bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Antoine Riard

Posted on: October 17, 2023 17:47 UTC

The email discusses the possibility of a specific type of attack on the Lightning Network (LN) and clarifies that no such attack has been observed on the mainnet.

The sender mentions that they have discussed privately to experiment with a demo attack in restricted development circles, similar to what has been done in the past for LN security issues. The risk of exposure is confirmed if an attacker targets channels with high capacity and loose channel policies.

The sender suggests that to observe the existence of such an attack happening, one can look at mempool logs and the amount of HTLC (Hash Time Locked Contract) output being systematically conflicted out with a specific sequence. It is noted that this attack is not akin to a pinning attack and can happen without network mempool congestion. The attack involves controlling two neighboring nodes to target the victim, cycling the attack on the tail side, and delaying the confirmation of the HTLC-timeout covenant. This will force-close the channel and claim the timeout-path, canceling back the initial HTLC amount to the attacker's initial node. The sender believes this behavior is worthy of testing.

The email also mentions that Local-mempool preimage monitoring has been implemented by Eclair and LND as a mitigation against old school pinning attacks and replacement cycling attacks respectively. However, it is not currently implemented by Core-Lightning or LDK.

The sender proposes a defensive fee mitigation strategy, where if the attacker tries to steal an HTLC output, aggressive fee-bumping should be done on the HTLC-output in addition to claiming it on the incoming path. This would make the attack more costly for the peer when they know that fees up to 50% of the HTLC value are used.

It is mentioned that the attack becomes more costly when the HTLCs the attacker tries to steal are small, highlighting the lack of a way at the specification level to negotiate a cap on the total value of outbound HTLC in-flight.

Overall, the email discusses the potential attack on the Lightning Network, clarifies its non-occurrence on the mainnet, suggests monitoring mempool logs, and proposes defensive fee mitigation as a strategy against the attack. It also mentions the implementation of Local-mempool preimage monitoring by some LN implementations and highlights the limitation in negotiating a cap on the total value of outbound HTLC in-flight.