lightning-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Posted on: October 19, 2023 19:33 UTC
In the email, Antoine discusses the concept of a replacement-cycling attacker and how they can potentially gain economically even if they pay 100% of the HTLC value under the defender's scorched earth policy.
The scenario involves three individuals: Alice, Bob, and Caroll, who are all "honest" routing hops targeted by the attacker.
Antoine explains that each person has three independent 10,000 satoshi HTLCs (Hashed Time-Locked Contracts) in flight on their outbound channels. Under the defensive fee scorched earth policy, Alice broadcasts her HTLC-timeout at T+1 with a committed absolute fee of 10,000 satoshis. However, Mallory, the attacker, replaces it at T+2 with an HTLC-preimage X of 200,000 satoshis. This replacement incurs an RBF (Replace-By-Fee) penalty of 1 sat/vB (satoshi per virtual byte), following RBF rule 4.
Bob then broadcasts his HTLC-timeout of 200,000 satoshis at T+3, which is also replaced by Mallory at T+4 with her HTLC-preimage Y of 200,000 satoshis. This replacement incurs a multiplied RBF penalty of 2 due to the conflict between HTLC-preimage X and HTLC-preimage Y. Similarly, Caroll broadcasts her HTLC-timeout of 200,000 satoshis at T+5, which is replaced by Mallory at T+6 with her HTLC-preimage Z of 200,000 satoshis. This replacement incurs a multiplied RBF penalty of 3 due to the conflict between HTLC-preimage Z and HTLC-preimage Z.
Antoine mentions that if Mallory's HTLC-preimage enters the top mempool feerate group (due to the accumulated RBF penalty), one unconfirmed ancestor can be double-spent to evict the HTLC-preimage. If Mallory successfully executes the replacement cycling, she may incur a loss of 10,000 satoshis plus the RBF penalty cost for each rebroadcast attempt of the victim's HTLC. However, she would ultimately gain the HTLC value of 200,000 satoshis from each of Alice, Bob, and Caroll.
Assuming 5 rebroadcasts per block (even on random timers) multiplied by 3 victims, with an HTLC-preimage size of 200 bytes and a cltv_delta (time lock) of 144 blocks, the total attacker cost is calculated to be 432,000 satoshis. The economic gain realized by the attacker is 168,000 satoshis. Antoine concludes that it seems each additional victim has a cost of 144,000 satoshis, regardless of the targeted HTLC value.
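The cost and gain figures above, as an added model (not code from Antoine's email) that makes the break-even HTLC value explicit. It assumes, as the page's 432,000 satoshi total implies (5 x 3 x 200 x 144), that each rebroadcast of a victim's HTLC-timeout costs the attacker one RBF increment of 1 sat/vB over the HTLC-preimage size; the multiplied penalties of 2 and 3 and the 10,000 satoshi loss per cycle are left out of the total, as they are in the quoted figure.

```python
# Added example: a small model of the replacement-cycling cost/gain figures
# quoted in the summary. Assumption: every rebroadcast of a victim's
# HTLC-timeout forces the attacker to pay penalty_sat_per_vb * preimage_vbytes
# (the rule-4 incremental feerate); the multiplied penalties (2, 3) and the
# 10,000 sat per-cycle loss are not modelled, matching the 432,000 sat total.
from dataclasses import dataclass


@dataclass(frozen=True)
class CyclingModel:
    rebroadcasts_per_block: int = 5   # victims rebroadcast HTLC-timeout this often
    victims: int = 3                  # Alice, Bob, Caroll
    preimage_vbytes: int = 200        # size of the attacker's HTLC-preimage
    cltv_delta: int = 144             # blocks the cycling must be sustained
    penalty_sat_per_vb: int = 1       # RBF rule-4 incremental feerate

    def cost_per_victim(self) -> int:
        """Attacker cost to keep one victim's HTLC-timeout out for cltv_delta blocks."""
        return (self.rebroadcasts_per_block * self.preimage_vbytes
                * self.cltv_delta * self.penalty_sat_per_vb)

    def attacker_cost(self) -> int:
        """Total cost across all victims; independent of the HTLC value."""
        return self.victims * self.cost_per_victim()

    def attacker_gain(self, htlc_value_sat: int) -> int:
        """Net gain: one HTLC value per victim minus the cycling cost."""
        return self.victims * htlc_value_sat - self.attacker_cost()

    def break_even_htlc_value(self) -> int:
        """HTLC value at which the attack exactly pays for itself."""
        return self.cost_per_victim()


def is_profitable(model: CyclingModel, htlc_value_sat: int) -> bool:
    """True when cycling HTLCs of this value yields a strictly positive gain."""
    return model.attacker_gain(htlc_value_sat) > 0


if __name__ == "__main__":
    m = CyclingModel()
    print("cost:", m.attacker_cost(), "gain:", m.attacker_gain(200_000))
    # Doubling the victims' rebroadcast rate doubles the attacker's cost.
    print("gain at 10 rebroadcasts/block:",
          CyclingModel(rebroadcasts_per_block=10).attacker_gain(200_000))
```

Varying `rebroadcasts_per_block` and `cltv_delta` shows which defender-side parameters raise the break-even HTLC value.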
Antoine expresses gratitude for the checking of the fee math and replacement rules, confirming that they appear correct to him. He also notes that his analysis does not include assumptions more favourable to the attacker, such as mempool spikes during which the "honest" HTLC-timeout transactions can be left floating in network mempools.