bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Peter Todd

Posted on: October 27, 2023 00:43 UTC

The email discusses a potential attack related to the redemption of HTLC-preimage transactions.

The sender clarifies that they are not claiming this attack is easy to execute, but they mention that there may be cases where it happens accidentally. One example given is when a node with an HTLC-preimage is offline and then comes online at the right time to broadcast an HTLC-preimage redemption transaction with a higher fee than the timeout transaction. If the other node goes offline after broadcasting the timeout transaction, it may fail to notice the HTLC-preimage in the mempool and therefore fail to redeem it.

To mitigate this situation, the sender suggests the use of OP_Expire, which would make it impossible to redeem the HTLC-preimage after the timeout. They explain that OP_Expire could help prevent scenarios where the redemption is missed due to timing issues between nodes being online or offline.

The email closes with a link to Peter Todd's website (https://petertodd.org), whose specific content is not mentioned in the email, and an email address (peter[:-1]@petertodd.org).
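The accidental case described above can be traced in a toy model. This is an added example, not code from the email or from any Bitcoin or Lightning implementation. It assumes a single shared mempool where a higher-fee conflicting spend replaces a lower-fee one, and an OP_Expire rule that rejects the preimage spend once the timeout height is reached; all names, heights and fees are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Spend:
    kind: str   # "timeout" or "preimage"; both spend the same HTLC output
    fee: int    # absolute fee in sats (constructed value)

def accept(mempool, tx, height, timeout_height, expire):
    """Toy policy: one spend of the HTLC output at a time, higher fee replaces."""
    if tx.kind == "timeout" and height < timeout_height:
        return mempool        # timelock not reached yet
    if tx.kind == "preimage" and expire and height >= timeout_height:
        return mempool        # assumed OP_Expire rule: preimage branch is dead
    if mempool is None or tx.fee > mempool.fee:
        return tx
    return mempool

def simulate(events, online, timeout_height, expire):
    """events: (height, Spend) broadcasts; online: heights at which the node
    that sent the timeout watches the mempool.
    Returns (spend left in the mempool, whether that node saw the preimage)."""
    mempool, saw_preimage = None, False
    for h in sorted({eh for eh, _ in events} | set(online)):
        for eh, tx in events:
            if eh == h:
                mempool = accept(mempool, tx, h, timeout_height, expire)
        if h in online and mempool is not None and mempool.kind == "preimage":
            saw_preimage = True
    return mempool, saw_preimage

TIMEOUT_HEIGHT = 100
# Constructed timeline: timeout broadcast at 100, late higher-fee preimage at 101.
EVENTS = [(100, Spend("timeout", 500)), (101, Spend("preimage", 900))]

if __name__ == "__main__":
    cases = [
        ("offline after broadcast, no expiry", {100}, False),
        ("offline after broadcast, expiry", {100}, True),
        ("stays online, no expiry", {100, 101}, False),
    ]
    for label, online, expire in cases:
        tx, saw = simulate(EVENTS, online, TIMEOUT_HEIGHT, expire)
        print(f"{label}: mempool={tx.kind}, saw_preimage={saw}")
```

Only the first case leaves a preimage spend in the mempool that the timeout-side node never observed; with the assumed expiry rule the late preimage spend is rejected and the timeout spend stays in place.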