Disclosure: Replacement Cycling Attacks on the Lightning Network

"End of last year (December 2022), amid technical discussions on eltoo payment channels and incentives compatibility of the mempool anti-DoS rules, a new transaction-relay jamming attack affecting lightning channels was discovered."

Disclosure: Replacement Cycling Attacks on the Lightning Network
  • "After careful analysis, it turns out this attack is practical and
    immediately exposed lightning routing hops carrying HTLC traffic to loss of
    funds security risks, both legacy and anchor output channels. A potential
    exploitation plausibly happening even without network mempools congestion."
  • Mitigations have been designed, implemented and deployed by all major
    lightning implementations during the last months."
  • Please find attached the release numbers, where the mitigations should be
    - LDK: v0.0.115? - CVE-2023 -40231 (original letter says LDK v0.0.118 which is not out yet.)
    - Eclair: v0.9.0 - CVE-2023-40232
    - LND: v.0.16.1-beta - CVE-2023-40233 (original message says LND v0.17.0-beta but @Roasbeef clarified that all of LND's relevant mitigations were in place by lnd v0.16.1-beta [1], which was released on April 24th 2023.)
    - Core-Lightning: v.23.08.01 - CVE-2023-40234
"Please find a list of potential affected bitcoin applications in this full disclosure report using bitcoin script timelocks or multi-party
transactions, albeit no immediate security risk exposure as severe as the
ones affecting lightning has been identified. Only cursory review of
non-lightning applications has been conducted so far."
  • "From my understanding the following list of Bitcoin protocols and
    applications could be affected by new denial-of-service vectors under some
    level of network mempools congestion. Neither tests or advanced review of
    specifications (when available) has been conducted for each of them:

    - on-chain DLCs;
    - coinjoins;
    - payjoins;
    - wallets with time-sensitive paths;
    - peerswap and submarine swaps;
    - batch payouts;
    - transaction "accelerators."
  • "Inviting their developers, maintainers and operators to investigate how
    replacement cycling attacks might disrupt their in-mempool chain of
    transactions, or fee-bumping flows at the shortest delay. Simple flows and
    non-multi-party transactions should not be affected to the best of my
  • There is a paper published summarizing replacement cycling attacks on the
    lightning network.
  • "A functional test exercising a simple replacement cycling of a lightning
    channel commitment transaction on top of the nversion=3 code branch is available."
"Despite the line of mitigations adopted and deployed by current major
lightning implementations, I believe replacement cycling attacks are still
practical for advanced attackers. Beyond this new attack might come as a
way to partially or completely defeat some of the pinning mitigations which have been working for years as a community."

Full Disclosure