From: Elias Rohrer <dev@tnull.de>
Date: Thu, 1 Aug 2024 16:30:41 +0000 (-0500)
Subject: Protect against Core's Merkle leaf node weakness
X-Git-Tag: v0.0.124-beta~21^2
X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=44a479e2ae7f9bf4a13a2b88829c730e5797559a;p=rust-lightning

Protect against Core's Merkle leaf node weakness

Bitcoin Core's Merkle tree implementation has no way to discern between
internal and leaf node entries. As a consequence it is susceptible to an
attacker injecting additional transactions by crafting 64-byte
transactions matching an inner Merkle node's hash (see
https://web.archive.org/web/20240329003521/https://bitslog.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/).

To protect against this (highly unlikely attack vector), we check that
the transaction isn't 64 bytes in length, and skip it otherwise.
---

diff --git a/lightning-transaction-sync/src/electrum.rs b/lightning-transaction-sync/src/electrum.rs
index e7edb3b7e..ddd74743f 100644
--- a/lightning-transaction-sync/src/electrum.rs
+++ b/lightning-transaction-sync/src/electrum.rs
@@ -270,6 +270,18 @@ where
 		for txid in &sync_state.watched_transactions {
 			match self.client.transaction_get(&txid) {
 				Ok(tx) => {
+					// Bitcoin Core's Merkle tree implementation has no way to discern between
+					// internal and leaf node entries. As a consequence it is susceptible to an
+					// attacker injecting additional transactions by crafting 64-byte
+					// transactions matching an inner Merkle node's hash (see
+					// https://web.archive.org/web/20240329003521/https://bitslog.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/).
+					// To protect against this (highly unlikely) attack vector, we check that the
+					// transaction is at least 65 bytes in length.
+					if tx.total_size() == 64 {
+						log_error!(self.logger, "Skipping transaction {} due to retrieving potentially invalid tx data.", txid);
+						continue;
+					}
+
 					watched_txs.push((txid, tx.clone()));
 					if let Some(tx_out) = tx.output.first() {
 						// We watch an arbitrary output of the transaction of interest in order to
diff --git a/lightning-transaction-sync/src/esplora.rs b/lightning-transaction-sync/src/esplora.rs
index f176d5351..b3e9285ec 100644
--- a/lightning-transaction-sync/src/esplora.rs
+++ b/lightning-transaction-sync/src/esplora.rs
@@ -372,6 +372,22 @@ where
 					return Err(InternalError::Failed);
 				}
 
+				// Bitcoin Core's Merkle tree implementation has no way to discern between
+				// internal and leaf node entries. As a consequence it is susceptible to an
+				// attacker injecting additional transactions by crafting 64-byte
+				// transactions matching an inner Merkle node's hash (see
+				// https://web.archive.org/web/20240329003521/https://bitslog.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/).
+				// To protect against this (highly unlikely) attack vector, we check that the
+				// transaction is at least 65 bytes in length.
+				if tx.total_size() == 64 {
+					log_error!(
+						self.logger,
+						"Skipping transaction {} due to retrieving potentially invalid tx data.",
+						txid
+					);
+					return Ok(None);
+				}
+
 				if let Some(block_height) = known_block_height {
 					// We can take a shortcut here if a previous call already gave us the height.
 					return Ok(Some(ConfirmedTx { tx, txid, block_header, pos, block_height }));