bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Antoine Riard

Posted on: October 21, 2023 20:05 UTC

In the email, the sender addresses the misrepresentation of their previous mail in offline Twitter posts, clarifying that the security flaws discussed are not intentional backdoors.

They emphasize that these flaws have been known by a small circle of Bitcoin developers since December 2022. The sender mentions that changes at the Bitcoin base layer may be the most substantial fixes, but that these changes take time, similar to how the Linux kernel and OS vendors work.

The sender also mentions their recent internal discussions on improving coordinated security fixes and patching processes for the future. They highlight their long-standing concern for this area and their efforts to stay at the forefront since 2020/2021. Additionally, Lightning experts have already deployed mitigations that significantly strengthen the Lightning ecosystem against simple or medium attacks. However, more advanced attacks require extensive knowledge and preparation.

The sender advises journalists reporting on this information to wait for expert reporters from the Bitcoin community who have more in-field knowledge to provide a qualified technical perspective. They stress the fluid nature of information in electronic communication and the lack of native anti-DoS mechanisms to slow down the propagation of sensitive information during mitigation deployment. The sender mentions their absence from social media and recommends reading Seneca and Marcus Aurelius to approach the situation with stoicism and meditation.

The sender acknowledges that while their previous statements are technically correct, they could have been written with more clarity, which the sender attributes to English not being their native language. They express a desire to further discuss the best fix and trade-offs as a community in the week of October 30th, considering the shipping of fixes by some laggard Lightning implementations. However, they mention the possibility of commenting further on the mailing list if the flow of information on social media hinders the Bitcoin community's ability to work on long-term appropriate fixes responsibly and constructively.

Throughout the email, the sender includes several links to relevant resources, such as Wikipedia articles on hardware-sourced vulnerabilities and a Lightning development mailing list post. They also recommend reading Venkatesh Rao's Ribbonfarm essays for insights on propagation and network effect, as well as "The Mind Illuminated" for meditation practices.