bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Matt Morehouse

Posted on: October 19, 2023 17:53 UTC

The email discusses the concept of replacement cycles in the context of reducing the cost of an attack.

The defender implements a scorched-earth fee bumping policy to counter the attacker's strategy. This policy ensures that either the HTLC-timeout will confirm in the next block or the attacker must pay more fees than the HTLC-timeout fees to replace it. As the CLTV delta deadline approaches, the fees required for replacement may reach 50%, 80%, or even 100% of the HTLC value under this policy. This makes the attack unprofitable, especially considering that multiple replacements may be necessary as the deadline approaches. The email emphasizes the need to further tune the fee bumping curve to ensure minimal fees when not under attack. However, as the deadline nears, it is recommended to adopt an aggressive approach to both confirm transactions during high mempool congestion and punish replacement-cycling attackers.