Re: [bitcoindev] Full-Disclosure: CVE-2025-27586 "No Santa Claus under the Lightning Sun"

[Antoine Riard <antoine.riard@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2760 bytes --]

Hi Dave,

Thanks for your thoughts on the subject.

I don't know if I were among the first one to stumble on
this problem. Of course, I wouldn't be surprised if some
people who worked at that time on implementing anchor output
such as Johan Toras Halseth or Joost Jager might have mentioned
it publicly or semi-privately. Of course, if there are more
links where it could have been discussed, please pointed out
to me, though with my memory of the conv circa 2020 about
anchor outputs, I'm not aware of them.

About the pull request you're pointing out
(https://github.com/lightningnetwork/lnd/pull/4908), it should be
said that the original anchor output pull request didn't mention
anything about fee-bumping reserves mngt (
https://github.com/lightning/bolts/pull/688/files).
Only a "MUST contribute sufficient fee to ensure timely inclusion in
a block". It's like "danke schon, aber was?".

By the time of this pull LND pull request, anchor output was already
deployed on the network (under the broken `option_anchor_output`)
in early beta. I'm not going to make a rant in LN development if
we ship first the cars, then we go to wonder if we have shipped the
seat belts too. That would be too easy and too free...

Share with you off-list more details.

Best,
Antoine
OTS hash: dc78f072e3cd20c0efeea728e83b5f1b121824836543f0cda346a3c7dd5a36fa

Le mer. 18 juin 2025 à 03:16, David A. Harding <dave@dtrt.org> a écrit :

> On 2025-06-12 09:03, Antoine Riard wrote:
> > This class of attacks dubbed "fee-bumping reserves exhaustion attacks"
> > [...]
> > ## Timeline
> >
> > - 2022-07-11: Report of the finding to XXX, Bastien Teinturier
> > (Eclair), Lisa Neigut
>
> Hi Antoine,
>
> I read your post twice but everything in it seems obvious.  What am I
> missing?  It's obvious that (1) exogenous fee bumping requires keeping
> an independent reserve of sufficient funds and (2) that the amount of
> the reserve can vary depending on transaction size and prevalent
> feerates.  The earliest description of that problem I found is from more
> than a year before your report (
> https://github.com/lightningnetwork/lnd/pull/4908 ), but I suspect I
> could find other even earlier discussion if I looked harder.
>
> Is there more to this vulnerability report that I'm missing?
>
> Thanks,
>
> -Dave
>

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALZpt%2BGUH93TcjKevHu%2Bhrd45fvrDGvhY7tYXEPror0fw27CXA%40mail.gmail.com.

[-- Attachment #2: Type: text/html, Size: 3755 bytes --]