Recently, Jersey B asked on Telegram about a possible attack vector against AtomicDEX. Our team looked into it, and it turned out to be an interesting question that generated some discussion.
Mad HTLC
Here is a presentation describing the issue.
Our Conclusion
I will summarize the thoughts and responses from our team as I now understand them. I’ll also expand on it a bit and try to make it easy to understand for everyone. Here we go!
- For anyone wondering, ‘HTLC’ means “Hashed Timelock Contract.” HTLCs are used in the atomic swap process. An HTLC reduces counterparty risk by creating a time-based escrow that requires a cryptographic passphrase for unlocking.
- The linked videos/PDF describe an attack vector against HTLC contracts. The key to understanding it is that it requires coordination with miners. Generally, any chain with a low hash rate is vulnerable to all kinds of attacks.
- For Bitcoin or other chains with high hash rates, coordinating such attacks would be extremely hard/impossible.
- It is worth adding that KMD uses dPoW and also relies on elected notary nodes for mining, so executing such attacks is harder than on an average chain.
- We think the attack is quite theoretical and might not be practical against real blockchain networks. We will have to dig into it a bit more, and we could even try it with a low hash-rate test chain.
- If our team finds evidence that this could be exploited against real blockchain networks, we will find a solution to mitigate the attack vector.
- Our team noted the info and will stay on top of it!
I would also like to add that in AtomicDEX, we don’t centralize the funds anywhere, as the users themselves control the funds at all times. Thus, there’s no way to do a rug pull or steal all the funds, as we hear happens with the DEX and bridge solutions that rely on AMM-based DEXs. If someone manages to use an attack vector such as the one described in the video, they can only do it against a single user/trade, not against everyone’s funds sitting in an AtomicDEX wallet.
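
To make the HTLC mechanics from the first bullet concrete, here is an added Python sketch (not AtomicDEX code and not part of the original post) of the two ways an HTLC escrow can be spent: by revealing the secret, or by refund once the timelock has expired. The class, the party names, the SHA-256 hashlock and the block-height timelock are illustrative assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class HTLC:
    """Toy model of a hashed timelock contract; all names are illustrative."""
    amount: int
    secret_hash: bytes        # SHA-256 digest of the swap secret (assumed hash)
    recipient: str            # may spend by revealing the secret
    sender: str               # may take the funds back once the timelock expires
    timeout_height: int       # first block height at which a refund is valid
    spent_by: Optional[str] = None

    def redeem(self, who: str, preimage: bytes) -> bool:
        """Hashlock path: the recipient unlocks by revealing the secret."""
        digest = hashlib.sha256(preimage).digest()
        ok = (self.spent_by is None and who == self.recipient
              and hmac.compare_digest(digest, self.secret_hash))
        if ok:
            self.spent_by = who
        return ok

    def refund(self, who: str, height: int) -> bool:
        """Timelock path: the sender reclaims, but only from timeout_height on."""
        ok = (self.spent_by is None and who == self.sender
              and height >= self.timeout_height)
        if ok:
            self.spent_by = who
        return ok

def demo() -> dict:
    """Run both outcomes on constructed sample values."""
    secret = b"constructed-sample-secret"
    lock = hashlib.sha256(secret).digest()
    results = {}
    swap = HTLC(10, lock, "bob", "alice", timeout_height=100)
    results["wrong_secret"] = swap.redeem("bob", b"guess")
    results["early_refund"] = swap.refund("alice", height=99)
    results["redeem"] = swap.redeem("bob", secret)
    results["refund_after_redeem"] = swap.refund("alice", height=100)
    stalled = HTLC(10, lock, "bob", "alice", timeout_height=100)
    results["refund_after_timeout"] = stalled.refund("alice", height=100)
    return results

if __name__ == "__main__":
    print(demo())
```

Each escrow holds one trade's funds and can be spent exactly once, which matches the point above that a problem with one contract affects a single user/trade.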