1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
|
Return-Path: <antoine.riard@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id 9CF32C0032;
Thu, 19 Oct 2023 19:33:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id 7B78643138;
Thu, 19 Oct 2023 19:33:39 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 7B78643138
Authentication-Results: smtp2.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20230601 header.b=AFOqFTWp
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id mftIm11NGkjb; Thu, 19 Oct 2023 19:33:35 +0000 (UTC)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com
[IPv6:2607:f8b0:4864:20::d2b])
by smtp2.osuosl.org (Postfix) with ESMTPS id 158ED4312E;
Thu, 19 Oct 2023 19:33:34 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 158ED4312E
Received: by mail-io1-xd2b.google.com with SMTP id
ca18e2360f4ac-79fa5d9f3a2so2640839f.3;
Thu, 19 Oct 2023 12:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1697744014; x=1698348814;
darn=lists.linuxfoundation.org;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=HbklPScFaQd+2POaV7kXPLFBZmNDLKtu8tyOdi6FPiY=;
b=AFOqFTWpqAoC3FOfKRl8KKr5dA7fzZSJf601VfxO96CAWdjLRnHKkjtVym2UVdrXa0
fPsHf+St/+hD1np2Ru3MOUmUc5/RbyB+hKK3boscb6QvZ7g9vRn/C7DpyTtjHUQXCPwT
AbOvD+w8mx486CiyVJz3tNzf9aj1e/M9SDAhtGPNJ1Tdepqc7Xdgt13C0+rGlEXnI3Mk
Qy7qXFmbcTzmT0XgXzrHbwSyGI0S1u98jFbeSeguHIqKZHyYBTI1+9TH8fi7rb3eIOU8
SWgK4vPxKsuxRY5TVGQyfVcoTLMBc/wAr1OAmT/V9hn0n3anuH0LLzkwLemSF+8tIiiS
xnDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1697744014; x=1698348814;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=HbklPScFaQd+2POaV7kXPLFBZmNDLKtu8tyOdi6FPiY=;
b=ndoybhz0ZhgnxOGkyVrJu5UXSs10frBQzvdMBZKnmQL3yvSb/IaQFg7v5dJaN2Hi/S
UPjQHI+QCum2ZT+u8d0CrDoIZe5CnQyFhRgu8xZWa/Gfcr5jnOksLvmHMV6ifkWOXQi6
+b9rdThyrADxxJkQEckkJgTRdKkcL6LrSfBOIO8ha008LWDK8KzigAEBiKiVGo5Dt2j0
zujOauG/8pk74BuhCNAL0wb/BO6Rw9z9ZJqwx/a6pUYK3RqCzXFgr51SbaMo5sTi6QUY
9H+SVZB1RGcXo2yjAmJ4yRF7K49eOczxibvWMhffjfkoWXhP0YpskYQrkFvt7bepQXRu
XPKQ==
X-Gm-Message-State: AOJu0Yzu3SJVEpbq4syNixtEpUGj6VWoIrHH1Y6RYqHEx/RIlZmPD2mf
BPTAsc+8dyBwApsCKgXOzXy14iTq2WpP0Mjfr+o=
X-Google-Smtp-Source: AGHT+IHwFWmb/qv5cRsL7V+NRTY1l2wLtDIKary4Xpdk5zzxZUajJlvupETYxDNdkorMaPK2QdQio/WgLzBL3I4SgUs=
X-Received: by 2002:a05:6602:27d4:b0:792:82f8:749d with SMTP id
l20-20020a05660227d400b0079282f8749dmr3655055ios.10.1697744013634; Thu, 19
Oct 2023 12:33:33 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
<ece6f28b-5b14-4f9c-a115-945082a63d68@mattcorallo.com>
<CAGyamEWnSNAwJ1HpcgiYtNYwUqWOBn7RzhfR_W8460B_9n=qng@mail.gmail.com>
<CALZpt+GaLGk_Yrnb9+CNm6psLdtiqw_DBkQt+gg8FGh87uN+0Q@mail.gmail.com>
<CAGyamEXk6rNnFE1wztpbHqZVH_acN5AYb0Y7F2n2Nou1d_wdUA@mail.gmail.com>
In-Reply-To: <CAGyamEXk6rNnFE1wztpbHqZVH_acN5AYb0Y7F2n2Nou1d_wdUA@mail.gmail.com>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Thu, 19 Oct 2023 20:33:22 +0100
Message-ID: <CALZpt+FaYop1J5Zi=42F4jCScfiPL3AZ98HWtW82Qd8ZQG=aMg@mail.gmail.com>
To: Matt Morehouse <mattmorehouse@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000da31e3060816d4d7"
X-Mailman-Approved-At: Thu, 19 Oct 2023 21:52:02 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
security@ariard.me, "lightning-dev\\\\@lists.linuxfoundation.org"
<lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] Full Disclosure: CVE-2023-40231 /
CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are
belong to us"
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Oct 2023 19:33:39 -0000
--000000000000da31e3060816d4d7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
> As the CLTV
> delta deadline approaches, the fees in case 2 may be 50%, 80%, even
> 100% of the HTLC value under such a scorched earth policy.
A replacement-cycling attacker can afford to pay 100% of the HTLC value
under the defender scorched earth policy and still realize an economic gain=
.
Let's say you have Alice, Bob and Caroll all "honest" routing hops targeted
by an attacker. They all have 3 independent 10 000 sats HTLC in-flight on
their outbound channels.
Under this defensive fee scorched earth policy, Alice broadcasts her
HTLC-timeout at T + 1 with 10 000 sats committed as absolute fee.
It is replaced by Mallory at T+2 with a HTLC-preimage X of 200 000 sats (+
rbf penalty 1 sat / vb rule 4). Alice's HTLC-timeout is out of network
mempools.
Bob broadcasts her HTLC-timeout of 200 000 sats at T+3. It is replaced by
Mallory at T+4 with her HLTC-preimage Y of 200 000 sats (+ rbf penalty 1
sat / vb rule 4 * 2). Bob's HTLC-timeout is out of network mempools.
HTLC-preimage Y conflicts with HTLC-preimage X too (here comes the
multiplied by 2 of the rbf penalty).
Caroll broadcasts her HTLC-timeout of 200 000 sats at T+5. It is replaced
by Mallory at T+6 with her HTLC-preimage Z of 200 000 sats (+rbf penalty 1
sat / vb rule 4 * 3). Caroll's HTLC-timeout is out of network mempools.
HTLC-preimage Z conflicts with HTLC-preimage Z too (here comes the
multiplied by 3 of rbf penalty).
At any time if Mallory's HTLC-preimage enters into the top mempool feerates
group (due to the accumulated rbf penalty), one unconfirmed ancestor can be
double-spent to evict out the HTLC-preimage.
If Mallory succeeds the replacement cycling, she might be at loss of 10 000
sats + rbf penalty cost for each rebroadcast attempt of the victim. However
she wins Alice + Bob + Carol HTLC value of 200 000 sats each.
Assuming 5 rebroadcasts per block (even on random timers) multiplied by 3
victims, 200 bytes of HTLC-preimage and cltv_delta of 144 blocks, the total
attacker cost is 432 000 sats.
The economic gain realized is 168 000 sats. Sounds each additional victim
has a cost of 144 000 sats, whatever the HTLC value targeted.
Thanks for checking the fees math and replacement rules, though it sounds
correct to me.
(And here without introducing more favorable assumptions to the attacker,
like mempool spikes where the "honest" HTLC-timeout transactions can be let
floating in network mempools).
Best,
Antoine
Le jeu. 19 oct. 2023 =C3=A0 18:54, Matt Morehouse <mattmorehouse@gmail.com>=
a
=C3=A9crit :
> On Thu, Oct 19, 2023 at 5:22=E2=80=AFPM Antoine Riard <antoine.riard@gmai=
l.com>
> wrote:
> >
> > Hi Matt,
> >
> > This mitigation is mentioned in the attached paper (see subsection 3.4
> defensive fee-rebroadcasting)
> >
> https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper=
/replacement-cycling.pdf
> >
> > As soon as you start to have a bit of a mempool backlog and the
> defensive fractional fee HTLC-timeout stays stuck, it gives the advantage
> to the attacker again.
> >
> > Beyond that, I think an attacker can replace-cycle multiple honest
> HTLC-timeout with a single malicious HTLC-preimage (with a sequence of
> replacement, not concurrently) paying the absolute fee, while only
> encumbering the RBF penalty. I didn't test this specific behavior, though
> the "fees" math doesn't seem at the advantage of the defenders at first
> sight.
>
> Right, some replacement cycles can be avoided by the attacker to
> reduce the cost of the attack. But with the defender implementing a
> scorched-earth fee bumping policy, eventually either (1) the
> HTLC-timeout *will* confirm in the next block or (2) the attacker must
> pay more fees than the HTLC-timeout fees to replace it. As the CLTV
> delta deadline approaches, the fees in case 2 may be 50%, 80%, even
> 100% of the HTLC value under such a scorched earth policy. So even if
> the attacker only has to do one replacement cycle right before the
> deadline, the attack can be made unprofitable. And in practice, with
> HTLC values significantly greater than the next-block fee cost, the
> attacker will need to do multiple replacements as the deadline
> approaches.
>
> And of course this linear scorched earth policy is just an
> illustration. We should further tune the fee bumping curve across the
> full CLTV delta to ensure minimal fees paid when not under attack.
> But as we approach the deadline, it makes sense to become very
> aggressive both to get our transaction confirmed during high mempool
> congestion and to punish replacement-cycling attackers.
>
> >
> > Best,
> > Antoine
> >
> > Le jeu. 19 oct. 2023 =C3=A0 17:23, Matt Morehouse <mattmorehouse@gmail.=
com>
> a =C3=A9crit :
> >>
> >> On Wed, Oct 18, 2023 at 12:34=E2=80=AFAM Matt Corallo via bitcoin-dev
> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >
> >> > There appears to be some confusion about this issue and the
> mitigations. To be clear, the deployed
> >> > mitigations are not expected to fix this issue, its arguable if they
> provide anything more than a PR
> >> > statement.
> >> >
> >> > There are two discussed mitigations here - mempool scanning and
> transaction re-signing/re-broadcasting.
> >> >
> >> > Mempool scanning relies on regularly checking the mempool of a local
> node to see if we can catch the
> >> > replacement cycle mid-cycle. It only works if wee see the first
> transaction before the second
> >> > transaction replaces it.
> >> >
> >> > Today, a large majority of lightning nodes run on machines with a
> Bitcoin node on the same IP
> >> > address, making it very clear what the "local node" of the lightning
> node is. An attacker can
> >> > trivially use this information to connect to said local node and do
> the replacement quickly,
> >> > preventing the victim from seeing the replacement.
> >> >
> >> > More generally, however, similar discoverability is true for mining
> pools. An attacker performing
> >> > this attack is likely to do the replacement attack on a miner's node
> directly, potentially reducing
> >> > the reach of the intermediate transaction to only miners, such that
> the victim can never discover it
> >> > at all.
> >> >
> >> > The second mitigation is similarly pathetic. Re-signing and
> re-broadcasting the victim's transaction
> >> > in an attempt to get it to miners even if its been removed may work,
> if the attacker is super lazy
> >> > and didn't finish writing their attack system. If the attacker is
> connected to a large majority of
> >> > hashrate (which has historically been fairly doable), they can simpl=
y
> do their replacement in a
> >> > cycle aggressively and arbitrarily reduce the probability that the
> victim's transaction gets confirmed.
> >>
> >> What if the honest node aggressively fee-bumps and retransmits the
> >> HTLC-timeout as the CLTV delta deadline approaches, as suggested by
> >> Ziggie? Say, within 10 blocks of the deadline, the honest node starts
> >> increasing the fee by 1/10th the HTLC value for each non-confirmation.
> >>
> >> This "scorched earth" approach may cost the honest node considerable
> >> fees, but it will cost the attacker even more, since each attacker
> >> replacement needs to burn at least as much as the HTLC-timeout fees,
> >> and the attacker will need to do a replacement every time the honest
> >> node fee bumps.
> >>
> >> I think this fee-bumping policy will provide sufficient defense even
> >> if the attacker is replacement-cycling directly in miners' mempools
> >> and the victim has no visibility into the attack.
> >>
> >> >
> >> > Now, the above is all true in a spherical cow kinda world, and the
> P2P network has plenty of slow
> >> > nodes and strange behavior. Its possible that these mitigations
> might, by some stroke of luck,
> >> > happen to catch such an attack and prevent it, because something too=
k
> longer than the attacker
> >> > intended or whatever. But, that's a far cry from any kind of materia=
l
> "fix" for the issue.
> >> >
> >> > Ultimately the only fix for this issue will be when miners keep a
> history of transactions they've
> >> > seen and try them again after they may be able to enter the mempool
> because of an attack like this.
> >> >
> >> > Matt
> >> >
> >> > On 10/16/23 12:57 PM, Antoine Riard wrote:
> >> > > (cross-posting mempool issues identified are exposing lightning
> chan to loss of funds risks, other
> >> > > multi-party bitcoin apps might be affected)
> >> > >
> >> > > Hi,
> >> > >
> >> > > End of last year (December 2022), amid technical discussions on
> eltoo payment channels and
> >> > > incentives compatibility of the mempool anti-DoS rules, a new
> transaction-relay jamming attack
> >> > > affecting lightning channels was discovered.
> >> > >
> >> > > After careful analysis, it turns out this attack is practical and
> immediately exposed lightning
> >> > > routing hops carrying HTLC traffic to loss of funds security risks=
,
> both legacy and anchor output
> >> > > channels. A potential exploitation plausibly happening even withou=
t
> network mempools congestion.
> >> > >
> >> > > Mitigations have been designed, implemented and deployed by all
> major lightning implementations
> >> > > during the last months.
> >> > >
> >> > > Please find attached the release numbers, where the mitigations
> should be present:
> >> > > - LDK: v0.0.118 - CVE-2023 -40231
> >> > > - Eclair: v0.9.0 - CVE-2023-40232
> >> > > - LND: v.0.17.0-beta - CVE-2023-40233
> >> > > - Core-Lightning: v.23.08.01 - CVE-2023-40234
> >> > >
> >> > > While neither replacement cycling attacks have been observed or
> reported in the wild since the last
> >> > > ~10 months or experimented in real-world conditions on bitcoin
> mainet, functional test is available
> >> > > exercising the affected lightning channel against bitcoin core
> mempool (26.0 release cycle).
> >> > >
> >> > > It is understood that a simple replacement cycling attack does not
> demand privileged capabilities
> >> > > from an attacker (e.g no low-hashrate power) and only access to
> basic bitcoin and lightning
> >> > > software. Yet I still think executing such an attack successfully
> requests a fair amount of bitcoin
> >> > > technical know-how and decent preparation.
> >> > >
> >> > > From my understanding of those issues, it is yet to be determined
> if the mitigations deployed are
> >> > > robust enough in face of advanced replacement cycling attackers,
> especially ones able to combine
> >> > > different classes of transaction-relay jamming such as pinnings or
> vetted with more privileged
> >> > > capabilities.
> >> > >
> >> > > Please find a list of potential affected bitcoin applications in
> this full disclosure report using
> >> > > bitcoin script timelocks or multi-party transactions, albeit no
> immediate security risk exposure as
> >> > > severe as the ones affecting lightning has been identified. Only
> cursory review of non-lightning
> >> > > applications has been conducted so far.
> >> > >
> >> > > There is a paper published summarizing replacement cycling attacks
> on the lightning network:
> >> > >
> https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper=
/replacement-cycling.pdf
> >> > > <
> https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper=
/replacement-cycling.pdf
> >
> >> > >
> >> > > ## Problem
> >> > >
> >> > > A lightning node allows HTLCs forwarding (in bolt3's parlance
> accepted HTLC on incoming link and
> >> > > offered HTLC on outgoing link) should settle the outgoing state
> with either a success or timeout
> >> > > before the incoming state timelock becomes final and an asymmetric
> defavorable settlement might
> >> > > happen (cf "Flood & Loot: A Systematic Attack on The Lightning
> Network" section 2.3 for a classical
> >> > > exposition of this lightning security property).
> >> > >
> >> > > Failure to satisfy this settlement requirement exposes a forwardin=
g
> hop to a loss of fund risk where
> >> > > the offered HTLC is spent by the outgoing link counterparty's
> HTLC-preimage and the accepted HTLC is
> >> > > spent by the incoming link counterparty's HTLC-timeout.
> >> > >
> >> > > The specification mandates the incoming HTLC expiration timelock t=
o
> be spaced out by an interval of
> >> > > `cltv_expiry_delta` from the outgoing HTLC expiration timelock,
> this exact interval value being an
> >> > > implementation and node policy setting. As a minimal value, the
> specification recommends 34 blocks
> >> > > of interval. If the timelock expiration I of the inbound HTLC is
> equal to 100 from chain tip, the
> >> > > timelock expiration O of the outbound HTLC must be equal to 66
> blocks from chain tip, giving a
> >> > > reasonable buffer of reaction to the lightning forwarding node.
> >> > >
> >> > > In the lack of cooperative off-chain settlement of the HTLC on the
> outgoing link negotiated with the
> >> > > counterparty (either `update_fulfill_htlc` or `update_fail_htlc`)
> when O is reached, the lightning
> >> > > node should broadcast its commitment transaction. Once the
> commitment is confirmed (if anchor and
> >> > > the 1 CSV encumbrance is present), the lightning node broadcasts
> and confirms its HTLC-timeout
> >> > > before I height is reached.
> >> > >
> >> > > Here enter a replacement cycling attack. A malicious channel
> counterparty can broadcast its
> >> > > HTLC-preimage transaction with a higher absolute fee and higher
> feerate than the honest HTLC-timeout
> >> > > of the victim lightning node and triggers a replacement. Both for
> legacy and anchor output channels,
> >> > > a HTLC-preimage on a counterparty commitment transaction is
> malleable, i.e additional inputs or
> >> > > outputs can be added. The HTLC-preimage spends an unconfirmed and
> unrelated to the channel parent
> >> > > transaction M and conflicts its child.
> >> > >
> >> > > As the HTLC-preimage spends an unconfirmed input that was already
> included in the unconfirmed and
> >> > > unrelated child transaction (rule 2), pays an absolute higher fee
> of at least the sum paid by the
> >> > > HTLC-timeout and child transaction (rule 3) and the HTLC-preimage
> feerate is greater than all
> >> > > directly conflicting transactions (rule 6), the replacement is
> accepted. The honest HTLC-timeout is
> >> > > evicted out of the mempool.
> >> > >
> >> > > In an ulterior move, the malicious counterparty can replace the
> parent transaction itself with
> >> > > another candidate N satisfying the replacement rules, triggering
> the eviction of the malicious
> >> > > HTLC-preimage from the mempool as it was a child of the parent T.
> >> > >
> >> > > There is no spending candidate of the offered HTLC output for the
> current block laying in network
> >> > > mempools.
> >> > >
> >> > > This replacement cycling tricks can be repeated for each
> rebroadcast attempt of the HTLC-timeout by
> >> > > the honest lightning node until expiration of the inbound HTLC
> timelock I. Once this height is
> >> > > reached a HTLC-timeout is broadcast by the counterparty's on the
> incoming link in collusion with the
> >> > > one on the outgoing link broadcasting its own HTLC-preimage.
> >> > >
> >> > > The honest Lightning node has been "double-spent" in its HTLC
> forwarding.
> >> > >
> >> > > As a notable factor impacting the success of the attack, a
> lightning node's honest HTLC-timeout
> >> > > might be included in the block template of the miner winning the
> block race and therefore realizes a
> >> > > spent of the offered output. In practice, a replacement cycling
> attack might over-connect to miners'
> >> > > mempools and public reachable nodes to succeed in a fast eviction
> of the HTLC-timeout by its
> >> > > HTLC-preimage. As this latter transaction can come with a better
> ancestor-score, it should be picked
> >> > > up on the flight by economically competitive miners.
> >> > >
> >> > > A functional test exercising a simple replacement cycling of a HTL=
C
> transaction on bitcoin core
> >> > > mempool is available:
> >> > > https://github.com/ariard/bitcoin/commits/2023-test-mempool
> >> > > <https://github.com/ariard/bitcoin/commits/2023-test-mempool>
> >> > >
> >> > > ## Deployed LN mitigations
> >> > >
> >> > > Aggressive rebroadcasting: As the replacement cycling attacker
> benefits from the HTLC-timeout being
> >> > > usually broadcast by lightning nodes only once every block, or les=
s
> the replacement cycling
> >> > > malicious transactions paid only equal the sum of the absolute fee=
s
> paid by the HTLC, adjusted with
> >> > > the replacement penalty. Rebroadcasting randomly and multiple time=
s
> before the next block increases
> >> > > the absolute fee cost for the attacker.
> >> > >
> >> > > Implemented and deployed by Eclair, Core-Lightning, LND and LDK .
> >> > >
> >> > > Local-mempool preimage monitoring: As the replacement cycling
> attacker in a simple setup broadcast
> >> > > the HTLC-preimage to all the network mempools, the honest lightnin=
g
> node is able to catch on the
> >> > > flight the unconfirmed HTLC-preimage, before its subsequent mempoo=
l
> replacement. The preimage can be
> >> > > extracted from the second-stage HTLC-preimage and used to fetch th=
e
> off-chain inbound HTLC with a
> >> > > cooperative message or go on-chain with it to claim the accepted
> HTLC output.
> >> > >
> >> > > Implemented and deployed by Eclair and LND.
> >> > >
> >> > > CLTV Expiry Delta: With every jammed block comes an absolute fee
> cost paid by the attacker, a risk
> >> > > of the HTLC-preimage being detected or discovered by the honest
> lightning node, or the HTLC-timeout
> >> > > to slip in a winning block template. Bumping the default CLTV delt=
a
> hardens the odds of success of a
> >> > > simple replacement cycling attack.
> >> > >
> >> > > Default setting: Eclair 144, Core-Lightning 34, LND 80 and LDK 72.
> >> > >
> >> > > ## Affected Bitcoin Protocols and Applications
> >> > >
> >> > > From my understanding the following list of Bitcoin protocols and
> applications could be affected by
> >> > > new denial-of-service vectors under some level of network mempools
> congestion. Neither tests or
> >> > > advanced review of specifications (when available) has been
> conducted for each of them:
> >> > > - on-chain DLCs
> >> > > - coinjoins
> >> > > - payjoins
> >> > > - wallets with time-sensitive paths
> >> > > - peerswap and submarine swaps
> >> > > - batch payouts
> >> > > - transaction "accelerators"
> >> > >
> >> > > Inviting their developers, maintainers and operators to investigat=
e
> how replacement cycling attacks
> >> > > might disrupt their in-mempool chain of transactions, or
> fee-bumping flows at the shortest delay.
> >> > > Simple flows and non-multi-party transactions should not be
> affected to the best of my understanding.
> >> > >
> >> > > ## Open Problems: Package Malleability
> >> > >
> >> > > Pinning attacks have been known for years as a practical vector to
> compromise lightning channels
> >> > > funds safety, under different scenarios (cf. current bip331's
> motivation section). Mitigations at
> >> > > the mempool level have been designed, discussed and are under
> implementation by the community
> >> > > (ancestor package relay + nverrsion=3D3 policy). Ideally, they sho=
uld
> constraint a pinning attacker to
> >> > > always attach a high feerate package (commitment + CPFP) to replac=
e
> the honest package, or allow a
> >> > > honest lightning node to overbid a malicious pinning package and
> get its time-sensitive transaction
> >> > > optimistically included in the chain.
> >> > >
> >> > > Replacement cycling attack seem to offer a new way to neutralize
> the design goals of package relay
> >> > > and its companion nversion=3D3 policy, where an attacker package R=
BF
> a honest package out of the
> >> > > mempool to subsequently double-spend its own high-fee child with a
> transaction unrelated to the
> >> > > channel. As the remaining commitment transaction is pre-signed wit=
h
> a minimal relay fee, it can be
> >> > > evicted out of the mempool.
> >> > >
> >> > > A functional test exercising a simple replacement cycling of a
> lightning channel commitment
> >> > > transaction on top of the nversion=3D3 code branch is available:
> >> > > https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2
> >> > > <https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2>
> >> > >
> >> > > ## Discovery
> >> > >
> >> > > In 2018, the issue of static fees for pre-signed lightning
> transactions is made more widely known,
> >> > > the carve-out exemption in mempool rules to mitigate in-mempool
> package limits pinning and the
> >> > > anchor output pattern are proposed.
> >> > >
> >> > > In 2019, bitcoin core 0.19 is released with carve-out support.
> Continued discussion of the anchor
> >> > > output pattern as a dynamic fee-bumping method.
> >> > >
> >> > > In 2020, draft of anchor output submitted to the bolts. Initial
> finding of economic pinning against
> >> > > lightning commitment and second-stage HTLC transactions. Subsequen=
t
> discussions of a
> >> > > preimage-overlay network or package-relay as mitigations. Public
> call made to inquiry more on
> >> > > potential other transaction-relay jamming attacks affecting
> lightning.
> >> > >
> >> > > In 2021, initial work in bitcoin core 22.0 of package acceptance.
> Continued discussion of the
> >> > > pinning attacks and shortcomings of current mempool rules during
> community-wide online workshops.
> >> > > Later the year, in light of all issues for bitcoin second-layers, =
a
> proposal is made about killing
> >> > > the mempool.
> >> > >
> >> > > In 2022, bip proposed for package relay and new proposed v3 policy
> design proposed for a review and
> >> > > implementation. Mempoolfullrbf is supported in bitcoin core 24.0
> and conceptual questions about
> >> > > alignment of mempool rules w.r.t miners incentives are investigate=
d.
> >> > >
> >> > > Along this year 2022, eltoo lightning channels design are
> discussed, implemented and reviewed. In
> >> > > this context and after discussions on mempool anti-DoS rules, I
> discovered this new replacement
> >> > > cycling attack was affecting deployed lightning channels and
> immediately reported the finding to
> >> > > some bitcoin core developers and lightning maintainers.
> >> > >
> >> > > ## Timeline
> >> > >
> >> > > - 2022-12-16: Report of the finding to Suhas Daftuar, Anthony
> Towns, Greg Sanders and Gloria Zhao
> >> > > - 2022-12-16: Report to LN maintainers: Rusty Russell, Bastien
> Teinturier, Matt Corallo and Olaoluwa
> >> > > Osuntunkun
> >> > > - 2022-12-23: Sharing to Eugene Siegel (LND)
> >> > > - 2022-12-24: Sharing to James O'Beirne and Antoine Poinsot
> (non-lightning potential affected projects)
> >> > > - 2022-01-14: Sharing to Gleb Naumenko (miners incentives and
> cross-layers issuers) and initial
> >> > > proposal of an early public disclosure
> >> > > - 2022-01-19: Collection of analysis if other second-layers and
> multi-party applications affected.
> >> > > LN mitigations development starts.
> >> > > - 2023-05-04: Sharing to Wilmer Paulino (LDK)
> >> > > - 2023-06-20: LN mitigations implemented and progressively
> released. Week of the 16 october proposed
> >> > > for full disclosure.
> >> > > - 2023-08-10: CVEs assigned by MITRE
> >> > > - 2023-10-05: Pre-disclosure of LN CVEs numbers and replacement
> cycling attack existence to
> >> > > security@bitcoincore.org <mailto:security@bitcoincore.org>.
> >> > > - 2023-10-16: Full disclosure of CVE-2023-40231 / CVE-2023-40232 /
> CVE-2023-40233 / CVE-2023-40234
> >> > > and replacement cycling attacks
> >> > >
> >> > > ## Conclusion
> >> > >
> >> > > Despite the line of mitigations adopted and deployed by current
> major lightning implementations, I
> >> > > believe replacement cycling attacks are still practical for
> advanced attackers. Beyond this new
> >> > > attack might come as a way to partially or completely defeat some
> of the pinning mitigations which
> >> > > have been working for years as a community.
> >> > >
> >> > > As of today, it is uncertain to me if lightning is not affected by
> a more severe long-term package
> >> > > malleability critical security issue under current consensus rules=
,
> and if any other time-sensitive
> >> > > multi-party protocol, designed or deployed isn't de facto affected
> too (loss of funds or denial of
> >> > > service).
> >> > >
> >> > > Assuming analysis on package malleability is correct, it is unclea=
r
> to me if it can be corrected by
> >> > > changes in replacement / eviction rules or mempool chain of
> transactions processing strategy.
> >> > > Inviting my technical peers and the bitcoin community to look more
> on this issue, including to
> >> > > dissent. I'll be the first one pleased if I'm fundamentally wrong
> on those issues, or if any element
> >> > > has not been weighted with the adequate technical accuracy it
> deserves.
> >> > >
> >> > > Do not trust, verify. All mistakes and opinions are my own.
> >> > >
> >> > > Antoine
> >> > >
> >> > > "meet with Triumph and Disaster. And treat those two impostors jus=
t
> the same" - K.
> >> > >
> >> > > _______________________________________________
> >> > > Lightning-dev mailing list
> >> > > Lightning-dev@lists.linuxfoundation.org
> >> > > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--000000000000da31e3060816d4d7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">> As the CLTV<br>> delta deadline approaches, the fe=
es in case 2 may be 50%, 80%, even<br>> 100% of the HTLC value under suc=
h a scorched earth policy.<br><div><br></div><div>A replacement-cycling att=
acker can afford to pay 100% of the HTLC value under the defender scorched =
earth policy and still realize an economic gain.</div><div><br></div><div>L=
et's say you have Alice, Bob and Caroll=C2=A0all "honest" rou=
ting hops targeted by an attacker. They all have 3 independent 10 000 sats =
HTLC in-flight on their outbound channels.</div><div><br></div><div>Under t=
his defensive fee scorched earth policy, Alice broadcasts her HTLC-timeout =
at T=C2=A0+ 1 with 10 000 sats committed as absolute fee.</div><div><br></d=
iv><div>It is replaced by Mallory at T+2 with a HTLC-preimage X of 200 000 =
sats (+ rbf penalty 1 sat / vb rule 4). Alice's HTLC-timeout is out of =
network mempools.</div><div><br></div><div>Bob broadcasts her HTLC-timeout =
of 200 000 sats at T+3. It is replaced by Mallory at T+4 with her HLTC-prei=
mage Y of 200 000 sats (+ rbf penalty 1 sat / vb rule 4 * 2). Bob's HTL=
C-timeout is out of network mempools. HTLC-preimage Y conflicts with HTLC-p=
reimage X too (here comes the multiplied by 2 of the rbf penalty).</div><di=
v><br></div><div>Caroll broadcasts her HTLC-timeout of 200 000 sats at T+5.=
It is replaced by Mallory at T+6 with her HTLC-preimage Z of 200 000 sats =
(+rbf penalty 1 sat / vb rule 4 * 3). Caroll's HTLC-timeout is out of n=
etwork mempools. HTLC-preimage Z conflicts with HTLC-preimage Z too (here c=
omes the multiplied by 3 of rbf penalty).</div><div><br></div><div>At any t=
ime if Mallory's HTLC-preimage enters into the top mempool feerates gro=
up (due to the accumulated rbf penalty), one unconfirmed ancestor can be do=
uble-spent to evict out the HTLC-preimage.</div><div><br></div><div>If Mall=
ory succeeds the replacement cycling, she might be at loss of 10 000 sats=
=C2=A0+ rbf penalty cost for each rebroadcast attempt of the victim. Howeve=
r she wins Alice=C2=A0+ Bob=C2=A0+ Carol HTLC value of 200 000 sats each.</=
div><div><br></div><div>Assuming 5 rebroadcasts per block (even on random t=
imers) multiplied by 3 victims, 200 bytes of HTLC-preimage and cltv_delta o=
f 144 blocks, the total attacker cost is 432 000 sats.</div><div><br></div>=
<div>The economic gain realized is 168 000 sats. Sounds each additional vic=
tim has a cost of 144 000 sats, whatever the HTLC value targeted.</div><div=
><br></div><div>Thanks for checking the fees math and replacement rules, th=
ough it sounds correct to me.</div><div><br></div><div>(And here without in=
troducing more favorable assumptions to the attacker, like mempool spikes w=
here the "honest" HTLC-timeout transactions can be let floating i=
n network mempools).</div><div><br></div><div>Best,</div><div>Antoine</div>=
</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">=
Le=C2=A0jeu. 19 oct. 2023 =C3=A0=C2=A018:54, Matt Morehouse <<a href=3D"=
mailto:mattmorehouse@gmail.com">mattmorehouse@gmail.com</a>> a =C3=A9cri=
t=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px=
0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:=
rgb(204,204,204);padding-left:1ex">On Thu, Oct 19, 2023 at 5:22=E2=80=AFPM =
Antoine Riard <<a href=3D"mailto:antoine.riard@gmail.com" target=3D"_bla=
nk">antoine.riard@gmail.com</a>> wrote:<br>
><br>
> Hi Matt,<br>
><br>
> This mitigation is mentioned in the attached paper (see subsection 3.4=
defensive fee-rebroadcasting)<br>
> <a href=3D"https://github.com/ariard/mempool-research/blob/2023-10-rep=
lacement-paper/replacement-cycling.pdf" rel=3D"noreferrer" target=3D"_blank=
">https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper=
/replacement-cycling.pdf</a><br>
><br>
> As soon as you start to have a bit of a mempool backlog and the defens=
ive fractional fee HTLC-timeout stays stuck, it gives the advantage to the =
attacker again.<br>
><br>
> Beyond that, I think an attacker can replace-cycle multiple honest HTL=
C-timeout with a single malicious HTLC-preimage (with a sequence of replace=
ment, not concurrently) paying the absolute fee, while only encumbering the=
RBF penalty. I didn't test this specific behavior, though the "fe=
es" math doesn't seem at the advantage of the defenders at first s=
ight.<br>
<br>
Right, some replacement cycles can be avoided by the attacker to<br>
reduce the cost of the attack.=C2=A0 But with the defender implementing a<b=
r>
scorched-earth fee bumping policy, eventually either (1) the<br>
HTLC-timeout *will* confirm in the next block or (2) the attacker must<br>
pay more fees than the HTLC-timeout fees to replace it.=C2=A0 As the CLTV<b=
r>
delta deadline approaches, the fees in case 2 may be 50%, 80%, even<br>
100% of the HTLC value under such a scorched earth policy.=C2=A0 So even if=
<br>
the attacker only has to do one replacement cycle right before the<br>
deadline, the attack can be made unprofitable.=C2=A0 And in practice, with<=
br>
HTLC values significantly greater than the next-block fee cost, the<br>
attacker will need to do multiple replacements as the deadline<br>
approaches.<br>
<br>
And of course this linear scorched earth policy is just an<br>
illustration.=C2=A0 We should further tune the fee bumping curve across the=
<br>
full CLTV delta to ensure minimal fees paid when not under attack.<br>
But as we approach the deadline, it makes sense to become very<br>
aggressive both to get our transaction confirmed during high mempool<br>
congestion and to punish replacement-cycling attackers.<br>
<br>
><br>
> Best,<br>
> Antoine<br>
><br>
> Le jeu. 19 oct. 2023 =C3=A0 17:23, Matt Morehouse <<a href=3D"mailt=
o:mattmorehouse@gmail.com" target=3D"_blank">mattmorehouse@gmail.com</a>>=
; a =C3=A9crit :<br>
>><br>
>> On Wed, Oct 18, 2023 at 12:34=E2=80=AFAM Matt Corallo via bitcoin-=
dev<br>
>> <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" targe=
t=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br>
>> ><br>
>> > There appears to be some confusion about this issue and the m=
itigations. To be clear, the deployed<br>
>> > mitigations are not expected to fix this issue, its arguable =
if they provide anything more than a PR<br>
>> > statement.<br>
>> ><br>
>> > There are two discussed mitigations here - mempool scanning a=
nd transaction re-signing/re-broadcasting.<br>
>> ><br>
>> > Mempool scanning relies on regularly checking the mempool of =
a local node to see if we can catch the<br>
>> > replacement cycle mid-cycle. It only works if wee see the fir=
st transaction before the second<br>
>> > transaction replaces it.<br>
>> ><br>
>> > Today, a large majority of lightning nodes run on machines wi=
th a Bitcoin node on the same IP<br>
>> > address, making it very clear what the "local node"=
of the lightning node is. An attacker can<br>
>> > trivially use this information to connect to said local node =
and do the replacement quickly,<br>
>> > preventing the victim from seeing the replacement.<br>
>> ><br>
>> > More generally, however, similar discoverability is true for =
mining pools. An attacker performing<br>
>> > this attack is likely to do the replacement attack on a miner=
's node directly, potentially reducing<br>
>> > the reach of the intermediate transaction to only miners, suc=
h that the victim can never discover it<br>
>> > at all.<br>
>> ><br>
>> > The second mitigation is similarly pathetic. Re-signing and r=
e-broadcasting the victim's transaction<br>
>> > in an attempt to get it to miners even if its been removed ma=
y work, if the attacker is super lazy<br>
>> > and didn't finish writing their attack system. If the att=
acker is connected to a large majority of<br>
>> > hashrate (which has historically been fairly doable), they ca=
n simply do their replacement in a<br>
>> > cycle aggressively and arbitrarily reduce the probability tha=
t the victim's transaction gets confirmed.<br>
>><br>
>> What if the honest node aggressively fee-bumps and retransmits the=
<br>
>> HTLC-timeout as the CLTV delta deadline approaches, as suggested b=
y<br>
>> Ziggie?=C2=A0 Say, within 10 blocks of the deadline, the honest no=
de starts<br>
>> increasing the fee by 1/10th the HTLC value for each non-confirmat=
ion.<br>
>><br>
>> This "scorched earth" approach may cost the honest node =
considerable<br>
>> fees, but it will cost the attacker even more, since each attacker=
<br>
>> replacement needs to burn at least as much as the HTLC-timeout fee=
s,<br>
>> and the attacker will need to do a replacement every time the hone=
st<br>
>> node fee bumps.<br>
>><br>
>> I think this fee-bumping policy will provide sufficient defense ev=
en<br>
>> if the attacker is replacement-cycling directly in miners' mem=
pools<br>
>> and the victim has no visibility into the attack.<br>
>><br>
>> ><br>
>> > Now, the above is all true in a spherical cow kinda world, an=
d the P2P network has plenty of slow<br>
>> > nodes and strange behavior. Its possible that these mitigatio=
ns might, by some stroke of luck,<br>
>> > happen to catch such an attack and prevent it, because someth=
ing took longer than the attacker<br>
>> > intended or whatever. But, that's a far cry from any kind=
of material "fix" for the issue.<br>
>> ><br>
>> > Ultimately the only fix for this issue will be when miners ke=
ep a history of transactions they've<br>
>> > seen and try them again after they may be able to enter the m=
empool because of an attack like this.<br>
>> ><br>
>> > Matt<br>
>> ><br>
>> > On 10/16/23 12:57 PM, Antoine Riard wrote:<br>
>> > > (cross-posting mempool issues identified are exposing li=
ghtning chan to loss of funds risks, other<br>
>> > > multi-party bitcoin apps might be affected)<br>
>> > ><br>
>> > > Hi,<br>
>> > ><br>
>> > > End of last year (December 2022), amid technical discuss=
ions on eltoo payment channels and<br>
>> > > incentives compatibility of the mempool anti-DoS rules, =
a new transaction-relay jamming attack<br>
>> > > affecting lightning channels was discovered.<br>
>> > ><br>
>> > > After careful analysis, it turns out this attack is prac=
tical and immediately exposed lightning<br>
>> > > routing hops carrying HTLC traffic to loss of funds secu=
rity risks, both legacy and anchor output<br>
>> > > channels. A potential exploitation plausibly happening e=
ven without network mempools congestion.<br>
>> > ><br>
>> > > Mitigations have been designed, implemented and deployed=
by all major lightning implementations<br>
>> > > during the last months.<br>
>> > ><br>
>> > > Please find attached the release numbers, where the miti=
gations should be present:<br>
>> > > - LDK: v0.0.118 - CVE-2023 -40231<br>
>> > > - Eclair: v0.9.0 - CVE-2023-40232<br>
>> > > - LND: v.0.17.0-beta - CVE-2023-40233<br>
>> > > - Core-Lightning: v.23.08.01 - CVE-2023-40234<br>
>> > ><br>
>> > > While neither replacement cycling attacks have been obse=
rved or reported in the wild since the last<br>
>> > > ~10 months or experimented in real-world conditions on b=
itcoin mainet, functional test is available<br>
>> > > exercising the affected lightning channel against bitcoi=
n core mempool (26.0 release cycle).<br>
>> > ><br>
>> > > It is understood that a simple replacement cycling attac=
k does not demand privileged capabilities<br>
>> > > from an attacker (e.g no low-hashrate power) and only ac=
cess to basic bitcoin and lightning<br>
>> > > software. Yet I still think executing such an attack suc=
cessfully requests a fair amount of bitcoin<br>
>> > > technical know-how and decent preparation.<br>
>> > ><br>
>> > >=C2=A0 From my understanding of those issues, it is yet t=
o be determined if the mitigations deployed are<br>
>> > > robust enough in face of advanced replacement cycling at=
tackers, especially ones able to combine<br>
>> > > different classes of transaction-relay jamming such as p=
innings or vetted with more privileged<br>
>> > > capabilities.<br>
>> > ><br>
>> > > Please find a list of potential affected bitcoin applica=
tions in this full disclosure report using<br>
>> > > bitcoin script timelocks or multi-party transactions, al=
beit no immediate security risk exposure as<br>
>> > > severe as the ones affecting lightning has been identifi=
ed. Only cursory review of non-lightning<br>
>> > > applications has been conducted so far.<br>
>> > ><br>
>> > > There is a paper published summarizing replacement cycli=
ng attacks on the lightning network:<br>
>> > > <a href=3D"https://github.com/ariard/mempool-research/bl=
ob/2023-10-replacement-paper/replacement-cycling.pdf" rel=3D"noreferrer" ta=
rget=3D"_blank">https://github.com/ariard/mempool-research/blob/2023-10-rep=
lacement-paper/replacement-cycling.pdf</a><br>
>> > > <<a href=3D"https://github.com/ariard/mempool-researc=
h/blob/2023-10-replacement-paper/replacement-cycling.pdf" rel=3D"noreferrer=
" target=3D"_blank">https://github.com/ariard/mempool-research/blob/2023-10=
-replacement-paper/replacement-cycling.pdf</a>><br>
>> > ><br>
>> > >=C2=A0 =C2=A0## Problem<br>
>> > ><br>
>> > > A lightning node allows HTLCs forwarding (in bolt3's=
parlance accepted HTLC on incoming link and<br>
>> > > offered HTLC on outgoing link) should settle the outgoin=
g state with either a success or timeout<br>
>> > > before the incoming state timelock becomes final and an =
asymmetric defavorable settlement might<br>
>> > > happen (cf "Flood & Loot: A Systematic Attack o=
n The Lightning Network" section 2.3 for a classical<br>
>> > > exposition of this lightning security property).<br>
>> > ><br>
>> > > Failure to satisfy this settlement requirement exposes a=
forwarding hop to a loss of fund risk where<br>
>> > > the offered HTLC is spent by the outgoing link counterpa=
rty's HTLC-preimage and the accepted HTLC is<br>
>> > > spent by the incoming link counterparty's HTLC-timeo=
ut.<br>
>> > ><br>
>> > > The specification mandates the incoming HTLC expiration =
timelock to be spaced out by an interval of<br>
>> > > `cltv_expiry_delta` from the outgoing HTLC expiration ti=
melock, this exact interval value being an<br>
>> > > implementation and node policy setting. As a minimal val=
ue, the specification recommends 34 blocks<br>
>> > > of interval. If the timelock expiration I of the inbound=
HTLC is equal to 100 from chain tip, the<br>
>> > > timelock expiration O of the outbound HTLC must be equal=
to 66 blocks from chain tip, giving a<br>
>> > > reasonable buffer of reaction to the lightning forwardin=
g node.<br>
>> > ><br>
>> > > In the lack of cooperative off-chain settlement of the H=
TLC on the outgoing link negotiated with the<br>
>> > > counterparty (either `update_fulfill_htlc` or `update_fa=
il_htlc`) when O is reached, the lightning<br>
>> > > node should broadcast its commitment transaction. Once t=
he commitment is confirmed (if anchor and<br>
>> > > the 1 CSV encumbrance is present), the lightning node br=
oadcasts and confirms its HTLC-timeout<br>
>> > > before I height is reached.<br>
>> > ><br>
>> > > Here enter a replacement cycling attack. A malicious cha=
nnel counterparty can broadcast its<br>
>> > > HTLC-preimage transaction with a higher absolute fee and=
higher feerate than the honest HTLC-timeout<br>
>> > > of the victim lightning node and triggers a replacement.=
Both for legacy and anchor output channels,<br>
>> > > a HTLC-preimage on a counterparty commitment transaction=
is malleable, i.e additional inputs or<br>
>> > > outputs can be added. The HTLC-preimage spends an unconf=
irmed and unrelated to the channel parent<br>
>> > > transaction M and conflicts its child.<br>
>> > ><br>
>> > > As the HTLC-preimage spends an unconfirmed input that wa=
s already included in the unconfirmed and<br>
>> > > unrelated child transaction (rule 2), pays an absolute h=
igher fee of at least the sum paid by the<br>
>> > > HTLC-timeout and child transaction (rule 3) and the HTLC=
-preimage feerate is greater than all<br>
>> > > directly conflicting transactions (rule 6), the replacem=
ent is accepted. The honest HTLC-timeout is<br>
>> > > evicted out of the mempool.<br>
>> > ><br>
>> > > In an ulterior move, the malicious counterparty can repl=
ace the parent transaction itself with<br>
>> > > another candidate N satisfying the replacement rules, tr=
iggering the eviction of the malicious<br>
>> > > HTLC-preimage from the mempool as it was a child of the =
parent T.<br>
>> > ><br>
>> > > There is no spending candidate of the offered HTLC outpu=
t for the current block laying in network<br>
>> > > mempools.<br>
>> > ><br>
>> > > This replacement cycling tricks can be repeated for each=
rebroadcast attempt of the HTLC-timeout by<br>
>> > > the honest lightning node until expiration of the inboun=
d HTLC timelock I. Once this height is<br>
>> > > reached a HTLC-timeout is broadcast by the counterparty&=
#39;s on the incoming link in collusion with the<br>
>> > > one on the outgoing link broadcasting its own HTLC-preim=
age.<br>
>> > ><br>
>> > > The honest Lightning node has been "double-spent&qu=
ot; in its HTLC forwarding.<br>
>> > ><br>
>> > > As a notable factor impacting the success of the attack,=
a lightning node's honest HTLC-timeout<br>
>> > > might be included in the block template of the miner win=
ning the block race and therefore realizes a<br>
>> > > spent of the offered output. In practice, a replacement =
cycling attack might over-connect to miners'<br>
>> > > mempools and public reachable nodes to succeed in a fast=
eviction of the HTLC-timeout by its<br>
>> > > HTLC-preimage. As this latter transaction can come with =
a better ancestor-score, it should be picked<br>
>> > > up on the flight by economically competitive miners.<br>
>> > ><br>
>> > > A functional test exercising a simple replacement cyclin=
g of a HTLC transaction on bitcoin core<br>
>> > > mempool is available:<br>
>> > > <a href=3D"https://github.com/ariard/bitcoin/commits/202=
3-test-mempool" rel=3D"noreferrer" target=3D"_blank">https://github.com/ari=
ard/bitcoin/commits/2023-test-mempool</a><br>
>> > > <<a href=3D"https://github.com/ariard/bitcoin/commits=
/2023-test-mempool" rel=3D"noreferrer" target=3D"_blank">https://github.com=
/ariard/bitcoin/commits/2023-test-mempool</a>><br>
>> > ><br>
>> > > ## Deployed LN mitigations<br>
>> > ><br>
>> > > Aggressive rebroadcasting: As the replacement cycling at=
tacker benefits from the HTLC-timeout being<br>
>> > > usually broadcast by lightning nodes only once every blo=
ck, or less the replacement cycling<br>
>> > > malicious transactions paid only equal the sum of the ab=
solute fees paid by the HTLC, adjusted with<br>
>> > > the replacement penalty. Rebroadcasting randomly and mul=
tiple times before the next block increases<br>
>> > > the absolute fee cost for the attacker.<br>
>> > ><br>
>> > > Implemented and deployed by Eclair, Core-Lightning, LND =
and LDK .<br>
>> > ><br>
>> > > Local-mempool preimage monitoring: As the replacement cy=
cling attacker in a simple setup broadcast<br>
>> > > the HTLC-preimage to all the network mempools, the hones=
t lightning node is able to catch on the<br>
>> > > flight the unconfirmed HTLC-preimage, before its subsequ=
ent mempool replacement. The preimage can be<br>
>> > > extracted from the second-stage HTLC-preimage and used t=
o fetch the off-chain inbound HTLC with a<br>
>> > > cooperative message or go on-chain with it to claim the =
accepted HTLC output.<br>
>> > ><br>
>> > > Implemented and deployed by Eclair and LND.<br>
>> > ><br>
>> > > CLTV Expiry Delta: With every jammed block comes an abso=
lute fee cost paid by the attacker, a risk<br>
>> > > of the HTLC-preimage being detected or discovered by the=
honest lightning node, or the HTLC-timeout<br>
>> > > to slip in a winning block template. Bumping the default=
CLTV delta hardens the odds of success of a<br>
>> > > simple replacement cycling attack.<br>
>> > ><br>
>> > > Default setting: Eclair 144, Core-Lightning 34, LND 80 a=
nd LDK 72.<br>
>> > ><br>
>> > > ## Affected Bitcoin Protocols and Applications<br>
>> > ><br>
>> > >=C2=A0 From my understanding the following list of Bitcoi=
n protocols and applications could be affected by<br>
>> > > new denial-of-service vectors under some level of networ=
k mempools congestion. Neither tests or<br>
>> > > advanced review of specifications (when available) has b=
een conducted for each of them:<br>
>> > > - on-chain DLCs<br>
>> > > - coinjoins<br>
>> > > - payjoins<br>
>> > > - wallets with time-sensitive paths<br>
>> > > - peerswap and submarine swaps<br>
>> > > - batch payouts<br>
>> > > - transaction "accelerators"<br>
>> > ><br>
>> > > Inviting their developers, maintainers and operators to =
investigate how replacement cycling attacks<br>
>> > > might disrupt their in-mempool chain of transactions, or=
fee-bumping flows at the shortest delay.<br>
>> > > Simple flows and non-multi-party transactions should not=
be affected to the best of my understanding.<br>
>> > ><br>
>> > > ## Open Problems: Package Malleability<br>
>> > ><br>
>> > > Pinning attacks have been known for years as a practical=
vector to compromise lightning channels<br>
>> > > funds safety, under different scenarios (cf. current bip=
331's motivation section). Mitigations at<br>
>> > > the mempool level have been designed, discussed and are =
under implementation by the community<br>
>> > > (ancestor package relay + nverrsion=3D3 policy). Ideally=
, they should constraint a pinning attacker to<br>
>> > > always attach a high feerate package (commitment + CPFP)=
to replace the honest package, or allow a<br>
>> > > honest lightning node to overbid a malicious pinning pac=
kage and get its time-sensitive transaction<br>
>> > > optimistically included in the chain.<br>
>> > ><br>
>> > > Replacement cycling attack seem to offer a new way to ne=
utralize the design goals of package relay<br>
>> > > and its companion nversion=3D3 policy, where an attacker=
package RBF a honest package out of the<br>
>> > > mempool to subsequently double-spend its own high-fee ch=
ild with a transaction unrelated to the<br>
>> > > channel. As the remaining commitment transaction is pre-=
signed with a minimal relay fee, it can be<br>
>> > > evicted out of the mempool.<br>
>> > ><br>
>> > > A functional test exercising a simple replacement cyclin=
g of a lightning channel commitment<br>
>> > > transaction on top of the nversion=3D3 code branch is av=
ailable:<br>
>> > > <a href=3D"https://github.com/ariard/bitcoin/commits/202=
3-10-test-mempool-2" rel=3D"noreferrer" target=3D"_blank">https://github.co=
m/ariard/bitcoin/commits/2023-10-test-mempool-2</a><br>
>> > > <<a href=3D"https://github.com/ariard/bitcoin/commits=
/2023-10-test-mempool-2" rel=3D"noreferrer" target=3D"_blank">https://githu=
b.com/ariard/bitcoin/commits/2023-10-test-mempool-2</a>><br>
>> > ><br>
>> > > ## Discovery<br>
>> > ><br>
>> > > In 2018, the issue of static fees for pre-signed lightni=
ng transactions is made more widely known,<br>
>> > > the carve-out exemption in mempool rules to mitigate in-=
mempool package limits pinning and the<br>
>> > > anchor output pattern are proposed.<br>
>> > ><br>
>> > > In 2019, bitcoin core 0.19 is released with carve-out su=
pport. Continued discussion of the anchor<br>
>> > > output pattern as a dynamic fee-bumping method.<br>
>> > ><br>
>> > > In 2020, draft of anchor output submitted to the bolts. =
Initial finding of economic pinning against<br>
>> > > lightning commitment and second-stage HTLC transactions.=
Subsequent discussions of a<br>
>> > > preimage-overlay network or package-relay as mitigations=
. Public call made to inquiry more on<br>
>> > > potential other transaction-relay jamming attacks affect=
ing lightning.<br>
>> > ><br>
>> > > In 2021, initial work in bitcoin core 22.0 of package ac=
ceptance. Continued discussion of the<br>
>> > > pinning attacks and shortcomings of current mempool rule=
s during community-wide online workshops.<br>
>> > > Later the year, in light of all issues for bitcoin secon=
d-layers, a proposal is made about killing<br>
>> > > the mempool.<br>
>> > ><br>
>> > > In 2022, bip proposed for package relay and new proposed=
v3 policy design proposed for a review and<br>
>> > > implementation. Mempoolfullrbf is supported in bitcoin c=
ore 24.0 and conceptual questions about<br>
>> > > alignment of mempool rules w.r.t miners incentives are i=
nvestigated.<br>
>> > ><br>
>> > > Along this year 2022, eltoo lightning channels design ar=
e discussed, implemented and reviewed. In<br>
>> > > this context and after discussions on mempool anti-DoS r=
ules, I discovered this new replacement<br>
>> > > cycling attack was affecting deployed lightning channels=
and immediately reported the finding to<br>
>> > > some bitcoin core developers and lightning maintainers.<=
br>
>> > ><br>
>> > > ## Timeline<br>
>> > ><br>
>> > > - 2022-12-16: Report of the finding to Suhas Daftuar, An=
thony Towns, Greg Sanders and Gloria Zhao<br>
>> > > - 2022-12-16: Report to LN maintainers: Rusty Russell, B=
astien Teinturier, Matt Corallo and Olaoluwa<br>
>> > > Osuntunkun<br>
>> > > - 2022-12-23: Sharing to Eugene Siegel (LND)<br>
>> > > - 2022-12-24: Sharing to James O'Beirne and Antoine =
Poinsot (non-lightning potential affected projects)<br>
>> > > - 2022-01-14: Sharing to Gleb Naumenko (miners incentive=
s and cross-layers issuers) and initial<br>
>> > > proposal of an early public disclosure<br>
>> > > - 2022-01-19: Collection of analysis if other second-lay=
ers and multi-party applications affected.<br>
>> > > LN mitigations development starts.<br>
>> > > - 2023-05-04: Sharing to Wilmer Paulino (LDK)<br>
>> > > - 2023-06-20: LN mitigations implemented and progressive=
ly released. Week of the 16 october proposed<br>
>> > > for full disclosure.<br>
>> > > - 2023-08-10: CVEs assigned by MITRE<br>
>> > > - 2023-10-05: Pre-disclosure of LN CVEs numbers and repl=
acement cycling attack existence to<br>
>> > > <a href=3D"mailto:security@bitcoincore.org" target=3D"_b=
lank">security@bitcoincore.org</a> <mailto:<a href=3D"mailto:security@bi=
tcoincore.org" target=3D"_blank">security@bitcoincore.org</a>>.<br>
>> > > - 2023-10-16: Full disclosure of CVE-2023-40231 / CVE-20=
23-40232 / CVE-2023-40233 / CVE-2023-40234<br>
>> > > and replacement cycling attacks<br>
>> > ><br>
>> > > ## Conclusion<br>
>> > ><br>
>> > > Despite the line of mitigations adopted and deployed by =
current major lightning implementations, I<br>
>> > > believe replacement cycling attacks are still practical =
for advanced attackers. Beyond this new<br>
>> > > attack might come as a way to partially or completely de=
feat some of the pinning mitigations which<br>
>> > > have been working for years as a community.<br>
>> > ><br>
>> > > As of today, it is uncertain to me if lightning is not a=
ffected by a more severe long-term package<br>
>> > > malleability critical security issue under current conse=
nsus rules, and if any other time-sensitive<br>
>> > > multi-party protocol, designed or deployed isn't de =
facto affected too (loss of funds or denial of<br>
>> > > service).<br>
>> > ><br>
>> > > Assuming analysis on package malleability is correct, it=
is unclear to me if it can be corrected by<br>
>> > > changes in replacement / eviction rules or mempool chain=
of transactions processing strategy.<br>
>> > > Inviting my technical peers and the bitcoin community to=
look more on this issue, including to<br>
>> > > dissent. I'll be the first one pleased if I'm fu=
ndamentally wrong on those issues, or if any element<br>
>> > > has not been weighted with the adequate technical accura=
cy it deserves.<br>
>> > ><br>
>> > > Do not trust, verify. All mistakes and opinions are my o=
wn.<br>
>> > ><br>
>> > > Antoine<br>
>> > ><br>
>> > > "meet with Triumph and Disaster. And treat those tw=
o impostors just the same" - K.<br>
>> > ><br>
>> > > _______________________________________________<br>
>> > > Lightning-dev mailing list<br>
>> > > <a href=3D"mailto:Lightning-dev@lists.linuxfoundation.or=
g" target=3D"_blank">Lightning-dev@lists.linuxfoundation.org</a><br>
>> > > <a href=3D"https://lists.linuxfoundation.org/mailman/lis=
tinfo/lightning-dev" rel=3D"noreferrer" target=3D"_blank">https://lists.lin=
uxfoundation.org/mailman/listinfo/lightning-dev</a><br>
>> > _______________________________________________<br>
>> > bitcoin-dev mailing list<br>
>> > <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" targ=
et=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
>> > <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo=
/bitcoin-dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfound=
ation.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--000000000000da31e3060816d4d7--
|
