bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby ZmnSCPxj

Posted on: October 17, 2023 10:34 UTC

The email provides a detailed explanation of a potential attack on the Lightning Network (LN) and its implications.

The attack involves three nodes, A, B, and C, connected through channels. The timelocks for the transactions are specified, with A->B having a timelock of 144 and B->C having a timelock of 100.

According to the LN BOLT requirements, if B has a cltv_expiry_delta of 44 or lower, the setup is considered valid. However, in this attack scenario, after B forwards the HTLC (B->C), node C suddenly goes offline, causing all signed transactions, including the commitment transaction and HTLC-timeout transactions, to be "stuck" at the feerate at the time.

At block height 100, B notices that the B->C HTLC timelock has expired without C claiming it, so B forces the B====C channel on-chain. However, due to the increased on-chain feerates, the commitment transaction and HTLC-timeout transaction do not confirm. Meanwhile, node A is still online with B and updates the on-chain fees of the A====B channel pre-signed transactions (commitment tx and HTLC-timeout tx) to the latest fees.

At block height 144, B is still unable to claim the A->B HTLC, so A drops the A====B channel on-chain. Since the fees are up-to-date, the confirmation happens immediately, allowing A to recover the HTLC funds. However, the feerates of the B====C pre-signed transactions remain at the old, uncompetitive feerates.

In this situation, C broadcasts an HTLC-success transaction with high feerates, using Child-Pays-for-Parent (CPFP) to confirm the commitment transaction. However, this transaction replaces the HTLC-timeout transaction, which has a lower feerate. As a result, C is able to claim the value of the HTLC, but B can no longer use the knowledge of the preimage since its own incoming HTLC has already been confirmed as claimed by A.

The email also provides an explanation for why the HTLC-timeout transaction is presigned in this case and why B cannot feebump it. In the Poon-Dryja mechanism, HTLCs are "infected" by the Poon-Dryja penalty case, making them not plain HTLCs. The commitment transaction held by B is infected by the penalty case, adding a revocation branch (C && revocation) and including C in the branch claimable by B in the "plain" HTLC (B && OP_CLTV).

This is done to prevent B from cheating using an old, revoked transaction. Even if B retains an old revoked transaction, the relative timelock added to the HTLC-timeout transaction makes it necessary for B to contend with a new output. However, this means that the HTLC-timeout transaction is presigned and has a specific feerate. Changing the feerate requires both B and C to agree to re-sign the HTLC-timeout transaction at a higher feerate.

On the other hand, the HTLC-success transaction spends the plain (C && OP_HASH160) branch, involving only C. This allows C to feebump the HTLC-success transaction arbitrarily, even without B's cooperation. Additionally, C has an advantage in terms of fees because they only need to push a smaller number of bytes compared to B, requiring a smaller fee to achieve a particular feerate.

Overall, the email provides a comprehensive explanation of the attack on the Lightning Network, covering the nodes involved, the timelocks, the implications of offline nodes, on-chain fees, and the specifics of the HTLC-timeout and HTLC-success transactions.