lightning-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 21, 2023 20:05 UTC
In the email, the sender addresses misrepresentations of their previous communication that have circulated in Twitter posts outside the mailing list.
They clarify that the security flaws found are not intentional backdoors and do not call into question the competence of the Bitcoin and Lightning development community. The replacement cycling issue has been known to a small circle of Bitcoin developers since December 2022. It is suggested that changes at the Bitcoin base layer may be the most substantial fixes, but these take time, much as they do for the Linux kernel, the BSDs, and other OS vendors.
The sender mentions having internal discussions on improving coordinated security fixes and patching processes for the future, an area of concern they have been at the forefront of since 2020/2021. Meanwhile, Lightning experts have already implemented mitigations that significantly strengthen the Lightning ecosystem against simple or medium-complexity attacks. More advanced attacks require in-depth knowledge and months of preparation.
The sender advises journalists reporting on the information to wait for expert reporters within the Bitcoin circles, who have more in-field knowledge and can provide a qualified technical assessment. They emphasize the importance of responsible reporting, as journalists' reputations are at stake. The nature of electronic communication and contemporary media makes information fluid, with no native anti-DoS mechanism to slow the spread of sensitive information while mitigations are still being deployed. This is one of the reasons the sender does not participate in any form of social media.
Additionally, the sender suggests reading Seneca and Marcus Aurelius to approach the situation with stoicism and meditation. They acknowledge that some of their previous statements could have been written more clearly, as English is not their native language. They express the intention to discuss the best fix and its trade-offs further within the community, but will comment on the mailing list if the flow of information on social media hinders the Bitcoin community's ability to work responsibly on appropriate long-term fixes.
The sender briefly mentions the handling of hardware-sourced vulnerabilities and recommends reading about the Meltdown security vulnerability. They also provide a link to a lightning-dev mailing list thread discussing propagation and network effects. In terms of personal well-being, they suggest reading Venkatesh Rao's Ribbonfarm essays and mention that technology companies practice meditation daily, with "The Mind Illuminated" being a recommended read.
Overall, the email emphasizes the need for accurate reporting, highlights ongoing efforts to address security flaws, and mentions resources for further understanding the technical aspects and personal well-being in the context of the situation.