Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Posted by Antoine Riard

Oct 19, 2023/17:22 UTC

The email discusses a specific mitigation described in an attached paper, which can be found at the link provided. The mitigation, "defensive fee-rebroadcasting", is covered in subsection 3.4 of the paper. The sender notes that when the mempool is backlogged and the defensive fractional-fee HTLC-timeout gets stuck, the attacker gains an advantage. They also suggest that an attacker could replace-cycle multiple honest HTLC-timeouts with a single malicious HTLC-preimage, paying the absolute fee but only incurring the RBF penalty. The sender admits to not having tested this specific behavior, but notes that the "fees" math does not appear to favor the defenders. The email concludes with a farewell.

Thread Summary (69 replies)

Oct 16 - Nov 17, 2023
