bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Olaoluwa Osuntokun

Posted on: October 21, 2023 00:18 UTC

In the given email, the sender provides some important context regarding a scenario involving Carol, Bob, and Alice.

The email explains that Mallory can only replace an HTLC-timeout transaction if she is directly connected to the targeted peer through a direct channel. It is emphasized that Mallory cannot unilaterally replace any transaction in the mempool solely with knowledge of the preimage.

The email goes on to describe the nature of HTLC transactions as two-party contracts, with the public keys of both participants hardcoded into the contract. This means that a third party cannot unilaterally sweep an HTLC with just the preimage. The email suggests taking a step back to establish some fundamental context. When the timelock of an HTLC expires and the receiver has the preimage, a bidding war ensues. If the receiver confirms their success transaction in time, they receive the funds and the preimage is pipelined backwards in the route, ensuring all parties are compensated. On the other hand, if the sender wins, it is as if nothing happened, except for the fees paid at the last mile, and all other hops can safely cancel their HTLCs.

It is mentioned that most implementations today monitor the mempool for preimages so that they can resolve incoming HTLCs as quickly as possible off-chain. The attack described in the email relies on the attacker's ability to execute precise transaction replacement globally across the mempool. However, if any honest party sees the preimage in the mempool, the attack ends as they can settle off-chain. If their timeout confirms first, the defender actually gains funds.

Furthermore, executing such an attack perfectly, for hours or even days, is crucial. In the Lightning Network, nodes set a security parameter called the CLTV delta, which determines the duration before outgoing and incoming HTLCs expire. Increasing this value makes the attack more challenging for the attacker, as they need to balance low fees to avoid being mined, while still having enough to replace the defender's transaction. If their fees are too high, the transaction will be mined and the attack will fail.

The email also discusses the attacker's options for launching the replacement attack. One possibility is locating the defender's node to launch the attack directly in their mempool. However, this would reveal the preimage to the defender, allowing them to settle everything back and stop the attack. Additionally, the attacker needs to execute the replacement iteratively across a real network, considering factors such as network jitter, propagation delay, and geographic heterogeneity. Any timing discrepancies could lead to confirmation or the revelation of the preimage in the mempool.

Regarding anchor channels, the second-level HTLCs enable the defender to attach arbitrary inputs for fee bumping purposes. This allows them to incrementally increase their fee through Replace-By-Fee (RBF) as the expiry deadline approaches, further increasing the cost for the attacker. Moreover, the attack cannot be launched indiscriminately across the network; it requires per-node setup by the attacker and the consumption of UTXOs to create a chain of transactions for the replacement attack. These transactions also need to be maintained in a non-confirming superposition state.

In conclusion, the email suggests that this attack is fragile and requires per-node setup, precise timing and execution, non-confirming superposition of all transactions, and instant propagation across the entire network of the replacement transaction, which must also remain obscured from the defender's perspective. The attack can potentially be launched directly with a miner or "into" their mempool, but this weakens the attack as any broadcasting of preimage replacement transactions by the miner allows the defender to extract the preimage and settle the incoming HTLC.