bitcoin-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Matt Morehouse

Posted on: October 20, 2023 18:35 UTC

The email suggests applying the concept of a presigned fee multiplier to prevent replacement cycling attacks in HTLC spends.

The proposed solution involves modifying HTLC scripts so that both parties can only spend the HTLC via presigned second-stage transactions, which are always signed with SIGHASH_ALL. Because a SIGHASH_ALL signature commits to every input and output of the transaction, the attacker cannot add inputs to their presigned transaction, which makes a replacement cycling attack impossible. However, implementing this solution would require more bookkeeping and result in less fee granularity when claiming HTLCs on chain.
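
Why SIGHASH_ALL blocks added inputs, as an added example that is not part of the original post: it computes the segwit v0 signature digest following the BIP143 field rules and checks whether a presigned signature on input 0 stays valid after an input and an output are appended. The transaction values and script bytes are constructed placeholders, and SIGHASH_SINGLE|SIGHASH_ANYONECANPAY is chosen here as the contrasting mode; the page does not name it.

```python
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x02, 0x03, 0x80
ZERO = bytes(32)

def dsha(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def ser_outpoint(txid, vout):
    return bytes.fromhex(txid)[::-1] + struct.pack("<I", vout)

def ser_output(value, script):
    assert len(script) < 253  # single-byte compact size only
    return struct.pack("<q", value) + bytes([len(script)]) + script

def bip143_digest(tx, idx, script_code, amount, hashtype):
    """Digest signed for segwit v0 input `idx`, per the BIP143 field rules."""
    base, acp = hashtype & 0x1F, bool(hashtype & SIGHASH_ANYONECANPAY)
    ins, outs = tx["inputs"], tx["outputs"]
    hash_prevouts = ZERO if acp else dsha(b"".join(ser_outpoint(t, v) for t, v, _ in ins))
    hash_sequence = (ZERO if acp or base in (SIGHASH_NONE, SIGHASH_SINGLE)
                     else dsha(b"".join(struct.pack("<I", s) for _, _, s in ins)))
    if base not in (SIGHASH_NONE, SIGHASH_SINGLE):
        hash_outputs = dsha(b"".join(ser_output(v, s) for v, s in outs))
    elif base == SIGHASH_SINGLE and idx < len(outs):
        hash_outputs = dsha(ser_output(*outs[idx]))
    else:
        hash_outputs = ZERO
    txid, vout, seq = ins[idx]
    assert len(script_code) < 253
    preimage = (struct.pack("<i", tx["version"]) + hash_prevouts + hash_sequence
                + ser_outpoint(txid, vout) + bytes([len(script_code)]) + script_code
                + struct.pack("<q", amount) + struct.pack("<I", seq) + hash_outputs
                + struct.pack("<I", tx["locktime"]) + struct.pack("<I", hashtype))
    return dsha(preimage)

def signature_survives_added_input(hashtype):
    """True if the digest for input 0 is unchanged after an input and output are appended."""
    script_code = bytes.fromhex("51")          # constructed placeholder, not a real HTLC script
    htlc_in = ("aa" * 32, 0, 1)                # constructed outpoint (txid, vout, nSequence)
    presigned = {"version": 2, "locktime": 0, "inputs": [htlc_in],
                 "outputs": [(100_000, bytes.fromhex("0020") + bytes(32))]}
    modified = {**presigned,
                "inputs": presigned["inputs"] + [("bb" * 32, 1, 0xFFFFFFFD)],
                "outputs": presigned["outputs"] + [(5_000, bytes.fromhex("0014") + bytes(20))]}
    before = bip143_digest(presigned, 0, script_code, 100_000, hashtype)
    after = bip143_digest(modified, 0, script_code, 100_000, hashtype)
    return before == after
```

With SIGHASH_ALL the digest changes as soon as the input set changes, so the presigned signature no longer verifies; this is also why fee bumping by attaching inputs is lost and the proposal falls back to presigning several fee levels.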