lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Matt Morehouse

Posted on: October 20, 2023 18:35 UTC

The email discusses applying a presigned fee multiplier to HTLC spends in order to prevent replacement cycling.

The suggestion is to modify HTLC scripts so that both parties can only spend the HTLC via presigned second-stage transactions, which would be signed with SIGHASH_ALL. This modification would prevent attackers from adding inputs to their presigned transaction, making a replacement cycling attack impossible. However, implementing this solution would require more bookkeeping and result in less fee granularity when claiming HTLCs on chain.
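
Why SIGHASH_ALL rules out added inputs, shown as an added example that is not part of the original email or of any Lightning implementation: it computes the BIP143 digest a presigned signature covers and checks whether that digest survives appending an input and a change output. The comparison with SIGHASH_SINGLE|SIGHASH_ANYONECANPAY (a mode that does allow added inputs) is an assumption for contrast, and all txids, scripts and amounts are constructed placeholders.

```python
import hashlib
import struct

SIGHASH_ALL, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x03, 0x80

def dsha(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def ser_out(value, spk):
    # 8-byte amount + length-prefixed scriptPubKey (scripts here are < 253 bytes)
    return struct.pack("<q", value) + bytes([len(spk)]) + spk

def outpoint(txin):
    return txin["txid"] + struct.pack("<I", txin["vout"])

def bip143_digest(tx, idx, script_code, amount, hashtype):
    """BIP143 (segwit v0) message digest that the signature for input idx covers."""
    base, acp = hashtype & 0x1F, bool(hashtype & SIGHASH_ANYONECANPAY)
    zero, ins, outs = b"\x00" * 32, tx["inputs"], tx["outputs"]
    # ANYONECANPAY drops the commitment to the other inputs
    prevouts = zero if acp else dsha(b"".join(outpoint(i) for i in ins))
    seqs = zero if acp or base in (2, 3) else dsha(
        b"".join(struct.pack("<I", i["sequence"]) for i in ins))
    if base not in (2, 3):                    # ALL: every output is committed
        houts = dsha(b"".join(ser_out(*o) for o in outs))
    elif base == 3 and idx < len(outs):       # SINGLE: only the output at idx
        houts = dsha(ser_out(*outs[idx]))
    else:
        houts = zero
    me = ins[idx]
    return dsha(struct.pack("<i", tx["version"]) + prevouts + seqs + outpoint(me)
                + bytes([len(script_code)]) + script_code + struct.pack("<q", amount)
                + struct.pack("<I", me["sequence"]) + houts
                + struct.pack("<II", tx["locktime"], hashtype))

# Constructed sample data: placeholder txids, scripts and amounts.
SCRIPT_CODE = bytes.fromhex("51")             # stand-in for the HTLC witness script
AMOUNT = 100_000                              # value of the HTLC output being spent
HTLC_TX = {"version": 2, "locktime": 0,
           "inputs": [{"txid": b"\x11" * 32, "vout": 0, "sequence": 1}],
           "outputs": [(99_000, b"\x00\x20" + b"\x33" * 32)]}

def with_extra_input(tx):
    """Same transaction after appending one input and one change output."""
    extra = {"txid": b"\x22" * 32, "vout": 1, "sequence": 0xFFFFFFFD}
    return {**tx, "inputs": tx["inputs"] + [extra],
            "outputs": tx["outputs"] + [(5_000, b"\x00\x14" + b"\x44" * 20)]}

def signature_survives(hashtype):
    """True if the digest signed for input 0 is unchanged, so the presigned signature stays valid."""
    before = bip143_digest(HTLC_TX, 0, SCRIPT_CODE, AMOUNT, hashtype)
    return before == bip143_digest(with_extra_input(HTLC_TX), 0, SCRIPT_CODE, AMOUNT, hashtype)
```

Under SIGHASH_ALL the digest changes as soon as an input is appended, so the counterparty's presigned signature no longer verifies; this is also why the fee is fixed at signing time, the loss of fee granularity the summary mentions.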