bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Antoine Riard

Posted on: October 19, 2023 19:33 UTC

The email discusses the concept of a replacement-cycling attacker in the context of the Bitcoin Lightning Network.

The attacker is able to pay 100% of the Hash Time-Locked Contract (HTLC) value under the defender's scorched earth policy and still make a profit. The scenario involves three participants: Alice, Bob, and Caroll, who all have independent HTLCs in-flight on their outbound channels.

Under the defensive fee scorched earth policy, Alice broadcasts her HTLC-timeout with an absolute fee of 10,000 sats at T + 1. Mallory, the attacker, replaces it at T+2 with a HTLC-preimage X of 200,000 sats, along with a replace-by-fee (rbf) penalty of 1 sat/vb rule 4. Alice's HTLC-timeout is then out of network mempools.

Bob then broadcasts his HTLC-timeout of 200,000 sats at T+3, which is replaced by Mallory at T+4 with her HTLC-preimage Y of 200,000 sats, along with an rbf penalty of 1 sat/vb rule 4 * 2. Bob's HTLC-timeout is also out of network mempools. HTLC-preimage Y conflicts with HTLC-preimage X as well, resulting in a multiplied by 2 rbf penalty.

Caroll follows suit by broadcasting her HTLC-timeout of 200,000 sats at T+5, which is replaced by Mallory at T+6 with her HTLC-preimage Z of 200,000 sats, along with an rbf penalty of 1 sat/vb rule 4 * 3. Caroll's HTLC-timeout is also out of network mempools. HTLC-preimage Z conflicts with HTLC-preimage Z too, resulting in a multiplied by 3 rbf penalty.

At any point, if Mallory's HTLC-preimage enters the top mempool feerates group (due to the accumulated rbf penalty), one unconfirmed ancestor can be double-spent to remove the HTLC-preimage. If Mallory successfully executes the replacement cycling, she may incur a loss of 10,000 sats plus the rbf penalty cost for each rebroadcast attempt of the victim. However, she gains the HTLC value of 200,000 sats from Alice, Bob, and Caroll.

Assuming 5 rebroadcasts per block (even on random timers) multiplied by 3 victims, with an HTLC-preimage size of 200 bytes and a cltv_delta of 144 blocks, the total cost for the attacker is 432,000 sats. The economic gain realized is 168,000 sats. It seems that each additional victim costs 144,000 sats, regardless of the targeted HTLC value.

The author expresses gratitude for checking the fees math and replacement rules, as they appear correct. They mention that more favorable assumptions could be introduced to benefit the attacker, such as mempool spikes where the "honest" HTLC-timeout transactions are left floating in network mempools.

Best, Antoine