Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Posted by Nadav Ivgi

Oct 22, 2023/04:49 UTC

The email suggests a way to address a potential issue with unconfirmed outputs being spent in the HTLC (Hash Time Locked Contract) preimage-spending transaction. The proposal is a new opcode, OP_CSV_ALLINPUTS, which would require all inputs to have a matching nSequence. Using 1 OP_CSV_ALLINPUTS in the HTLC preimage branch would effectively prevent the use of unconfirmed outputs in that transaction.

The purpose of this approach is to protect against a replacement cycling attack. An alternative would be OP_CSV_OTHERINPUTS, which would allow the HTLC output itself to be spent immediately via the preimage branch and require confirmation only for the additional inputs added to pay fees.

The implications and trade-offs of such a change need careful consideration, and further analysis and discussion may be needed to determine the best approach and any drawbacks or limitations.

Overall, the suggestion aims to make HTLC preimage-spending transactions more secure and reliable by addressing the potential vulnerability associated with unconfirmed outputs. Further research and evaluation are required to determine the feasibility and impact of the proposed solution.
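
The difference between the two proposed opcodes, as an added Python model that is not code from the original post or from any Bitcoin implementation. Neither opcode exists today; the names `TxIn`, `seq_matches`, `bip68_mature` and `preimage_spend_ok`, and the assumption that the check behaves like the existing BIP68/BIP112 relative lock applied across inputs (block-based locks only), are hypothetical.

```python
# Added model of the proposal; OP_CSV_ALLINPUTS / OP_CSV_OTHERINPUTS do not exist in Bitcoin.
from dataclasses import dataclass
from typing import List, Optional

SEQ_DISABLE = 1 << 31    # BIP68: relative lock-time disabled on this input
SEQ_TYPE_TIME = 1 << 22  # BIP68: value is in 512-second units, not blocks
SEQ_MASK = 0xFFFF        # BIP68: low 16 bits carry the lock value

@dataclass
class TxIn:
    n_sequence: int
    prevout_height: Optional[int]  # None = parent transaction still unconfirmed

def seq_matches(n_sequence: int, required: int) -> bool:
    """BIP112-style script check on one input (block-based locks only)."""
    if n_sequence & (SEQ_DISABLE | SEQ_TYPE_TIME):
        return False
    return (n_sequence & SEQ_MASK) >= required

def bip68_mature(txin: TxIn, next_height: int) -> bool:
    """BIP68 check for inclusion in the next block (time-based locks not modelled)."""
    if txin.n_sequence & SEQ_DISABLE:
        return True
    # An unconfirmed parent can confirm no earlier than the next block.
    coin_height = next_height if txin.prevout_height is None else txin.prevout_height
    return coin_height + (txin.n_sequence & SEQ_MASK) <= next_height

def preimage_spend_ok(inputs: List[TxIn], htlc_index: int, mode: str,
                      required: int, next_height: int) -> bool:
    """mode "ALL" models OP_CSV_ALLINPUTS, "OTHER" models OP_CSV_OTHERINPUTS."""
    if mode not in ("ALL", "OTHER"):
        raise ValueError("mode must be 'ALL' or 'OTHER'")
    # OTHER exempts the HTLC input itself from the script-level nSequence check.
    checked = [t for i, t in enumerate(inputs)
               if not (mode == "OTHER" and i == htlc_index)]
    script_ok = all(seq_matches(t.n_sequence, required) for t in checked)
    # The consensus relative lock still applies to every input that sets one.
    return script_ok and all(bip68_mature(t, next_height) for t in inputs)

# Constructed sample inputs; heights and nSequence values are illustrative.
NEXT = 800_001
htlc_old = TxIn(1, 799_990)           # HTLC output confirmed, nSequence = 1
htlc_fresh = TxIn(0xFFFFFFFD, None)   # HTLC output unconfirmed, no relative lock
fee_confirmed = TxIn(1, 799_000)      # fee input with a confirmed parent
fee_unconfirmed = TxIn(1, None)       # fee input spending a mempool output
fee_no_lock = TxIn(0xFFFFFFFD, None)  # same, but nSequence does not match
```

In this model an unconfirmed fee input is rejected under both modes, while an unconfirmed HTLC output paired with a confirmed fee input passes only under the OTHERINPUTS variant.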


Thread Summary (69 replies)

Oct 16 - Nov 17, 2023
