MIME-Version: 1.0
References: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
In-Reply-To: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Fri, 20 Oct 2023 07:56:34 +0100
Message-ID: <CALZpt+G-eLLShrJckLG1UMDQ9tMGzqP1pBsUpEZ+82e9wHZGYw@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>, 
 "lightning-dev\\\\@lists.linuxfoundation.org"
 <lightning-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000034d82f0608206090"
Cc: security@ariard.me
Subject: Re: [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232
 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Precedence: list

--00000000000034d82f0608206090
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

After writing the mail reply on the economics of sequential malicious
replacement of honest HTLC-timeout, I did write one more test to verify the
behavior on core mempool, and it works as expected.

https://github.com/ariard/bitcoin/commit/30f5d5b270e4ff195e8dcb9ef6b7ddcc5f=
6a1bf2

Responsible disclosure process has followed the lines of hardware issues
affecting operating system, as documented for the Linux kernel, while
adapted to the bitcoin ecosystem:

https://docs.kernel.org/6.1/process/embargoed-hardware-issues.html

Effective now, I'm halting my involvement with the development of the
lightning network and its implementations, including coordinating the
handling of security issues at the protocol level (I informed some senior
lightning devs in that sense before).

Closed the very old issue which was affected to me at this purpose on the
bolt repository:

https://github.com/lightning/bolts/pull/772

I think this new class of replacement cycling attacks puts lightning in a
very perilous position, where only a sustainable fix can happen at the
base-layer, e.g adding a memory-intensive history of all-seen transactions
or some consensus upgrade. Deployed mitigations are worth something in face
of simple attacks, though I don't think they're stopping advanced attackers
as said in the first full disclosure mail.

Those types of changes are the ones necessitating the utmost transparency
and buy-in of the community as a whole, as we're altering the full-nodes
processing requirements or the security architecture of the decentralized
bitcoin ecosystem in its integrality.

On the other hand fully explaining why such changes would be warranted for
the sake of lightning and for designing them well, we might need to lay out
in complete state practical and critical attacks on a ~5 355 public BTC
ecosystem.

Hard dilemma.

There might be a lesson in terms of bitcoin protocol deployment, we might
have to get them right at first try. Little second chance to fix them in
flight.

I'll be silent on those issues on public mailing lists until the week of
the 30 oct. Enough material has been published and other experts are
available. Then I'll be back focusing more on bitcoin core.

Best,
Antoine

Le lun. 16 oct. 2023 =C3=A0 17:57, Antoine Riard <antoine.riard@gmail.com> =
a
=C3=A9crit :

> (cross-posting mempool issues identified are exposing lightning chan to
> loss of funds risks, other multi-party bitcoin apps might be affected)
>
> Hi,
>
> End of last year (December 2022), amid technical discussions on eltoo
> payment channels and incentives compatibility of the mempool anti-DoS
> rules, a new transaction-relay jamming attack affecting lightning channel=
s
> was discovered.
>
> After careful analysis, it turns out this attack is practical and
> immediately exposed lightning routing hops carrying HTLC traffic to loss =
of
> funds security risks, both legacy and anchor output channels. A potential
> exploitation plausibly happening even without network mempools congestion=
.
>
> Mitigations have been designed, implemented and deployed by all major
> lightning implementations during the last months.
>
> Please find attached the release numbers, where the mitigations should be
> present:
> - LDK: v0.0.118 - CVE-2023 -40231
> - Eclair: v0.9.0 - CVE-2023-40232
> - LND: v.0.17.0-beta - CVE-2023-40233
> - Core-Lightning: v.23.08.01 - CVE-2023-40234
>
> While neither replacement cycling attacks have been observed or reported
> in the wild since the last ~10 months or experimented in real-world
> conditions on bitcoin mainet, functional test is available exercising the
> affected lightning channel against bitcoin core mempool (26.0 release
> cycle).
>
> It is understood that a simple replacement cycling attack does not demand
> privileged capabilities from an attacker (e.g no low-hashrate power) and
> only access to basic bitcoin and lightning software. Yet I still think
> executing such an attack successfully requests a fair amount of bitcoin
> technical know-how and decent preparation.
>
> From my understanding of those issues, it is yet to be determined if the
> mitigations deployed are robust enough in face of advanced replacement
> cycling attackers, especially ones able to combine different classes of
> transaction-relay jamming such as pinnings or vetted with more privileged
> capabilities.
>
> Please find a list of potential affected bitcoin applications in this ful=
l
> disclosure report using bitcoin script timelocks or multi-party
> transactions, albeit no immediate security risk exposure as severe as the
> ones affecting lightning has been identified. Only cursory review of
> non-lightning applications has been conducted so far.
>
> There is a paper published summarizing replacement cycling attacks on the
> lightning network:
>
> https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper=
/replacement-cycling.pdf
>
>  ## Problem
>
> A lightning node allows HTLCs forwarding (in bolt3's parlance accepted
> HTLC on incoming link and offered HTLC on outgoing link) should settle th=
e
> outgoing state with either a success or timeout before the incoming state
> timelock becomes final and an asymmetric defavorable settlement might
> happen (cf "Flood & Loot: A Systematic Attack on The Lightning Network"
> section 2.3 for a classical exposition of this lightning security propert=
y).
>
> Failure to satisfy this settlement requirement exposes a forwarding hop t=
o
> a loss of fund risk where the offered HTLC is spent by the outgoing link
> counterparty's HTLC-preimage and the accepted HTLC is spent by the incomi=
ng
> link counterparty's HTLC-timeout.
>
> The specification mandates the incoming HTLC expiration timelock to be
> spaced out by an interval of `cltv_expiry_delta` from the outgoing HTLC
> expiration timelock, this exact interval value being an implementation an=
d
> node policy setting. As a minimal value, the specification recommends 34
> blocks of interval. If the timelock expiration I of the inbound HTLC is
> equal to 100 from chain tip, the timelock expiration O of the outbound HT=
LC
> must be equal to 66 blocks from chain tip, giving a reasonable buffer of
> reaction to the lightning forwarding node.
>
> In the lack of cooperative off-chain settlement of the HTLC on the
> outgoing link negotiated with the counterparty (either
> `update_fulfill_htlc` or `update_fail_htlc`) when O is reached, the
> lightning node should broadcast its commitment transaction. Once the
> commitment is confirmed (if anchor and the 1 CSV encumbrance is present),
> the lightning node broadcasts and confirms its HTLC-timeout before I heig=
ht
> is reached.
>
> Here enter a replacement cycling attack. A malicious channel counterparty
> can broadcast its HTLC-preimage transaction with a higher absolute fee an=
d
> higher feerate than the honest HTLC-timeout of the victim lightning node
> and triggers a replacement. Both for legacy and anchor output channels, a
> HTLC-preimage on a counterparty commitment transaction is malleable, i.e
> additional inputs or outputs can be added. The HTLC-preimage spends an
> unconfirmed and unrelated to the channel parent transaction M and conflic=
ts
> its child.
>
> As the HTLC-preimage spends an unconfirmed input that was already include=
d
> in the unconfirmed and unrelated child transaction (rule 2), pays an
> absolute higher fee of at least the sum paid by the HTLC-timeout and chil=
d
> transaction (rule 3) and the HTLC-preimage feerate is greater than all
> directly conflicting transactions (rule 6), the replacement is accepted.
> The honest HTLC-timeout is evicted out of the mempool.
>
> In an ulterior move, the malicious counterparty can replace the parent
> transaction itself with another candidate N satisfying the replacement
> rules, triggering the eviction of the malicious HTLC-preimage from the
> mempool as it was a child of the parent T.
>
> There is no spending candidate of the offered HTLC output for the current
> block laying in network mempools.
>
> This replacement cycling tricks can be repeated for each rebroadcast
> attempt of the HTLC-timeout by the honest lightning node until expiration
> of the inbound HTLC timelock I. Once this height is reached a HTLC-timeou=
t
> is broadcast by the counterparty's on the incoming link in collusion with
> the one on the outgoing link broadcasting its own HTLC-preimage.
>
> The honest Lightning node has been "double-spent" in its HTLC forwarding.
>
> As a notable factor impacting the success of the attack, a lightning
> node's honest HTLC-timeout might be included in the block template of the
> miner winning the block race and therefore realizes a spent of the offere=
d
> output. In practice, a replacement cycling attack might over-connect to
> miners' mempools and public reachable nodes to succeed in a fast eviction
> of the HTLC-timeout by its HTLC-preimage. As this latter transaction can
> come with a better ancestor-score, it should be picked up on the flight b=
y
> economically competitive miners.
>
> A functional test exercising a simple replacement cycling of a HTLC
> transaction on bitcoin core mempool is available:
> https://github.com/ariard/bitcoin/commits/2023-test-mempool
>
> ## Deployed LN mitigations
>
> Aggressive rebroadcasting: As the replacement cycling attacker benefits
> from the HTLC-timeout being usually broadcast by lightning nodes only onc=
e
> every block, or less the replacement cycling malicious transactions paid
> only equal the sum of the absolute fees paid by the HTLC, adjusted with t=
he
> replacement penalty. Rebroadcasting randomly and multiple times before th=
e
> next block increases the absolute fee cost for the attacker.
>
> Implemented and deployed by Eclair, Core-Lightning, LND and LDK .
>
> Local-mempool preimage monitoring: As the replacement cycling attacker in
> a simple setup broadcast the HTLC-preimage to all the network mempools, t=
he
> honest lightning node is able to catch on the flight the unconfirmed
> HTLC-preimage, before its subsequent mempool replacement. The preimage ca=
n
> be extracted from the second-stage HTLC-preimage and used to fetch the
> off-chain inbound HTLC with a cooperative message or go on-chain with it =
to
> claim the accepted HTLC output.
>
> Implemented and deployed by Eclair and LND.
>
> CLTV Expiry Delta: With every jammed block comes an absolute fee cost pai=
d
> by the attacker, a risk of the HTLC-preimage being detected or discovered
> by the honest lightning node, or the HTLC-timeout to slip in a winning
> block template. Bumping the default CLTV delta hardens the odds of succes=
s
> of a simple replacement cycling attack.
>
> Default setting: Eclair 144, Core-Lightning 34, LND 80 and LDK 72.
>
> ## Affected Bitcoin Protocols and Applications
>
> From my understanding the following list of Bitcoin protocols and
> applications could be affected by new denial-of-service vectors under som=
e
> level of network mempools congestion. Neither tests or advanced review of
> specifications (when available) has been conducted for each of them:
> - on-chain DLCs
> - coinjoins
> - payjoins
> - wallets with time-sensitive paths
> - peerswap and submarine swaps
> - batch payouts
> - transaction "accelerators"
>
> Inviting their developers, maintainers and operators to investigate how
> replacement cycling attacks might disrupt their in-mempool chain of
> transactions, or fee-bumping flows at the shortest delay. Simple flows an=
d
> non-multi-party transactions should not be affected to the best of my
> understanding.
>
> ## Open Problems: Package Malleability
>
> Pinning attacks have been known for years as a practical vector to
> compromise lightning channels funds safety, under different scenarios (cf=
.
> current bip331's motivation section). Mitigations at the mempool level ha=
ve
> been designed, discussed and are under implementation by the community
> (ancestor package relay + nverrsion=3D3 policy). Ideally, they should
> constraint a pinning attacker to always attach a high feerate package
> (commitment + CPFP) to replace the honest package, or allow a honest
> lightning node to overbid a malicious pinning package and get its
> time-sensitive transaction optimistically included in the chain.
>
> Replacement cycling attack seem to offer a new way to neutralize the
> design goals of package relay and its companion nversion=3D3 policy, wher=
e an
> attacker package RBF a honest package out of the mempool to subsequently
> double-spend its own high-fee child with a transaction unrelated to the
> channel. As the remaining commitment transaction is pre-signed with a
> minimal relay fee, it can be evicted out of the mempool.
>
> A functional test exercising a simple replacement cycling of a lightning
> channel commitment transaction on top of the nversion=3D3 code branch is
> available:
> https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2
>
> ## Discovery
>
> In 2018, the issue of static fees for pre-signed lightning transactions i=
s
> made more widely known, the carve-out exemption in mempool rules to
> mitigate in-mempool package limits pinning and the anchor output pattern
> are proposed.
>
> In 2019, bitcoin core 0.19 is released with carve-out support. Continued
> discussion of the anchor output pattern as a dynamic fee-bumping method.
>
> In 2020, draft of anchor output submitted to the bolts. Initial finding o=
f
> economic pinning against lightning commitment and second-stage HTLC
> transactions. Subsequent discussions of a preimage-overlay network or
> package-relay as mitigations. Public call made to inquiry more on potenti=
al
> other transaction-relay jamming attacks affecting lightning.
>
> In 2021, initial work in bitcoin core 22.0 of package acceptance.
> Continued discussion of the pinning attacks and shortcomings of current
> mempool rules during community-wide online workshops. Later the year, in
> light of all issues for bitcoin second-layers, a proposal is made about
> killing the mempool.
>
> In 2022, bip proposed for package relay and new proposed v3 policy design
> proposed for a review and implementation. Mempoolfullrbf is supported in
> bitcoin core 24.0 and conceptual questions about alignment of mempool rul=
es
> w.r.t miners incentives are investigated.
>
> Along this year 2022, eltoo lightning channels design are discussed,
> implemented and reviewed. In this context and after discussions on mempoo=
l
> anti-DoS rules, I discovered this new replacement cycling attack was
> affecting deployed lightning channels and immediately reported the findin=
g
> to some bitcoin core developers and lightning maintainers.
>
> ## Timeline
>
> - 2022-12-16: Report of the finding to Suhas Daftuar, Anthony Towns, Greg
> Sanders and Gloria Zhao
> - 2022-12-16: Report to LN maintainers: Rusty Russell, Bastien Teinturier=
,
> Matt Corallo and Olaoluwa Osuntunkun
> - 2022-12-23: Sharing to Eugene Siegel (LND)
> - 2022-12-24: Sharing to James O'Beirne and Antoine Poinsot (non-lightnin=
g
> potential affected projects)
> - 2022-01-14: Sharing to Gleb Naumenko (miners incentives and cross-layer=
s
> issuers) and initial proposal of an early public disclosure
> - 2022-01-19: Collection of analysis if other second-layers and
> multi-party applications affected. LN mitigations development starts.
> - 2023-05-04: Sharing to Wilmer Paulino (LDK)
> - 2023-06-20: LN mitigations implemented and progressively released. Week
> of the 16 october proposed for full disclosure.
> - 2023-08-10: CVEs assigned by MITRE
> - 2023-10-05: Pre-disclosure of LN CVEs numbers and replacement cycling
> attack existence to security@bitcoincore.org.
> - 2023-10-16: Full disclosure of CVE-2023-40231 / CVE-2023-40232 /
> CVE-2023-40233 / CVE-2023-40234 and replacement cycling attacks
>
> ## Conclusion
>
> Despite the line of mitigations adopted and deployed by current major
> lightning implementations, I believe replacement cycling attacks are stil=
l
> practical for advanced attackers. Beyond this new attack might come as a
> way to partially or completely defeat some of the pinning mitigations whi=
ch
> have been working for years as a community.
>
> As of today, it is uncertain to me if lightning is not affected by a more
> severe long-term package malleability critical security issue under curre=
nt
> consensus rules, and if any other time-sensitive multi-party protocol,
> designed or deployed isn't de facto affected too (loss of funds or denial
> of service).
>
> Assuming analysis on package malleability is correct, it is unclear to me
> if it can be corrected by changes in replacement / eviction rules or
> mempool chain of transactions processing strategy. Inviting my technical
> peers and the bitcoin community to look more on this issue, including to
> dissent. I'll be the first one pleased if I'm fundamentally wrong on thos=
e
> issues, or if any element has not been weighted with the adequate technic=
al
> accuracy it deserves.
>
> Do not trust, verify. All mistakes and opinions are my own.
>
> Antoine
>
> "meet with Triumph and Disaster. And treat those two impostors just the
> same" - K.
>

--00000000000034d82f0608206090
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi,<div><br></div><div>After writing the mail reply on the=
 economics of sequential malicious replacement of honest HTLC-timeout, I di=
d write one more test to verify the behavior on core mempool, and it works =
as expected.</div><div><br></div><div><a href=3D"https://github.com/ariard/=
bitcoin/commit/30f5d5b270e4ff195e8dcb9ef6b7ddcc5f6a1bf2">https://github.com=
/ariard/bitcoin/commit/30f5d5b270e4ff195e8dcb9ef6b7ddcc5f6a1bf2</a><br></di=
v><div><br></div><div>Responsible disclosure process has followed the lines=
 of hardware issues affecting operating system, as documented for the Linux=
 kernel, while adapted to the bitcoin ecosystem:</div><div><br></div><div><=
a href=3D"https://docs.kernel.org/6.1/process/embargoed-hardware-issues.htm=
l">https://docs.kernel.org/6.1/process/embargoed-hardware-issues.html</a><b=
r></div><div><br></div><div>Effective now, I&#39;m halting my involvement w=
ith the development of the lightning=C2=A0network and its implementations, =
including coordinating the handling of security=C2=A0issues at the protocol=
=C2=A0level (I informed some senior lightning devs in that sense before).</=
div><div><br></div><div>Closed the very old issue which was affected to me =
at this purpose on the bolt repository:</div><div><br></div><div><a href=3D=
"https://github.com/lightning/bolts/pull/772">https://github.com/lightning/=
bolts/pull/772</a><br></div><div><br></div><div>I think this new class of r=
eplacement cycling attacks puts lightning in a very perilous position, wher=
e only a sustainable fix can happen at the base-layer, e.g adding a memory-=
intensive history of all-seen transactions or some consensus upgrade. Deplo=
yed mitigations are worth something in face of simple attacks, though I don=
&#39;t think they&#39;re stopping advanced attackers as said in the first f=
ull disclosure mail.</div><div><br></div><div>Those types of changes are th=
e ones necessitating the utmost transparency and buy-in of the community as=
 a whole, as we&#39;re altering the full-nodes processing requirements or t=
he security architecture of the decentralized bitcoin ecosystem in its inte=
grality.</div><div><br></div><div>On the other hand fully explaining why su=
ch changes would be warranted for the sake of lightning and for designing t=
hem well, we might need to lay out in complete state practical and critical=
 attacks on a ~5 355 public BTC ecosystem.</div><div><br></div><div>Hard di=
lemma.</div><div><br></div><div>There might be a lesson in terms of bitcoin=
 protocol deployment, we might have to get them right at first try. Little =
second chance to fix them in flight.</div><div><br></div><div>I&#39;ll be s=
ilent on those issues on public mailing lists until the week of the 30 oct.=
 Enough material has been published and other experts are available. Then I=
&#39;ll be back focusing more on bitcoin core.</div><div><br></div><div>Bes=
t,</div><div>Antoine</div></div><br><div class=3D"gmail_quote"><div dir=3D"=
ltr" class=3D"gmail_attr">Le=C2=A0lun. 16 oct. 2023 =C3=A0=C2=A017:57, Anto=
ine Riard &lt;<a href=3D"mailto:antoine.riard@gmail.com">antoine.riard@gmai=
l.com</a>&gt; a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote=
" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style=
:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr=
"><div>(cross-posting mempool issues identified are exposing lightning chan=
 to loss of funds risks, other multi-party bitcoin apps might be affected)<=
/div><div><br></div>Hi,<div><br></div><div>End of last year (December 2022)=
, amid technical discussions on eltoo payment channels and incentives compa=
tibility of the mempool anti-DoS rules, a new transaction-relay jamming att=
ack affecting lightning channels was discovered.</div><div><br></div><div>A=
fter careful analysis, it turns out this attack is practical and immediatel=
y=C2=A0exposed lightning routing hops carrying HTLC traffic to loss of fund=
s security risks, both legacy and anchor=C2=A0output channels. A potential =
exploitation plausibly happening even without network mempools congestion.<=
/div><div><br></div><div>Mitigations have been designed, implemented and de=
ployed by all major lightning implementations during the last months.</div>=
<div><br></div><div>Please find attached the release numbers, where the mit=
igations should be present:</div><div>- LDK: v0.0.118 - CVE-2023 -40231</di=
v><div>- Eclair: v0.9.0 - CVE-2023-40232</div><div>- LND: v.0.17.0-beta - C=
VE-2023-40233</div><div>- Core-Lightning: v.23.08.01 - CVE-2023-40234</div>=
<div><br></div><div>While neither replacement cycling attacks have been obs=
erved or reported in the wild since the last ~10 months or experimented in =
real-world conditions on bitcoin mainet, functional test is available exerc=
ising the affected lightning channel against bitcoin core mempool (26.0 rel=
ease cycle).</div><div><br></div><div>It is understood that a simple replac=
ement cycling attack does not demand privileged capabilities from an attack=
er (e.g no low-hashrate power) and only access to basic bitcoin and lightni=
ng software. Yet I still think executing such an attack successfully reques=
ts a fair amount of bitcoin technical know-how and decent preparation.</div=
><div><br></div><div>From my understanding of those issues, it is yet to be=
 determined if the mitigations deployed are robust enough in face of advanc=
ed replacement cycling attackers, especially ones able to combine different=
 classes of transaction-relay jamming such as pinnings or vetted with more =
privileged capabilities.</div><div><br></div><div>Please find a list of pot=
ential affected bitcoin applications in this full disclosure report using b=
itcoin script timelocks or multi-party transactions, albeit no immediate se=
curity risk exposure as severe as the ones affecting lightning has been ide=
ntified. Only cursory review of non-lightning applications has been conduct=
ed so far.</div><div><br></div><div>There is a paper published summarizing =
replacement cycling attacks on the lightning network:</div><div><a href=3D"=
https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper/r=
eplacement-cycling.pdf" target=3D"_blank">https://github.com/ariard/mempool=
-research/blob/2023-10-replacement-paper/replacement-cycling.pdf</a></div><=
div><br></div><div>=C2=A0## Problem</div><div><br></div><div>A lightning no=
de allows HTLCs forwarding (in bolt3&#39;s parlance accepted HTLC on incomi=
ng link and offered HTLC on outgoing link) should settle the outgoing state=
 with either a success or timeout before the incoming state timelock become=
s final and an asymmetric defavorable settlement might happen (cf &quot;Flo=
od &amp; Loot: A Systematic Attack on The Lightning Network&quot; section 2=
.3 for a classical exposition of this lightning security property).</div><d=
iv><br></div><div>Failure to satisfy this settlement requirement exposes a =
forwarding hop to a loss of fund risk where the offered HTLC is spent by th=
e outgoing link counterparty&#39;s HTLC-preimage and the accepted HTLC is s=
pent by the incoming link counterparty&#39;s HTLC-timeout.</div><div><br></=
div><div>The specification mandates the incoming HTLC expiration timelock t=
o be spaced out by an interval of `cltv_expiry_delta` from the outgoing HTL=
C expiration timelock, this exact interval value being an implementation an=
d node policy setting. As a minimal value, the specification recommends 34 =
blocks of interval. If the timelock expiration I of the inbound HTLC is equ=
al to 100 from chain tip, the timelock expiration O of the outbound HTLC mu=
st be equal to 66 blocks from chain tip, giving a reasonable buffer of reac=
tion to the lightning forwarding node.</div><div><br></div><div>In the lack=
 of cooperative off-chain settlement of the HTLC on the outgoing link negot=
iated with the counterparty (either `update_fulfill_htlc` or `update_fail_h=
tlc`) when O is reached, the lightning node should broadcast its commitment=
 transaction. Once the commitment is confirmed (if anchor and the 1 CSV enc=
umbrance is present), the lightning node broadcasts and confirms its HTLC-t=
imeout before I height is reached.</div><div><br></div><div>Here enter a re=
placement cycling attack. A malicious channel counterparty can broadcast it=
s HTLC-preimage transaction with a higher absolute fee and higher feerate t=
han the honest HTLC-timeout of the victim lightning node and triggers a rep=
lacement. Both for legacy and anchor output channels, a HTLC-preimage on a =
counterparty commitment transaction is malleable, i.e additional inputs or =
outputs can be added. The HTLC-preimage spends an unconfirmed and unrelated=
 to the channel parent transaction M and conflicts its child.</div><div><br=
></div><div>As the HTLC-preimage spends an unconfirmed input that was alrea=
dy included in the unconfirmed and unrelated child transaction (rule 2), pa=
ys an absolute higher fee of at least the sum paid by the HTLC-timeout and =
child transaction (rule 3) and the HTLC-preimage feerate is greater than al=
l directly conflicting transactions (rule 6), the replacement is accepted. =
The honest HTLC-timeout is evicted out of the mempool.</div><div><br></div>=
<div>In an ulterior move, the malicious counterparty can replace the parent=
 transaction itself with another candidate N satisfying the replacement rul=
es, triggering the eviction of the malicious HTLC-preimage from the mempool=
 as it was a child of the parent T.</div><div><br></div><div>There is no sp=
ending candidate of the offered HTLC output for the current block laying in=
 network mempools.</div><div><br></div><div>This replacement cycling tricks=
 can be repeated for each rebroadcast attempt of the HTLC-timeout by the ho=
nest lightning node until expiration of the inbound HTLC timelock I. Once t=
his height is reached a HTLC-timeout is broadcast by the counterparty&#39;s=
 on the incoming link in collusion with the one on the outgoing link broadc=
asting its own HTLC-preimage.</div><div><br></div><div>The honest Lightning=
 node has been &quot;double-spent&quot; in its HTLC forwarding.</div><div><=
br></div><div>As a notable factor impacting the success of the attack, a li=
ghtning node&#39;s honest HTLC-timeout might be included in the block templ=
ate of the miner winning the block race and therefore realizes a spent of t=
he offered output. In practice, a replacement cycling attack might over-con=
nect to miners&#39; mempools and public reachable nodes to succeed in a fas=
t eviction of the HTLC-timeout by its HTLC-preimage. As this latter transac=
tion can come with a better ancestor-score, it should be picked up on the f=
light by economically competitive miners.</div><div><br></div><div>A functi=
onal test exercising a simple replacement cycling of a HTLC transaction on =
bitcoin core mempool is available:</div><div><a href=3D"https://github.com/=
ariard/bitcoin/commits/2023-test-mempool" target=3D"_blank">https://github.=
com/ariard/bitcoin/commits/2023-test-mempool</a><br></div><div><br></div><d=
iv>## Deployed LN mitigations</div><div><br></div><div>Aggressive rebroadca=
sting: As the replacement cycling attacker benefits from the HTLC-timeout b=
eing usually broadcast by lightning nodes only once every block, or less th=
e replacement cycling malicious transactions paid only equal the sum of the=
 absolute fees paid by the HTLC, adjusted with the replacement penalty. Reb=
roadcasting randomly and multiple times before the next block increases the=
 absolute fee cost for the attacker.</div><div><br></div><div>Implemented a=
nd deployed by Eclair, Core-Lightning, LND and LDK .</div><div><br></div><d=
iv>Local-mempool preimage monitoring: As the replacement cycling attacker i=
n a simple setup broadcast the HTLC-preimage to all the network mempools, t=
he honest lightning node is able to catch on the flight the unconfirmed HTL=
C-preimage, before its subsequent mempool replacement. The preimage can be =
extracted from the second-stage HTLC-preimage and used to fetch the off-cha=
in inbound HTLC with a cooperative message or go on-chain with it to claim =
the accepted HTLC output.</div><div><br></div><div>Implemented and deployed=
 by Eclair and LND.<br></div><div><br></div><div>CLTV Expiry Delta: With ev=
ery jammed block comes an absolute fee cost paid by the attacker, a risk of=
 the HTLC-preimage being detected or discovered by the honest lightning nod=
e, or the HTLC-timeout to slip in a winning block template. Bumping the def=
ault CLTV delta hardens the odds of success of a simple replacement cycling=
 attack.</div><div><br></div><div>Default setting: Eclair 144, Core-Lightni=
ng 34, LND 80 and LDK 72.</div><div><br></div><div>## Affected Bitcoin Prot=
ocols and Applications</div><div><br></div><div>From my understanding the f=
ollowing list of Bitcoin protocols and applications could be affected by ne=
w denial-of-service vectors under some level of network mempools congestion=
. Neither tests or advanced review of specifications (when available) has b=
een conducted for each of them:</div><div>- on-chain DLCs</div><div>- coinj=
oins</div><div>- payjoins</div><div>- wallets with time-sensitive paths</di=
v><div>- peerswap and submarine swaps</div><div>- batch payouts</div><div>-=
 transaction &quot;accelerators&quot;</div><div><br></div><div>Inviting the=
ir developers, maintainers and operators to investigate how replacement cyc=
ling attacks might disrupt their in-mempool chain of transactions, or fee-b=
umping flows at the shortest delay. Simple flows and non-multi-party transa=
ctions should not be affected to the best of my understanding.</div><div><b=
r></div><div>## Open Problems: Package Malleability</div><div><br></div><di=
v>Pinning attacks have been known for years as a practical vector to compro=
mise lightning channels funds safety, under different scenarios (cf. curren=
t bip331&#39;s motivation section). Mitigations at the mempool level have b=
een designed, discussed and are under implementation by the community (ance=
stor package relay=C2=A0+ nverrsion=3D3 policy). Ideally, they should const=
raint a pinning attacker to always attach a high feerate package (commitmen=
t=C2=A0+ CPFP) to replace the honest package, or allow a honest lightning n=
ode to overbid a malicious pinning package and get its time-sensitive trans=
action optimistically included in the chain.</div><div><br></div><div>Repla=
cement cycling attack seem to offer a new way to neutralize the design goal=
s of package relay and its companion nversion=3D3 policy, where an attacker=
 package RBF a honest package out of the mempool to subsequently double-spe=
nd its own high-fee child with a transaction unrelated to the channel. As t=
he remaining commitment transaction is pre-signed with a minimal relay fee,=
 it can be evicted out of the mempool.</div><div><br></div><div>A functiona=
l test exercising a simple replacement cycling of a lightning channel commi=
tment transaction on top of the nversion=3D3 code branch is available:</div=
><div><a href=3D"https://github.com/ariard/bitcoin/commits/2023-10-test-mem=
pool-2" target=3D"_blank">https://github.com/ariard/bitcoin/commits/2023-10=
-test-mempool-2</a><br></div><div><br></div><div>## Discovery</div><div><br=
></div><div>In 2018, the issue of static fees for pre-signed lightning tran=
sactions is made more widely known, the carve-out exemption in mempool rule=
s to mitigate in-mempool package limits pinning and the anchor output patte=
rn are proposed.</div><div><br></div><div>In 2019, bitcoin core 0.19 is rel=
eased with carve-out support. Continued discussion of the anchor output pat=
tern as a dynamic fee-bumping method.</div><div><br></div><div>In 2020, dra=
ft of anchor output submitted to the bolts. Initial finding of economic pin=
ning against lightning commitment and second-stage HTLC transactions. Subse=
quent discussions of a preimage-overlay network or package-relay as mitigat=
ions. Public call made to inquiry more on potential other transaction-relay=
 jamming attacks affecting lightning.</div><div><br></div><div>In 2021, ini=
tial work in bitcoin core 22.0 of package acceptance. Continued discussion =
of the pinning attacks and shortcomings of current mempool rules during com=
munity-wide online workshops. Later the year, in light of all issues for bi=
tcoin second-layers, a proposal is made about killing the mempool.</div><di=
v><br></div><div>In 2022, bip proposed for package relay and new proposed v=
3 policy design proposed for a review and implementation. Mempoolfullrbf is=
 supported in bitcoin core 24.0 and conceptual questions about alignment of=
 mempool rules w.r.t miners incentives are investigated.</div><div><br></di=
v><div>Along this year 2022, eltoo lightning channels design are discussed,=
 implemented and reviewed. In this context and after discussions on mempool=
 anti-DoS rules, I discovered this new replacement cycling attack was affec=
ting deployed lightning channels and immediately reported the finding to so=
me bitcoin core developers and lightning maintainers.</div><div><br></div><=
div>## Timeline</div><div><br></div><div>- 2022-12-16: Report of the findin=
g to Suhas Daftuar, Anthony Towns, Greg Sanders and Gloria Zhao</div><div>-=
 2022-12-16: Report to LN maintainers: Rusty Russell, Bastien Teinturier, M=
att Corallo and Olaoluwa Osuntunkun</div><div>- 2022-12-23: Sharing to Euge=
ne Siegel (LND)</div><div>- 2022-12-24: Sharing to James O&#39;Beirne and A=
ntoine Poinsot (non-lightning potential affected projects)</div><div>- 2022=
-01-14: Sharing to Gleb Naumenko (miners incentives and cross-layers issuer=
s) and initial proposal of an early public disclosure=C2=A0</div><div>- 202=
2-01-19: Collection of analysis if other second-layers and multi-party appl=
ications affected. LN mitigations development starts.</div><div>- 2023-05-0=
4: Sharing to Wilmer Paulino (LDK)</div><div>- 2023-06-20: LN mitigations i=
mplemented and progressively released. Week of the 16 october proposed for =
full disclosure.</div><div>- 2023-08-10: CVEs assigned by MITRE</div><div>-=
 2023-10-05: Pre-disclosure of LN CVEs numbers and replacement cycling atta=
ck existence to <a href=3D"mailto:security@bitcoincore.org" target=3D"_blan=
k">security@bitcoincore.org</a>.</div><div>- 2023-10-16: Full disclosure of=
 CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 and repl=
acement cycling attacks</div><div><br></div><div>## Conclusion=C2=A0</div><=
div><br></div><div>Despite the line of mitigations adopted and deployed by =
current major lightning implementations, I believe replacement cycling atta=
cks are still practical for advanced attackers. Beyond this new attack migh=
t come as a way to partially or completely defeat some of the pinning mitig=
ations which have been working for years as a community.</div><div><br></di=
v><div>As of today, it is uncertain to me if lightning is not affected by a=
 more severe long-term package malleability critical security issue under c=
urrent consensus rules, and if any other time-sensitive multi-party protoco=
l, designed or deployed isn&#39;t de facto affected too (loss of funds or d=
enial of service).</div><div><br></div><div>Assuming analysis on package ma=
lleability is correct, it is unclear to me if it can be corrected by change=
s in replacement / eviction rules or mempool chain of transactions processi=
ng strategy. Inviting my technical peers and the bitcoin community to look =
more on this issue, including to dissent. I&#39;ll be the first one pleased=
 if I&#39;m fundamentally wrong on those issues, or if any element has not =
been weighted with the adequate technical accuracy it deserves.</div><div><=
br></div><div>Do not trust, verify. All mistakes and opinions are my own.</=
div><div><br></div><div>Antoine</div><div><br></div><div>&quot;meet with Tr=
iumph and Disaster. And treat those two impostors just the same&quot; - K.<=
/div></div>
</blockquote></div>

--00000000000034d82f0608206090--