Skip to content

Instantly share code, notes, and snippets.

@phyro
Last active May 8, 2021 21:07
Show Gist options
  • Save phyro/6a3ba09f4a3fb29786c760f0172c7faf to your computer and use it in GitHub Desktop.
Save phyro/6a3ba09f4a3fb29786c760f0172c7faf to your computer and use it in GitHub Desktop.
Grin donations

Donations on Grin

Suppose Alice wants to send Bob a donation of 5 coins and wants to avoid doing the regular 3 steps. Let's assume Alice has an input with 10 coins.

Alice produces the following transaction T1:

inputs = [10*H + r1*G]
outputs = [5*H + r2*G]
kernels = []
offset = r2-r1

This transaction is invalid because the amounts don't balance out. Notice that there is no kernel at all. Alice then sends T1 to Bob who then adds a kernel and the output:

inputs = [10*H + r1*G]
outputs = [
  5*H + r2*G,
  5-fee*H + r3*G
]
kernels = [K]
offset = y

So Alice creates a random kernel and adjusts the offset to account for this random kernel and r3. The fact that Alice sends r2-r1 is insecure because Bob could revert the transaction, however, if the transaction is reversed, then Alice profits and Bob gets his money taken away, which is why Bob constructs the kernel to protect himself. The downside is that there is no payment proof.

@tromp
Copy link

tromp commented Feb 15, 2021

Looks ok. Bob cannot change the value distribution between his and Alice's change output, because the latter is fixed by Alice's range proof.

@antiochp
Copy link

This is effectively the same idea as a single coinswap partial transaction.
The excess between input and output is revealed as the offset.
Bob can fill the gap in and claim the funds.

@phyro
Copy link
Author

phyro commented Feb 15, 2021

@antiochp yes indeed, it's the same basic idea underneath. It's almost a framework where you share the private excess of outputs - inputs and then show why the "undo attack" should not hurt.
In the case of coinswaps, it doesn't hurt because it is a self-spend, in this case, it doesn't hurt because Alice gets money back and Bob gets his money taken away, so the incentive is that Bob provides a kernel to protect himself.

@antiochp
Copy link

Lack of payment proof makes this tricky I guess.
If only there were a way to require Bob to produce a payment proof alongside the kernel confirming receipt of funds in a case like this.

@phyro
Copy link
Author

phyro commented Feb 16, 2021

yeah, if we found a way, then this would effectively be a 2-step transaction

@phyro
Copy link
Author

phyro commented May 8, 2021

Pasting here since it may be relevant to this conversation as well.
https://gist.github.com/phyro/c1884c6db1e7c885255b4fa19e18aa07

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment