Hi Dave, Thanks for your thoughts on the subject. I don't know if I were among the first one to stumble on this problem. Of course, I wouldn't be surprised if some people who worked at that time on implementing anchor output such as Johan Toras Halseth or Joost Jager might have mentioned it publicly or semi-privately. Of course, if there are more links where it could have been discussed, please pointed out to me, though with my memory of the conv circa 2020 about anchor outputs, I'm not aware of them. About the pull request you're pointing out (https://github.com/lightningnetwork/lnd/pull/4908), it should be said that the original anchor output pull request didn't mention anything about fee-bumping reserves mngt ( https://github.com/lightning/bolts/pull/688/files). Only a "MUST contribute sufficient fee to ensure timely inclusion in a block". It's like "danke schon, aber was?". By the time of this pull LND pull request, anchor output was already deployed on the network (under the broken `option_anchor_output`) in early beta. I'm not going to make a rant in LN development if we ship first the cars, then we go to wonder if we have shipped the seat belts too. That would be too easy and too free... Share with you off-list more details. Best, Antoine OTS hash: dc78f072e3cd20c0efeea728e83b5f1b121824836543f0cda346a3c7dd5a36fa Le mer. 18 juin 2025 à 03:16, David A. Harding a écrit : > On 2025-06-12 09:03, Antoine Riard wrote: > > This class of attacks dubbed "fee-bumping reserves exhaustion attacks" > > [...] > > ## Timeline > > > > - 2022-07-11: Report of the finding to XXX, Bastien Teinturier > > (Eclair), Lisa Neigut > > Hi Antoine, > > I read your post twice but everything in it seems obvious. What am I > missing? It's obvious that (1) exogenous fee bumping requires keeping > an independent reserve of sufficient funds and (2) that the amount of > the reserve can vary depending on transaction size and prevalent > feerates. The earliest description of that problem I found is from more > than a year before your report ( > https://github.com/lightningnetwork/lnd/pull/4908 ), but I suspect I > could find other even earlier discussion if I looked harder. > > Is there more to this vulnerability report that I'm missing? > > Thanks, > > -Dave > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CALZpt%2BGUH93TcjKevHu%2Bhrd45fvrDGvhY7tYXEPror0fw27CXA%40mail.gmail.com.