bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Antoine Riard

Posted on: October 17, 2023 18:47 UTC

In a recent email, the sender apologizes for any typos and mentions that there is currently no specific context being discussed.

They refer to a previous email from August 11th, 2023, where they had discussed the idea of conducting experiments prior to disclosure. The sender expresses their willingness to participate in setting up a "black box" Lightning infrastructure on the mainnet to explore vulnerabilities and mitigation strategies. They suggest that the timing of disclosure could be adjusted based on the learnings from these experiments.

However, the sender notes that the number of Lightning experts with the necessary knowledge and understanding to participate in the experiments may be limited to those listed on the disclosure emails. Additionally, at the time of the email, there were other pending security issues that had not been disclosed, such as the "fake channel DoS vector" revealed on August 23rd, 2023. Due to these factors, the experiments were not conducted.

Overall, the email highlights the intention to conduct experiments related to Lightning infrastructure vulnerabilities and mitigations but acknowledges the constraints in terms of expert availability and other undisclosed security issues.