New Class of Replacement Cycling Attacks Might Put Lightning Network in Perilous Position

• "After writing the mail reply on the economics of sequential malicious replacement of honest HTLC-timeout, I did write one more test to verify the behavior on core mempool, and it works as expected."
• "Responsible disclosure process has followed the lines of hardware issues affecting operating system, as documented for the Linux kernel, while adapted to the bitcoin ecosystem."

"Effective now, I'm halting my involvement with the development of the lightning network and its implementations, including coordinating the handling of security issues at the protocol level (I informed some senior lightning devs in that sense before)."

• "I think this new class of replacement cycling attacks puts lightning in a very perilous position, where only a sustainable fix can happen at the base-layer, e.g adding a memory-intensive history of all-seen transactions or some consensus upgrade."
• "Deployed mitigations are worth something in face of simple attacks, though I don't think they're stopping advanced attackers as said in the first full disclosure mail."
• "Those types of changes are the ones necessitating the utmost transparency and buy-in of the community as a whole, as we're altering the full-nodes processing requirements or the security architecture of the decentralized bitcoin ecosystem in its integrality."

"On the other hand fully explaining why such changes would be warranted for the sake of lightning and for designing them well, we might need to lay out in complete state practical and critical attacks on a ~5 355 public BTC ecosystem. Hard dilemma."

• "I'll be silent on those issues on public mailing lists until the week of
  the 30 oct. Enough material has been published and other experts are
  available. Then I'll be back focusing more on bitcoin core."

Full Letter / Archive