_{i-1}$.

(c) $U_i$ griefs: If $U_i$ fails to respond within time $t_i$, $U_{i-1}$ will close the channel by going on-chain. $U_{i-1}$ cannot utilize $\alpha_{i-1}$ coins locked in the off-chain contract. The opportunity cost is $O(r_{U_{i-1}}, t_{i-1}, \alpha_{i-1})$, also denoted as $o^{t_{i-1},\alpha_{i-1}}{i-1}$. Additionally, due to closure of channel, $U{i-1}$ fails to utilize the residual capacity $\text{remain}(U_{i-1}, U_i)$ for the next $T – (t_{i-1} + t_{\text{contract initiate}} – t_{i-1,i})$ unit of time, where $t_{i-1,i}$ is the timestamp at which channel $id_{i-1,i}$ was opened and $t_{\text{contract initiate}}$ is the current timestamp at which the off-chain contract got initiated in the channel. We use a shorter notation $t_{i-1,i}$ to denote $T – (t_{i-1} + t_{\text{contract initiate}} – t_{i-1,i})$. The opportunity cost of the remaining balance is $O(r_{U_i}, T – (t_{i-1} + t_{\text{contract initiate}} – t_{i-1,i}), \text{remain}(U_{i-1}, U_i))$ or $o^{t_{i-1,i},\text{remain}(U_{i-1}, U_i)}{i-1}$. Along with that $U{i-1}$ has to pay the transaction fee $M$ for settling on-chain. Hence, payoff $u_{U_{i-1}}(uco, F, Gr) = -o^{t_{i-1,i},\text{remain}(U_{i-1}, U_i)}{i-1} – o^{t{i-1,i},\text{remain}(U_{i-1}, U_i)}_{i-1}$.

If $U_{i-1}$ had previously transferred coins to $U_i$ then $\text{remain}(U_i, U_{i-1}) > 0$. In that case, $U_i$ incurs a loss $O(r_{U_i}, T – (t_{i-1} + t_{\text{contract initiate}} – t_{i-1,i}), \text{remain}(U_i, U_{i-1}) – 1)$, also denoted as $o^{t_{i-1,i},\text{remain}(U_i, U_{i-1})}{i-1}$, due to closure of channel after timeout period $t{i-1,i}$. Additionally, it loses $o^{t_{i-1,i},\alpha_{i-1}}{i-1}$, as it fails to earn and utilize the coins for other purpose. Hence, payoff $u{U_i}(uco, F, Gr) = -o^{t_{i-1,i},\text{remain}(U_i, U_{i-1})}{i-1} – o^{t{i-1,i},\alpha_{i-1}}_{i-1}$. Since $U_i$ doesn’t go on-chain for settling the transaction, we do not subtract $M$ from the payoff.

B. If $N$ had chosen a corrupt node, then the latter executes a self-payment of amount $\alpha$ via a path of length $n$. Thus we analyze this as a game between $U_{n-1}$ and $U_n$, where the latter is the corrupt node. The amount forwarded is $\alpha + \sum_{i=1}^{n-1} f(\alpha_i)$, where, $f(\alpha_i)$ is the fee charged by an intermediate node $U_i$. Since the cost incurred per payment is $C$ and the corrupt node has to keep $\alpha$ coins locked for time $t_n = D$, the bribe offered must compensate for all these costs. The amount of bribe offered by the attacker is $L$ where $L = \alpha + C + I_{D,\alpha}$, where $I_{D,\alpha} = 2o^{t,\alpha}{n-1}$. Since the purpose of $U_n$ is to mount attack, it would not be interested in performing payments like other participants. This implies that $U_n$ has not accepted any payment from $U{n-1}$ and $\text{remain}(U_n, U_{n-1}) = 0$. We analyze each case as follows:

(a) Instantaneous Response, i.e., $t \rightarrow 0$: If $U_n$ accepts the payment then it ends up losing approximately $\sum_{i=1}^{n-1} f(\alpha_i)$, as it needs to pay $(n – 1)$ intermediaries. It had already incurred a cost $C$. $U_{n-1}$ has successfully forwarded the amount. Thus, payoffs are $u_{U_{n-1}}(co, F, Ac) = f(\alpha_{n-1})$ and $u_{U_n}(co, F, Ac) = -C – \sum_{i=1}^{n-1} f(\alpha_i)$. If $U_i$ or $U_n$ rejects the payment then $u_{U_{n-1}}(co, F, Rt) = 0$ and $u_{U_n}(co, F, Rt) = -C$.

(b) Delayed Response, i.e., $0 < t \leq D – \delta$: If $U_n$ waits and then accepts the payment after $t$ units then payoff of $U_{n-1}$ is same as the payoff it had obtained when $U_{n-1}$ is not corrupt and chooses to wait and accept the payment. Thus $u_{U_{n-1}}(co, F, W & Ac) = f(\alpha_{n-1}) – o^{t,\alpha_{n-1}}{n-1}, i{n-1}^{\alpha_{n-1}}$.

defines the net profit received by $U_n$ for keeping $\alpha_{n-1}$ coins unutilized till time $t$, where:

$$ \eta_{n}^{t,\alpha_{n-1}} = \begin{cases} -C – O(r_{U_n},t,\alpha_{n-1}), & 0 < t < D – \delta \ -L – C – O(r_{U_n},D,\delta,\alpha_{n-1}), & \text{otherwise} \end{cases} $$

(5)

If $U_n$ delays till time $t < D – \delta$, it loses the setup cost and the revenue it had utilized $\alpha_{n-1}$ for $t$ units of time. If $U_n$ delays for at least $D – \delta$, it gets paid for the work done, i.e., $\eta_{n}^{D-\delta,\alpha_{n-1}}$. Since $\delta \to 0$, $\eta_{n}^{D-\delta,\alpha_{n-1}} \approx \eta_{n}^{D,\alpha_{n-1}} = L – C – O(r_{U_n},D,\alpha_{n-1})$. But $I_{D,\alpha_{n-1}} \approx 2\eta_{n}^{D,\alpha_{n-1}}$, which implies $L – C – o_{n}^{D,\alpha_{n-1}} = \alpha + C + I_{D,\alpha_{n-1}} – C – o_{n}^{D,\alpha_{n-1}} \approx \alpha + \eta_{n}^{D,\alpha_{n-1}}$. Upon accepting a self-payment, it ends up paying a processing fee to $n – 1$ intermediaries. Thus, the payoff of $U_n$, $u_{U_n}(co,F,W & Ac) = -\sum_{i=1}^{n-1} f(\alpha_i) + \eta_{n}^{t,\alpha_{n-1}}$.

If $U_n$ waits and then rejects the payment after $t$ units then $u_{U_{n-1}}(co,F,W & Rt) = -\eta_{n}^{t,\alpha_{n-1}}$ and $u_{U_n}(co,F,W & Rt) = \eta_{n}^{t,\alpha_{n-1}}$.

(c) $U_n$ grieves: It gets an incentive $L$ coins from attacker. The loss is summation of $C$, which is the cost for mounting the attack, and the opportunity cost $o_{n}^{D,\alpha_{n-1}}$. Since the channel is unilaterally funded by $U_{n-1}$, $\text{remain}(U_{n},U_{n-1}) = 0$. Thus there is no loss associated due to closure of channel. The payoff of $U_{n-1}$ is the same as the payoff it had obtained when $U_n$ is uncorrupt and $o_{n}^{D,\alpha_{n-1}}$. Thus, $u_{U_{n-1}}(co,F,Gr) = -o_{n-1}^{D,\alpha_{n-1}} – \eta_{n-1}^{\text{remain}(U_{n-1},U_n) – M}$ and $u_{U_n}(co,F,Gr) = L – C – o_{n}^{D,\alpha_{n-1}} = \eta_{n}^{D,\alpha_{n-1}}$.

Game Analysis: We infer from the payoff model that the corrupt node can select either of the strategies for mounting the attack – (i) Reject the payment just before lock time $D$ elapses: $U_n$ rejects the conditional payment forwarded by $U_{n-1}$ off-chain just before the contract’s lock time elapses. (ii) $U_n$ does not respond: This is as per the conventional definition of grieving. $U_{n-1}$ closes the channel unilaterally after the contract’s lock time expires.

The expected payoff of $U_{i-1}$ is calculated by applying backward induction on the game tree $\Gamma_{HTLC}$: If $U_{i-1}$ plays $F$; an uncorrupt $U_i$ chooses $Ac$ as its best response since $u_{U_i}(uco,F,Ac) \geq u_{U_i}(uco,F,s’)$, $\forall s’ \in S_{U_i}$; a corrupt node (also $U_n$) can choose either to grieve or Wait & Reject at $D – \delta$ as its best response since $u_{U_n}(co,F,Gr) = u_{U_n}(co,F,W & Rt)$ at time $D – \delta$ $\geq u_{U_n}(co,F,s’)$, $\forall s’ \in S_{U_n}$. A corrupt node applies mixed strategy, either choosing to Grief with probability $1 – q$ or it can Wait and Reject at time $D – \delta$ with probability $q$. The expected payoff of $U_{i-1}$ for selecting $F$, denoted as $\mathbb{E}{U{i-1}}(F)$, is $\theta_i \left( -q o_{n-1}^{D-\delta,\alpha_{n-1}} + (1-q)(-o_{n-1}^{D,\alpha_{n-1}} – \eta_{n-1}^{\text{remain}(U_{n-1},U_n) – M}) + (1 – \theta_i) f(\alpha_{i-1}) \right)$ and expected payoff for selecting $NF$, denoted as $\mathbb{E}{U{i-1}}(NF)$, is $0$.

Since $\delta \to 0$, we consider $o_{n-1}^{D-\delta,\alpha_{n-1}} \approx o_{n-1}^{D,\alpha_{n-1}}$. If $\mathbb{E}{U{i-1}}(F) > \mathbb{E}{U{i-1}}(NF)$ then $U_{i-1}$’s best response is $F$ else it chooses $NF$. We derive that $U_{i-1}$ chooses $F$ if $\theta_i < \frac{\theta_i f(\alpha_{i-1})}{\theta_i f(\alpha_{i-1}) + f(\alpha_{i-1}) + (1-q) \eta_{n-1}^{\text{remain}(U_{n-1},U_n) – M}}$, else it chooses $NF$; corrupt $U_i$ can either choose Grief or Wait & Reject at time $D – \delta$; uncorrupt $U_i$ chooses Accept; is a perfect Bayesian equilibrium.

V. HASHED TIMELOCK CONTRACT WITH GRIEFING PENALTY OR HTLC-GP

The protocol Hashed Timelock Contract with Griefing Penalty or HTLC-GP [12] has been developed on top of HTLC. The concept of the griefing penalty is used in the protocol for countering the griefing attack. If the party grieves, it gets penalized, and the amount locked is distributed as compensation amongst the affected parties. The total penalty charged is proportional to the summation of the collateral locked in each off-chain contract instantiated on the channels routing payment. Collateral locked in an off-chain contract is the product of coins locked in the off-chain contract and timeout period.

HTLC-GP is a two-round protocol where the first round, or Cancellation round, involves locking of penalty. The round is initiated by the payee and proceeds in the reverse direction. The penalty locked by a party serves as a guarantee against a payment forwarded. The second round, or the Payment round, involves locking the payment value in off-chain contracts from payer to payee. We explain the protocol with the help of an example shown in Fig. 4. Alice wants to transfer $b$ units to Bob. Each party that forwards a payment must be guaranteed by its counterpart to receive compensation if there is an incidence of a griefing attack. The compensation charged must be proportional to the collateral locked in the path. We define this proportionality constant as the rate of griefing-penalty per unit time, denoted as $\gamma$. The first round termed as Cancellation round proceeds in the following way: Bob has to lock $\gamma bD_1 + \gamma bD_2 + \gamma bD$ coins for duration $D$. This amount is the cumulative penalty to be distributed among Alice, Dave and Charlie, if Bob grieves. After Charlie receives the cancellation contract, he locks $\gamma bD_1 + \gamma bD_2$ in the contract formed with Dave for $D_2$ units. The latter locks $\gamma bD_1$ coins in the contract formed with Alice for $D_1$ units of time. The second round, termed as Payment round proceeds similarly as in HTLC. Payment value $b$ is forwarded from Alice to Bob via the intermediaries. Since the least timeout period is $D$, one might question why Bob must take into account the lock time of the other contracts while locking penalty. If Bob locks $3\gamma bD$ coins, Charlie locks $2\gamma bD_2$ and Dave locks $\gamma bD_1$ as penalty, and Bob grieves, then Charlie keeps the compensation $\gamma bD$ and forwards $2\gamma bD$ to Dave. Dave is greedy and refuses to cancel the off-chain contract with Charlie. After elapsed of $D_2$, he goes on-chain and claims $2\gamma D_2$. Since $D_2 > D$, Charlie incurs a loss of $2\gamma b(D_2 – D)$. Thus, we account for the lock time of each contract while calculating compensation to prevent the loss of coins of uncorrupt parties.

Suppose Bob grieves. He has to pay a compensation of $\gamma bD_1 + \gamma bD_2 + \gamma bD$ units to Charlie, as per the terms of the contract. After $D$ expires, Charlie goes on-chain. He closes the channel, unlocks $b$ coins, and claims compensation. He requests Dave to cancel the off-chain contract, offering a compensation of $\gamma bD_1 + \gamma bD_2$. Dave cancels the contract off-chain, unlocks $b$ units from the contract, and claims the compensation from Charlie. If Charlie decides to grief, Dave can claim the compensation by going on-chain and closing the channel. Dave requests Alice to cancel the contract by offering a compensation of $\gamma bD_i$. Except for Bob, none of the parties lose coins. In the next section, we formulate a game model for grieving attacks in HTLC-GP and study its effectiveness.

VI. ANALYSIS OF GRIEVING ATTACK IN HTLC-GP

A. System Model

For payment of $\alpha$ from $S$ to $R$ via $(\kappa – 1)$ intermediaries, where $\kappa \in \mathbb{N}$, $\kappa \leq n$, we denote the cumulative compensation to be locked by $U_i$ if $U_{i-1}$ forwards $\alpha_{i-1}$ as $Z_{\alpha_{i-1},i} \in [1, \kappa]$ where $Z_{\alpha_{i-1},i} = Z_{\alpha_{i-2},i-1} + c_{\alpha_{i-1},i-1}$; $c_{\alpha_{i-1},i-1}$ is the compensation charged by node $U_{i-1}$ and $Z_{\alpha_{i-2},i-1} \in \mathbb{R}^+$ is used for compensating other nodes $U_j, j < i$. Note that $Z_{\alpha,\kappa} = 0, \forall \alpha \in \mathbb{R}^+, \alpha_{i-1} = \alpha$. $c_{\alpha_{i-1},i-1}$ charged by a node $U_{i-1}$, must be proportional to the collateral it has locked in the off-chain contract formed with node $U_i$ for timeout period $t_{i-1}, i \in [1, \kappa]$. $t_{i-1} = t_i + \Delta, t_{\kappa-1} = D$ and $c_{\alpha_{i-1},i-1} = \gamma \alpha_{i-1} t_{i-1}$, $\gamma$ being the rate of griefing-penalty per unit time. An off-chain contract between node $U_{i-1}$ and $U_i$ requires $U_{i-1}$ locking an $\alpha_{i-1}$ coins and $U_i$ must lock $Z_{\alpha_{i-1},i}$ coins. Here $Z_{\alpha,\kappa}$ denoted as $Z_{\alpha} = \sum_{i=0}^{\kappa-1} c_{\alpha,i}$ is locked by $U_k$ as guaranteed compensation against the amount locked by party $U_{i-1}$. Again, $U_{i-1}$ has locked $Z_{\alpha_{i-2},\kappa-1}$ with the contract formed with $U_{i-2}$ for time $t_{i-2}$.

Change in System Assumption: The assumptions taken here is same as in Section IV-A, except that the payment channel is considered to be dual-funded. This implies that in channel $id_{i-1,i}, i \in [1, \kappa]$, both the parties $U_{i-1}$ and $U_i$ lock coins i.e., $\text{locked}(U_{i-1}, U_i) > 0$ and $\text{locked}(U_i, U_{i-1}) > 0$.

B. Attacker Model

If a corrupt node routes a self-payment via maximum allowed path length $n$, then the recipient (i.e., $U_n$) has to lock extra coins as guarantee. Cost of the attack increases. However, the attacker does not increase the incentive offered per attack. Thus, $U_n$ is forced to distribute $\alpha$ coins between the cumulative penalty locked in the contract formed with $U_{n-1}$ and the amount to be forwarded for payment. This implies $\alpha$ is the summation of transaction value $v + \sum_{i=0}^{n-1} f(v_i)$ and the cumulative penalty $Z_v = \sum_{i=0}^{n-1} c_{v,i} = \gamma \sum_{j=0}^{n-1} v_j t_j$ where $v_j = v_0 – \sum_{i=1}^{j} t_i, j \in [0, n-1]$. Since $\sum_{i=1}^{n-1} f(v_i) << v$, we consider $v_0 + Z_v \approx v + Z_v = \alpha$, or, $v = \frac{\alpha – \gamma}{1+\gamma} \sum_{i=0}^{n-1} t_j$ executes a self-payment of $v$ coins.

C. Game Model

Given a payment is routed via a path of length $\kappa$ using HTLC-GP, $U_\kappa$ locks penalty in the contract formed with $U_{\kappa-1}$ in the first round locking phase. However, the former has the power to unlock the coins anytime by releasing the preimage of the cancellation hash. $U_{\kappa-1}$ will accept the contract if it thinks that the expected payoff upon forwarding the payment contract in the second round will be greater than the expected payoff on not forwarding the same. Only then it will lock the penalty in the off-chain contract with $U_{\kappa-2}$. This holds for any pair $U_{i-1}$ and $U_i$ in path $P$. If $U_{i-1}$ accepts to form a contract with $U_i$ in the first round of HTLC-GP, it implies that it will forward the conditional payment to $U_i$ in the second round as well. Thus we merge both the first and second round while studying the interaction between any two parties $U_{i-1}$ and $U_i$. We analyze the payoff assuming both parties lock their coins in a single off-chain contract instead of two separate contracts. We adapt the model $\Gamma_{HTLC}$ and propose the two-party game model $\Gamma_{HTLC-GP}$ for grieving attack in HTLC-GP. The extensive form of the game $\Gamma_{HTLC-GP}$ is shown in Fig. 5.

Preference Structure: When $U_{i-1}$ chooses not to forward, both $U_{i-1}$ and $U_i$ receives a payoff 0 since no off-chain contract got established, i.e., $u_{U_{i-1}}(\theta_b, NF, s_b) = u_{U_i}(\theta_b, NF, s_b) = 0, \theta_b \in \Theta_{U_i}$ and $s_b \in S_{U_i}$. We analyze the payoff of each case when $U_{i-1}$ chooses to forward:

A. If $N$ had chosen an uncorrupt $U_i$, then the payoffs are defined as follows:

(a) Instantaneous Response, i.e., $t \to 0$: Upon instant acceptance or rejection of payment, the payoffs are the same as that observed in $\Gamma_{HTLC}$.

(b) Delayed Response, i.e., $0 < t < t_i$: If $U_i$ waits and then accepts the payment after $t$ units then $w_{U_{i-1}}(uco, F, W & Ac) = f(\alpha_{i-1}) – d_{\alpha_{i-1}}$. $U_{i-1}$ has to keep $Z_{\alpha_{i-1},i}$ coins locked in the contract established in channel $id_{i-1,i}$. Thus, it faces loss not only due to delay in claiming $\alpha_{i-1}$ coins from $U_{i-1}$ but also due to unutilization of $Z_{\alpha_{i-1},i}$. The expected profit that could have been made using $\alpha_{i-1}$ and $Z_{\alpha_{i-1},i}$ within the next $t$ units is $O(r_{U_i}, t, \alpha_{i-1})$, also denoted…

as (o_i^{t_1,\alpha_i-1}), and (O(r_{U_i}, t, Z_{\alpha_i-1})), denoted as (o_i^{t_1, Z_{\alpha_i-1}}).

Thus, (u_{U_i}(uco, F, W & Ac) = \alpha_{i-1,1} – o_i^{t_1, \alpha_i-1} – o_i^{t_1, Z_{\alpha_i-1}}).

If (U_i) waits and then rejects the payment after (t) units then the payoff of (U_i) is (u_{U_i}(uco, F, W & Rt) = -o_i^{t_1, \alpha_i-1}) and payoff of (U_i) is (u_{U_i}(uco, F, W & Rt) = -o_i^{t_1, \alpha_i-1} – o_i^{t_1, Z_{\alpha_i-1}}).

Payoff (u_{U_i}(uco, F, Gr) = -(o_i^{t_1, \alpha_i-1} + o_i^{t_1, \text{remain}(1-U_i)} + M) + Z_{\alpha_i-1,1}).

(U_i) incurs loss of (Z_{\alpha_i-1,1}) coins to compensate (U_i). It fails to earn revenue due to non-utilization of (Z_{\alpha_i-1,1}) coins in channel (id_{\alpha_i-1}) for period (t_i-1). The additional losses suffered are due to inability to claim (\alpha_i) coins and using it within time (t_i-1) and failure in utilizing the residual capacity (\text{remain}(U_i, U_i)) for the next (T – (t_i-1 + t_{\text{contract initiate}} – t_{\text{initiate}})) units. Payoff of (U_i) is (u_{U_i}(uco, F, Gr) = -o_i^{t_1, \text{remain}(1-U_i)} – o_i^{t_1, \alpha_i-1} – o_i^{t_1, Z_{\alpha_i-1,1}} – Z_{\alpha_i-1,1}).

If (N) had chosen an corrupt node, then the payoffs are defined as follows:

(a) Instantaneous Response, i.e., (t \to 0): Upon instant acceptance or rejection of payment, the payoffs are the same as that observed in (\Gamma_{HTLC}).

(b) Delayed Response, i.e., (0 < t \leq D – \delta): If (U_n) waits and then accepts the payment after (t) units then payoff of (U_n) is (u_{U_n}(co, F, W & Ac) = f(v_{n-1}) – o_{n-1}).

The loss observed is due to delay in claiming of (v_{n-1}) as (U_n) delays in resolving payment. (U_n) keeps (v + Z_v \approx \alpha) coins locked for mounting the attack and receives a bribe (L). The value (\eta_i^{t,\alpha}) is the same as defined in Eq[5]. Upon accepting a self-payment of amount (v), the corrupt node ends up paying a processing fee to (n – 1) intermediaries. Thus, the payoff of (U_n) is (u_{U_n}(co, F, W & Ac) = -\sum_{i=1}^{n-1} f(u_i) + \eta_i^{t,\alpha}).

If (U_n) waits and then rejects the payment after (t) units, then the payoff of (U_n) is (u_{U_n}(co, F, W & Rt) = -o_{n-1}) and (u_{U_n}(co, F, W & Rt) = \eta_i^{t,\alpha}). When (t \approx D – \delta) where (\delta \to 0), (\eta_i^{t,\alpha}) attains the maximum value.

(c) (U_i) griefs: It gets an incentive (L) from the attacker, but at the same time loses (Z_v) in order to compensate the affected parties. (U_n) loses channel and the expected revenue due to coins remaining locked but gets the compensation (Z_v). Thus, the payoffs of (U_n) and (U_n) are (u_{U_n}(co, F, Gr) = -o_{n-1} – o_{n-1, \text{remain}(U_i-1, U_i)} – M + Z_v) and (u_{U_n}(co, F, Gr) = L – C – o_{n-1} – Z_v – o_{n-1, \text{remain}(U_i, U_i)} = \eta_i^{t,\alpha} – Z_v – o_{n-1, \text{remain}(U_i, U_i)}).

The expected payoff of (U_i) for selecting (F), denoted as (\bar{u}{U_i}(F)), is (\theta_i^{(D-i)^{D-\delta} – \delta – 1} + (1 – \theta_i) f(\alpha{i-1})), and expected payoff for selecting (NF), denoted as (\bar{u}_{U_i}(NF)), is (0).

Since (\delta \to 0), we consider (\bar{o}{n-1}^{D, \alpha{n-1}} \approx \bar{o}{n-1}^{D, v{n-1}}). If (\bar{u}{U_i}(F) > \bar{u}{U_i}(NF)), then (U_i) chooses (F) else it aborts.

We derive that (U_i) chooses (F) if (\theta_i < f(\alpha_{i-1}) + \eta_i^{t,\alpha}), else it chooses (NF); corrupt (U_i) chooses (Wait & Reject) at time (D – \delta); uncorrupt (U_i) chooses (Accept); is a perfect Bayesian equilibrium.

Comparing (\theta_i) for which (U_i) chooses (F) in (\Gamma_{HTLC}) and (\Gamma_{HTLC-\text{GP}}): Since (f(\alpha_{i-1}) + o_{n-1}^{D, \alpha_{n-1}} < o_{n-1}^{D, v_{n-1}} + f(\alpha_{i-1}) + (1 – q)(\alpha_{n-1} – o_{n-1, \text{remain}(U_i, U_i)} + M)), the cut-off of (\theta_i) for which (U_i) will choose to forward a payment is higher in (\Gamma_{HTLC-\text{GP}}) than in (\Gamma_{HTLC}) even if (q \to 0). The corrupt player has to invest some amount as penalty and as a consequence, the payment amount reduces from (\alpha_{i-1}) to (v_{n-1}). Additionally, the corrupt player chooses to cancel the payment with (U_n) off-chain just before elapse of locktime. This results in less risk compared to (\Gamma_{HTLC}).

D. Effectiveness of HTLC-GP

The analysis in Section VI-C2 shows that a rational corrupt node will cancel the payment off-chain just before the contract lock time elapsed i.e., at time (D – \delta), where (\delta \to 0). The corrupt node avoids paying any penalty but still manages to mount the attack. We cannot protect uncorrupt parties from griefing attacks unless we do not account for the intermediate delay in resolving payments. Since Bitcoin scripting language is not Turing-complete, we cannot have a single off-chain contract where we can define penalty as a function of time. There is no way to execute a transaction like this: If (t’) time units have elapsed, pay amount (p). If (t’ + 1) time units have elapsed, pay amount (p + \delta). CheckSequenceVerify [36] imposed on the first condition of elapse of (t’) time unit makes the transaction eligible for broadcasting on-chain after elapse of time (t’ + 1). This might lead to a race condition, and the victim might not receive proper compensation. Instead, it is desirable to construct (t’) off-chain contracts, each accounting for a delay after every (t’) interval. The timeout period of the (t’) contract is (i), (i \in [1, t’]). However, multiple off-chain contracts for a single payment reduce the network throughput. Additionally, it is risky to have off-chain contracts with a shorter timeout period as it will lead to the abrupt closure of the payment channel and compromise the security of the protocol [37]. We conjecture that it is impossible to design an efficient protocol that will penalize the attacker and compromise the victims of a griefing attack with the current Bitcoin scripting system.

Instead of focussing on the victims, we analyze the protocol from the attacker’s point of view. The latter has an objective of maximizing the damage by locking as much network liquidity possible for the given budget (E_{EX}). The attacker will continue to invest in the network if the return on investment is good enough. If the return on investment diminishes, the attacker will refrain from mounting the attack and instead prefer to invest in another activity. In (\Gamma_{HTLC-\text{GP}}), the introduction of penalty led to locking extra coins, increasing the cost of the attack. The attacker will be able to corrupt fewer nodes compared to HTLC. We define a metric, ( \text{capacity locked in a path routing payment} ), that indirectly determines the success rate of the attack [9], [10]. It is the summation of the coins locked in the off-chain contract instantiated on the channel forming the path. Ignoring the processing fee (negligible quantity), assuming all the payments executed are of value ( \alpha ) and the bribe offered per instance is ( I_l ), the attacker can corrupt ( \frac{B_{\text{EX}}}{L} ) nodes in the networks. We assume that for any node ( V \in V, E_{\text{FC}}(V) > E_{\text{U}}(\text{NF}) ). So each self-payment gets routed and reaches the payee.

Claim 1: Given the total budget of the attack is ( B_{\text{EX}} ), incentive per attack being ( L ), transaction value per payment being ( \alpha ), HTLC timeout period is ( D ), time taken to settle a transaction on-chain being ( \Delta ), ( n ) is the maximum allowed path length and a corrupt recipient rejects the payment at time ( t’ = D – \delta ), where ( \delta \to 0 ), the capacity locked upon using HTLC-GP is less than the capacity locked in HTLC, the loss percent being ( \frac{\gamma n(D + \frac{\Delta(n-2)}{6})}{1+\gamma n(D + \frac{\Delta(n-2)}{6})} ).

Proof: In HTLC, a given instance of attack locks ( (n – 1)\alpha ) coins in the path routing payment. The capacity locked in HTLC-GP, ( U_n ) executes self-payment of amount ( v ). It cancels the contract at time ( t’ = D – \delta ). Capacity locked is

[ B_{\text{EX}}(L)(n-1)\alpha – \sum_{i=1}^{n-1} \sum_{j=0}^{Z_{v,i}} B_{\text{EX}}(L) ]

In both the cases, we exclude the coins locked by the corrupt node while computing the unusable capacity and fee charged by the intermediate parties. Thus we substitute ( Z_{v,i} ) with ( Z_{v,i} ). We measure the difference in capacity locked to judge the effectiveness.

[ B_{\text{EX}}(L)(n-1)\alpha – (B_{\text{EX}}(L)(n-1)v + \frac{B_{\text{EX}}}{L} \sum_{i=1}^{n-1} Z_{v,i}) ]

[ = B_{\text{EX}}((n-1)\alpha – (n-1)v – \sum_{i=1}^{n-1} Z_{v,i}) ]

[ = B_{\text{EX}}((n-1)\alpha – (n-1)v – \gamma v \sum_{i=0}^{n-1} \sum_{j=0}^{t_j}) ]

Substituting ( v = \frac{\alpha}{1+\gamma(nD+\frac{\Delta(n-2)}{6})} ),

[ \gamma n(D + \frac{\Delta(n-2)}{6})n(n-1)\frac{B_{\text{EX}}}{L} (\frac{D}{2} + \frac{\Delta(n-2)}{6}) ]

[ = \frac{\gamma n(D + \frac{\Delta(n-2)}{6})n(n-1)\gamma n(D + \frac{\Delta(n-2)}{6})}{1+\gamma n(D + \frac{\Delta(n-2)}{6})} ]

The loss percent of capacity locked in HTLC and HTLC-GP and capacity locked in HTLC.

We observe that the loss percent ( \frac{\gamma n(D + \frac{\Delta(n-2)}{6})}{1+\gamma n(D + \frac{\Delta(n-2)}{6})} ) is dependent on ( \gamma ). If ( \gamma ) is too low, the loss percent is not substantial and the attacker can still consider stalling the network. Hence the payment protocol HTLC-GP is weakly effective in disincentivizing the attacker.

VII. SIMULATING THE GAME MODEL FOR GRIEFING ATTACK IN HTLC AND HTLC-GP

A. Dataset and Parameters

Simulation of sequential Bayesian games: The first part analyzes the payoff of each party involved in the games ( \Gamma_{\text{HTLC}} ) and ( \Gamma_{\text{HTLC-GP}} ). We simulate the games ( \Gamma_{\text{HTLC}} ) and, ( \Gamma_{\text{HTLC-GP}} ) respectively, and estimate the payoff of ( U_{n-1} ) and ( U_n ). We consider a Poisson distribution for the arrival of transaction in a given channel [32]. The rate of arrival of the transaction is varied between 1 and 4 for the next 10 blocks. The path length is set 20 and ( D = 100 ). The transaction amount is varied between 15000 satoshis to 60000 satoshis. The mining fee for closing a channel is 0.000000154 BTC/tx( q ) is set to 0.7. If the coins remaining unutilized are ( C ), the party tries to estimate the fee earned in the future had it utilized the coins. We set ( \text{per tx val} \to 1000 ) satoshis, thus a party will earn by processing ( \frac{C}{1000} ) transactions.

B. Observations

We discuss our observation in this section:

(HTLC): For transaction value ranging 15000 – 60000 (in satoshis) and rate of arrival of transaction fixed to 10 within 10 blocks, the plots in Fig. 7(a) and 7(b) shows the expected payoff of ( U_{n-1} ) and expected payoff of ( U_n ) varying with the belief ( \theta ). ( U_{n-1} )’s payoff decreases with increase in ( \theta ). Payoff of ( U_n ) remains more or less constant for a fixed transaction amount, but increases with increase in the transaction amount. For ( \theta \geq 0.25 ), ( U_{n-1} ) acts cautious and chooses not forward, as forwarding will lead to negative payoff. Both ( U_{n-1} )’s and ( U_n )’s payoff drops to 0 from this point onwards.

In Fig. 7(c) and 7(d), the rate of arrival of transaction is varied between 1 and 4 within a period of 10 blocks and transaction amount is 15000 satoshis. We observe that for ( \theta < 0.025 ), payoff of ( U_{n-1} ) and ( U_n ) remains positive and invariant.

(HTLC-GP): The plots in Fig. 7(a) and 7(b) shows that for ( \theta \geq 0.1 ), ( U_{n-1} ) acts cautious and chooses not forward for transaction varying between 30000 satoshi and 60000 satoshis. For transaction amount 15000, expected payoff of ( U_{n-1} ) and ( U_n ) remains positive till ( \theta < 0.7 ).

\footnote{It may not be always possible for a corrupt node to find a path of maximum allowed length for mounting the attack. In that case, the attacker might ask the corrupt node to get the longest feasible path for routing payment. In our analysis, we consider the worst-case scenario where the corrupt node is able to route all its transaction via paths of length ( n ).}

\footnote{We have considered the data for mining fee observed for one particular channel closure \url{https://blockstream.info/x/0G47LCd7f27a883d4a450580209049fa12B92d7379244147b5cd523857275D01}, the mining fee can vary as observed for various closed channels in \url{https://1ml.com/channel?order=closedchannels}.}

In Fig. 7(c) and 7(d), given the rate of arrival of transaction is 1, $U_{n-1}$ chooses to forward till $\theta \leq 0.2$. When the rate of arrival of transaction is 2, $U_{n-1}$ chooses to forward till $\theta \leq 0.7$ and when rate of arrival is 4, $\theta \leq 0.9$.

C. Discussion of Results

Expected Payoff in $\Gamma_{HTLC}$ and $\Gamma_{HTLC-GP}$:

Transaction amount is varied: We see that expected payoff of $U_{n-1}$ in $\Gamma_{HTLC-GP}$ remains positive for a higher value of $\theta$ compared to $\Gamma_{HTLC}$. The reason being that in the first game, $U_n$ can choose not to respond, forcing $U_{n-1}$ to go on-chain and close the channel. Since the mining fee for closing the channel is quite high, the stakes are higher. Thus $U_{n-1}$ tends to stop forwarding payment for $\theta$ as low as 0.025. In the second game, $U_n$ will always resolve the payment just

Useful information for enthusiasts:

[1]YouTube Channel CryptoDeepTech
[2]Telegram Channel CryptoDeepTech
[3]GitHub Repositories CryptoDeepTools
[4]Telegram: ExploitDarlenePRO
[5]YouTube Channel ExploitDarlenePRO
[6]GitHub Repositories Keyhunters
[7]Telegram: Bitcoin ChatGPT
[8]YouTube Channel BitcoinChatGPT
[9] Bitcoin Core Wallet Vulnerability
[10] BTC PAYS DOCKEYHUNT
[11] DOCKEYHUNT
[12]Telegram: DocKeyHunt
[13]ExploitDarlenePRO.com
[14]DUST ATTACK
[15]Vulnerable Bitcoin Wallets
[16] ATTACKSAFE SOFTWARE
[17] LATTICE ATTACK
[18] RangeNonce
[19] BitcoinWhosWho
[20] Bitcoin Wallet by Coinbin
[21] POLYNONCE ATTACK
[22] Cold Wallet Vulnerability
[23] Trezor Hardware Wallet Vulnerability
[24] Exodus Wallet Vulnerability
[25] BITCOIN DOCKEYHUNT

Contact me via Telegram: @ExploitDarlenePRO