Full Disclosure: CVE-2021-41591/ CVE-2021-41592 / CVE-2021-41593 "Dust HTLC Exposure Considered Harmful" [combined summary]




Published on: 2021-10-04T19:11:59+00:00


Summary:

In August 2021, a vulnerability was discovered through which publishing Alice's commitment transaction on-chain could cause substantial losses to Bob's funds. The proposed fix had two parts: verifying the counterparty's announced `dust_limit_satoshis` at channel opening, and defining a new configurable limit called `max_dust_htlc_exposure`. To mitigate the vulnerability, changes were made on the LDK side and other Lightning developers were informed about the issues.

During this period the Bitcoin Core dust limit was also being discussed on the mailing list, and any change to that limit could have affected the mitigations under development. Despite the lack of a well-defined communication process across Lightning teams, developers from three different implementations actively took part in diagnosing and mitigating long-standing specification issues that affected the entire Lightning ecosystem.

The timeline leading up to the full disclosure of the CVEs (Common Vulnerabilities and Exposures) on October 4th, 2021, includes the discovery of a vulnerability against LND on April 19th, the finding on July 21st of a way to exploit the trimmed-to-dust mechanism on `update_fee` reception, and the opening of BOLT PR #894 by Bastien Teinturier on August 11th, which addressed the missing verification of the counterparty's per-HTLC `dust_limit_satoshis`. Mitigations were developed in LDK on August 16th, and a public disclosure date was communicated. On August 26th, the Muun wallet was notified of the vulnerabilities but was found not to be affected. The Electrum wallet was notified on August 27th.

Finally, on October 4th, BOLT PR #919 was submitted to cover the remaining vulnerabilities. Overall, despite the challenges posed by the lack of a structured communication process, Lightning developers actively collaborated to address the vulnerabilities and secure the entire Lightning ecosystem.
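The `max_dust_htlc_exposure` mitigation and the `update_fee` trimming case summarised above, as an added illustration that is not code from the disclosure or from any Lightning implementation: it applies the BOLT 3 trimming rule (an HTLC output is omitted when its value is below `dust_limit_satoshis` plus the second-stage transaction fee, using the non-anchor weights 663 and 703) to compute the value at risk of being burned to fees, and rejects an incoming HTLC or fee update that would push that value over the configured cap. The sample channel state and the 5000 sat cap are constructed values.

```python
from dataclasses import dataclass
from typing import Iterable

# BOLT 3 second-stage HTLC transaction weights (non-anchor channels)
HTLC_TIMEOUT_WEIGHT = 663
HTLC_SUCCESS_WEIGHT = 703


@dataclass(frozen=True)
class Htlc:
    amount_msat: int
    offered: bool  # True: offered by this commitment's holder (timeout path);
                   # False: received by the holder (success path)


def second_stage_fee_sat(feerate_per_kw: int, weight: int) -> int:
    return feerate_per_kw * weight // 1000


def is_trimmed(htlc: Htlc, feerate_per_kw: int, dust_limit_sat: int) -> bool:
    """BOLT 3 trimming rule: the HTLC output is dropped from the commitment
    (its value goes to miners as fee) when amount < dust_limit + 2nd-stage fee."""
    weight = HTLC_TIMEOUT_WEIGHT if htlc.offered else HTLC_SUCCESS_WEIGHT
    threshold_sat = dust_limit_sat + second_stage_fee_sat(feerate_per_kw, weight)
    return htlc.amount_msat // 1000 < threshold_sat


def dust_exposure_msat(htlcs: Iterable[Htlc], feerate_per_kw: int,
                       dust_limit_sat: int) -> int:
    """Total value lost if this commitment is broadcast. A node evaluates this
    for both commitments, each with its owner's dust_limit_satoshis."""
    return sum(h.amount_msat for h in htlcs
               if is_trimmed(h, feerate_per_kw, dust_limit_sat))


def can_add_htlc(htlcs: Iterable[Htlc], new_htlc: Htlc, feerate_per_kw: int,
                 dust_limit_sat: int, max_dust_htlc_exposure_msat: int) -> bool:
    """Refuse (or fail back) a new HTLC that would exceed the exposure cap."""
    if not is_trimmed(new_htlc, feerate_per_kw, dust_limit_sat):
        return True
    current = dust_exposure_msat(htlcs, feerate_per_kw, dust_limit_sat)
    return current + new_htlc.amount_msat <= max_dust_htlc_exposure_msat


def can_accept_update_fee(htlcs: Iterable[Htlc], new_feerate_per_kw: int,
                          dust_limit_sat: int, max_dust_htlc_exposure_msat: int) -> bool:
    """A feerate increase can trim HTLCs that were not dust before, so the
    exposure must be re-evaluated at the proposed rate before accepting it."""
    return dust_exposure_msat(htlcs, new_feerate_per_kw,
                              dust_limit_sat) <= max_dust_htlc_exposure_msat
```

With a 546 sat dust limit and a 5000 sat cap, three in-flight HTLCs of 700, 720 and 5000 sat carry 1420 sat of exposure at 253 sat/kw, but an `update_fee` to 10000 sat/kw would trim all three (6420 sat) and is rejected.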


Updated on: 2023-07-31T23:50:51.046843+00:00