summaryrefslogtreecommitdiff
path: root/d3/5b369ac875d31cd105e14f86d03a9483829b1e
blob: 93df57cb22357f19c9c3161d82899cd0973fa462 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
Return-Path: <mattmorehouse@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 0F8A8C0032;
 Thu, 19 Oct 2023 16:23:28 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id E732283EBD;
 Thu, 19 Oct 2023 16:23:27 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org E732283EBD
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20230601 header.b=V9fS0myS
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id yfgx2pbdYR19; Thu, 19 Oct 2023 16:23:26 +0000 (UTC)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com
 [IPv6:2607:f8b0:4864:20::b34])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 03CBE83EBB;
 Thu, 19 Oct 2023 16:23:25 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 03CBE83EBB
Received: by mail-yb1-xb34.google.com with SMTP id
 3f1490d57ef6-d9ad90e1038so8877647276.3; 
 Thu, 19 Oct 2023 09:23:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1697732605; x=1698337405;
 darn=lists.linuxfoundation.org; 
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:from:to:cc:subject:date
 :message-id:reply-to;
 bh=SnnqAjCsj1bce7DbXA5g6tk4RtR+z18odLPEMWhbrwk=;
 b=V9fS0mySf/TNOQ+RFMMtC5lgX/Al8nkM2KH09nEWxgY7My7/9Vxt9FjFVh3RaNehzO
 O8vOV1YuSL1lEgcTe7Ius+kCDudJyJMaiDdB8sXvYTCmDETgY38wEGC/9AnBu7bHZ3kS
 LDfdQiUSKHjOOGsBaLFhJZ++8w8LqcTdlV7ZRhBn45eSmmXOAAjznoYmXPvvH1K/obdj
 nwzMCiBRaBUtZ52zl/BRWDoJsL0Sd/2jXKHq2yq/6/+MVlCjOTdQeK1vRhGoqhevwAh7
 /N6QCm8C8QlahfYIdPL0FCGVrbvcRvuBPHEY9+JOb30oVuJdIooj1RGEAIibwadvbmru
 xyTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1697732605; x=1698337405;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=SnnqAjCsj1bce7DbXA5g6tk4RtR+z18odLPEMWhbrwk=;
 b=n/oax3NROPUdttOHTPgHOKbv8eWzevGcBOq95Hy4y2liidSBQ08UVOsRV8zPZV1pYi
 vAk6hmksz/qnsgBt292InkINvWiTjxawfdoPzsU5szA0rthQFTEDOS5GBEBtfsWqJpjS
 hxQVytoe6Np5DgE4jKR213WZ0wHp5ggksKET+l0xgNEUGV2YhNzAE3qU218tMACi0Jps
 RhxNB1yFou7mjJSscuHNEzEpn+M1Vt8Ve4PJ/gVT0pKTmNFcQNY7cxQBv2OitErJaXA/
 8gN3gpgs2Xj8zGOHJMos/Sm+vMzt4zq2yq25h8+QmApQI4Sdnf3rKgMpm6LN1pcGFqhe
 6BZg==
X-Gm-Message-State: AOJu0Yz0khO83EBsM66FEwKQk9IHL669kb7mRLy6qVbZpcPd/BKd1PES
 CdPGlC5AqkF3xObpsgFuGgKhCNs9xg8mfR5qFFw=
X-Google-Smtp-Source: AGHT+IFbBaLwvbmmVGpr5ZGj0TPvonwAbBS7BmDTYZb/+6Mi563YRSxTqUK4H04TzFsexTbpgMlyQduxcgFapT8y3Sw=
X-Received: by 2002:a25:8201:0:b0:d7b:9211:51a5 with SMTP id
 q1-20020a258201000000b00d7b921151a5mr2741705ybk.44.1697732604500; Thu, 19 Oct
 2023 09:23:24 -0700 (PDT)
MIME-Version: 1.0
References: <CALZpt+GdyfDotdhrrVkjTALg5DbxJyiS8ruO2S7Ggmi9Ra5B9g@mail.gmail.com>
 <ece6f28b-5b14-4f9c-a115-945082a63d68@mattcorallo.com>
In-Reply-To: <ece6f28b-5b14-4f9c-a115-945082a63d68@mattcorallo.com>
From: Matt Morehouse <mattmorehouse@gmail.com>
Date: Thu, 19 Oct 2023 16:23:13 +0000
Message-ID: <CAGyamEWnSNAwJ1HpcgiYtNYwUqWOBn7RzhfR_W8460B_9n=qng@mail.gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Thu, 19 Oct 2023 16:52:10 +0000
Cc: security@ariard.me, "lightning-dev\\\\@lists.linuxfoundation.org"
 <lightning-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] [Lightning-dev] Full Disclosure: CVE-2023-40231 /
 CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are
 belong to us"
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Oct 2023 16:23:28 -0000

On Wed, Oct 18, 2023 at 12:34=E2=80=AFAM Matt Corallo via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> There appears to be some confusion about this issue and the mitigations. =
To be clear, the deployed
> mitigations are not expected to fix this issue, its arguable if they prov=
ide anything more than a PR
> statement.
>
> There are two discussed mitigations here - mempool scanning and transacti=
on re-signing/re-broadcasting.
>
> Mempool scanning relies on regularly checking the mempool of a local node=
 to see if we can catch the
> replacement cycle mid-cycle. It only works if wee see the first transacti=
on before the second
> transaction replaces it.
>
> Today, a large majority of lightning nodes run on machines with a Bitcoin=
 node on the same IP
> address, making it very clear what the "local node" of the lightning node=
 is. An attacker can
> trivially use this information to connect to said local node and do the r=
eplacement quickly,
> preventing the victim from seeing the replacement.
>
> More generally, however, similar discoverability is true for mining pools=
. An attacker performing
> this attack is likely to do the replacement attack on a miner's node dire=
ctly, potentially reducing
> the reach of the intermediate transaction to only miners, such that the v=
ictim can never discover it
> at all.
>
> The second mitigation is similarly pathetic. Re-signing and re-broadcasti=
ng the victim's transaction
> in an attempt to get it to miners even if its been removed may work, if t=
he attacker is super lazy
> and didn't finish writing their attack system. If the attacker is connect=
ed to a large majority of
> hashrate (which has historically been fairly doable), they can simply do =
their replacement in a
> cycle aggressively and arbitrarily reduce the probability that the victim=
's transaction gets confirmed.

What if the honest node aggressively fee-bumps and retransmits the
HTLC-timeout as the CLTV delta deadline approaches, as suggested by
Ziggie?  Say, within 10 blocks of the deadline, the honest node starts
increasing the fee by 1/10th the HTLC value for each non-confirmation.

This "scorched earth" approach may cost the honest node considerable
fees, but it will cost the attacker even more, since each attacker
replacement needs to burn at least as much as the HTLC-timeout fees,
and the attacker will need to do a replacement every time the honest
node fee bumps.

I think this fee-bumping policy will provide sufficient defense even
if the attacker is replacement-cycling directly in miners' mempools
and the victim has no visibility into the attack.

>
> Now, the above is all true in a spherical cow kinda world, and the P2P ne=
twork has plenty of slow
> nodes and strange behavior. Its possible that these mitigations might, by=
 some stroke of luck,
> happen to catch such an attack and prevent it, because something took lon=
ger than the attacker
> intended or whatever. But, that's a far cry from any kind of material "fi=
x" for the issue.
>
> Ultimately the only fix for this issue will be when miners keep a history=
 of transactions they've
> seen and try them again after they may be able to enter the mempool becau=
se of an attack like this.
>
> Matt
>
> On 10/16/23 12:57 PM, Antoine Riard wrote:
> > (cross-posting mempool issues identified are exposing lightning chan to=
 loss of funds risks, other
> > multi-party bitcoin apps might be affected)
> >
> > Hi,
> >
> > End of last year (December 2022), amid technical discussions on eltoo p=
ayment channels and
> > incentives compatibility of the mempool anti-DoS rules, a new transacti=
on-relay jamming attack
> > affecting lightning channels was discovered.
> >
> > After careful analysis, it turns out this attack is practical and immed=
iately exposed lightning
> > routing hops carrying HTLC traffic to loss of funds security risks, bot=
h legacy and anchor output
> > channels. A potential exploitation plausibly happening even without net=
work mempools congestion.
> >
> > Mitigations have been designed, implemented and deployed by all major l=
ightning implementations
> > during the last months.
> >
> > Please find attached the release numbers, where the mitigations should =
be present:
> > - LDK: v0.0.118 - CVE-2023 -40231
> > - Eclair: v0.9.0 - CVE-2023-40232
> > - LND: v.0.17.0-beta - CVE-2023-40233
> > - Core-Lightning: v.23.08.01 - CVE-2023-40234
> >
> > While neither replacement cycling attacks have been observed or reporte=
d in the wild since the last
> > ~10 months or experimented in real-world conditions on bitcoin mainet, =
functional test is available
> > exercising the affected lightning channel against bitcoin core mempool =
(26.0 release cycle).
> >
> > It is understood that a simple replacement cycling attack does not dema=
nd privileged capabilities
> > from an attacker (e.g no low-hashrate power) and only access to basic b=
itcoin and lightning
> > software. Yet I still think executing such an attack successfully reque=
sts a fair amount of bitcoin
> > technical know-how and decent preparation.
> >
> >  From my understanding of those issues, it is yet to be determined if t=
he mitigations deployed are
> > robust enough in face of advanced replacement cycling attackers, especi=
ally ones able to combine
> > different classes of transaction-relay jamming such as pinnings or vett=
ed with more privileged
> > capabilities.
> >
> > Please find a list of potential affected bitcoin applications in this f=
ull disclosure report using
> > bitcoin script timelocks or multi-party transactions, albeit no immedia=
te security risk exposure as
> > severe as the ones affecting lightning has been identified. Only cursor=
y review of non-lightning
> > applications has been conducted so far.
> >
> > There is a paper published summarizing replacement cycling attacks on t=
he lightning network:
> > https://github.com/ariard/mempool-research/blob/2023-10-replacement-pap=
er/replacement-cycling.pdf
> > <https://github.com/ariard/mempool-research/blob/2023-10-replacement-pa=
per/replacement-cycling.pdf>
> >
> >   ## Problem
> >
> > A lightning node allows HTLCs forwarding (in bolt3's parlance accepted =
HTLC on incoming link and
> > offered HTLC on outgoing link) should settle the outgoing state with ei=
ther a success or timeout
> > before the incoming state timelock becomes final and an asymmetric defa=
vorable settlement might
> > happen (cf "Flood & Loot: A Systematic Attack on The Lightning Network"=
 section 2.3 for a classical
> > exposition of this lightning security property).
> >
> > Failure to satisfy this settlement requirement exposes a forwarding hop=
 to a loss of fund risk where
> > the offered HTLC is spent by the outgoing link counterparty's HTLC-prei=
mage and the accepted HTLC is
> > spent by the incoming link counterparty's HTLC-timeout.
> >
> > The specification mandates the incoming HTLC expiration timelock to be =
spaced out by an interval of
> > `cltv_expiry_delta` from the outgoing HTLC expiration timelock, this ex=
act interval value being an
> > implementation and node policy setting. As a minimal value, the specifi=
cation recommends 34 blocks
> > of interval. If the timelock expiration I of the inbound HTLC is equal =
to 100 from chain tip, the
> > timelock expiration O of the outbound HTLC must be equal to 66 blocks f=
rom chain tip, giving a
> > reasonable buffer of reaction to the lightning forwarding node.
> >
> > In the lack of cooperative off-chain settlement of the HTLC on the outg=
oing link negotiated with the
> > counterparty (either `update_fulfill_htlc` or `update_fail_htlc`) when =
O is reached, the lightning
> > node should broadcast its commitment transaction. Once the commitment i=
s confirmed (if anchor and
> > the 1 CSV encumbrance is present), the lightning node broadcasts and co=
nfirms its HTLC-timeout
> > before I height is reached.
> >
> > Here enter a replacement cycling attack. A malicious channel counterpar=
ty can broadcast its
> > HTLC-preimage transaction with a higher absolute fee and higher feerate=
 than the honest HTLC-timeout
> > of the victim lightning node and triggers a replacement. Both for legac=
y and anchor output channels,
> > a HTLC-preimage on a counterparty commitment transaction is malleable, =
i.e additional inputs or
> > outputs can be added. The HTLC-preimage spends an unconfirmed and unrel=
ated to the channel parent
> > transaction M and conflicts its child.
> >
> > As the HTLC-preimage spends an unconfirmed input that was already inclu=
ded in the unconfirmed and
> > unrelated child transaction (rule 2), pays an absolute higher fee of at=
 least the sum paid by the
> > HTLC-timeout and child transaction (rule 3) and the HTLC-preimage feera=
te is greater than all
> > directly conflicting transactions (rule 6), the replacement is accepted=
. The honest HTLC-timeout is
> > evicted out of the mempool.
> >
> > In an ulterior move, the malicious counterparty can replace the parent =
transaction itself with
> > another candidate N satisfying the replacement rules, triggering the ev=
iction of the malicious
> > HTLC-preimage from the mempool as it was a child of the parent T.
> >
> > There is no spending candidate of the offered HTLC output for the curre=
nt block laying in network
> > mempools.
> >
> > This replacement cycling tricks can be repeated for each rebroadcast at=
tempt of the HTLC-timeout by
> > the honest lightning node until expiration of the inbound HTLC timelock=
 I. Once this height is
> > reached a HTLC-timeout is broadcast by the counterparty's on the incomi=
ng link in collusion with the
> > one on the outgoing link broadcasting its own HTLC-preimage.
> >
> > The honest Lightning node has been "double-spent" in its HTLC forwardin=
g.
> >
> > As a notable factor impacting the success of the attack, a lightning no=
de's honest HTLC-timeout
> > might be included in the block template of the miner winning the block =
race and therefore realizes a
> > spent of the offered output. In practice, a replacement cycling attack =
might over-connect to miners'
> > mempools and public reachable nodes to succeed in a fast eviction of th=
e HTLC-timeout by its
> > HTLC-preimage. As this latter transaction can come with a better ancest=
or-score, it should be picked
> > up on the flight by economically competitive miners.
> >
> > A functional test exercising a simple replacement cycling of a HTLC tra=
nsaction on bitcoin core
> > mempool is available:
> > https://github.com/ariard/bitcoin/commits/2023-test-mempool
> > <https://github.com/ariard/bitcoin/commits/2023-test-mempool>
> >
> > ## Deployed LN mitigations
> >
> > Aggressive rebroadcasting: As the replacement cycling attacker benefits=
 from the HTLC-timeout being
> > usually broadcast by lightning nodes only once every block, or less the=
 replacement cycling
> > malicious transactions paid only equal the sum of the absolute fees pai=
d by the HTLC, adjusted with
> > the replacement penalty. Rebroadcasting randomly and multiple times bef=
ore the next block increases
> > the absolute fee cost for the attacker.
> >
> > Implemented and deployed by Eclair, Core-Lightning, LND and LDK .
> >
> > Local-mempool preimage monitoring: As the replacement cycling attacker =
in a simple setup broadcast
> > the HTLC-preimage to all the network mempools, the honest lightning nod=
e is able to catch on the
> > flight the unconfirmed HTLC-preimage, before its subsequent mempool rep=
lacement. The preimage can be
> > extracted from the second-stage HTLC-preimage and used to fetch the off=
-chain inbound HTLC with a
> > cooperative message or go on-chain with it to claim the accepted HTLC o=
utput.
> >
> > Implemented and deployed by Eclair and LND.
> >
> > CLTV Expiry Delta: With every jammed block comes an absolute fee cost p=
aid by the attacker, a risk
> > of the HTLC-preimage being detected or discovered by the honest lightni=
ng node, or the HTLC-timeout
> > to slip in a winning block template. Bumping the default CLTV delta har=
dens the odds of success of a
> > simple replacement cycling attack.
> >
> > Default setting: Eclair 144, Core-Lightning 34, LND 80 and LDK 72.
> >
> > ## Affected Bitcoin Protocols and Applications
> >
> >  From my understanding the following list of Bitcoin protocols and appl=
ications could be affected by
> > new denial-of-service vectors under some level of network mempools cong=
estion. Neither tests or
> > advanced review of specifications (when available) has been conducted f=
or each of them:
> > - on-chain DLCs
> > - coinjoins
> > - payjoins
> > - wallets with time-sensitive paths
> > - peerswap and submarine swaps
> > - batch payouts
> > - transaction "accelerators"
> >
> > Inviting their developers, maintainers and operators to investigate how=
 replacement cycling attacks
> > might disrupt their in-mempool chain of transactions, or fee-bumping fl=
ows at the shortest delay.
> > Simple flows and non-multi-party transactions should not be affected to=
 the best of my understanding.
> >
> > ## Open Problems: Package Malleability
> >
> > Pinning attacks have been known for years as a practical vector to comp=
romise lightning channels
> > funds safety, under different scenarios (cf. current bip331's motivatio=
n section). Mitigations at
> > the mempool level have been designed, discussed and are under implement=
ation by the community
> > (ancestor package relay + nverrsion=3D3 policy). Ideally, they should c=
onstraint a pinning attacker to
> > always attach a high feerate package (commitment + CPFP) to replace the=
 honest package, or allow a
> > honest lightning node to overbid a malicious pinning package and get it=
s time-sensitive transaction
> > optimistically included in the chain.
> >
> > Replacement cycling attack seem to offer a new way to neutralize the de=
sign goals of package relay
> > and its companion nversion=3D3 policy, where an attacker package RBF a =
honest package out of the
> > mempool to subsequently double-spend its own high-fee child with a tran=
saction unrelated to the
> > channel. As the remaining commitment transaction is pre-signed with a m=
inimal relay fee, it can be
> > evicted out of the mempool.
> >
> > A functional test exercising a simple replacement cycling of a lightnin=
g channel commitment
> > transaction on top of the nversion=3D3 code branch is available:
> > https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2
> > <https://github.com/ariard/bitcoin/commits/2023-10-test-mempool-2>
> >
> > ## Discovery
> >
> > In 2018, the issue of static fees for pre-signed lightning transactions=
 is made more widely known,
> > the carve-out exemption in mempool rules to mitigate in-mempool package=
 limits pinning and the
> > anchor output pattern are proposed.
> >
> > In 2019, bitcoin core 0.19 is released with carve-out support. Continue=
d discussion of the anchor
> > output pattern as a dynamic fee-bumping method.
> >
> > In 2020, draft of anchor output submitted to the bolts. Initial finding=
 of economic pinning against
> > lightning commitment and second-stage HTLC transactions. Subsequent dis=
cussions of a
> > preimage-overlay network or package-relay as mitigations. Public call m=
ade to inquiry more on
> > potential other transaction-relay jamming attacks affecting lightning.
> >
> > In 2021, initial work in bitcoin core 22.0 of package acceptance. Conti=
nued discussion of the
> > pinning attacks and shortcomings of current mempool rules during commun=
ity-wide online workshops.
> > Later the year, in light of all issues for bitcoin second-layers, a pro=
posal is made about killing
> > the mempool.
> >
> > In 2022, bip proposed for package relay and new proposed v3 policy desi=
gn proposed for a review and
> > implementation. Mempoolfullrbf is supported in bitcoin core 24.0 and co=
nceptual questions about
> > alignment of mempool rules w.r.t miners incentives are investigated.
> >
> > Along this year 2022, eltoo lightning channels design are discussed, im=
plemented and reviewed. In
> > this context and after discussions on mempool anti-DoS rules, I discove=
red this new replacement
> > cycling attack was affecting deployed lightning channels and immediatel=
y reported the finding to
> > some bitcoin core developers and lightning maintainers.
> >
> > ## Timeline
> >
> > - 2022-12-16: Report of the finding to Suhas Daftuar, Anthony Towns, Gr=
eg Sanders and Gloria Zhao
> > - 2022-12-16: Report to LN maintainers: Rusty Russell, Bastien Teinturi=
er, Matt Corallo and Olaoluwa
> > Osuntunkun
> > - 2022-12-23: Sharing to Eugene Siegel (LND)
> > - 2022-12-24: Sharing to James O'Beirne and Antoine Poinsot (non-lightn=
ing potential affected projects)
> > - 2022-01-14: Sharing to Gleb Naumenko (miners incentives and cross-lay=
ers issuers) and initial
> > proposal of an early public disclosure
> > - 2022-01-19: Collection of analysis if other second-layers and multi-p=
arty applications affected.
> > LN mitigations development starts.
> > - 2023-05-04: Sharing to Wilmer Paulino (LDK)
> > - 2023-06-20: LN mitigations implemented and progressively released. We=
ek of the 16 october proposed
> > for full disclosure.
> > - 2023-08-10: CVEs assigned by MITRE
> > - 2023-10-05: Pre-disclosure of LN CVEs numbers and replacement cycling=
 attack existence to
> > security@bitcoincore.org <mailto:security@bitcoincore.org>.
> > - 2023-10-16: Full disclosure of CVE-2023-40231 / CVE-2023-40232 / CVE-=
2023-40233 / CVE-2023-40234
> > and replacement cycling attacks
> >
> > ## Conclusion
> >
> > Despite the line of mitigations adopted and deployed by current major l=
ightning implementations, I
> > believe replacement cycling attacks are still practical for advanced at=
tackers. Beyond this new
> > attack might come as a way to partially or completely defeat some of th=
e pinning mitigations which
> > have been working for years as a community.
> >
> > As of today, it is uncertain to me if lightning is not affected by a mo=
re severe long-term package
> > malleability critical security issue under current consensus rules, and=
 if any other time-sensitive
> > multi-party protocol, designed or deployed isn't de facto affected too =
(loss of funds or denial of
> > service).
> >
> > Assuming analysis on package malleability is correct, it is unclear to =
me if it can be corrected by
> > changes in replacement / eviction rules or mempool chain of transaction=
s processing strategy.
> > Inviting my technical peers and the bitcoin community to look more on t=
his issue, including to
> > dissent. I'll be the first one pleased if I'm fundamentally wrong on th=
ose issues, or if any element
> > has not been weighted with the adequate technical accuracy it deserves.
> >
> > Do not trust, verify. All mistakes and opinions are my own.
> >
> > Antoine
> >
> > "meet with Triumph and Disaster. And treat those two impostors just the=
 same" - K.
> >
> > _______________________________________________
> > Lightning-dev mailing list
> > Lightning-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev