bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Antoine Riard

Posted on: October 17, 2023 18:34 UTC

The email discusses a scenario involving three parties, A, B, and C, and their interactions in a payment channel.

In this scenario, party C forces the channel between parties B and C to be settled on-chain without party C having claimed it. The HTLC-timeout transaction does not confirm, but instead, it is replaced by party C's HTLC-preimage, which remains valid even after the HTLC timelock between parties B and C has expired. This HTLC-preimage is subsequently replaced itself.

The email also mentions that party A drops the channel between parties A and B on-chain in an attempt to recover the HTLC funds. It clarifies that there is no need to consider fee rates or mempool congestion because the exploit lies within the replacement mechanism itself.

Furthermore, the email explains that party C broadcasts an HTLC-success transaction at block height 144. However, party C broadcasts this high-feerate transaction at every block between blocks 100 and 144 to replace party B's HTLC-timeout transaction. It also mentions that party B can fee-bump the HTLC-timeout for anchor output channels using SIGHASH_SINGLE | SIGHASH_ANYONECANPAY on party C's signature.
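The replacement sequence described above can be followed in a toy mempool model. This is an added example, not code from the email or from the linked test. It assumes a simplified rule (a transaction replaces every mempool transaction it conflicts with on an outpoint if it pays more than their combined fee), that the HTLC-preimage carries an extra input owned by party C, and all names and fee values are constructed.

```python
from dataclasses import dataclass

HTLC = "commitment:htlc"   # constructed outpoint name for the HTLC output
C_UTXO = "c_wallet:0"      # constructed extra input owned by party C (assumption)

@dataclass(frozen=True)
class Tx:
    name: str
    inputs: frozenset  # outpoints this transaction spends
    fee: int           # absolute fee in toy units

class ToyMempool:
    """Outpoint-conflict replacement only; not Bitcoin Core's full policy."""
    def __init__(self):
        self.txs = {}        # name -> Tx currently in the mempool
        self.evictions = []  # (evicted, replaced_by): the observer's audit trail

    def submit(self, tx):
        conflicts = [t for t in self.txs.values() if t.inputs & tx.inputs]
        if conflicts and tx.fee <= sum(c.fee for c in conflicts):
            return False     # a replacement must outbid what it evicts
        for c in conflicts:
            del self.txs[c.name]
            self.evictions.append((c.name, tx.name))
        self.txs[tx.name] = tx
        return True

    def spenders(self, outpoint):
        return [t.name for t in self.txs.values() if outpoint in t.inputs]

def cycled_out(pool, outpoint, own_tx):
    """True when own_tx was evicted and nothing pending spends the outpoint."""
    evicted = any(old == own_tx for old, _ in pool.evictions)
    return evicted and not pool.spenders(outpoint)

def run_scenario():
    pool = ToyMempool()
    # Party B's HTLC-timeout spends the HTLC output.
    pool.submit(Tx("htlc_timeout", frozenset({HTLC}), 1000))
    # Party C's HTLC-preimage conflicts on the HTLC output and replaces it.
    pool.submit(Tx("htlc_preimage", frozenset({HTLC, C_UTXO}), 2000))
    # The HTLC-preimage is itself replaced by a spend of C's other input only.
    pool.submit(Tx("c_other_spend", frozenset({C_UTXO}), 3500))
    return pool

if __name__ == "__main__":
    pool = run_scenario()
    print(pool.evictions, pool.spenders(HTLC), cycled_out(pool, HTLC, "htlc_timeout"))
```

In this model the HTLC output ends with no pending spend at all, and the eviction log is the only record that party B's transaction and the preimage-bearing transaction were ever in the mempool.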

The email includes a link to a test on GitHub (https://github.com/ariard/bitcoin/commit/19d61fa8cf22a5050b51c4005603f43d72f1efcf) for further reference.

Overall, the email outlines the details of a complex scenario in a payment channel involving multiple parties and the exploitation of the replacement mechanism within the channel.