bitcoin-dev

A Free-Relay Attack Exploiting RBF Rule #6

Original post by Antoine Riard

Posted on: March 27, 2024 06:27 UTC

Antoine's email addresses several points about how potential vulnerabilities in Bitcoin Core are handled, and what that handling implies for security disclosure practice in the field more broadly.

Antoine begins with the difficulty of landing mitigations in Bitcoin Core, such as reducing MAX_STANDARD_TX_WEIGHT, introducing a new max_replacement_bandwidth rule, or charging replacement bandwidth through an absolute-fee-based penalty. He argues that such changes cannot realistically be made quietly: altering marginal bandwidth costs would draw community attention and questions about the motive behind the change, and could also adversely affect certain use cases.

Antoine also suggests that a structured disclosure timeline, like the one used for CVE-2018-17144, would have made the disclosure easier to manage, underscoring the value of transparency and a methodical process when dealing with security vulnerabilities. He defends Peter's involvement and public advocacy of RBFR (replace-by-fee-rate), arguing that there is no evident conflict of interest or private agenda that negatively influenced Peter's conduct in disclosing the issue.

Antoine further restates a foundational principle of information security: once a reporter has supplied sufficient technical evidence, the burden falls on the software's developers to explain why the vulnerability exists or why its fix is delayed. He challenges those dissatisfied with how disclosures are currently handled to take a more active role themselves, by authoring vulnerability reports or coordinating patch responses, provided they are deemed trustworthy.

Lastly, Antoine remarks on the nature of ethical debate in the field, observing that criticism offered from the outside can be insubstantial, and advocates leading by example as the most effective way to raise ethical standards in technology and security practice.