lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Olaoluwa Osuntokun

Posted on: October 21, 2023 00:18 UTC

The email discusses an attack scenario involving the Lightning Network (LN), specifically focusing on the process of replacing HTLC (Hashed Time-Locked Contract) transactions in the mempool.

It is clarified that a third party, Mallory, can only replace an HTLC-timeout transaction if she has a direct channel connection with the target peer. Mallory cannot unilaterally replace any transaction in the mempool solely with knowledge of the preimage.

To understand the attack, it is important to establish some fundamental context. When the timelock of an HTLC expires and the receiver has the preimage, a bidding war commences. If the receiver successfully confirms their transaction in time, they receive the funds, and the sender can propagate the preimage backwards in the route. If the sender wins the bidding war, it is as if nothing happened except for the fees paid at the last mile, and all other hops can safely cancel their HTLC back on the chain.

Most LN implementations monitor the mempool for preimages, enabling them to resolve incoming HTLCs off-chain quickly. The described attack relies heavily on the attacker's ability to execute precise transaction replacement globally across the mempool. If any honest party sees the preimage in the mempool, they can settle off-chain, and if their timeout confirms first, the defender gains funds.
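The mempool watching described above is the defender's main detection point: an HTLC-success spend carries the preimage in its witness, so a node that sees the transaction (even unconfirmed) can settle its incoming HTLC off-chain. The following is an added example, not code from the email or from any Lightning implementation; it parses the BIP144 serialisation of a transaction, scans every witness stack for 32-byte elements and matches their SHA256 against the payment hashes the node is waiting on. The sample transaction, its dummy signatures and the witness layout `<remote sig> <local sig> <preimage> <htlc script>` are constructed here for illustration; a real node would feed this check from its bitcoind's raw-transaction stream rather than from a constructed sample.

```python
from __future__ import annotations

import hashlib
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def read_varint(data: bytes, pos: int) -> tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at `pos`; return (value, new_pos)."""
    n = data[pos]
    if n < 0xFD:
        return n, pos + 1
    if n == 0xFD:
        return struct.unpack_from("<H", data, pos + 1)[0], pos + 3
    if n == 0xFE:
        return struct.unpack_from("<I", data, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", data, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    """Encode a CompactSize integer (used only to build the constructed sample)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_witnesses(raw: bytes) -> list[list[bytes]]:
    """Walk a BIP144-serialised transaction and return each input's witness stack.
    Legacy (non-witness) serialisations carry no witness data and yield []."""
    pos = 4                                   # skip version
    if raw[pos:pos + 2] != b"\x00\x01":       # segwit marker + flag
        return []
    pos += 2
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # outpoint: txid (32) + index (4)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    for _ in range(n_out):
        pos += 8                              # value
        script_len, pos = read_varint(raw, pos)
        pos += script_len                     # scriptPubKey
    witnesses = []
    for _ in range(n_in):
        n_items, pos = read_varint(raw, pos)
        stack = []
        for _ in range(n_items):
            item_len, pos = read_varint(raw, pos)
            stack.append(raw[pos:pos + item_len])
            pos += item_len
        witnesses.append(stack)
    return witnesses


def find_preimages(raw_tx: bytes, watched_hashes: set[bytes]) -> dict[bytes, bytes]:
    """Return {payment_hash: preimage} for every 32-byte witness element whose
    SHA256 matches a payment hash the node is waiting on. This is the check a
    node runs on each transaction it sees enter the mempool."""
    found: dict[bytes, bytes] = {}
    for stack in parse_witnesses(raw_tx):
        for item in stack:
            if len(item) == 32:
                digest = sha256(item)
                if digest in watched_hashes:
                    found[digest] = item
    return found


def build_sample_tx(witness_stacks: list[list[bytes]]) -> bytes:
    """Constructed sample: serialise a segwit tx with dummy outpoints and one
    P2WPKH output. It is structurally valid but not a spendable transaction."""
    tx = struct.pack("<i", 2) + b"\x00\x01" + encode_varint(len(witness_stacks))
    for i in range(len(witness_stacks)):
        tx += bytes(32) + struct.pack("<I", i) + encode_varint(0) + struct.pack("<I", 0xFFFFFFFD)
    tx += encode_varint(1) + struct.pack("<q", 50_000) + encode_varint(22) + b"\x00\x14" + bytes(20)
    for stack in witness_stacks:
        tx += encode_varint(len(stack))
        for item in stack:
            tx += encode_varint(len(item)) + item
    return tx + struct.pack("<I", 0)


# Constructed sample: the preimage of an incoming HTLC this node is waiting on.
SAMPLE_PREIMAGE = bytes([0x11]) * 32
SAMPLE_PAYMENT_HASH = sha256(SAMPLE_PREIMAGE)

# Witness of a (constructed) HTLC-success spend: <remote sig> <local sig> <preimage> <htlc script>.
# Signatures and script are dummy bytes; only the preimage slot matters here.
SAMPLE_TX = build_sample_tx([[b"\x30" * 71, b"\x30" * 71, SAMPLE_PREIMAGE, b"\x63\xa9" + bytes(31)]])

if __name__ == "__main__":
    for payment_hash, preimage in find_preimages(SAMPLE_TX, {SAMPLE_PAYMENT_HASH}).items():
        print(f"preimage for {payment_hash.hex()} seen in mempool: {preimage.hex()}")
```

The match is on the hash, not on the witness position, so it also fires if the preimage appears in an unexpected slot of a replacement transaction; the node need only keep the set of payment hashes for its unresolved incoming HTLCs current.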

The attack must be executed perfectly for hours or even days. Within the LN, nodes have a security parameter called the CLTV delta, which determines how much time they have between the expiry of their outgoing and incoming HTLCs. Increasing this value makes the attack more difficult: the attacker must keep fees low enough to avoid being mined, high enough to replace the defender's transaction, yet not so high that the replacement itself is mined and ends the attack. With each iteration, the attacker must increase the fees paid, which increases the likelihood of being mined and renders the attack moot.

The attacker may attempt to locate the defender's node to launch the replacement attack directly in their mempool. However, by doing so, the defender will learn of the preimage and can settle everything back, thwarting the attack. Even without direct access to the defender's mempool, the attacker must iteratively execute the replacement across a real network with network jitter, propagation delay, and geographic heterogeneity. Any slight timing discrepancy could lead to confirmation or the revelation of the preimage in the mempool.

With anchor channels, the defender can attach arbitrary inputs to their second-level HTLC transactions for fee bumping. This allows them to iteratively increase their fee via Replace-By-Fee (RBF) as the expiry deadline approaches, further increasing the cost for the attacker. Additionally, this attack cannot be launched indiscriminately across the network; it requires per-node setup by the attacker, consuming UTXOs to create a chain of transactions for launching the replacement attack. These transactions must also be maintained in a non-confirming superposition.
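The fee-bumping loop above has a concrete shape: each replacement of the defender's HTLC-timeout must satisfy the mempool's RBF rules, and the fee has to climb as the CLTV deadline nears so that the transaction confirms before the incoming HTLC expires. The following is an added example, not code from the email or from any Lightning implementation; it encodes a simplified BIP125 replacement check (rule 3, rule 4 at bitcoind's default incremental relay feerate of 1 sat/vB, and Bitcoin Core's higher-feerate requirement) and an illustrative deadline-driven fee ramp that is an assumption of this example rather than any node's actual fee function. The schedule it produces is the sequence of replacements a defender would broadcast; every entry is a valid replacement of the previous one, bumps too small to be relayed are skipped, and the fee is capped at a budget (the HTLC value is the natural ceiling).

```python
from __future__ import annotations

import math

INCREMENTAL_RELAY_FEE = 1.0  # sat/vB; bitcoind's default incrementalrelayfee


def is_valid_replacement(old_fee: int, old_vsize: int, new_fee: int, new_vsize: int) -> bool:
    """Simplified BIP125 check for replacing a single conflicting transaction:
    rule 3 (pay at least the replaced fee), rule 4 (pay for the replacement's own
    relay bandwidth at the incremental relay feerate) and Bitcoin Core's
    requirement that the replacement's feerate be strictly higher."""
    if new_fee < old_fee:
        return False
    if new_fee - old_fee < INCREMENTAL_RELAY_FEE * new_vsize:
        return False
    return new_fee / new_vsize > old_fee / old_vsize


def target_fee_rate(blocks_remaining: int, deadline_blocks: int,
                    start_rate: float, max_rate: float) -> float:
    """Illustrative fee function (assumed for this example, not any
    implementation's): an exponential ramp from start_rate when the deadline
    is deadline_blocks away to max_rate when it is reached."""
    if blocks_remaining <= 0:
        return max_rate
    progress = 1.0 - blocks_remaining / deadline_blocks
    return start_rate * (max_rate / start_rate) ** progress


def bump_schedule(vsize: int, deadline_blocks: int, start_rate: float,
                  max_rate: float, budget: int) -> list[tuple[int, int]]:
    """Return [(blocks_remaining, fee_sats)]: the RBF replacements the defender
    broadcasts for its HTLC-timeout as the CLTV deadline approaches. A bump is
    skipped when it would be too small to relay (rule 4), and the fee never
    exceeds `budget`."""
    schedule: list[tuple[int, int]] = []
    fee = 0
    min_step = math.ceil(INCREMENTAL_RELAY_FEE * vsize)
    for remaining in range(deadline_blocks, -1, -1):
        rate = target_fee_rate(remaining, deadline_blocks, start_rate, max_rate)
        wanted = min(budget, math.ceil(rate * vsize))
        if schedule and wanted - fee < min_step:
            continue  # would be rejected as a replacement; wait for the next block
        fee = wanted
        schedule.append((remaining, fee))
    return schedule


if __name__ == "__main__":
    # Constructed parameters: a 150 vB timeout tx, 40 blocks of CLTV delta,
    # ramping from 2 to 200 sat/vB with a 25,000 sat budget.
    for remaining, fee in bump_schedule(150, 40, 2, 200, 25_000):
        print(f"{remaining:3d} blocks left: replacement paying {fee} sat ({fee / 150:.1f} sat/vB)")
```

Because each entry is itself a valid replacement, an attacker who wants to keep a conflicting transaction on top of the defender's has to outbid every step of the schedule while still keeping their own transaction from being mined, which is the cost escalation the email points to.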

In summary, this attack is considered fragile, requiring per-node setup, precise timing and execution, non-confirming superposition of all transactions, and instant propagation across the entire network while remaining obscured from the defender's point of view. The attack can be launched directly with a miner or "into" their mempool, but this weakens the attack as any broadcast of the preimage replacement transactions by the miner allows the defender to extract the preimage and settle the incoming HTLC.