bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Olaoluwa Osuntokun

Posted on: October 16, 2023 22:51 UTC

The email begins with the sender expressing gratitude to Antoine for a well-written report and their efforts in addressing an issue.

The sender clarifies that all relevant mitigations for lnd were implemented in version 0.16.1-beta, which was released on April 24th, 2023 [1]. They mention that some performance regressions were fixed in subsequent versions, specifically related to mempool watching. Additionally, in version 0.17.1, they plan to utilize the new gettxspendingprevout RPC call with bitcoind to further reduce load.

Next paragraph:

Antoine, you brought up some interesting points about the performance improvements in lnd. It's great to see that the team is actively working on addressing any regressions introduced due to the implemented mitigations. By utilizing the gettxspendingprevout RPC call with bitcoind in version 0.17.1, they aim to enhance the efficiency of lnd even further. This approach is expected to help reduce the load and optimize the overall performance of the system.

The sender appreciates Antoine's contribution in raising awareness about the performance issues and collaborating on potential attack scenarios. Their diligence in reporting these concerns to various implementations is acknowledged. This demonstrates Antoine's commitment to ensuring the robustness and security of the system.

In conclusion, the email emphasizes the implementation of relevant mitigations in lnd version 0.16.1-beta and the subsequent fixes for performance regressions. The upcoming version, 0.17.1, will introduce the use of the gettxspendingprevout RPC call with bitcoind, aiming to further reduce load and improve the efficiency of lnd. Antoine's valuable insights and collaboration in identifying potential attack scenarios are highly appreciated.

[1] - Link to lnd v0.16.1-beta release: [insert link here]