Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Posted by Antoine Riard

Oct 19, 2023/19:33 UTC

In the email, Antoine discusses a replacement-cycling attacker and how such an attacker can still come out ahead economically even when paying 100% of the HTLC value under the defender's scorched-earth fee policy. The scenario involves three "honest" routing hops targeted by the attacker: Alice, Bob, and Caroll.

Antoine explains that each of them has three independent 10,000-satoshi HTLCs (Hashed Time-Locked Contracts) in flight on their outbound channels. Under the defensive scorched-earth fee policy, Alice broadcasts her HTLC-timeout at T+1 with a committed absolute fee of 10,000 satoshis. Mallory, the attacker, replaces it at T+2 with an HTLC-preimage X of 200,000 satoshis; this replacement incurs an RBF (Replace-By-Fee) penalty of 1 sat/vb (satoshi per virtual byte) under RBF rule 4.

Bob then broadcasts his HTLC-timeout of 200,000 satoshis at T+3, which Mallory replaces at T+4 with her HTLC-preimage Y of 200,000 satoshis. This replacement incurs a multiplied RBF penalty of 2 because of the conflict between HTLC-preimage X and HTLC-preimage Y. Similarly, Caroll broadcasts her HTLC-timeout of 200,000 satoshis at T+5, which Mallory replaces at T+6 with her HTLC-preimage Z of 200,000 satoshis; this replacement incurs a multiplied RBF penalty of 3 because of the conflict between HTLC-preimage Y and HTLC-preimage Z.

Antoine notes that if Mallory's HTLC-preimage enters the top mempool feerate group (because of the accumulated RBF penalty), one unconfirmed ancestor can be double-spent to evict the HTLC-preimage. If Mallory carries the replacement cycling through, she may lose 10,000 satoshis plus the RBF penalty cost for each rebroadcast attempt of the victim's HTLC, but she ultimately gains the 200,000-satoshi HTLC value from each of Alice, Bob, and Caroll.

Assuming 5 rebroadcasts per block (even on randomized timers), 3 victims, an HTLC-preimage size of 200 bytes, and a cltv_delta (time lock) of 144 blocks, the total attacker cost comes to 432,000 satoshis, and the attacker's realized economic gain is 168,000 satoshis. Antoine concludes that each additional victim appears to cost the attacker 144,000 satoshis, regardless of the targeted HTLC value.

Antoine expresses thanks for the checking of the fee math and replacement rules, which appear correct to him. He adds that his analysis leaves out assumptions more favorable to the attacker, such as mempool spikes during which the "honest" HTLC-timeout transactions can be left floating in network mempools.
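The cost arithmetic above, as an added example that is not part of Antoine's post or the thread. It models only the rule-4 incremental-fee component that the 432,000-satoshi figure corresponds to (5 rebroadcasts × 3 victims × 200 bytes × 144 blocks × 1 sat/vb) and, from that same linear model, derives the honest rebroadcast rate at which the attacker's per-victim cost exceeds the HTLC value; the constant 1 sat/vb rate, the names and the scenario object are assumptions.

```python
# Added example, not from the original post: attacker economics of replacement
# cycling under the "fee scorched earth" defence, using the summary's cost model.
# Assumption: every honest rebroadcast forces one attacker replacement that pays
# the RBF rule-4 increment (1 sat/vb, held constant) on the whole preimage tx.
from dataclasses import dataclass


@dataclass(frozen=True)
class CyclingScenario:
    victims: int                  # honest hops whose HTLC-timeouts get replaced
    htlc_value_sat: int           # value of each targeted HTLC
    rebroadcasts_per_block: int   # honest HTLC-timeout rebroadcasts per block
    preimage_vbytes: int          # size of the attacker's HTLC-preimage tx
    cltv_delta_blocks: int        # blocks the attacker must keep cycling
    rbf_rate_sat_per_vb: int = 1  # rule-4 incremental feerate (assumed constant)


def per_victim_cost(s: CyclingScenario) -> int:
    """RBF increments the attacker pays to keep one victim's HTLC-timeout out."""
    return (s.rebroadcasts_per_block * s.preimage_vbytes
            * s.rbf_rate_sat_per_vb * s.cltv_delta_blocks)


def attacker_cost(s: CyclingScenario) -> int:
    return s.victims * per_victim_cost(s)


def attacker_gain(s: CyclingScenario) -> int:
    """Net gain: the stolen HTLC values minus the cycling cost (negative = loss)."""
    return s.victims * s.htlc_value_sat - attacker_cost(s)


def rebroadcasts_to_deter(s: CyclingScenario) -> int:
    """Smallest honest rebroadcast rate per block at which cycling one HTLC of
    this value costs the attacker strictly more than the HTLC (same linear model)."""
    cost_per_rebroadcast = (s.preimage_vbytes * s.rbf_rate_sat_per_vb
                            * s.cltv_delta_blocks)
    return s.htlc_value_sat // cost_per_rebroadcast + 1


# Constructed scenario matching the figures in the summary.
POST_SCENARIO = CyclingScenario(victims=3, htlc_value_sat=200_000,
                                rebroadcasts_per_block=5, preimage_vbytes=200,
                                cltv_delta_blocks=144)

if __name__ == "__main__":
    s = POST_SCENARIO
    print(f"cost={attacker_cost(s)} gain={attacker_gain(s)} "
          f"per_victim={per_victim_cost(s)} deter_at={rebroadcasts_to_deter(s)}/block")
```

Per-victim cost does not depend on the HTLC value, so small HTLCs are unprofitable to cycle while large ones are; the rate the last function returns is what, under this model, flips the 200,000-satoshi case into a loss.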


Thread Summary (69 replies)

Oct 16 - Nov 17, 2023
