lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Antoine Riard

Posted on: October 17, 2023 01:11 UTC

The email discusses a situation where two parties can spend the same HTLC (Hash Time Locked Contract) transaction output, even if the first party does not have the right to spend it using their knowledge of the HTLC preimage.

The sender is seeking clarification on why this situation exists.

In Lightning Network (LN) commitment transactions, one counterparty, Alice, pledges the HTLC amount to another counterparty, Caroll, in exchange for a preimage and Caroll's signature. If the HTLC is not claimed on-chain by Caroll before the expiration of the HTLC timelock, Alice can claim it back with her signature and the pre-exchanged Caroll signature.

The exploit occurs when Caroll uses her HTLC-preimage transaction to replace Alice's HTLC-timeout after the timelock has expired. This replacement is still considered valid by the consensus rules. There are no mempool policy rules preventing Caroll's HTLC-preimage from being replaced once Alice's HTLC-timeout has been evicted from the mempool.

As a result, the HTLC output does not have any remaining spend candidate for this block. If Caroll successfully repeats this replacement process until an inbound HTLC on another channel owned by Alice expires, the "forward" HTLC can be double-spent.

This vulnerability allows Caroll to spend the HTLC transaction output without having the right to do so based on her knowledge of the HTLC preimage. It highlights a flaw in the current system that needs to be addressed to prevent such double-spending scenarios.
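The sequence described above can be watched for from Alice's side. The following is an added example, not code from the original post or from any Lightning implementation: it audits a series of mempool snapshots for one HTLC output and reports when Alice's HTLC-timeout was displaced by a competing spend and when the output was left with no spend candidate after the timelock expired. The `Snapshot` type, the transaction labels, the block heights and the snapshot feed itself are assumptions constructed for illustration.

```python
from dataclasses import dataclass

OUR_TX = "htlc-timeout"  # constructed label for Alice's own spend of the output


@dataclass(frozen=True)
class Snapshot:
    height: int            # chain tip when the mempool was sampled
    confirmed_spent: bool  # HTLC output already spent on-chain
    spenders: frozenset    # labels of mempool txs spending the HTLC output


def audit_htlc_output(snapshots, timelock_expiry, inbound_expiry):
    """Flag displacement of our spend and expiry-time gaps with no spend candidate."""
    displaced, orphaned, cycles = [], [], 0
    prev, just_displaced = None, False
    for snap in snapshots:
        if snap.confirmed_spent or snap.height < timelock_expiry:
            prev, just_displaced = snap, False  # nothing to claim yet, or already settled
            continue
        had_ours = prev is not None and OUR_TX in prev.spenders
        if had_ours and snap.spenders and OUR_TX not in snap.spenders:
            displaced.append(snap.height)       # a competing spend replaced ours
            just_displaced = True
        elif not snap.spenders:
            orphaned.append(snap.height)        # output unspent and nothing pending
            cycles += int(just_displaced)       # displacement then gap = one full cycle
            just_displaced = False
        else:
            just_displaced = False
        prev = snap
    last = snapshots[-1]
    blocks_left = None if last.confirmed_spent else inbound_expiry - last.height
    return {"displaced": displaced, "orphaned": orphaned,
            "cycles": cycles, "blocks_left": blocks_left}


# Constructed snapshots: timelock expires at height 100, inbound HTLC at 140.
CYCLING = [
    Snapshot(100, False, frozenset({"htlc-timeout"})),
    Snapshot(100, False, frozenset({"htlc-preimage"})),
    Snapshot(100, False, frozenset()),
    Snapshot(101, False, frozenset({"htlc-timeout"})),
    Snapshot(101, False, frozenset({"htlc-preimage"})),
    Snapshot(101, False, frozenset()),
]

if __name__ == "__main__":
    print(audit_htlc_output(CYCLING, timelock_expiry=100, inbound_expiry=140))
```

A rising `cycles` count together with a shrinking `blocks_left` is the condition the summary describes: the output stays unspent while the inbound HTLC on the other channel approaches expiry.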