Re: [bitcoindev] Full-Disclosure: CVE-2025-27586 "No Santa Claus under the Lightning Sun"

["David A. Harding" <dave@dtrt.org>]

On 2025-06-12 09:03, Antoine Riard wrote:
> This class of attacks dubbed "fee-bumping reserves exhaustion attacks"
> [...]
> ## Timeline
> 
> - 2022-07-11: Report of the finding to XXX, Bastien Teinturier
> (Eclair), Lisa Neigut

Hi Antoine,

I read your post twice but everything in it seems obvious.  What am I 
missing?  It's obvious that (1) exogenous fee bumping requires keeping 
an independent reserve of sufficient funds and (2) that the amount of 
the reserve can vary depending on transaction size and prevalent 
feerates.  The earliest description of that problem I found is from more 
than a year before your report ( 
https://github.com/lightningnetwork/lnd/pull/4908 ), but I suspect I 
could find other even earlier discussion if I looked harder.

Is there more to this vulnerability report that I'm missing?

Thanks,

-Dave

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/1b4a4871c6531da5a7fdcf67cd218848%40dtrt.org.