lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Peter Todd

Posted on: October 27, 2023 00:43 UTC

The email discusses a potential attack scenario and proposes the use of OP_Expire to avoid it.

The sender clarifies that they are not claiming the attack is easy to execute, but rather pointing out that there may be cases where it happens accidentally. They give an example of a node that holds an HTLC-preimage, is offline, and then comes online at the right time to broadcast an HTLC-preimage redemption transaction with a higher fee than the timeout transaction.

If the other node goes offline at the right time, after broadcasting the timeout transaction, it may not notice the HTLC-preimage in the mempool and so fail to redeem it. The sender suggests that using OP_Expire would prevent this situation by making it impossible to redeem the HTLC-preimage after the timeout.
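The timing in this scenario can be replayed with a small model. The following is an added example, not code from the email or from any Lightning implementation; the node labels A and B, the heights and the fees are constructed. It assumes a single mempool slot for the HTLC output with higher-fee replacement, and that OP_Expire makes the preimage spend invalid from the timeout height onward.

```python
# Added illustration: a toy model, not Lightning or Bitcoin Core code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Spend:
    kind: str   # "timeout" or "preimage"
    fee: int    # absolute fee in sats (constructed values)

def simulate(timeout_height, broadcasts, b_online, op_expire):
    """Replay competing spends of one HTLC output.

    broadcasts: {height: [Spend, ...]}
    b_online:   heights at which B (the node timing out) watches the mempool
    Assumptions: one spend of the output sits in the mempool at a time, a
    higher-fee spend replaces it, and the spend left at the end confirms.
    """
    mempool, b_saw_preimage = None, False
    last = max(set(broadcasts) | set(b_online))
    for height in range(min(broadcasts), last + 1):
        for spend in broadcasts.get(height, []):
            # The timeout path is timelocked until the timeout height.
            if spend.kind == "timeout" and height < timeout_height:
                continue
            # Assumed OP_Expire rule: no preimage spend once the timeout is reached.
            if op_expire and spend.kind == "preimage" and height >= timeout_height:
                continue
            if mempool is None or spend.fee > mempool.fee:
                mempool = spend
        if height in b_online and mempool is not None and mempool.kind == "preimage":
            b_saw_preimage = True
    return {"confirmed": mempool.kind if mempool else None,
            "b_saw_preimage": b_saw_preimage}

# Constructed timeline: the HTLC times out at height 100.
TIMEOUT = 100
BROADCASTS = {
    100: [Spend("timeout", 500)],   # B broadcasts its timeout transaction
    101: [Spend("preimage", 900)],  # A comes back online with a higher-fee preimage spend
}

def run(b_online, op_expire):
    return simulate(TIMEOUT, BROADCASTS, b_online, op_expire)

if __name__ == "__main__":
    print("B offline after 100, no OP_Expire:", run({100}, False))
    print("B stays online, no OP_Expire:     ", run({100, 101, 102}, False))
    print("B offline after 100, OP_Expire:   ", run({100}, True))
```

The model only tracks what B observes in the mempool, as in the scenario above; it does not model B later reading a confirmed preimage from the chain.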

The sender includes a link to Peter Todd's website (https://petertodd.org) and their email address (peter@petertodd.org).