bitcoin-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 19, 2023 16:23 UTC
The email suggests a potential defense strategy against an attacker attempting to exploit the HTLC-timeout mechanism.
The strategy involves the honest node aggressively fee-bumping and retransmitting the HTLC-timeout as the CLTV delta deadline approaches. Specifically, within 10 blocks of the deadline, the honest node would increase the fee by 1/10th the HTLC value for each non-confirmation.
This approach, referred to as the "scorched earth" approach, may result in considerable fees for the honest node. However, it would cost the attacker even more, as each replacement attempt by the attacker would need to burn at least as much as the HTLC-timeout fees. Additionally, the attacker would need to perform a replacement every time the honest node fee bumps.
The suggested fee-bumping policy is proposed as a sufficient defense strategy, even if the attacker is directly cycling replacements in miners' mempools and the victim has no visibility into the attack.
Overall, the email proposes aggressive fee-bumping and retransmission of the HTLC-timeout as the CLTV delta deadline approaches, aiming to deter attackers by imposing higher costs on them than on the honest node.
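The fee policy summarized above can be worked through numerically. The following is an added example, not code from the email or from any Lightning implementation: it models the schedule of one bump of 1/10th the HTLC value per non-confirmation over the final 10 blocks, and the attacker's cumulative minimum burn under the summary's claim that each replacement costs at least the HTLC-timeout fee. The function names, the fee cap at the HTLC value, and the sample amounts are assumptions.

```python
"""Scorched-earth fee schedule for an HTLC-timeout (illustrative model)."""

WINDOW_BLOCKS = 10   # from the page: bumping starts within 10 blocks of the deadline
BUMP_FRACTION = 10   # from the page: each bump adds 1/10th of the HTLC value


def honest_fee_schedule(htlc_value_sat, base_fee_sat):
    """Fee of each HTLC-timeout rebroadcast, one per non-confirmation in the window.

    Assumption: the fee is capped at the HTLC value, since paying more than
    the output being claimed is pointless.
    """
    step = htlc_value_sat // BUMP_FRACTION
    return [min(base_fee_sat + n * step, htlc_value_sat)
            for n in range(1, WINDOW_BLOCKS + 1)]


def attacker_min_burn(schedule):
    """Cumulative lower bound on attacker cost, per the summary's claim that
    every replacement must burn at least the fee of the HTLC-timeout it evicts."""
    total, cumulative = 0, []
    for fee in schedule:
        total += fee
        cumulative.append(total)
    return cumulative


def break_even_round(htlc_value_sat, base_fee_sat):
    """First bump (1-based) at which the attacker's cumulative burn reaches
    the HTLC value, so taking the HTLC can no longer be profitable."""
    burns = attacker_min_burn(honest_fee_schedule(htlc_value_sat, base_fee_sat))
    for rnd, burned in enumerate(burns, start=1):
        if burned >= htlc_value_sat:
            return rnd
    return None


if __name__ == "__main__":
    htlc, base = 1_000_000, 2_000   # constructed sample values, in satoshis
    fees = honest_fee_schedule(htlc, base)
    burns = attacker_min_burn(fees)
    for n, (fee, burned) in enumerate(zip(fees, burns), start=1):
        print(f"bump {n:2d}: honest fee {fee:>9,} sat | attacker burned >= {burned:>9,} sat")
    print("attack unprofitable from bump", break_even_round(htlc, base))
```

The honest node pays only the fee of whichever HTLC-timeout finally confirms, while the attacker's lower bound accumulates across every replacement, which is the asymmetry the summary describes.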