bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"


Original Post by Antoine Riard

Posted on: October 19, 2023 17:22 UTC

The email discusses a paper on the topic of mitigation, focusing on subsection 3.4, which covers defensive fee-rebroadcasting.

The author mentions that when there is a mempool backlog and the defensive fractional-fee HTLC-timeout becomes stuck, the attacker gains an advantage. Additionally, the author suggests that an attacker can replace-cycle multiple honest HTLC-timeouts with a single malicious HTLC-preimage, paying the absolute fee while only incurring the RBF penalty. Although the author has not tested this specific behavior, they note that the "fees" math does not seem to favor the defenders.