Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Posted by David A. Harding

Oct 23, 2023/08:49 UTC

In this email, Nadav Ivgi discusses the shortcomings of an approach described by Riard for dealing with the transaction replacement cycle. Nadav presents two different scenarios.

The first scenario outlined by Nadav follows this sequence: Bob broadcasts an HTLC-timeout with input A, input B for fees, and output X. Mallory then replaces the HTLC-timeout with an HTLC-preimage using input A, input C for fees, and output Y. Finally, Mallory replaces the transaction that created input C, effectively removing the HTLC-preimage from the mempool.

However, Nadav suggests an alternative approach. In this alternative scenario, Bob still broadcasts an HTLC-timeout with input A, input B for fees, and output X. Mallory then replaces the HTLC-timeout with an HTLC-preimage using input A, input C for fees, and output Y. The crucial difference is that Mallory now uses input C to replace the HTLC-preimage with a transaction that does not include input A, thereby removing the preimage from the mempool.

Nadav highlights that the original scenario only works if input C comes from an unconfirmed transaction, which is what makes OP_CSV_ALLINPUTS effective against it. In the alternative scenario, however, OP_CSV_ALLINPUTS is ineffective even if input C comes from a confirmed transaction.

The email contrasts these two ways of carrying out the replacement cycle and highlights the limitations of the OP_CSV_ALLINPUTS method.
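The two sequences can be traced on a toy mempool to see where an all-inputs-confirmed rule stops the cycle and where it does not. This is an added example, not code from the email or from any Bitcoin implementation; the `Mempool` class, the transaction labels, the extra outpoints D, W and Z, and the modelling of OP_CSV_ALLINPUTS as "a transaction spending input A is accepted only if all of its inputs are confirmed" are assumptions, and fee rules are treated as always satisfied.

```python
# Toy mempool: outpoints are plain labels; every replacement is assumed to pay enough fee.
class Mempool:
    def __init__(self, confirmed, restricted=()):
        self.confirmed = set(confirmed)    # confirmed, unspent outpoints
        self.restricted = set(restricted)  # outpoints under the modelled ALLINPUTS rule
        self.txs = {}                      # name -> (inputs, outputs)

    def _evict(self, name):
        # Remove a transaction and everything that spends its outputs.
        _, outs = self.txs.pop(name)
        for child in [n for n, (ins, _) in self.txs.items() if ins & outs]:
            if child in self.txs:
                self._evict(child)

    def accept(self, name, inputs, outputs):
        inputs, outputs = set(inputs), set(outputs)
        unconfirmed = set().union(*(o for _, o in self.txs.values()))
        if not inputs <= self.confirmed | unconfirmed:
            return False                   # spends an unknown outpoint
        if inputs & self.restricted and not inputs <= self.confirmed:
            return False                   # modelled rule: all inputs must be confirmed
        for other in [n for n, (ins, _) in self.txs.items() if ins & inputs]:
            if other in self.txs:
                self._evict(other)         # replacement by conflict
        self.txs[name] = (inputs, outputs)
        return True

def run(scenario, allinputs_rule):
    # Scenario 1: input C is unconfirmed (created by "parent"). Scenario 2: C is confirmed.
    confirmed = {"A", "B", "D"} | ({"C"} if scenario == 2 else set())
    mp = Mempool(confirmed, {"A"} if allinputs_rule else ())
    if scenario == 1:
        mp.accept("parent", {"D"}, {"C"})
    mp.accept("htlc_timeout", {"A", "B"}, {"X"})             # Bob
    if not mp.accept("htlc_preimage", {"A", "C"}, {"Y"}):    # Mallory
        return "timeout_stays"
    if scenario == 1:
        mp.accept("parent_replacement", {"D"}, {"W"})        # evicts parent and its child
    else:
        mp.accept("spend_c_without_a", {"C"}, {"Z"})         # conflicts with preimage on C
    return "both_evicted" if not {"htlc_timeout", "htlc_preimage"} & set(mp.txs) else "still_visible"

if __name__ == "__main__":
    for scenario in (1, 2):
        for rule in (False, True):
            print(scenario, rule, run(scenario, rule))
```

With the rule enabled, only the first scenario is stopped: the HTLC-preimage is rejected because input C is unconfirmed, so Bob's HTLC-timeout stays in the mempool.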

Thread Summary (69 replies)

Oct 16 - Nov 17, 2023
