lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Matt Morehouse

Posted on: October 19, 2023 17:53 UTC

The email discusses the concept of replacement cycles in the context of reducing the cost of an attack.

The defender implements a scorched-earth fee bumping policy to counter this strategy. The email explains that eventually, either the HTLC-timeout will confirm in the next block or the attacker will have to pay more fees than the HTLC-timeout fees to replace it. As the CLTV delta deadline approaches, the fees required for replacement may reach 50%, 80%, or even 100% of the HTLC value. This scorched-earth policy aims to make the attack unprofitable, even if the attacker only needs to perform one replacement cycle right before the deadline. In practice, with HTLC values significantly greater than the next-block fee cost, multiple replacements may be necessary as the deadline approaches.

The email also mentions that the linear scorched-earth policy is just an illustration and that further tuning of the fee bumping curve across the full CLTV delta is needed to ensure minimal fees are paid when not under attack. However, as the deadline approaches, it is suggested to become very aggressive in order to increase the chances of transaction confirmation during high mempool congestion and to punish replacement-cycling attackers.
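The linear policy described above can be put into numbers with a small model. This is an added example, not code from the email or from any Lightning implementation; the function names, the flat baseline used for comparison, the "+1 sat to outbid" rule and all values are assumptions made for illustration.

```python
"""Toy model of a linear scorched-earth fee-bumping policy (constructed values)."""

def linear_schedule(cltv_delta, htlc_value_sat, floor_fee_sat):
    """Defender's HTLC-timeout fee at each rebroadcast, one per block.

    Rises linearly from floor_fee_sat to 100% of the HTLC value at the
    last block before the CLTV deadline.
    """
    if cltv_delta < 2 or not 0 <= floor_fee_sat <= htlc_value_sat:
        raise ValueError("need cltv_delta >= 2 and 0 <= floor <= HTLC value")
    span = htlc_value_sat - floor_fee_sat
    return [floor_fee_sat + span * i // (cltv_delta - 1) for i in range(cltv_delta)]

def flat_schedule(cltv_delta, floor_fee_sat):
    """Baseline for comparison (assumption): the defender never bumps its fee."""
    return [floor_fee_sat] * cltv_delta

def attacker_cost(schedule, cycles):
    """Minimum total fee to replace the last `cycles` defender broadcasts.

    Simplification: each replacement pays 1 sat more than the HTLC-timeout
    it evicts; real relay policy demands more, so this is a lower bound.
    """
    if not 1 <= cycles <= len(schedule):
        raise ValueError("cycles must be between 1 and len(schedule)")
    return sum(fee + 1 for fee in schedule[-cycles:])

def attack_is_profitable(htlc_value_sat, cost_sat):
    """The attack pays off only if the HTLC is worth more than the fees spent."""
    return cost_sat < htlc_value_sat

if __name__ == "__main__":
    HTLC, FLOOR, DELTA = 100_000, 1_000, 5  # constructed sample values
    policies = (("flat", flat_schedule(DELTA, FLOOR)),
                ("linear", linear_schedule(DELTA, HTLC, FLOOR)))
    for name, sched in policies:
        for cycles in (1, DELTA):
            cost = attacker_cost(sched, cycles)
            print(f"{name:6} cycles={cycles} cost={cost:>7} sat "
                  f"profitable={attack_is_profitable(HTLC, cost)}")
```

With the flat baseline every replacement cycle stays cheap, while under the linear curve a single cycle right before the deadline already costs more than the HTLC is worth.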

Overall, the email emphasizes the importance of implementing effective fee bumping strategies to mitigate the impact of replacement cycles in attacks.