XT took a step forward by sharing information on the network about the existence of conflicting spends.
The random drop policy goes in the opposite direction, by adding to uncertainty that ANY particular transaction will be mined, no matter how early it is sent, no matter how high a fee it pays -- we've made it more likely that a double-spend will be mined without the miner even knowing.
Consensus is the accomplishment of the blockchain. The network should try to converge on it.
We're talking about resource-limited nodes here. We can't pretend that we've somehow accidentally created a massive distributed mempool that will hold N*M transactions and get them all mined.
We need to think about the usability of this money. Languishing transactions are a major problem for bitcoin users and they deserve a way to address that problem without having to defeat their own wallet.
The random drop policy goes in the opposite direction, by adding to uncertainty that ANY particular transaction will be mined, no matter how early it is sent, no matter how high a fee it pays -- we've made it more likely that a double-spend will be mined without the miner even knowing.
I don't think the network can stop an "attacker" who wants to pay higher fees than everybody else. The incentive for such an attacker to go directly to miners is too great.
I don't think the network can stop an "attacker" who wants to pay higher fees than everybody else. The incentive for such an attacker to go directly to miners is too great.
I don't think the network can stop an "attacker" who wants to pay higher fees than everybody else. The incentive for such an attacker to go directly to miners is too great.
To me this is like saying
"Any attacker can always pay miners to just shut Bitcoin down. Therefore we may as well make it easy for them to do so."
With a feerate mempool-limit policy, if things get tight, the user knows how to deal with the problem -- pay more fees.
It sounds like the alternative we are talking about is graceful service degradation for everybody. That is the choice.
Even if miners don't, there will be quite a few different mining nodes out there, so the probability that a high-fee tx will get evicted and stay evicted from most of the major pools is small.
As you say, a fullnode plays a limited role. The most important decision it makes is whether to add/relay a tx when it first sees it.
In times of high use, the fee-sorted mempool makes this decision using what can be considered a node-local minimum relay fee that adjusts in real time (unlike core, which pegs this fee with a half life, for unconvincing reasons).
By contrast, Gavin's emergency solution, which you are using, draws a line at the 2-block fee, which I think in all the attacks so far, is generally much higher than the lowest-fee tx in the mempool.
Below the 2-block level, the new tx is rejected, and not relayed. The selection of the ejected tx is not nearly as important as the fact that, as soon as the mempool fills up, the minimum relay fee shoots directly up to the 2-block level. *The attacker can do this without offering fees that high himself.*
To fix this, you need to sort the mempool. After you do that, I suppose we could still evict randomly, but weighting by the "largest" heuristic is much inferior to weighing by feerate. Low-feerate txes are the ones that clog things up the most.
In fact, a simple way to implement that would be to use PR 90 and pick a random offset into the feerate index, instead of evicting the last one.
By contrast, Gavin's emergency solution, which you are using, draws a line at the 2-block fee, which I think in all the attacks so far, is generally much higher than the lowest-fee tx in the mempool.
else if ((int64_t)pool.size() < nMaxPoolTx) { pool.addUnchecked(hash, entry, !IsInitialBlockDownload()); } else { // Mempool full... static int64_t lastEstimate = 0; // Only call estimateFee every 10 minutes static CFeeRate highFee; if (entry.GetTime()-lastEstimate > 600) { lastEstimate = entry.GetTime(); highFee = pool.estimateFee(2); } if (dPriority < AllowFreeThreshold() && CFeeRate(nFees, nSize) < highFee) { // Low-priority, low-fee: dropped immediately LogPrint("mempool", "mempool full, dropped %s\n", hash.ToString()); SyncWithWallets(tx, NULL, false); // Let wallet know it exists return false; } // High enough priority/fee: add to pool, we'll evict somebody below pool.addUnchecked(hash, entry, !IsInitialBlockDownload()); }
Below the 2-block level, the new tx is rejected, and not relayed. The selection of the ejected tx is not nearly as important as the fact that, as soon as the mempool fills up, the minimum relay fee shoots directly up to the 2-block level. *The attacker can do this without offering fees that high himself.*
... I suppose we could still evict randomly, but weighting by the "largest" heuristic is much inferior to weighing by feerate. Low-feerate txes are the ones that clog things up the most.
Well, pushing up the price of blockspace is not really shutting the system down. But I rush to add, higher prices for blockspace are NOT some great thing.
This is node policy, not mining policy -- we're trying to keep an accurate copy of ledger changes that need to be made; we're not trying to maximize someminer's profit.
expectedByteStay [= sizeBytes * expectedBlocksToConfirm(feeRate)]
This quantity only depends on the confirmation time implied by the fee rate, not the rate itself. Using it would isolate the node's actions from being unduly influenced by transactions that pay the miner exorbitantly but don't leave the mempool any quicker than other txes with a 1-block fee.
Something I really dislike about the random approach is that at the limit, a dumb spam flood will totally wreak havoc -- each incoming transaction will generally cause one random transaction to be evicted.
Well, pushing up the price of blockspace is not really shutting the system down. But I rush to add, higher prices for blockspace are NOT some great thing.
--
You received this message because you are subscribed to the Google Groups "bitcoin-xt" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoin-xt+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Something I really dislike about the random approach is that at the limit, a dumb spam flood will totally wreak havoc -- each incoming transaction will generally cause one random transaction to be evicted.
It won't cause havoc because the random tx that gets evicted will, with overwhelming probability, be a DoS transaction. And nobody cares if those get evicted: by definition. If someone cared (other than the attacker) then it wouldn't be a DoS tx.
This is the key point and I'm uncertain why we're unable to reach agreement on it. Random eviction yields ideal results practically all the time assuming a mempool that's much larger than the block size (actual not limit).
expectedByteStay [= sizeBytes * expectedBlocksToConfirm(feeRate)]
This quantity only depends on the confirmation time implied by the fee rate, not the rate itself. Using it would isolate the node's actions from being unduly influenced by transactions that pay the miner exorbitantly but don't leave the mempool any quicker than other txes with a 1-block fee.
Right, the fee estimator code calculates that.
Now, if you a normal human and don't know the finer points of statistics you might think that the repetitive ejecting makes things worse.
With a sorted mempool, a dumb spam flood first evicts all the transactions that pay less than the spam, then the spam itself starts getting rejected as soon as it's added. The rest of the pool is untouched.This scenario means its much more predictable what will happen. Because all pools do the same thing. All you need to do is make spam of higher fee and you are guaranteed to eject valid transactions. Most of them. On all nodes. How is that better?
Look at the transaction confidence services (mycelium, blochcypher, etc.). They monitor how well-propagated a transaction is. We've made those services work better by presenting them with hard evidence of double-spends. Let's not allow a spammer to break them by getting his spam relayed all over the place and making all XT nodes have wildly different mempools.
Making the transactions get forgotten by the network is a big deal.
The selection of the ejected tx is not nearly as important as the decision to relay it.
Bitcoin is unique among internet protocols in its ability to impose a direct monetary cost on spam, as a way of controlling it. This should be leveraged to the absolute fullest extent possible. We should not shy away from it. It's the ultimate dog food.
The moment we try to reserve space for anything other than those who use the system itself to buy space within it, we have all the same anti-DoS problems as any other network. Few know more about those other problems than you do.
Since miners are encouraged to have an unlimited mempool, this is very useful.