lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Antoine Riard

Posted on: October 20, 2023 06:56 UTC

The email discusses the writer's recent activities and concerns regarding the lightning network and its implementations.

The writer mentions that they have written a test to verify the behavior on the core mempool, which is working as expected. They provide a link to the code for reference.

The writer also mentions following the responsible disclosure process, similar to the process documented for hardware issues affecting the Linux kernel. They provide a link to the documentation for reference.

They inform that they are halting their involvement with the development of the lightning network and its implementations, including coordinating the handling of security issues at the protocol level. They have closed an old issue related to this purpose on the bolt repository and provide a link to it.

The writer expresses concern about a new class of replacement cycling attacks that puts the lightning network in a perilous position. They suggest that a sustainable fix may be required at the base-layer, such as adding a memory-intensive history of all-seen transactions or a consensus upgrade. They mention that current mitigations are not sufficient against advanced attackers.

They emphasize the need for transparency and buy-in from the community when making changes that affect the processing requirements and security architecture of the decentralized bitcoin ecosystem. They acknowledge the challenge of explaining the necessity of these changes while also highlighting the potential risks involved.

The writer plans to remain silent on these issues on public mailing lists until the week of October 30th, as enough material has been published and other experts are available. After that, they will shift their focus back to Bitcoin Core.

Overall, the email reflects the writer's concerns about the security and future development of the lightning network, as well as their intention to continue contributing to Bitcoin Core.