If one of the participants withdraws or fails to sign the final transaction, does that effectively abort the entire coinjoin round and require reconstructing a brand new collaborative transaction from scratch?
This is one of my favorite bitcoin transactions.
400 inputs, 407 outputs, 127.9 btc
It's a miracle that so many inputs managed to sign the same transaction at the same time.
https://mempool.space/tx/d465033214fd2309dcce5a90c45fcaa788aa4394ee36debe07aad8d8a37907d2
Discussion
Exactly.
If even one input does not sign the transaction, it is invalid and won't be accepted by any Bitcoin node.
That's why we initiate a "blame round" as a second attempt, where only those inputs that signed the previous transaction are allowed. This smaller round is more likely to succeed. It often takes 5 attempts to finalize.
That’s actually pretty clever! I was wondering how, with such a large number of inputs, you could successfully deter a malicious entity (state actor?) from sybil attacking and screwing up each coinjoin.
Is there a limit to the # of “blame rounds,” or does it keep going, progressively kicking out non-cooperative parties, until the coinjoin finally succeeds?
If there are fewer than 150 eligible inputs remaining, then there's no advancement to a blame round. There's also an arbitrary limit of 7 blame rounds.
To be an active adversary in coinjoin is expensive for two reasons:
The attacker has to pay the mining fee for each input and output.
The attacker has to pay the interest for bitcoin required for the attack; that's thousands of bitcoin per month.
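The blame-round rule described in this thread, sketched as an added example (not code from the thread or from any coordinator implementation). The `Input` class, its `fails_at` field and the function names are hypothetical, and signing is modelled as a simple yes/no per attempt; only the 150-input threshold and the 7-blame-round limit come from the posts above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_INPUTS_FOR_BLAME_ROUND = 150  # threshold quoted in the thread
MAX_BLAME_ROUNDS = 7              # limit quoted in the thread


@dataclass(frozen=True)
class Input:
    outpoint: str                   # constructed label, not a real UTXO
    fails_at: Optional[int] = None  # attempt at which it stops signing (modelling assumption)

    def signs(self, attempt: int) -> bool:
        return self.fails_at is None or attempt < self.fails_at


def run_coinjoin(inputs: List[Input]) -> Tuple[str, int, int]:
    """Return (status, attempts_made, size_of_last_input_set)."""
    eligible = list(inputs)
    for attempt in range(MAX_BLAME_ROUNDS + 1):  # attempt 0 is the original round
        signers = [i for i in eligible if i.signs(attempt)]
        if len(signers) == len(eligible):
            # Every input signed, so the transaction is valid and can be broadcast.
            return ("broadcast", attempt + 1, len(eligible))
        # One missing signature invalidates the whole transaction.
        if len(signers) < MIN_INPUTS_FOR_BLAME_ROUND:
            return ("aborted_too_few_inputs", attempt + 1, len(signers))
        # Blame round: only inputs that signed the failed attempt may continue.
        eligible = signers
    return ("aborted_blame_limit", MAX_BLAME_ROUNDS + 1, len(eligible))


def sample_round() -> List[Input]:
    """Constructed data: 400 inputs, 19 of which drop out over the first four attempts."""
    drop = [0] * 10 + [1] * 5 + [2] * 3 + [3] * 1
    return [Input(f"in{n}", drop[n] if n < len(drop) else None) for n in range(400)]


if __name__ == "__main__":
    print(run_coinjoin(sample_round()))
```

Each non-signer costs the round one rebuild but is excluded from every later attempt, which is why the set of inputs only shrinks until it either signs completely or hits one of the two limits.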