lightning-dev

Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Original Post by Antoine Riard

Posted on: October 21, 2023 20:05 UTC

The email addresses the need to correct misrepresentations of a previous mail in offline Twitter posts.

The security flaws mentioned are not intentional backdoors and do not question the competence of the Bitcoin and Lightning development community. The replacement cycling issue has been known by a small circle of Bitcoin developers since December 2022. Changes at the bitcoin base-layer may be the most substantial fixes, but they take time to implement. Similar to how the Linux kernel, BSDs, and OS vendors work, improvements in coordinated security fixes and patching processes have been discussed. The lightning experts have already deployed mitigations that strengthen the lightning ecosystem against simple or medium attacks. However, more advanced attacks require a deep understanding of p2p and mempool knowledge. It is advised that journalists wait for expert reporters from the bitcoin community to provide a qualified technical situation before reporting on mainstream crypto publications. The fluidity of information in electronic communication and contemporary media makes it challenging to slow down the propagation of sensitive information where mitigations are still being deployed. The author does not engage in social media and suggests reading Seneca and Marcus Aurelius to approach the situation with stoicism and meditation. Despite some statements that could have been written with more clarity due to English not being the author's native language, most of the previous statements are technically correct. Further discussions on the best fix and trade-offs will take place in the week of October 30th. If the flow of information on social media hinders the bitcoin community's ability to work on long-term appropriate fixes, the author will comment further on the mailing list. The email also mentions handling hardware-sourced vulnerabilities and recommends reading about Meltdown, a security vulnerability. Additionally, the propagation and network effect are discussed, and Venkatesh Rao's Ribbonfarm essays are recommended for further reading. 
Finally, the email mentions that technology companies practice daily meditation, with "The Mind Illuminated" being a suggested read from 2020.