Litecoin MimbleWimble November Summary Update

This update was written and provided by Litecoin MimbleWimble lead developer David Burkett.

———

Security vulnerability

Shared on Twitter yesterday:

Kurt, a long-time GRIN community member, contacted Charlie and me to let us know about a vulnerability in our non-interactive transaction design. Although the attack is difficult to carry out in practice, theft of funds is possible when the conditions are right.

This attack is fairly technical and difficult to understand without first learning all of the cryptography behind MWEB. Very informally, it works like this:

  1. Alice sends Bob 2 coins:
    • Coin 1 = 10 LTC
    • Coin 2 = 20 LTC
  2. Bob creates two transactions (one to Charlie and one back to Alice) and broadcasts them almost simultaneously.
    • tx1 = Send 8 LTC to Alice using Coin 1 (8 LTC to Alice, 2 LTC change)
    • tx2 = Send 15 LTC to Charlie using Coin 2 (15 LTC to Charlie, 5 LTC change)
  3. Alice modifies tx1 to use Coin 2 instead and keeps the additional 10 LTC for herself.
    • tx3 = Use Coin 2 to send 18 LTC to Alice and 2 LTC back to Bob as change
    • tx1 and tx2 are dropped and replaced with tx3

There are many reasons why, in practice, this attack would fail almost every time. But it was clearly something we had to prevent, because a successful attack would have very serious consequences.

We are very grateful to Kurt for taking the time to research MWEB’s design and reaching out to share this attack with us. Due to the importance of his discovery, Charlie generously donated his own money to pay Kurt the 0.15 BTC bounty he deserved.

Fixes

With the planned release date getting closer, panic was starting to set in. Fortunately, I realized there is a relatively simple fix for the attack, which involves introducing a new public key for each input, preventing the input signature from being reused.

Around the same time, we got in touch with some top cryptographers who, while reviewing the details of the attack and the fix, offered to do a security review of our design, which they were considering using as a starting point for a different project they were working on.

The need for a more formally documented design became apparent, so over the next few weeks I rewrote LIP-0004 into a more complete, formally specified design, with minor modifications to strengthen it as much as possible. Clearly this should have been done from the start, since there were almost as many reviewers of the design last month as there had been of LIP-0004 over the previous 1.5 years. 🙂

I’ve been wanting to get more eyes on the design for a long time, and I’m really excited about all the feedback I’ve received.

Unfortunately, we now need to change some code to fit the new design, which means development work will take several more weeks. Fortunately, almost all of the changes are confined to the highly modular and thoroughly tested libmw subproject. This is good news because it means the changes can be made, tested, and, most importantly, reviewed more easily. This review can be done by another LTC developer, so we don’t think it’s necessary to send the changes back to the auditors. This will impact the release date, but the delay should be minimal.

Release process

Last month I mentioned that the release build process was time consuming and the scripts were outdated, so I spent some time cleaning up all the old scripts and creating a simpler, more automated build process. Build scripts and verification keys will be stored in a separate repository going forward. Currently the new ltc-release-build repository lives under my personal GitHub account, but if it works well for the MWEB release it will be moved to the Litecoin GitHub org.

Timeline updates

  • We decided to push the release back to January to allow enough time to fix any vulnerabilities discovered. I hope this is the last time 🤞. wenmweb.com is once again updated with the latest information.

  • v0.21.1 any day now™ For real this time™
