Coinbase outputs as Transaction outputs

Exactly, the coinbase maturity rule ensures that in typical reorgs (let’s say the non Nation State reorgs) only the user being double spent is effected (and also, for sure, the miners that mined the block(s) before are effected too as they lose their coinbase reward(s))

I was thinking about miners including it in a block before as well, but I couldn’t see it work out because you can’t know which miner is going to mine a block. I hope I’m wrong but the only way I was able to see it was if miners create multiple coinbase outputs (I think the code allows for this iirc). But this creates an anonymity set that is entirely separate (due to coinbase labels) so the users can’t benefit from the miner output and the miner can’t benefit from the users. It wouldn’t be possible to know which coinbase UTXO holds the grins though. So if a miner creates N coinbase outputs, they have created 1/N amount blinding set (it’s not really anonymity set because we know they have the same owner).

[EDIT] Ignore the comment below. The re-org history is completely up to the attacker and doesn’t allow for any spenders to change their mind unless they are colluding with the attacker.

It cannot ensure that. Anyone whose spending tx got reorged can opportunistically try to doublespend it, e.g. with a much higher fee to make it preferable over the old spend.

1 Like

It cannot; as the balanced value requirement means that one of the inputs must supply the 60 Grin reward?! An unbalanced tx would not get relayed or make it onto mempools.

I don’t understand your thought here as I understand of it that the person being double spent can himself proceed to double spend in the process : “anyone whose spending tx got reorged can (…) try to double spend it”.

Historically attackers only attack one transaction, which makes perfect sense financially speaking to not harm unnecessarily the value of the blockchain.

Miner could replace an existing input with a smaller input removing those 60 grin though?
I guess that input needs to actually exist though.
Again, not fully thought through and likely does not work.

That only works if said input belongs to the miner, so they know its blinding factor and can adjust the kernel appropriately.

So are we saying the primary (sole?) benefit of coinbase maturity is to minimize collateral damage incurred during a 51% attack?
The attack may be focused on a single transaction but its all the other transactions, descended from subsequent coinbase being reorg’d away that coinbase maturity prevents?

(Edited last sentence to make it more clear - subsequent coinbase may be “undone” but maturity rule prevents this from affecting potentially many descendent txs).

Also the damage incurred in an accidental chain split due to a consensus bug and the resulting orphaning of one branch when fixed.

Both very rare events.

It does not prevent subsequent coinbase outputs being effected. All coinbase outputs inside the blocks being reorged are effected in the sense that they will not exist anymore once the reorg is completed. Coinbase maturity prevents coinbase outputs being spent too soon (100 blocks in bitcoin), which in turn prevents by definition child transactions being created from them too soon (100 blocks need to be appended to the blockchain before you can spend the coinbase output, in other words before you can do any child transaction from them).

I guess the question is are these rare enough to consider implementing what is going to be a potentially contentious change like this.
And if the incentives change by removing the maturity rule then are these potentially less rare?

They are rare but they happened on a non negligible number of mid-cap altcoins. And a consensus bug happened in bitcoin. Which essentially means that it’s not rare.

1 Like

I think the risk is very much bearable. In the event of a reorg, whatever the cause may be, the absolute worst case scenario is an unnecessary collateral damage of ~16 grin hours (1000 blocks). As time passes it becomes a very small share of overall network value.
Besides, It’s more likely that a reorg would result in 0 damage that a maturity rule could have prevented.

Might be worth pointing out that the 51% attacks on Grin might be a bit different than in say Bitcoin due to OWAS. If the attacker attacks by being online but avoids showing his blocks, then they can skip their own transaction in block inclusion and replace it with some other with which they move the money and thus protect themselves from a replay of tx. If they mine offline, they would need to find in which block their transaction was included and then subtract their transaction from the block transaction. It might be much simpler (though worse incentives) to just include their own transaction in the block and be done with it (which is a way worse attack, even worse than what the maturity rule protects against)

What about the normal, occasional, non-malicious reorgs? Are these ever more than 1 block?

You might see an occasional 2 block reorg, but MUCH fewer than 1 block ones. I don’t know of anyone keeping track of these. Probabilities go down exponentially. A 10-deep reorg would only result from an attack or a network partition.

I will once again remind everyone of the bitcoin 0.7 => 0.8 upgrade as an example of why eliminating the coinbase maturity rule is risky. If there was no coinbase maturity rule, that accidental 24 block fork could’ve been much worse.

That’s not to say that I am against eliminating coinbase outputs, but I think it’s important to understand the full implications.

https://freedom-to-tinker.com/2015/07/28/analyzing-the-2013-bitcoin-fork-centralized-decision-making-saved-the-day/

5 Likes

I’m going to suggest a potentially unpopular approach -

  1. Leave coinbase outputs and kernels in place for HF4 (final scheduled HF)
  2. Leave the option open in the future to simplify these through a future (as yet undetermined) HF

We know how coinbase outputs work and we know the validation rules for these are in place and correct.

There is still some level of uncertainty around exactly how this proposed simplification affects miner incentives and double-spend incentives. I would hate to push a potentially contentious change out like this in our final scheduled hardfork and then subsequently discover we need to change the consensus rules back to something similar to what we have today (via an unscheduled hardfork).

My understanding is we do have consensus in the community around supporting “duplicate outputs” and I propose we focus on investigating and ideally implementing the changes required to get this rule change in for HF4, leaving coinbase outputs as they currently stand today. There are some edge cases to think through around the interaction between spending duplicate outputs and coinbase maturity rules andI propose we tackle these with the assumption that coinbase outputs will remain.

I’d love to hear arguments for why people do think we should tackle “coinbase outputs as transaction outputs” now in advance of HF4.

5 Likes

While I find the “no coinbase outputs” idea tempting, as you said, there are a few uncertainties right now unfortunately. I agree it shouldn’t be rushed and the approach you suggest makes more sense. Hopefully, we make a decision on how the hard forks will look like post HF4 and revisit it later.

1 Like