Can someone explain the recently-found LN security flaw in simple terms? \ stacker news ~bitcoin

Can someone explain the recently-found LN security flaw in simple terms?

4430 sats \ 12 comments \ @MattInTech 23 Oct 2023 bitcoin

Hi guys, I was reading some stuff about the LN security flaw that everyone is talking about (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-October/022032.html) but found it quite technical and difficult to understand.

While I take some time to read all relevant documentation (will list it below), is there anyone patient enough to explain in very simple terms what happened, and what the security issue is about? I couldn't find good articles around, if you have interesting material please post it below!

Additional resources: https://github.com/ariard/mempool-research/blob/2023-10-replacement-paper/replacement-cycling.pdf https://arxiv.org/pdf/2006.08513.pdf https://github.com/ariard/bitcoin/commits/2023-test-mempool https://github.com/lightning/bolts/pull/772

view all related items

2609 sats \ 3 replies \ @TonyGiorgio 23 Oct 2023

The best resource visualized: https://www.nobsbitcoin.com/how-does-a-lightning-replacement-cycling-attack-work/

Explained simply:

Imagine papercliping garbage to a legal bill, but then the whole thing gets thrown out because of it. So a new bill is proposed but the attacker paperclipped more garbage to it and it doesn't pass again. Eventually it is no longer possible to submit the bill and attackers win.

In this case the bill is your in flight payment that you're trying to redeem on chain before the timeout.

92 sats \ 0 replies \ @go 23 Oct 2023

Thank you

21 sats \ 0 replies \ @oraltosun 23 Oct 2023

Nice explanation.

0 sats \ 0 replies \ @brandonsbytes 23 Oct 2023

deleted by author

253 sats \ 3 replies \ @Zepasta 23 Oct 2023

deleted by author

21 sats \ 1 reply \ @nicosey 23 Oct 2023

Storm in tea cup?

366 sats \ 0 replies \ @dieselbaby 24 Oct 2023

Hardly. I think the people who are trying to downplay this are engaging in a bit of copium, to be honest. There are many issues with the lightning network that people are keen to ignore and not discuss, I think it's actually quite a serious issue (the lack of discussion/willingness to engage in anything remotely bordering on self-criticism or critique in an honest way) in the bitcoin community that we need to talk about more often.

That said, aside from the aforementioned other issues (which there are plenty of; just outside of the scope of this particular post/thread), one of the more well-known bitcoin core/lightning network devs (who I understand is someone well-regarded and respected within that sphere of people) has decided to no longer be doing dev work for lightning because of this. I think that's worrying enough to merit concern.

0 sats \ 0 replies \ @brandonsbytes 23 Oct 2023

deleted by author

56 sats \ 1 reply \ @knorozov 23 Oct 2023

Latest Rabbit Hole Recap episode addressed it.

120 sats \ 0 replies \ @MerryOscar 23 Oct 2023

https://fountain.fm/episode/eqkU58CL31KmJiKOshFD

111 sats \ 0 replies \ @om 23 Oct 2023

There's a stupid mempool thing that if you have transactions X, Y and Z such that X conflicts with Y and Y conflicts with Z, then X could be ousted by Z even if they don't conflict. It goes like this: Y replaces X, then X is thrown out of mempool, then Z can replace Y.

In very specific circumstances this can be used maliciously to block somebody from posting a transaction. LN assumes that everybody is able to post a transaction within a certain time from the moment they desire to do so, but this assumption is invalidated by the attack.

In the specific case of LN, LN nodes can avoid the issue by scanning the mempool. But IMHO the mempool behaviour is the thing to fix.

0 sats \ 0 replies \ @w0nderl4nd 25 Oct 2023

Interesting to check out: https://bitcoinmagazine.com/technical/postmortem-on-the-lightning-replacement-cycling-attack

As my father used to say: 'Sometimes what seems like a tidal wave is just a fart in a bathtub'.