bitcoin-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 21, 2023 20:05 UTC
In the email, the sender addresses some misrepresentations of their previous communication that have been circulating in offline Twitter posts.
They clarify that the security flaws in question are not intentional backdoors and do not reflect negatively on the competence of the Bitcoin and Lightning development community. The sender mentions that a small circle of Bitcoin developers has been aware of the replacement cycling issue since December 2022. They also note that changes at the Bitcoin base layer could potentially be the most substantial fixes, but such changes take time to implement, much as they do for the Linux kernel, the BSDs, and OS vendors.
The sender explains that they have recently had internal discussions on improving coordinated security fixes and patching processes for the future, and that they have been at the forefront of this area of concern since 2020/2021. In the meantime, Lightning experts have already deployed mitigations that significantly strengthen the Lightning ecosystem against simple or medium-complexity attacks. However, more advanced attacks require extensive knowledge of p2p and mempool behaviour, which takes years for average Bitcoin developers to acquire, as other Bitcoin experts such as Matt or Peter have noted.
The sender advises journalists reporting on this information to wait until expert reporters from Bitcoin circles, who have more in-field knowledge, can provide a qualified assessment of the technical situation with more distance. They emphasize the importance of responsible reporting, as journalists' reputations are at stake. They acknowledge that information in electronic communication and media is fluid, and that there is no native anti-DoS mechanism to slow the spread of sensitive information while mitigations are still being deployed; this is why the sender does not use any form of social media.
Additionally, the sender suggests reading works by Seneca and Marcus Aurelius to approach the situation with stoicism and meditation. They acknowledge that while their previous statements are mostly technically correct, some could have been written with more clarity, English not being their native language. They express their intention to wait until the week of October 30th to discuss the best fix and its trade-offs further as a community, considering that some laggard Lightning implementations still need to ship fixes. However, they mention the possibility of commenting further on the mailing list if the flow of information on social media hinders the Bitcoin community's ability to work on long-term appropriate fixes in a responsible and constructive manner.
Throughout the email, the sender provides various links for reference, including resources on handling hardware-sourced vulnerabilities such as Meltdown, a link to a lightning-dev mailing list thread, and recommendations for reading material on communication in a crisis and on daily meditation practice.