bitcoin-dev
Combined summary - Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
The recent discussions among programmers have focused on addressing security threats to the Lightning Network (LN), particularly vulnerabilities in Hashed Time-Locked Contracts (HTLCs).
The "flood & loot" attack, where attackers exploit network mempools by closing channels and hindering defensive transactions, has been highlighted as a significant threat. It was noted that policy differences across Bitcoin Core implementations allow such attacks due to transaction prioritization based on fees.
Mitigation strategies are being implemented in various lightning node implementations to address these vulnerabilities. One suggestion is for nodes to monitor their mempool duplicates to reduce exploitation risk, although this does not eliminate the threat entirely. Additionally, there's a push for ecosystem-level solutions rather than quick fixes that could disrupt LN or lower miners' earnings.
To enhance security against replacement cycling attacks, a technical proposal suggests implementing a new opcode, OP_CSV_ALLINPUTS, which would require all inputs in an HTLC preimage branch to have a consistent nSequence, ensuring only confirmed inputs are used.
The email exchanges also reflect on one author's decision to step away from lightning development due to the severity of replacement cycling issues and the lack of standardized mechanisms to combat them. An expert assessment and dedicated time to improve lightning's robustness are called for.
Plans to demonstrate a real-world replacement cycling attack no earlier than the second semester of 2024 were disclosed, with encouragement for public discussion and correspondence on these topics. Debates continue over alternative methods for handling vulnerabilities within the technical community.
New opcodes like OP_CSV_ALLINPUTS and restructuring of presigned transactions are suggested to manage fees and prevent attacks more effectively. Insights into optimizing transaction handling and storage include proposals by Peter Todd, who advocates for combining multiple HTLC claims into one transaction for larger nodes using specific signatures. Discussions also mention the potential efficiency of Replace-by-Fee (RBF) over Child-Pays-for-Parent (CPFP) under most conditions.
For those seeking detailed information, Peter Todd's website at https://petertodd.org is recommended, with an invitation for further dialogue via direct email.
Security discussions extend to anchor outputs in LN for managing fees and transaction replacement strategies, recognizing the benefits of small transactions and deterministic forms. Concerns regarding default settings for RBF, fee overheads, and different feerate variants are raised, including identifying a possible policy bug that requires attention at the policy or Bitcoin Core layer.
An explained attack scenario clarifies that successful attacks depend on precise timing and execution by directly connected peers. Increased security parameters, like the CLTV delta, and the use of anchor channels for fee bumping through second-level HTLCs are considered to hinder such attacks. A proposal to limit spending to presigned second-stage transactions signed with SIGHASH_ALL is suggested to prevent replacement cycling attacks.
Innovative approaches to mitigating aggressive fee bumping near the CLTV deadline are explored, recommending a "scorched earth" strategy to make it costly for attackers. Research on defensive fee rebroadcasting suggests foundational improvements at the bitcoin protocol level to reinforce Layer 2 protocols.
Discussants suggest increasing the CLTV delta to give node operators more time for intervention and consider various mitigation strategies, including mempool scanning and transaction re-signing. Establishing a "black box" Lightning infrastructure on the mainnet to experiment with LN vulnerabilities and defenses is of interest, but limited by the scarcity of LN experts and undisclosed risks.
A complex payment channel scenario reveals strategic advantages and limitations of CPFP and presigned transactions, while an unobserved attack type exploiting neighboring nodes highlights the need for surveillance and countermeasures like aggressive fee-bumping.
Eclair and LND have partially implemented mitigation strategies against vulnerabilities, while Core-Lightning and LDK have yet to adopt similar mechanisms. Node operators are advised to limit HTLCs for large channels to unknown peers and monitor for suspicious behavior.
Lastly, the Lightning Network Daemon (lnd) version 0.16.1-beta includes safeguards against HTLC-related exploits, with performance improvements planned for the upcoming version 0.17.1. The collaborative nature of the community in enhancing lnd's security is acknowledged, and the importance of critical analysis and skepticism in technical discussions is emphasized ahead of the public disclosure of related CVEs on October 16, 2023.