bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Antoine Riard

Posted on: November 17, 2023 22:36 UTC

The email from Antoine addresses a potential vulnerability in the way the Lightning Network handles transactions, specifically concerning HTLC (Hash Time-Locked Contract) preimages and the mempool, a node's pool of transactions waiting to be confirmed.

Antoine argues that an attacker can execute a relatively simple yet critical attack by broadcasting a replacement parent transaction with a higher fee, effectively overbidding the original transaction associated with the HTLC preimage. The replacement can confirm at any time, but it is more economically beneficial for the attacker to delay its confirmation to maximize the impact of the attack.

Antoine goes on to explain that an attacker could partition a defender's mempool by broadcasting a conflicting parent transaction, thus preventing the honest HTLC preimage transaction from being recognized by the defender's mempool. Factors such as network jitter, propagation delay, and geographic heterogeneity are deemed irrelevant because the Bitcoin network favors the propagation of high-fee transactions through a system of distributed state machines. Moreover, policy divergences across different implementations of the Bitcoin protocol do not significantly affect the attack.

Furthermore, Antoine suggests that the peer-to-peer (p2p) transaction-relay system of the Bitcoin network, which is supposed to propagate transactions, might actually work to the advantage of the attacker. This is because attackers can occupy inbound slots at low cost and potentially evict honest transactions by making mass connections, due to the public nature of node network addresses.

Despite the severity of the situation, Antoine points out that the attacker is unlikely to face an extremely precise timing and execution challenge: the most adverse event for the attacker is a block being mined just seconds after an HTLC-timeout enters the block template. Since blocks are mined on average every 10 minutes, the probability favors the attacker, and currently there is no widespread mechanism in place among miners to broadcast preimage replacement transactions to counteract this.

As a mitigation strategy, Antoine recommends that Lightning nodes duplicate their mempool monitoring across watchtower backends, which are assumed to run on full nodes. This would require attackers to partition each additional watchtower's mempool, raising the difficulty of a successful attack. He urges Lightning Network software to adopt this strategy, especially software used by high-value routing nodes or Lightning Service Providers (LSPs), to improve resilience against such attacks.
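The duplicated-monitoring idea in the last paragraph, as an added illustration that is not code from the post or from any Lightning implementation: each backend reports its own mempool view, and the defender scans every view for a spend of the HTLC outpoint whose witness carries a 32-byte item hashing to the payment hash. The transaction dictionaries, backend names and outpoint are constructed sample data; a real deployment would fill the views from each node's RPC instead.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not real transactions). The honest HTLC-success
# spend reveals the preimage in its witness; the overbidding conflict does not.
PREIMAGE = bytes.fromhex("11" * 32)
PAYMENT_HASH = sha256_hex(PREIMAGE)
HTLC_OUTPOINT = "0000ffff:0"  # constructed "txid:vout" of the HTLC output

HONEST_TX = {"txid": "a1", "spends": [HTLC_OUTPOINT],
             "witness": ["<sig>", PREIMAGE.hex(), "<htlc-script>"]}
ATTACKER_TX = {"txid": "b2", "spends": [HTLC_OUTPOINT],
               "witness": ["<sig>", "", "<htlc-script>"]}

# The local node and one watchtower have been partitioned and only see the
# attacker's conflicting spend; a second watchtower still holds the honest tx.
MEMPOOL_VIEWS = {
    "local-node": [ATTACKER_TX],
    "watchtower-1": [ATTACKER_TX],
    "watchtower-2": [HONEST_TX],
}


def extract_preimage(tx: dict, payment_hash_hex: str):
    """Return the hex preimage if any 32-byte witness item hashes to the payment hash."""
    for item in tx.get("witness", []):
        if len(item) != 64:
            continue
        try:
            raw = bytes.fromhex(item)
        except ValueError:
            continue
        if sha256_hex(raw) == payment_hash_hex:
            return item
    return None


def scan_backends(views: dict, htlc_outpoint: str, payment_hash_hex: str) -> dict:
    """Aggregate every backend's view: recover the preimage from whichever
    backend saw it, and report the set of distinct spends of the HTLC output
    (more than one txid means the backends hold conflicting, partitioned views)."""
    result = {"preimage": None, "seen_by": [], "spending_txids": set()}
    for backend, mempool in views.items():
        for tx in mempool:
            if htlc_outpoint not in tx.get("spends", []):
                continue
            result["spending_txids"].add(tx["txid"])
            preimage = extract_preimage(tx, payment_hash_hex)
            if preimage is not None:
                result["preimage"] = preimage
                result["seen_by"].append(backend)
    return result
```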