summaryrefslogtreecommitdiff
path: root/e8/cb3d628399fc3d0a6276b9bd8e9372950845b0
blob: f0d2e29a4895b7b6ba2999055cf6b12a4cc8af46 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
Return-Path: <antoine.riard@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 79FC5C0001
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 12 May 2021 13:19:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 6463B4014D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 12 May 2021 13:19:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: smtp2.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id SNH1V9uHBsKQ
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 12 May 2021 13:19:51 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com
 [IPv6:2a00:1450:4864:20::430])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 238F840002
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 12 May 2021 13:19:51 +0000 (UTC)
Received: by mail-wr1-x430.google.com with SMTP id v12so23575204wrq.6
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 12 May 2021 06:19:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=YmDO7oRgGQB2fLFbvmsgAiT5pWGozN/rqkKhWsfWuEo=;
 b=p4gtl0Q0f0Yr766AHxLCjc9ivyKbfWhlj1XgN40Qn+uMwWfEJYkNk0zA6uScrc4xWa
 2UGl3SL6J7gJxh+Lyok7WCeZqoe0Tzu0wUutnMf+oF31Py3/KZ3WogLsOnKxqT0KKRVb
 pkrDQTdGWj6qPqoZr+9786LvZnXt8W8Cc2ZUDsFFAvt91tvb5fompfvVUgAwzBzSCxp4
 UAFkW2tEHUmKT/BiFo6vTvSRe8omD6IlYL1/iOAftC0Dv6xca4NyeZdtkYkIa4xyZ3En
 Ej24f8cbFORjSbVaCrYdIaw2y8BjDU0QHMTOXGS2ZhFaQTiRiYayxjN2l+VXBdvTSwng
 izAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=YmDO7oRgGQB2fLFbvmsgAiT5pWGozN/rqkKhWsfWuEo=;
 b=hTMF7oLgVGfwpO8CvHF3/d0wwRJXaxk1eArsjsxQPWNOHaUKKcq5sQCndJ1vna7FNv
 mMXuiNd2LXcQhkL7xaEjFi6ssrZJwgnAtn/dQeeECsdqo6BpBWoLXDkeD/Q3K6tTuDME
 peOoJKvmCOF+fr8QfkUH6EiWJ/LUjZ5/Tajd60ajbZYTEgeYdNqFXYIgsVg4yJlNgBQy
 Jx3SJs7t1NmDMTaiutD+JbqU0In/exwjk+ab7tVP6+uzdxoJtLc9VGBwh1Ye9I9K9/vq
 OKdejKS76vJ24sdEjx5vVDbSsIMYDpUxZtTNwG+xGU2nzM5kiJssB0yIyrGo3+ds7ET7
 WHeQ==
X-Gm-Message-State: AOAM531lSAM6l/FJGOqhXtSkZ+NqrwA06ZjZZTKaz/GEsl/Buif+JVg+
 hxEnE4kw4f43ahajpbbKuD8stT83LBQteHsy0EcrJXtr8G+eEA==
X-Google-Smtp-Source: ABdhPJwYJrkeyDGhbqpuG1vWBWtdBAS2x1CN/Ug4sVI0MYwitQ4IPo9m/t5qq0sq29HH2rYp2BPpDXJeA+w8TF/Dc8s=
X-Received: by 2002:a05:6000:184a:: with SMTP id
 c10mr1164649wri.244.1620825589346; 
 Wed, 12 May 2021 06:19:49 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+GK4WNBmKim3w9LAd1b69+uAyAsNu5tVniHzN6Ue4KJCw@mail.gmail.com>
 <202105112150.51410.luke@dashjr.org>
In-Reply-To: <202105112150.51410.luke@dashjr.org>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Wed, 12 May 2021 09:19:37 -0400
Message-ID: <CALZpt+FNGtXQuVF9JmtK-OQTxEu89ks42Y7j1NWqHSxc79uiWg@mail.gmail.com>
To: Luke Dashjr <luke@dashjr.org>
Content-Type: multipart/alternative; boundary="0000000000007ef2e605c221dd3f"
X-Mailman-Approved-At: Wed, 12 May 2021 13:30:25 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Full Disclosure: CVE-2021-31876 Defect in Bitcoin
 Core's bip125 logic
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2021 13:19:53 -0000

--0000000000007ef2e605c221dd3f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Luke,

> Is there a list of software impacted by this CVE, and the versions it is
fixed
in?

Speaking only for LN clients, as I think they're the only ones deployed
with real funds at stake. Defect is mitigated by new "anchor" channel type,
forcing RBF-signaling on all transactions.
* lnd v0.12 "anchor" activated by default, lnd v0.10 "anchor" activated by
user flag
* c-lightning, no release yet with "anchor" support
* eclair, no release yet with "anchor" support
* rust-lightning, no release yet with "anchor" support

> (Note this isn't a vulnerability in Bitcoin Core; BIP125 is strictly a
policy
matter, not part of the consensus rules and never safe to rely on in any
case...)

Answering two-folds.

First I somehow agree it's not a "vulnerability" in Bitcoin Core but at
least a clear lack of compliance to a heavily relied-on bitcoin standard
through the ecosystem. Even if BIPs are descriptive documentation and not
prescriptive, I don't think we have guidelines for now on how to proceed
with identified flaws with security implications for downstream projects.

Should the Bitcoin Core project adopt a security bulletin or advisories for
security-related info pertinent for downstream ?

Secondly, opinions were divergent on the security list on how to report on
this. On one side, tx-relay and mempool acceptance rules aren't considered
as reliable or strongly normative and purely a matter of node's policy.

On the other side, we have more and more deployed Bitcoin
applications/protocols (e.g LN, vaults, ...) directly making security
assumptions on them. Even if we consider such beliefs misplaced or
ingenious, we're laying on top of a permissionless system and can't really
prevent developers and users from deploying such softwares.

Should we stay on this statu quo and invite such Bitcoin users to deploy
their own overlay network for transaction propagation satisfying their
advanced requirements, at the price of far-less censorship-resistance and a
more opaque fee market for everyone ?

Or instead qualify a new, third set of rules between consensus and pure
"policy", especially crafted to support Bitcoin applications requiring
transparency and stability of tx-relay and mempool acceptance rules, at the
price of ossifying some part of full-nodes ? Of course, the degree of
normativity we could guarantee for those rules is making them compatible
with economic incentives of everyone. Hopefully fostering their wide
dissemination across full-node implementations and miner mempools.

You have good arguments and trade-offs on both sides.

Overall, I agree that describing tx-relay/mempool rules as non-normative,
non-reliable is the most understood mental model among developers *today*.
That said, I would like to underscore that this model might not be adequate
in light of recent ecosystem evolutions and reveal itself a bit crippling
the future...

Cheers,
Antoine

Le mar. 11 mai 2021 =C3=A0 17:51, Luke Dashjr <luke@dashjr.org> a =C3=A9cri=
t :

> Is there a list of software impacted by this CVE, and the versions it is
> fixed
> in?
>
> (Note this isn't a vulnerability in Bitcoin Core; BIP125 is strictly a
> policy
> matter, not part of the consensus rules and never safe to rely on in any
> case...)
>
>
> On Thursday 06 May 2021 13:55:53 Antoine Riard via bitcoin-dev wrote:
> > Hi,
> >
> > I'm writing to report a defect in Bitcoin Core bip125 logic with minor
> > security and operational implications for downstream projects. Though
> this
> > defect grieves Bitcoin Core nodes 0.12.0 and above, base layer safety
> isn't
> > impacted.
> >
> > # Problem
> >
> > Bip 125 specification describes the following signalling mechanism :
> >
> > "
> > This policy specifies two ways a transaction can signal that it is
> > replaceable.
> >
> > * Explicit signaling: A transaction is considered to have opted in to
> > allowing replacement of itself if any of its inputs have an nSequence
> > number less than (0xffffffff - 1).
> >
> > * Inherited signaling: Transactions that don't explicitly signal
> > replaceability are replaceable under this policy for as long as any one
> of
> > their ancestors signals replaceability and remains unconfirmed.
> >
> > One or more transactions currently in the mempool (original transaction=
s)
> > will be replaced by a new transaction (replacement transaction) that
> spends
> > one or more of the same inputs if,
> >
> > # The original transactions signal replaceability explicitly or through
> > inheritance as described in the above Summary section.
> > "
> >
> > An unconfirmed child transaction with nSequence =3D 0xff_ff_ff_ff spend=
ing
> an
> > unconfirmed parent with nSequence <=3D 0xff_ff_ff_fd should be replacea=
ble
> as
> > the child transaction signals "through inheritance". However, the
> > replacement code as implemented in Core's `PreChecks()` shows that this
> > behavior isn't  enforced and Core's mempool rejects replacement attempt=
s
> of
> > an unconfirmed child transaction.
> >
> > Branch asserting the behavior is here :
> > https://github.com/ariard/bitcoin/commits/2021-03-test-rbf
> >
> > # Solution
> >
> > The defect has not been patched.
> >
> > # Downstream Projects Affected
> >
> > * LN : State-of-the-art pinning attacks against second-stage HTLCs
> > transactions were thought to be only possible by exploiting RBF rule 3 =
on
> > the necessity of a higher absolute fee [0]. However, this replacement
> > defect opens the way for an attacker to only pin with an opt-out child
> > without a higher fee than the honest competing transaction. This lowers
> the
> > cost of attack as the malicious pinning transaction only has to be abov=
e
> > mempools'min feerate. This also increases odds of attack success for a
> > reduced feerate diminishes odds of confirmation ending the pinning.
> >
> > A functional test demo illustrating cases is available on this branch:
> > https://github.com/ariard/bitcoin/commits/2021-05-htlc-preimage-pinning=
s
> >
> > LN nodes operators concerned by this defect might favor anchor outputs
> > channels, fully mitigating this specific pinning vector.
> >
> > * Onchain DLC/Coinswap/Vault : Those contract protocols have also
> multiple
> > stages of execution with time-sensitive transactions opening the way to
> > pinning attacks. Those protocols being non-deployed or in early phase, =
I
> > would recommend that any in-protocol competing transactions explicitly
> > signal RBF.
> >
> > * Coinjoin/Cut-Through : if CPFP is employed as a fee-bumping strategy,
> if
> > the coinjoin transaction is still laying in network mempools, if a
> > fee-bumping output is spendable by any protocol participant, this
> > fee-bumping mechanism might be halted by a malicious protocol participa=
nt
> > broadcasting an low-feerate opt-out child. According to bip125, if the
> > coinjoin parent tx signals replaceability, the child transaction should
> be
> > replaceable, whatever its signaling. However Core doesn't apply this
> > policy. RBF of the coinjoin transaction itself should be used as a
> > fallback. I'm not aware of any deployed coinjoin using such
> > "anyone-can-bump" fee-bumping strategy.
> >
> > * Simple wallets : RBF engines' behaviors might be altered in ways not
> > matching the intent of their developers. I invite RBF engines dev to
> verify
> > what those components are doing in the light of disclosed information.
> >
> > # Discovery
> >
> > While reviewing the LN dual-funding flow, I inquired on potential new D=
oS
> > vectors introduced by relying on counterparty utxos in this following
> > analysis [1]. The second DoS issue "RBF opt-out by a Counterparty
> > Double-Spend" is relying on a malicious chain of transactions where the
> > parent is signaling RBF opt-in through nSequence<=3D0xff_ff_ff_ff-1 but=
 the
> > child, servicing as a pinning transaction, opt-out from the RBF policy.
> > This pinning trick conception was matching my understanding of Core cod=
e
> > but while reading again the specification, I observed that it was
> > inconsistent from the inherited signaling mechanism as described in the
> > bip's "Summary" section.
> >
> > After exercising the logic, I did submit the defect to Dave Harding,
> asking
> > confirmation of divergence between Bitcoin Core and BIP 125. Soon after=
,
> he
> > did confirm it and pointed that the defect has been there since the
> 2015's
> > PR introducing the opt-in RBF, advicing to to consider security
> > implications for deployed second-layer protocols. After noticing the
> minor
> > implications for pinning attacks on second-stage LN transactions while
> > talking with Matt Corallo, I did disclose to the Bitcoin Core security
> > list.
> >
> > My initial report was recommending avoiding a covert patch in the mempo=
ol
> > as risks of introducing DoS in this part of the codebase seemed to
> outweigh
> > security of deployed LN channels. This direction was agreed by the
> opinions
> > expressed on the security list. Beyond, there was a lack of agreement o=
n
> > how to proceed with the disclosure as so far in the history project,
> > transaction relay policy have not been considered as strongly reliable.
> > Though from now on, L2 protocols like Lightning are making assumptions =
on
> > subset of this policy for their safety, such as the highlighted RBF one=
.
> >
> > Defect was disclosed to the LN projects maintainers, informing them tha=
t
> > currently in deployment anchor outputs protocol upgrade was mitigating
> > against this defect though old channels will stay vulnerable. To the be=
st
> > of my knowledge, I didn't identify other deployed protocols of which
> coins
> > safety are impacted by this defect.
> >
> > # Ecosystem Observations
> >
> > This long-standing defect with benign security implications provided an
> > opportunity to exercise coordinated security disclosure across layers a=
nd
> > development teams.
> >
> > IMO, it underlies few interesting points:
> > * the lack of an established policy for coordinated security disclosure=
s
> > between a base layer implementation and its downstream projects
> > * the lack of a clear methodology to identify downstream projects
> affected
> > by a transaction relay policy wreckage
> > * the lack of minimally-disruptive, emergency upgrade mechanisms
> > implemented by downstream projects [2]
> >
> > Finally, security implications for downstream projects provoked by base
> > layer issues shouldn't be minimized as they do have a risk of windblow =
on
> > base layer operations. I believe we should minimize risks of disaster
> > scenarios such as thousands of LN channels manually closed by worried
> > operators due to a non-concerted security disclosure, provoking mempool
> > cloaks and disrupting regular transactions for a while.
> >
> > # Timeline
> >
> > 2021-03-18 : Defect discovered, report to Dave Harding original author =
of
> > bip125, confirmation of the defect
> > 2021-03-19 : Disclosure to the Bitcoin Core security list, Dave Harding=
,
> > Matt Corallo, acknowledgment of the issue
> > 2021-04-05 : Disclosure to the LN projects maintainers (c-lightning, ln=
d,
> > eclair, electrum, rust-lightning)
> > 2021-04-28 : CVE-2021-31876 assigned
> > 2021-05-06 : Full disclosure to the bitcoin-dev mailing list
> >
> > I believe the information reported is correct and reflects the best of =
my
> > knowledge, please point any shortcoming.
> >
> > Cheers,
> > Antoine
> >
> > [0]
> >
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/0026=
39
> >.html [1] See "On Mempool Funny Games against Multi-Party Funded
> > Transactions", published 2021-05-06
> > [2] Such as
> >
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-July/00276=
3
> .
> >html
>
>

--0000000000007ef2e605c221dd3f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Luke,<br><br>&gt; Is there a list of software impacted =
by this CVE, and the versions it is fixed <br>in?<br><br>Speaking only for =
LN clients, as I think they&#39;re the only ones deployed with real funds a=
t stake. Defect is mitigated by new &quot;anchor&quot; channel type, forcin=
g RBF-signaling on all transactions.<br>* lnd v0.12 &quot;anchor&quot; acti=
vated by default, lnd v0.10 &quot;anchor&quot; activated by user flag<br>* =
c-lightning, no release yet with &quot;anchor&quot; support<br>* eclair, no=
 release yet with &quot;anchor&quot; support<br>* rust-lightning, no releas=
e yet with &quot;anchor&quot; support<br><br>&gt; (Note this isn&#39;t a vu=
lnerability in Bitcoin Core; BIP125 is strictly a policy <br>matter, not pa=
rt of the consensus rules and never safe to rely on in any <br>case...)<br>=
<br>Answering two-folds. <br><br>First I somehow agree it&#39;s not a &quot=
;vulnerability&quot; in Bitcoin Core but at least a clear lack of complianc=
e to a heavily relied-on bitcoin standard through the ecosystem. Even if BI=
Ps are descriptive documentation and not prescriptive, I don&#39;t think we=
 have guidelines for now on how to proceed with identified flaws with secur=
ity implications for downstream projects.<br><br>Should the Bitcoin Core pr=
oject adopt a security bulletin or advisories for security-related info per=
tinent for downstream ?<br><br>Secondly, opinions were divergent on the sec=
urity list on how to report on this. On one side, tx-relay and mempool acce=
ptance rules aren&#39;t considered as reliable or strongly normative and pu=
rely a matter of node&#39;s policy. <br><br>On the other side, we have more=
 and more deployed Bitcoin applications/protocols (e.g LN, vaults, ...) dir=
ectly making security assumptions on them. Even if we consider such beliefs=
 misplaced or ingenious, we&#39;re laying on top of a permissionless system=
 and can&#39;t really prevent developers and users from deploying such soft=
wares.<br><br>Should we stay on this statu quo and invite such Bitcoin user=
s to deploy their own overlay network for transaction propagation satisfyin=
g their advanced requirements, at the price of far-less censorship-resistan=
ce and a more opaque fee market for everyone ?<br><br>Or instead qualify a =
new, third set of rules between consensus and pure &quot;policy&quot;, espe=
cially crafted to support Bitcoin applications requiring transparency and s=
tability of tx-relay and mempool acceptance rules, at the price of ossifyin=
g some part of full-nodes ? Of course, the degree of normativity we could g=
uarantee for those rules is making them compatible with economic incentives=
 of everyone. Hopefully fostering their wide dissemination across full-node=
 implementations and miner mempools.<br><br>You have good arguments and tra=
de-offs on both sides. <br><br>Overall, I agree that describing tx-relay/me=
mpool rules as non-normative, non-reliable is the most understood mental mo=
del among developers *today*. That said, I would like to underscore that th=
is model might not be adequate in light of recent ecosystem evolutions and =
reveal itself a bit crippling the future...<br><br>Cheers,<br>Antoine<br></=
div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Le=
=C2=A0mar. 11 mai 2021 =C3=A0=C2=A017:51, Luke Dashjr &lt;<a href=3D"mailto=
:luke@dashjr.org">luke@dashjr.org</a>&gt; a =C3=A9crit=C2=A0:<br></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left=
:1px solid rgb(204,204,204);padding-left:1ex">Is there a list of software i=
mpacted by this CVE, and the versions it is fixed <br>
in?<br>
<br>
(Note this isn&#39;t a vulnerability in Bitcoin Core; BIP125 is strictly a =
policy <br>
matter, not part of the consensus rules and never safe to rely on in any <b=
r>
case...)<br>
<br>
<br>
On Thursday 06 May 2021 13:55:53 Antoine Riard via bitcoin-dev wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; I&#39;m writing to report a defect in Bitcoin Core bip125 logic with m=
inor<br>
&gt; security and operational implications for downstream projects. Though =
this<br>
&gt; defect grieves Bitcoin Core nodes 0.12.0 and above, base layer safety =
isn&#39;t<br>
&gt; impacted.<br>
&gt;<br>
&gt; # Problem<br>
&gt;<br>
&gt; Bip 125 specification describes the following signalling mechanism :<b=
r>
&gt;<br>
&gt; &quot;<br>
&gt; This policy specifies two ways a transaction can signal that it is<br>
&gt; replaceable.<br>
&gt;<br>
&gt; * Explicit signaling: A transaction is considered to have opted in to<=
br>
&gt; allowing replacement of itself if any of its inputs have an nSequence<=
br>
&gt; number less than (0xffffffff - 1).<br>
&gt;<br>
&gt; * Inherited signaling: Transactions that don&#39;t explicitly signal<b=
r>
&gt; replaceability are replaceable under this policy for as long as any on=
e of<br>
&gt; their ancestors signals replaceability and remains unconfirmed.<br>
&gt;<br>
&gt; One or more transactions currently in the mempool (original transactio=
ns)<br>
&gt; will be replaced by a new transaction (replacement transaction) that s=
pends<br>
&gt; one or more of the same inputs if,<br>
&gt;<br>
&gt; # The original transactions signal replaceability explicitly or throug=
h<br>
&gt; inheritance as described in the above Summary section.<br>
&gt; &quot;<br>
&gt;<br>
&gt; An unconfirmed child transaction with nSequence =3D 0xff_ff_ff_ff spen=
ding an<br>
&gt; unconfirmed parent with nSequence &lt;=3D 0xff_ff_ff_fd should be repl=
aceable as<br>
&gt; the child transaction signals &quot;through inheritance&quot;. However=
, the<br>
&gt; replacement code as implemented in Core&#39;s `PreChecks()` shows that=
 this<br>
&gt; behavior isn&#39;t=C2=A0 enforced and Core&#39;s mempool rejects repla=
cement attempts of<br>
&gt; an unconfirmed child transaction.<br>
&gt;<br>
&gt; Branch asserting the behavior is here :<br>
&gt; <a href=3D"https://github.com/ariard/bitcoin/commits/2021-03-test-rbf"=
 rel=3D"noreferrer" target=3D"_blank">https://github.com/ariard/bitcoin/com=
mits/2021-03-test-rbf</a><br>
&gt;<br>
&gt; # Solution<br>
&gt;<br>
&gt; The defect has not been patched.<br>
&gt;<br>
&gt; # Downstream Projects Affected<br>
&gt;<br>
&gt; * LN : State-of-the-art pinning attacks against second-stage HTLCs<br>
&gt; transactions were thought to be only possible by exploiting RBF rule 3=
 on<br>
&gt; the necessity of a higher absolute fee [0]. However, this replacement<=
br>
&gt; defect opens the way for an attacker to only pin with an opt-out child=
<br>
&gt; without a higher fee than the honest competing transaction. This lower=
s the<br>
&gt; cost of attack as the malicious pinning transaction only has to be abo=
ve<br>
&gt; mempools&#39;min feerate. This also increases odds of attack success f=
or a<br>
&gt; reduced feerate diminishes odds of confirmation ending the pinning.<br=
>
&gt;<br>
&gt; A functional test demo illustrating cases is available on this branch:=
<br>
&gt; <a href=3D"https://github.com/ariard/bitcoin/commits/2021-05-htlc-prei=
mage-pinnings" rel=3D"noreferrer" target=3D"_blank">https://github.com/aria=
rd/bitcoin/commits/2021-05-htlc-preimage-pinnings</a><br>
&gt;<br>
&gt; LN nodes operators concerned by this defect might favor anchor outputs=
<br>
&gt; channels, fully mitigating this specific pinning vector.<br>
&gt;<br>
&gt; * Onchain DLC/Coinswap/Vault : Those contract protocols have also mult=
iple<br>
&gt; stages of execution with time-sensitive transactions opening the way t=
o<br>
&gt; pinning attacks. Those protocols being non-deployed or in early phase,=
 I<br>
&gt; would recommend that any in-protocol competing transactions explicitly=
<br>
&gt; signal RBF.<br>
&gt;<br>
&gt; * Coinjoin/Cut-Through : if CPFP is employed as a fee-bumping strategy=
, if<br>
&gt; the coinjoin transaction is still laying in network mempools, if a<br>
&gt; fee-bumping output is spendable by any protocol participant, this<br>
&gt; fee-bumping mechanism might be halted by a malicious protocol particip=
ant<br>
&gt; broadcasting an low-feerate opt-out child. According to bip125, if the=
<br>
&gt; coinjoin parent tx signals replaceability, the child transaction shoul=
d be<br>
&gt; replaceable, whatever its signaling. However Core doesn&#39;t apply th=
is<br>
&gt; policy. RBF of the coinjoin transaction itself should be used as a<br>
&gt; fallback. I&#39;m not aware of any deployed coinjoin using such<br>
&gt; &quot;anyone-can-bump&quot; fee-bumping strategy.<br>
&gt;<br>
&gt; * Simple wallets : RBF engines&#39; behaviors might be altered in ways=
 not<br>
&gt; matching the intent of their developers. I invite RBF engines dev to v=
erify<br>
&gt; what those components are doing in the light of disclosed information.=
<br>
&gt;<br>
&gt; # Discovery<br>
&gt;<br>
&gt; While reviewing the LN dual-funding flow, I inquired on potential new =
DoS<br>
&gt; vectors introduced by relying on counterparty utxos in this following<=
br>
&gt; analysis [1]. The second DoS issue &quot;RBF opt-out by a Counterparty=
<br>
&gt; Double-Spend&quot; is relying on a malicious chain of transactions whe=
re the<br>
&gt; parent is signaling RBF opt-in through nSequence&lt;=3D0xff_ff_ff_ff-1=
 but the<br>
&gt; child, servicing as a pinning transaction, opt-out from the RBF policy=
.<br>
&gt; This pinning trick conception was matching my understanding of Core co=
de<br>
&gt; but while reading again the specification, I observed that it was<br>
&gt; inconsistent from the inherited signaling mechanism as described in th=
e<br>
&gt; bip&#39;s &quot;Summary&quot; section.<br>
&gt;<br>
&gt; After exercising the logic, I did submit the defect to Dave Harding, a=
sking<br>
&gt; confirmation of divergence between Bitcoin Core and BIP 125. Soon afte=
r, he<br>
&gt; did confirm it and pointed that the defect has been there since the 20=
15&#39;s<br>
&gt; PR introducing the opt-in RBF, advicing to to consider security<br>
&gt; implications for deployed second-layer protocols. After noticing the m=
inor<br>
&gt; implications for pinning attacks on second-stage LN transactions while=
<br>
&gt; talking with Matt Corallo, I did disclose to the Bitcoin Core security=
<br>
&gt; list.<br>
&gt;<br>
&gt; My initial report was recommending avoiding a covert patch in the memp=
ool<br>
&gt; as risks of introducing DoS in this part of the codebase seemed to out=
weigh<br>
&gt; security of deployed LN channels. This direction was agreed by the opi=
nions<br>
&gt; expressed on the security list. Beyond, there was a lack of agreement =
on<br>
&gt; how to proceed with the disclosure as so far in the history project,<b=
r>
&gt; transaction relay policy have not been considered as strongly reliable=
.<br>
&gt; Though from now on, L2 protocols like Lightning are making assumptions=
 on<br>
&gt; subset of this policy for their safety, such as the highlighted RBF on=
e.<br>
&gt;<br>
&gt; Defect was disclosed to the LN projects maintainers, informing them th=
at<br>
&gt; currently in deployment anchor outputs protocol upgrade was mitigating=
<br>
&gt; against this defect though old channels will stay vulnerable. To the b=
est<br>
&gt; of my knowledge, I didn&#39;t identify other deployed protocols of whi=
ch coins<br>
&gt; safety are impacted by this defect.<br>
&gt;<br>
&gt; # Ecosystem Observations<br>
&gt;<br>
&gt; This long-standing defect with benign security implications provided a=
n<br>
&gt; opportunity to exercise coordinated security disclosure across layers =
and<br>
&gt; development teams.<br>
&gt;<br>
&gt; IMO, it underlies few interesting points:<br>
&gt; * the lack of an established policy for coordinated security disclosur=
es<br>
&gt; between a base layer implementation and its downstream projects<br>
&gt; * the lack of a clear methodology to identify downstream projects affe=
cted<br>
&gt; by a transaction relay policy wreckage<br>
&gt; * the lack of minimally-disruptive, emergency upgrade mechanisms<br>
&gt; implemented by downstream projects [2]<br>
&gt;<br>
&gt; Finally, security implications for downstream projects provoked by bas=
e<br>
&gt; layer issues shouldn&#39;t be minimized as they do have a risk of wind=
blow on<br>
&gt; base layer operations. I believe we should minimize risks of disaster<=
br>
&gt; scenarios such as thousands of LN channels manually closed by worried<=
br>
&gt; operators due to a non-concerted security disclosure, provoking mempoo=
l<br>
&gt; cloaks and disrupting regular transactions for a while.<br>
&gt;<br>
&gt; # Timeline<br>
&gt;<br>
&gt; 2021-03-18 : Defect discovered, report to Dave Harding original author=
 of<br>
&gt; bip125, confirmation of the defect<br>
&gt; 2021-03-19 : Disclosure to the Bitcoin Core security list, Dave Hardin=
g,<br>
&gt; Matt Corallo, acknowledgment of the issue<br>
&gt; 2021-04-05 : Disclosure to the LN projects maintainers (c-lightning, l=
nd,<br>
&gt; eclair, electrum, rust-lightning)<br>
&gt; 2021-04-28 : CVE-2021-31876 assigned<br>
&gt; 2021-05-06 : Full disclosure to the bitcoin-dev mailing list<br>
&gt;<br>
&gt; I believe the information reported is correct and reflects the best of=
 my<br>
&gt; knowledge, please point any shortcoming.<br>
&gt;<br>
&gt; Cheers,<br>
&gt; Antoine<br>
&gt;<br>
&gt; [0]<br>
&gt; <a href=3D"https://lists.linuxfoundation.org/pipermail/lightning-dev/2=
020-April/002639" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxf=
oundation.org/pipermail/lightning-dev/2020-April/002639</a><br>
&gt;.html [1] See &quot;On Mempool Funny Games against Multi-Party Funded<b=
r>
&gt; Transactions&quot;, published 2021-05-06<br>
&gt; [2] Such as<br>
&gt; <a href=3D"https://lists.linuxfoundation.org/pipermail/lightning-dev/2=
020-July/002763" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfo=
undation.org/pipermail/lightning-dev/2020-July/002763</a>.<br>
&gt;html<br>
<br>
</blockquote></div>

--0000000000007ef2e605c221dd3f--