The Payment Protocol standard BIP70, specifying how payments in Bitcoin are performed by merchants and customers, is supported by the largest payment processors and most widely-used wallets. The protocol has been shown to be vulnerable to refund attacks due to lack of authentication of the refund addresses. In this paper, we give the first formal model of the protocol and formalise the refund address security goals for the protocol, namely refund address authentication and secrecy. The formal model utilises communication channels as abstractions conveying security goals on which the protocol modeller and verifier can rely. We analyse the Payment Protocol confirming that it is vulnerable to an attack violating the refund address authentication security goal. Moreover, we present a concrete protocol revision proposal supporting the merchant with publicly verifiable evidence that can mitigate the attack. We verify that the revised protocol meets the security goals defined for the refund address. Hence, we demonstrate that the revised protocol is secure, not only against the existing attacks, but also against any further attacks violating the formalised security goals.

最大的支付处理商和使用最广泛的钱包支持支付协议标准BIP70，该协议指定商人和客户如何执行比特币支付。由于缺乏对退款地址的身份验证，该协议容易受到退款攻击。在本文中，我们给出了该协议的第一个正式模型，并正式确定了该协议的退款地址安全目标，即退款地址认证和保密性。形式化模型利用通信渠道作为抽象，传达协议建模者和验证者可以依靠的安全目标。我们分析了付款协议，确认它容易受到违反退款地址身份验证安全目标的攻击。而且，我们提出了一个具体的协议修订建议，以可公开验证的证据为商家提供支持，从而减轻攻击。我们验证修订后的协议符合为退款地址定义的安全目标。因此，我们证明了修订后的协议是安全的，不仅可以抵御现有攻击，而且还可以抵御任何进一步违反正式安全目标的攻击。