lightning-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 19, 2023 19:33 UTC
In the email, the sender discusses a scenario involving a replacement-cycling attacker and a defender's scorched earth policy.
The attacker can afford to pay 100% of the HTLC (Hashed Time-Locked Contract) value under the policy and still gain economically. The scenario involves three individuals: Alice, Bob, and Caroll, who are "honest" routing hops targeted by the attacker.
The defense strategy is as follows: Alice broadcasts her HTLC-timeout at T+1 with a committed absolute fee of 10,000 sats (satoshis). However, the attacker, Mallory, replaces it at T+2 with an HTLC-preimage X of 200,000 sats, along with an RBF (Replace-By-Fee) penalty of 1 sat/vb (virtual byte) according to rule 4. Alice's HTLC-timeout is then evicted from network mempools.
Bob subsequently broadcasts his HTLC-timeout of 200,000 sats at T+3. Mallory replaces it again at T+4 with her HTLC-preimage Y of 200,000 sats, along with an RBF penalty of 1 sat/vb * 2. Bob's HTLC-timeout is also evicted from network mempools. Notably, HTLC-preimage Y conflicts with HTLC-preimage X, resulting in a multiplied RBF penalty.
Caroll then broadcasts her HTLC-timeout of 200,000 sats at T+5. Mallory replaces it again at T+6 with her HTLC-preimage Z of 200,000 sats, along with an RBF penalty of 1 sat/vb * 3. Caroll's HTLC-timeout is evicted from network mempools as well. As before, HTLC-preimage Z conflicts with HTLC-preimage Y, leading to a multiplied RBF penalty.
If Mallory's HTLC-preimage enters the top mempool feerate group because of the accumulated RBF penalty, one unconfirmed ancestor can be double-spent to evict the HTLC-preimage. If Mallory successfully executes the replacement cycling, she loses 10,000 sats plus the RBF penalty cost for each rebroadcast attempt by a victim, but she gains the HTLC value of 200,000 sats from each of Alice, Bob, and Caroll.
Considering assumptions such as 5 rebroadcasts per block (even on random timers), 3 victims, an HTLC-preimage size of 200 bytes, and a cltv_delta (block height difference) of 144 blocks, the total attacker cost is calculated as 432,000 sats. The realized economic gain amounts to 168,000 sats. Thus, it appears that each additional victim has a cost of 144,000 sats, regardless of the targeted HTLC value.
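The fee math summarized above, worked through as an added example that is not part of the original email. It follows the email's own arithmetic for the totals (one penalty unit per victim rebroadcast over the cltv_delta window), models the stacking rule-4 penalty of the X/Y/Z replacement round separately, and adds a defender-side extension that is my own assumption: the rebroadcast rate at which the per-victim cost reaches the HTLC value.

```python
from math import ceil

# Constructed parameters matching the email's assumptions (sats, vbytes, blocks).
HTLC_VALUE = 200_000          # value of each victim's HTLC
PREIMAGE_VBYTES = 200         # assumed size of one HTLC-preimage transaction
PENALTY_RATE = 1              # sat/vb incremental relay fee (RBF rule 4)
VICTIMS = 3                   # Alice, Bob, Caroll
REBROADCASTS_PER_BLOCK = 5    # honest HTLC-timeout rebroadcasts per block
CLTV_DELTA = 144              # blocks during which the attacker must keep cycling


def cycle_penalties(victims=VICTIMS, vbytes=PREIMAGE_VBYTES, rate=PENALTY_RATE):
    """RBF penalty each HTLC-preimage in one replacement round must add.
    Preimage k also conflicts with preimage k-1 (Y with X, Z with Y), so the
    rule-4 increment stacks: 1x, 2x, 3x ... of rate * vbytes."""
    return [k * rate * vbytes for k in range(1, victims + 1)]


def attacker_economics(victims=VICTIMS, rebroadcasts=REBROADCASTS_PER_BLOCK,
                       cltv_delta=CLTV_DELTA, vbytes=PREIMAGE_VBYTES,
                       rate=PENALTY_RATE, htlc_value=HTLC_VALUE):
    """Totals as computed in the email: the attacker pays one penalty unit for
    every victim rebroadcast across the whole cltv_delta window and collects
    each victim's HTLC value if the cycling succeeds."""
    per_victim_cost = rebroadcasts * cltv_delta * vbytes * rate
    total_cost = per_victim_cost * victims
    gain = victims * htlc_value - total_cost
    return {"per_victim_cost": per_victim_cost,
            "total_cost": total_cost,
            "gain": gain}


def rebroadcasts_to_break_even(htlc_value=HTLC_VALUE, cltv_delta=CLTV_DELTA,
                               vbytes=PREIMAGE_VBYTES, rate=PENALTY_RATE):
    """Defender view (assumed extension of the email's model): the smallest
    per-block rebroadcast rate at which the per-victim cost is at least the
    HTLC value, i.e. the attack stops paying for HTLCs of that size."""
    return ceil(htlc_value / (cltv_delta * vbytes * rate))


if __name__ == "__main__":
    print("round penalties (sats):", cycle_penalties())
    print("email's totals:", attacker_economics())
    print("rebroadcasts/block to break even:", rebroadcasts_to_break_even())
```

With the email's numbers this reproduces the 432,000 sats cost, 168,000 sats gain and 144,000 sats marginal cost per victim; under the same model, seven rebroadcasts per block would already push a 200,000 sats HTLC below the attacker's break-even.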
The sender expresses gratitude to the reader for checking the fee math and replacement rules, confirming that they seem correct. They also note that assumptions more favorable to the attacker, such as mempool spikes during which the "honest" HTLC-timeout transactions can be left floating in network mempools, are not introduced into the model.