Date: Tue, 17 Jun 2025 16:16:56 -1000
From: "David A. Harding"
To: Antoine Riard
Cc: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Full-Disclosure: CVE-2025-27586 "No Santa Claus under the Lightning Sun"
Message-ID: <1b4a4871c6531da5a7fdcf67cd218848@dtrt.org>

On 2025-06-12 09:03, Antoine Riard wrote:
> This class of attacks dubbed "fee-bumping reserves exhaustion attacks"
> [...]
> ## Timeline
>
> - 2022-07-11: Report of the finding to XXX, Bastien Teinturier
> (Eclair), Lisa Neigut

Hi Antoine,

I read your post twice but everything in it seems obvious. What am I missing?

It's obvious that (1) exogenous fee bumping requires keeping an independent reserve of sufficient funds and (2) that the amount of the reserve can vary depending on transaction size and prevalent feerates.

The earliest description of that problem I found is from more than a year before your report ( https://github.com/lightningnetwork/lnd/pull/4908 ), but I suspect I could find other even earlier discussion if I looked harder.

Is there more to this vulnerability report that I'm missing?

Thanks,

-Dave