Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 64232C0032 for ; Sat, 21 Oct 2023 14:22:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 3E5F0435FE for ; Sat, 21 Oct 2023 14:22:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 3E5F0435FE Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=QTZUOsl4 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E09U0DP1-w7D for ; Sat, 21 Oct 2023 14:22:27 +0000 (UTC) Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) by smtp2.osuosl.org (Postfix) with ESMTPS id 4EDC8400D0 for ; Sat, 21 Oct 2023 14:22:27 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4EDC8400D0 Received: by mail-il1-x130.google.com with SMTP id e9e14a558f8ab-357c9dc1068so530615ab.0 for ; Sat, 21 Oct 2023 07:22:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697898146; x=1698502946; darn=lists.linuxfoundation.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=0e9nC9HUc1PZ2rM/Oh+d75eULxOTtTMQyPFzQVNmnCQ=; b=QTZUOsl47HoRcbRyMms1f7LGfywzpcfJrxK3t2L3Z0UKOzPyoIkIuzdLEv0QyZftqs Ts2gJEnt5SPcU1YZwckzVS6HeyO/MeSWUGUCs1Op1LUsQXQiVSXjTBis567ADiwl2jdW FJJ1y9syTum3sb5xKLEfAvQxDQ2PJQRaEVd45vEZ5P1L74WwDBjGACYe7GbT+gSykVvQ JQ494tb1QUIx+loxYxn6Ly0xtLNCNPg+iQJajkkaHldA/E3lTKFT3V+nUN9p7hASk06h LaFBTyxY62BKUszqFKgSL7fHmKpV5/6+1/4w8PK3+ibRIAxnSkQQWydNwiNBUZ7UKFRr Qdvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697898146; x=1698502946; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=0e9nC9HUc1PZ2rM/Oh+d75eULxOTtTMQyPFzQVNmnCQ=; b=n7sYoBPLw9jDsR9BQFONSVT2abJPjtXPOVmTcORrEQr+Hf/5VZJMjpyX240mNemr0B mlB2plsMyTFQivOs64WsFXk5qIcdcEi/I6xWEnLdXW3QfSs9bqGvS/TNJ/gcbkGnX4PK ceky0fgP6entYL9mdMeqksYUVRAMNUpE6y29E6lJLF3yOBDm9/rqfa5M0o8S1WfwQTm9 EOov80NMQZH7IZX1YkaJan2EZGKPecF0QOmS0MHrQYFIl7vokI2WzugzbXHpZHWREGpW y/LEALmKNPymFIWrJ5DoYtoO0VBC+wYqCYTtmLAmiou/5oEvCtzGzwSbHrfqnDKinHo6 sZ4Q== X-Gm-Message-State: AOJu0YxNjdNzmLqqch8Esb5MVu6zmasonYLCz/6Qaxpmd7r8Pp8CMbRT X4tDqnI89EFqdTs6uGg4cKLjp695qEfSNDsQF53Fum7sRoU= X-Google-Smtp-Source: AGHT+IHg8G/t+XFzneJmqgbycRBPHyAobuv2j9zwjjMCcKLiBgt63eZdXGxFvxO7VxEnahDu5Cq6UEJAf7ANtfIcC1Y= X-Received: by 2002:a05:6e02:1a6c:b0:357:a272:dbc with SMTP id w12-20020a056e021a6c00b00357a2720dbcmr5403055ilv.9.1697898146140; Sat, 21 Oct 2023 07:22:26 -0700 (PDT) MIME-Version: 1.0 From: Nagaev Boris Date: Sat, 21 Oct 2023 11:21:48 -0300 Message-ID: To: bitcoin-dev@lists.linuxfoundation.org Content-Type: text/plain; charset="UTF-8" X-Mailman-Approved-At: Sat, 21 Oct 2023 14:35:22 +0000 Subject: Re: [bitcoin-dev] [Lightning-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2023 14:22:28 -0000 I think the presigned transactions should be interleaved fee-wise: 1.1 to Alice 1.2 to Bob 1.3 to Alice 1.4 to Bob ... Then any such transaction evicts all previous transactions in the chain. It reduces risks of mempool split. If there are two transactions to Alice and to Bob both with fee 1.1, then it is possible that half of nodes have the transaction to Alice in their mempools and another half of nodes has the transaction to Bob. Though I don't see how exactly this can be used in replacement cycling attacks, I think it is safer to prevent this scenario. On Fri Oct 20 18:35:26 UTC 2023, Matt Morehouse via bitcoin-dev wrote: > I think if we apply this presigned fee multiplier idea to HTLC spends, > we can prevent replacement cycles from happening. > We could modify HTLC scripts so that *both* parties can only spend the > HTLC via presigned second-stage transactions, and we can always sign > those with SIGHASH_ALL. This will prevent the attacker from adding > inputs to their presigned transaction, so (AFAICT) a replacement > cycling attack becomes impossible. > The tradeoff is more bookkeeping and less fee granularity when > claiming HTLCs on chain. -- Best regards, Boris Nagaev