bitcoin-dev
A Free-Relay Attack Exploiting RBF Rule #6
Posted on: March 27, 2024 18:04 UTC
David A.
Harding shared his experiences with the bitcoin-security mailing list, highlighting the responsiveness to security issues raised in the past few years. He noted that every plausible concern brought to their attention received a reply within two days, acknowledging the effort and promptness in addressing potential vulnerabilities. This quick turnaround time for responses set an expectation for communication which, according to Harding, underscores the importance of at least acknowledging received queries with a provisional "give us more time" message if immediate solutions or detailed responses cannot be provided.
Further into the correspondence, Harding expressed his disillusionment stemming from a specific incident where he independently verified that his email had been seen by the relevant parties but was deliberately ignored. This lack of response led him to believe that his efforts to disclose a concern were not only unappreciated but met with resistance, hinting at an underlying issue within the community's approach to handling such disclosures. The nature of the attack he mentioned was implied to be a well-known class, suggesting a possible reason for the disregard—perhaps it was considered non-novel or already addressed in some manner.
Harding concluded with a reflection on his decision to disclose information to the bitcoin-security team first, hinting at regret. He suggested that his experience might serve as a lesson to others about the potential downsides of early disclosure, especially when it leads to unnecessary confrontation or harassment. The overall tone of his message conveyed a sense of frustration with the process and the reaction (or lack thereof) from the community tasked with ensuring the security of Bitcoin. For further details, Harding’s work and thoughts can be accessed through his website, Peter Todd, and he can be contacted directly via email at 'peter'[:-1]@petertodd.org.