lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Postby Olaoluwa Osuntokun

Posted on: October 21, 2023 00:18 UTC

In the given email, the discussion revolves around the scenario of Carol, Bob, and Alice in the context of HTLC (Hash Time-Locked Contract) transactions.

The email clarifies that Mallory, an attacker, can only replace an HTLC-timeout transaction if she is directly connected to the targeted peer through a direct channel. It is emphasized that a third party cannot unilaterally sweep an HTLC with just knowledge of the preimage as all HTLC transactions are two-party contracts with hardcoded public keys.

The email further explains the process when the timelock of an HTLC expires and the receiver has the preimage. At this point, a bidding war ensues where either the receiver can confirm their success transaction in time, gaining the funds, or the sender wins out, resulting in no change except for fees paid at the last mile. Most implementations today monitor the mempool for preimages, allowing them to resolve incoming HTLCs off-chain quickly.

The attack described in the email relies heavily on the attacker's ability to precisely replace transactions globally across the mempool. However, if any honest party sees the preimage in the mempool, they can settle off-chain, potentially gaining funds if their timeout confirms first. The attacker must execute the attack flawlessly for hours or even days. The security parameter known as CLTV delta, set by all nodes in the Lightning Network, determines the time available before outgoing and incoming HTLCs expire. Increasing this value makes the attack more challenging as fees need to be low enough to avoid mining while still replacing the defender's transaction.

The email acknowledges that the attacker may attempt to locate the defender's node to launch the replacement attack directly in their mempool. However, this approach would reveal the preimage to the defender, enabling them to settle everything back and thwart the attack. Additionally, executing the replacement attack iteratively across a real network poses challenges due to network jitter, propagation delay, and geographic heterogeneity.

Regarding anchor channels, the defender can attach arbitrary inputs for fee bumping purposes in second-level HTLCs. This allows them to iteratively increase their fee using Replace-By-Fee (RBF) as the expiry deadline approaches, further increasing the cost for the attacker. The attack cannot be launched indiscriminately across the network but requires per-node setup by the attacker, including maintaining non-confirming superposition of all transactions. The attack's success also relies on instant propagation across the entire network while remaining obscured from the defender's point of view.

In summary, the email highlights the complexity and fragility of the described attack, which necessitates per-node setup, precise timing and execution, non-confirming superposition of transactions, and instantaneous propagation across the network. Launching the attack directly with a miner or into their mempool weakens it, as any broadcasting of preimage replacement transactions gives the defender an opportunity to extract the preimage and settle the incoming HTLC.