lightning-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 16, 2023 16:57 UTC
A new transaction-relay jamming attack has been discovered in Lightning channels, posing security risks to HTLC traffic.
Major Lightning implementations have introduced mitigations to prevent this attack, which involves replacing honest HTLC-timeout transactions with higher-fee HTLC-preimage transactions. The attacker evicts the honest transaction from the mempool using replacement transactions with higher fees, potentially leading to a loss of funds for the Lightning node. Various strategies have been implemented to mitigate these attacks, including aggressive rebroadcasting, local-mempool preimage monitoring, and adjusting the default CLTV delta. However, other Bitcoin applications using time-sensitive paths or multi-party transactions may also be vulnerable to denial-of-service vectors under network mempool congestion. The email highlights the need for further research and development in the area of package malleability pinning attacks, as well as ongoing investigation into the security of Lightning implementations and potential vulnerabilities in other Bitcoin applications.
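As an added illustration of the local-mempool preimage monitoring mitigation named above (not code from the disclosure or from any Lightning implementation), the sketch below scans decoded mempool transactions for a 32-byte witness item whose SHA-256 equals the payment hash of a pending HTLC. It assumes transactions arrive in the JSON shape bitcoind uses for decoded transactions (`vin[].txinwitness` as hex strings); the function name and all sample data are constructed.

```python
import hashlib

def find_preimages(pending_hashes, mempool_txs):
    """Map payment_hash_hex -> (preimage_hex, txid) for every pending HTLC
    whose preimage is revealed in a witness item of a mempool transaction."""
    pending = {h.lower() for h in pending_hashes}
    found = {}
    for tx in mempool_txs:
        for vin in tx.get("vin", []):
            # Legacy (non-witness) inputs carry no "txinwitness" key.
            for item in vin.get("txinwitness", []):
                try:
                    raw = bytes.fromhex(item)
                except ValueError:
                    continue  # malformed hex: ignore rather than crash the monitor
                if len(raw) != 32:
                    continue  # HTLC preimages are exactly 32 bytes
                digest = hashlib.sha256(raw).hexdigest()
                if digest in pending and digest not in found:
                    found[digest] = (raw.hex(), tx["txid"])
    return found

# Constructed sample data (not real transactions or keys).
PREIMAGE = bytes(range(32))
PENDING = [
    hashlib.sha256(PREIMAGE).hexdigest(),           # HTLC we forwarded
    hashlib.sha256(b"unrelated htlc").hexdigest(),  # HTLC with no reveal yet
]
MEMPOOL = [
    # A 32-byte witness item that is not a preimage for any pending HTLC.
    {"txid": "aa" * 32, "vin": [{"txinwitness": ["30" * 71, "11" * 32, "51"]}]},
    # A spend that reveals the preimage, plus one input without a witness.
    {"txid": "bb" * 32, "vin": [
        {"txinwitness": ["30" * 71, PREIMAGE.hex(), "", "52"]},
        {"txid": "cc" * 32, "vout": 0},
    ]},
]

if __name__ == "__main__":
    for payment_hash, (preimage, txid) in find_preimages(PENDING, MEMPOOL).items():
        print(f"preimage for {payment_hash[:16]}... seen in tx {txid[:16]}...")
```

Because the attack replaces transactions in the mempool, a monitor like this has to inspect transactions as they are accepted, not only those that remain at a later poll or reach a block.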