On Mon, Oct 16, 2023 at 7:21 PM Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: > I think if you want people to understand this exploit, you need to explain in > more detail how we have a situation where two different parties can spend the > same HTLC txout, without the first party having the right to spend it via > their knowledge of the HTLC-preimage.
The two main ways of spending an "offered" HTLC txout: 1) With a presigned multisig covenant transaction paying to the offerer (a.k.a HTLC-timeout transaction) 2) With a preimage and the receiver's signature Since option 1 uses a presigned covenant held by the offerer, only the offerer can spend via that path. Since option 2 requires the receiver's signature, only the receiver can spend via that path. The exact script used is here: https://github.com/lightning/bolts/blob/master/03-transactions.md#offered-htlc-outputs. _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev