In Network and Distributed System Security (NDSS'23), 2023.
Hashed Time-Locked Contracts (HTLCs) are a widely used primitive in blockchain systems. Unfortunately, HTLC is incentive-incompatible and is vulnerable to bribery attacks. MAD-HTLC (Oakland'21) is an elegant solution aiming to address the incentive incompatibility of HTLC.
In this paper, we show that MAD-HTLC is also incentive-incompatible. The crux of the issue is that MAD-HTLC only considers passively rational miners. We argue that such a model fails to capture actively rational behaviors. We demonstrate the importance of taking actively rational behaviors into account by showing three novel reverse-bribery attacks against MAD-HTLC that can be implemented using Trusted Execution Environments (TEEs) or zero-knowledge proofs (ZKPs). We further show that reverse bribery can be combined with the original delaying attacks to render MAD-HTLC insecure regardless of the relationship between collateral and deposit. Based on the lessons from our attacks, we devise a new smart contract specification, He-HTLC, which is lightweight and inert to incentive-manipulation attacks. To the best of our knowledge, He-HTLC is the first specification to meet the HTLC specification even in the presence of actively rational miners.