I've seen a lot of methods hard-forked chains use to provide both strong and opt-in replay protection so that transactions are only valid on one of the chains. Examples of such rules include using a transaction-invalidating output and using a specific OP_RETURN string.
My question is why any of these mechanisms are necessary to protect a holder from a replay attack. More specifically, why can't a person who holds coins pre-fork protect themselves simply by spending a pair of coin-splitting transactions, one on each chain, like this:
1. Alice has sole knowledge of the private key needed to spend UTXO_A, which is valued at 1 "LegacyCoin" before the hard fork.
2. A hard fork creates a new coin called "NewCoin" based on the blockchain history of LegacyCoin.
3. UTXO_A now contains 1 LegacyCoin according to the LegacyCoin network and 1 NewCoin according to the NewCoin network, because that's how hard forks work.
4. Alice creates and signs two transactions: one that spends A to B and one that spends A to C (Alice also has sole knowledge of the private keys for both B and C).
5. Alice then simultaneously broadcasts these signed transactions on the two networks: broadcasting the transaction A->B only on the LegacyCoin network and the transaction A->C only on the NewCoin network.
6. Both transactions get confirmed on their respective networks, and now Alice has effectively split the original value of UTXO_A into the two blockchains in the complete absence of any replay protection mechanisms implemented by NewCoin. The coins can now be considered split because even if she spends B, no one else can spend C (and vice versa), because they are different UTXOs and require different signatures to spend. Also, obviously no one can spend A because it is already spent on both chains.
Why is the statement in step 5 not true? Where does this logic break down, requiring an actual replay protection mechanism to be implemented by hard-forked chains?
So to clarify, you're saying the process breaks down at step 4: Alice may not have the ability to choose that the transactions get broadcast on separate networks, because they might not actually be separate networks, and even if they are, there's still a chance someone can intercept one of her transactions and replay it on the "other" network anyway without Alice's knowledge or permission? – RBF06 – 2017-10-10T03:35:45.613
Yes. That is why it is called a "transaction replay attack"; your transaction is being replayed onto another network possibly without you knowing at all. – Andrew Chow – 2017-10-10T03:36:52.593
Right. I know it's possible to defeat this method of replay protection but wouldn't the replay event be unlikely to happen unless there was economic incentive for someone to do it (which presumably wouldn't exist bc Alice still controls private keys to both B and C)? – RBF06 – 2017-10-10T03:41:08.677
It's a more general reason for having replay protection. Those who don't know how to do this sort of splitting will end up having their normal transactions replayed either accidentally or possibly by the person receiving the transaction who wishes to gain coins on the other chain. – Andrew Chow – 2017-10-10T04:18:53.693
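The following Python model walks through the splitting procedure from the question and the objection raised in the comments. It is an added example, not code from the question, the answer, or any of the commenters. Assumptions: a textbook RSA toy with tiny primes (constructed and trivially breakable) stands in for the real signature scheme; "strong replay protection" is modelled as the NewCoin rules requiring the signed data to include a chain tag, which is a simplification standing in for the mechanisms the question lists (transaction-invalidating output, OP_RETURN string) and serves the same purpose; the names A, B, C, LegacyCoin and NewCoin follow the question. Both chains apply identical validation rules except for that tag, which is exactly why an unprotected transaction is equally valid on either.

```python
import hashlib
from dataclasses import dataclass

# Toy signature scheme: textbook RSA with small primes. Constructed for this
# illustration only; it stands in for ECDSA so that the only thing that
# matters is WHAT data the signature commits to.
def keypair(p: int, q: int, e: int = 17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def digest(chain_tag: str, message: str, n: int) -> int:
    # The chain tag is mixed into the signed data. "" means the signature
    # says nothing about which chain it was meant for (no replay protection).
    return int(hashlib.sha256(f"{chain_tag}|{message}".encode()).hexdigest(), 16) % n

def sign(priv, chain_tag: str, message: str) -> int:
    n, d = priv
    return pow(digest(chain_tag, message, n), d, n)

def verify(pub, chain_tag: str, message: str, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(chain_tag, message, n)

def tx_message(spends: str, creates: str, new_owner) -> str:
    return f"{spends}->{creates}:{new_owner}"

@dataclass(frozen=True)
class Tx:
    spends: str        # name of the UTXO being consumed
    creates: str       # name of the UTXO being created
    new_owner: tuple   # public key that controls the new UTXO
    sig: int           # owner's signature over tx_message(...)

@dataclass
class Chain:
    name: str
    chain_tag: str     # "" = no replay protection; a tag = signatures must commit to this chain
    utxos: dict        # UTXO name -> owner public key

    def apply(self, tx: Tx) -> bool:
        """Validate and confirm tx. Same rules on both chains except chain_tag."""
        owner = self.utxos.get(tx.spends)
        msg = tx_message(tx.spends, tx.creates, tx.new_owner)
        if owner is None or not verify(owner, self.chain_tag, msg, tx.sig):
            return False
        del self.utxos[tx.spends]
        self.utxos[tx.creates] = tx.new_owner
        return True

def make_tx(spends, creates, new_owner, chain_tag, priv) -> Tx:
    return Tx(spends, creates, new_owner,
              sign(priv, chain_tag, tx_message(spends, creates, new_owner)))

def fork(protected: bool):
    """Steps 1-3: Alice owns UTXO_A; the fork copies the UTXO set to NewCoin."""
    alice_pub, alice_priv = keypair(10007, 10009)   # constructed keys
    b_pub, _ = keypair(10037, 10039)
    c_pub, _ = keypair(10009, 10037)
    pre_fork = {"A": alice_pub}
    legacy = Chain("LegacyCoin", "", dict(pre_fork))
    newcoin = Chain("NewCoin", "NewCoin" if protected else "", dict(pre_fork))
    return legacy, newcoin, alice_priv, b_pub, c_pub

def split_as_planned(protected: bool):
    """Steps 4-6 exactly as written: each tx reaches only its intended chain."""
    legacy, newcoin, alice_priv, b_pub, c_pub = fork(protected)
    tx_ab = make_tx("A", "B", b_pub, legacy.chain_tag, alice_priv)
    tx_ac = make_tx("A", "C", c_pub, newcoin.chain_tag, alice_priv)
    return legacy.apply(tx_ab), newcoin.apply(tx_ac)

def split_with_replay(protected: bool) -> dict:
    """Same plan, but a relay node (or the payee) forwards tx_ab to NewCoin first."""
    legacy, newcoin, alice_priv, b_pub, c_pub = fork(protected)
    tx_ab = make_tx("A", "B", b_pub, legacy.chain_tag, alice_priv)
    tx_ac = make_tx("A", "C", c_pub, newcoin.chain_tag, alice_priv)
    out = {"ab_on_legacy": legacy.apply(tx_ab)}
    out["ab_replayed_on_newcoin"] = newcoin.apply(tx_ab)   # nothing in tx_ab says "LegacyCoin only"
    out["ac_on_newcoin"] = newcoin.apply(tx_ac)            # Alice's intended NewCoin spend
    out["newcoin_utxos"] = sorted(newcoin.utxos)
    return out

if __name__ == "__main__":
    for protected in (False, True):
        print("replay protection:", protected)
        print("  no replay  :", split_as_planned(protected))
        print("  with replay:", split_with_replay(protected))
```

Without the chain tag, the happy path of steps 4 to 6 works, but the replayed A->B is accepted on NewCoin and Alice's A->C is then rejected as a double spend; the NewCoin side ends up at B whether or not Alice wanted that. In the question's scenario she still holds B's key, which is the point made in the third comment, but for an ordinary payment where B belongs to the payee, the payee also receives the NewCoin, which is the case the last comment describes. With the tag, the replay fails signature validation on NewCoin and A->C confirms as intended.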