From luke at dashjr.org Mon Oct 4 16:27:59 2021
From: luke at dashjr.org (Luke Dashjr)
Date: Mon, 4 Oct 2021 16:27:59 +0000
Subject: [Lightning-dev] Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful"
In-Reply-To:
References: <202110041557.13862.luke@dashjr.org>
Message-ID: <202110041627.59721.luke@dashjr.org>

On Monday 04 October 2021 16:14:20 Antoine Riard wrote:
> > The "dust limit" is arbitrarily decided by each node, and cannot be
> > relied upon for security at all. Expecting it to be a given default value
> > is in itself a security vulnerability
>
> Reality is that an increasing number of funds are secured by assumptions
> around mempool behavior.

In other words, simply not secured.

> And sadly that's going to increase with Lightning growth and deployment of
> other L2s.

L2s shouldn't build on flawed assumptions.

> Maybe we could dry-up some policy rules in consensus like the dust limit
> one :)

No thanks. Not sure that would even help (since policies can always be set to
a higher dust limit than any consensus rule)