From dave at dtrt.org Mon Oct 23 08:49:55 2023
From: dave at dtrt.org (David A. Harding)
Date: Sun, 22 Oct 2023 22:49:55 -1000
Subject: [Lightning-dev] [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
In-Reply-To:
References:
Message-ID: <0ae928c4209debc1fd4271fddfffde65@dtrt.org>

On 2023-10-21 18:49, Nadav Ivgi via bitcoin-dev wrote:
> Could this be addressed with an OP_CSV_ALLINPUTS, a covenant opcode
> that requires _all_ inputs to have a matching nSequence, and using
> `1 OP_CSV_ALLINPUTS` in the HTLC preimage branch?
>
> This would prevent using unconfirmed outputs in the
> HTLC-preimage-spending transaction entirely, which IIUC should protect
> it against the replacement cycling attack.

I don't think that addresses the underlying problem. In Riard's
description, a replacement cycle looks like this:

- Bob broadcasts an HTLC-timeout (input A, input B for fees, output X)
- Mallory replaces the HTLC-timeout with an HTLC-preimage (input A,
  input C for fees, output Y)
- Mallory replaces the transaction that created input C, removing the
  HTLC-preimage from the mempool

However, an alternative approach is:

- (Same) Bob broadcasts an HTLC-timeout (input A, input B for fees,
  output X)
- (Same) Mallory replaces the HTLC-timeout with an HTLC-preimage
  (input A, input C for fees, output Y)
- (Different) Mallory uses input C to replace the HTLC-preimage with a
  transaction that does not include input A, removing the preimage from
  the mempool

The original scenario requires input C to be from an unconfirmed
transaction, so OP_CSV_ALLINPUTS works. The alternative scenario works
even if input C comes from a confirmed transaction, so OP_CSV_ALLINPUTS
is ineffective.

-Dave
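A toy mempool model, added here as an illustration and not code from the thread or from Bitcoin Core, that replays both cycles above. `all_inputs_confirmed` stands in for the hypothetical effect of Nadav's OP_CSV_ALLINPUTS, and replacement is simplified (an assumption) to "a new transaction evicts every conflicting transaction and its descendants"; the point it shows is that the check only bites when input C is unconfirmed, while the preimage leaves the mempool in both cases.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    name: str
    inputs: frozenset   # outpoints spent, e.g. {"A", "C"}
    outputs: frozenset  # outpoints created, e.g. {"Y"}

class Mempool:
    """Minimal replacement model (constructed, not Bitcoin Core's RBF rules):
    a new tx evicts every tx spending one of its inputs, plus descendants."""
    def __init__(self, confirmed):
        self.confirmed = set(confirmed)  # outpoints created by confirmed txs
        self.txs = {}                    # name -> Tx currently in the mempool

    def replace(self, tx):
        evicted = [t for t in self.txs.values() if t.inputs & tx.inputs]
        while evicted:
            t = evicted.pop()
            self.txs.pop(t.name, None)
            # anything spending an evicted tx's outputs is orphaned too
            evicted.extend(d for d in self.txs.values() if d.inputs & t.outputs)
        self.txs[tx.name] = tx

def all_inputs_confirmed(tx, pool):
    """Hypothetical OP_CSV_ALLINPUTS effect: every input of the preimage tx
    must come from a confirmed transaction, never from a mempool tx."""
    return tx.inputs <= pool.confirmed

def run_scenario(c_confirmed):
    """Replay the cycle with input C confirmed (alternative scenario) or
    unconfirmed (original). Returns (check_passes, preimage_still_in_pool)."""
    pool = Mempool({"A", "B", "D"} | ({"C"} if c_confirmed else set()))
    if not c_confirmed:  # original scenario: C is created by an unconfirmed tx
        pool.replace(Tx("create_C", frozenset("D"), frozenset("C")))
    pool.replace(Tx("htlc_timeout", frozenset("AB"), frozenset("X")))  # Bob
    preimage = Tx("htlc_preimage", frozenset("AC"), frozenset("Y"))    # Mallory
    check_passes = all_inputs_confirmed(preimage, pool)
    pool.replace(preimage)  # evicts htlc_timeout (conflict on input A)
    if c_confirmed:
        # alternative: spend C in a tx without input A; conflicts with preimage
        pool.replace(Tx("spend_C_only", frozenset("C"), frozenset("Z")))
    else:
        # original: replace C's creator, so the preimage becomes an orphan
        pool.replace(Tx("create_C2", frozenset("D"), frozenset("E")))
    return check_passes, "htlc_preimage" in pool.txs
```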