bitcoin-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 19, 2023 19:33 UTC
In the email, Antoine discusses a scenario involving a replacement-cycling attacker and a defender's scorched earth policy.
The attacker can afford to pay 100% of the HTLC (Hash Time Locked Contract) value under this policy and still gain economically. Alice, Bob, and Caroll are mentioned as "honest" routing hops targeted by the attacker.
The process begins with Alice broadcasting her HTLC-timeout at T + 1 with a committed fee of 10,000 sats. However, Mallory replaces it at T + 2 with an HTLC-preimage X of 200,000 sats, along with an RBF (Replace By Fee) penalty of 1 sat/vb rule 4. This transaction is out of network mempools. Bob then broadcasts her HTLC-timeout of 200,000 sats at T + 3, which is replaced by Mallory at T + 4 with her HTLC-preimage Y of 200,000 sats (+ RBF penalty 1 sat/vb rule 4 * 2). Similarly, Caroll broadcasts her HTLC-timeout of 200,000 sats at T + 5, which is replaced by Mallory at T + 6 with her HTLC-preimage Z of 200,000 sats (+ RBF penalty 1 sat/vb rule 4 * 3).
It is important to note that both Bob and Caroll's HTLC-timeouts are also out of network mempools. Additionally, HTLC-preimage Y conflicts with HTLC-preimage X, and HTLC-preimage Z conflicts with HTLC-preimage Y (resulting in multiplied RBF penalties). If Mallory's HTLC-preimage enters the top mempool feerates group (due to accumulated RBF penalties), one unconfirmed ancestor can be double-spent to evict the HTLC-preimage.
In this scenario, Mallory may incur a loss of 10,000 sats + RBF penalty cost for each rebroadcast attempt of the victim. However, she gains the HTLC value of 200,000 sats from Alice, Bob, and Caroll. Assuming 5 rebroadcasts per block (random timers) multiplied by 3 victims, along with an HTLC-preimage size of 200 bytes and a cltv_delta of 144 blocks, the total attacker cost is 432,000 sats. The realized economic gain is 168,000 sats. It appears that each additional victim has a cost of 144,000 sats, regardless of the targeted HTLC value.
Antoine concludes by thanking the recipient for checking the fees math and replacement rules, as it seems correct to him. He also mentions that more favorable assumptions to the attacker, such as mempool spikes where "honest" HTLC-timeout transactions can be left floating in network mempools, are not taken into account.