bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Antoine Riard

Posted on: October 17, 2023 01:11 UTC

The email discusses a situation where two different parties can spend the same HTLC (Hashed Time Lock Contract) transaction output without the first party having the right to spend it using their knowledge of the HTLC preimage.

The email explains that Lightning Network (LN) commitment transactions carry HTLC outputs in which one counterparty, Alice, pledges the HTLC amount to another counterparty, Caroll, in exchange for a preimage and Caroll's signature. If Caroll does not claim the HTLC on-chain before the HTLC timelock expires, Alice can claim it back with her own signature and the pre-exchanged Caroll signature.

However, the email highlights an exploit in which Caroll uses her HTLC preimage transaction as a replace-by-fee of Alice's HTLC timeout transaction after the timelock has expired. Caroll can replace Alice's HTLC timeout transaction in the mempool this way, and keep doing so, until an inbound HTLC on another of Alice's channels expires. As a result, the "forward" HTLC can be double-spent.

The email mentions that this exploit is possible because no mempool policy rule prevents Caroll's HTLC preimage transaction from itself being replaced once Alice's HTLC timeout transaction has been evicted from the mempool. It is important to note that the HTLC output then has no remaining spend candidate for the current block.

In summary, the email explains how the exploitation of the HTLC preimage transaction can lead to a situation where two parties can spend the same HTLC transaction output without the first party having the right to spend it via their knowledge of the HTLC preimage. This is achieved by Caroll replacing Alice's HTLC timeout transaction in the mempool until an inbound HTLC on another channel expires, allowing for the double-spending of the "forward" HTLC.
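A defender-side check for the pattern described above, as an added example that is not code from the email or from any Lightning implementation: it scans mempool samples for the sequence "our HTLC timeout is replaced by a conflicting spend, then that spend disappears and the output has no spend candidate left". The `Snapshot` type, the function names, the txids, the heights and the `max_cycles` threshold are all hypothetical, and the samples are assumed to cover only the period in which the HTLC output is still unspent on-chain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    height: int    # chain tip height when the mempool was sampled
    mempool: dict  # txid -> set of outpoints ("txid:vout") spent by that tx

def spender_of(snap, outpoint, our_txids):
    """Who holds the mempool spend of `outpoint`: 'ours', 'other', or None."""
    for txid, spent in snap.mempool.items():
        if outpoint in spent:
            return "ours" if txid in our_txids else "other"
    return None  # no spend candidate is left for the next block

def count_cycles(snapshots, outpoint, our_txids):
    """Count ours -> other -> None sequences for one unspent HTLC output."""
    cycles, prev, evicted = 0, None, False
    for snap in snapshots:
        cur = spender_of(snap, outpoint, our_txids)
        if cur == "other" and prev == "ours":
            evicted = True    # our timeout was replaced by a conflicting spend
        elif cur is None and evicted:
            cycles += 1       # the conflicting spend vanished unconfirmed
            evicted = False
        elif cur == "ours":
            evicted = False   # our timeout is back in the mempool
        prev = cur
    return cycles

def assess(snapshots, outpoint, our_txids, inbound_expiry, max_cycles=2):
    """Report cycles seen and blocks left before the inbound HTLC expires."""
    cycles = count_cycles(snapshots, outpoint, our_txids)
    return {"cycles": cycles,
            "blocks_left": inbound_expiry - snapshots[-1].height,
            "alarm": cycles >= max_cycles}

# Constructed sample data: every txid, outpoint and height is made up.
HTLC = "commit:1"
OURS = {"timeout_a", "timeout_b"}   # each rebroadcast of the timeout has a new txid
SAMPLES = [
    Snapshot(100, {"timeout_a": {HTLC}}),
    Snapshot(100, {"preimage_x": {HTLC}}),
    Snapshot(101, {}),
    Snapshot(101, {"timeout_b": {HTLC}}),
    Snapshot(102, {"preimage_y": {HTLC}}),
    Snapshot(102, {}),
]

if __name__ == "__main__":
    print(assess(SAMPLES, HTLC, OURS, inbound_expiry=140))
```

An alarm here is a cue to rebroadcast the timeout transaction and to treat the remaining `blocks_left` as the budget before the inbound HTLC on the other channel expires.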