bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Matt Morehouse

Posted on: October 20, 2023 18:35 UTC

The email discusses a proposal to prevent replacement cycling attacks in HTLC spends by applying the concept of a presigned fee multiplier.

The idea is to modify HTLC scripts so that both parties can only spend the HTLC via presigned second-stage transactions, which are always signed with SIGHASH_ALL. By doing this, the attacker will be unable to add inputs to their presigned transaction, effectively preventing a replacement cycling attack from occurring. However, implementing this approach would require more bookkeeping and result in less fee granularity when claiming HTLCs on chain.
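Why SIGHASH_ALL pins the input set can be seen in the BIP143 (segwit v0) signature digest, shown here as an added example that is not code from the original email or from any Lightning implementation. It compares SIGHASH_ALL with SIGHASH_SINGLE|SIGHASH_ANYONECANPAY, a contrast flag chosen for illustration and not named in this summary. All txids, amounts and scripts are constructed placeholders.

```python
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 1, 2, 3, 0x80
ZERO = b"\x00" * 32

def dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varbytes(b):  # sketch only handles scripts shorter than 0xfd bytes
    assert len(b) < 0xFD
    return bytes([len(b)]) + b

def outpoint(i):
    return i["txid"] + struct.pack("<I", i["vout"])

def ser_out(o):
    return struct.pack("<q", o["value"]) + varbytes(o["spk"])

def bip143_digest(tx, idx, script_code, amount, hashtype):  # BIP143, segwit v0
    base, acp = hashtype & 0x1F, bool(hashtype & SIGHASH_ANYONECANPAY)
    partial = base in (SIGHASH_NONE, SIGHASH_SINGLE)  # not all outputs covered
    h_prev = ZERO if acp else dsha(b"".join(outpoint(i) for i in tx["vin"]))
    h_seq = ZERO if acp or partial else dsha(
        b"".join(struct.pack("<I", i["seq"]) for i in tx["vin"]))
    if not partial:
        h_out = dsha(b"".join(ser_out(o) for o in tx["vout"]))
    elif base == SIGHASH_SINGLE and idx < len(tx["vout"]):
        h_out = dsha(ser_out(tx["vout"][idx]))  # only the paired output
    else:
        h_out = ZERO
    me = tx["vin"][idx]
    return dsha(struct.pack("<i", tx["version"]) + h_prev + h_seq + outpoint(me)
                + varbytes(script_code) + struct.pack("<q", amount)
                + struct.pack("<I", me["seq"]) + h_out
                + struct.pack("<II", tx["locktime"], hashtype))

# Constructed sample data: txids, amounts and scripts are placeholders.
htlc_in = {"txid": b"\x11" * 32, "vout": 0, "seq": 1}
extra_in = {"txid": b"\x22" * 32, "vout": 1, "seq": 0xFFFFFFFD}
htlc_out = {"value": 90_000, "spk": b"\x00\x20" + b"\x33" * 32}
change_out = {"value": 5_000, "spk": b"\x00\x14" + b"\x44" * 20}
SCRIPT = b"\x51"  # stand-in script code, not a real HTLC script
presigned = {"version": 2, "locktime": 0, "vin": [htlc_in], "vout": [htlc_out]}
extended = dict(presigned, vin=[htlc_in, extra_in], vout=[htlc_out, change_out])

def survives_added_input(hashtype):  # is input 0's digest unchanged?
    return (bip143_digest(presigned, 0, SCRIPT, 100_000, hashtype)
            == bip143_digest(extended, 0, SCRIPT, 100_000, hashtype))
```

With SIGHASH_ALL the digest for the HTLC input changes as soon as another input or output is attached, so the presigned signature no longer verifies; this is also why fees must be fixed at signing time, which is the loss of fee granularity noted above.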