Skip to content

Check correct merkle leaf size and validate txids on Electrum#4675

Open
tnull wants to merge 3 commits into
lightningdevkit:mainfrom
tnull:2026-06-merkle-base-size
Open

Check correct merkle leaf size and validate txids on Electrum#4675
tnull wants to merge 3 commits into
lightningdevkit:mainfrom
tnull:2026-06-merkle-base-size

Conversation

@tnull

@tnull tnull commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Just a few minor Electrum/Esplora fixes.

These findings were discovered by Project Loupe.

tnull added 3 commits June 10, 2026 15:56
@tnull
Check Electrum Merkle leaf risk by base size
1f616e4 
Electrum confirmation checks must reject transactions whose non-witness serialization is 64 bytes, since txids and Merkle leaves are computed from that serialization. Witness padding can otherwise move total_size above 64 without removing the inner-node ambiguity.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@tnull
Check Esplora Merkle leaf risk by base size
e1c411e 
Esplora confirmation checks must use the non-witness transaction size for the 64-byte Merkle leaf guard. Witness padding can otherwise raise total_size without changing the serialization hashed into the txid and Merkle tree.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@tnull
Verify Electrum transaction responses before use
57524e3 
Electrum confirmations must reject transaction_get responses whose body does not compute the requested txid. Otherwise a malicious server can substitute an unrelated transaction and provide matching Merkle data for the substituted body.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@ldk-reviews-bot

ldk-reviews-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

I've assigned @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

ldk-claude-review-bot
ldk-claude-review-bot reviewed Jun 10, 2026
View reviewed changes
Comment thread lightning-transaction-sync/src/electrum.rs
if tx.compute_txid() != txid {
log_error!(self.logger, "Retrieved transaction for txid {} doesn't match expectations. This should not happen. Please verify server integrity.", txid);
return Err(InternalError::Failed);
}

@ldk-claude-review-bot ldk-claude-review-bot Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This watched-output spend path adds the txid verification but, unlike the watched-transactions path above (line 292), it never applies the is_potentially_unsafe_merkle_leaf check before accepting the spending tx via get_confirmed_tx. Esplora avoids this asymmetry by placing the base-size check inside its shared get_confirmed_tx, covering both paths. The 64-byte merkle-leaf weakness is exactly an attack that lets a crafted node pass validate_merkle_proof, so a malicious server could claim a watched output is spent by a 64-byte (base size) transaction and have it accepted here. Consider moving the base-size check into Electrum's get_confirmed_tx so both call sites are protected.

@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

The core fix is sound: base_size() is the correct metric for the 64-byte merkle-leaf weakness (txid is hashed over the non-witness/base serialization), so the previous total_size() check was a genuine gap that witness transactions with a 64-byte base could slip through. The added Electrum txid verifications mirror Esplora's pre-existing one and are correct.

Issues found:

  • lightning-transaction-sync/src/electrum.rs:380 — The watched-output spend path adds txid verification but, unlike the watched-transactions path, never applies the is_potentially_unsafe_merkle_leaf base-size check before accepting the spend via get_confirmed_tx. Esplora avoids this by placing the check inside its shared get_confirmed_tx. Since the 64-byte weakness is precisely what defeats validate_merkle_proof, this leaves a residual attack surface on the Electrum output-spend path.

Cross-cutting notes:

  • The "we check that the transaction is at least 65 bytes in length" comments (electrum.rs:290-291, esplora.rs:394-395) are now slightly stale — the check is specifically on base size being exactly 64, not total length ≥ 65.
  • The new transaction_get_responses_are_verified_at_call_sites test in electrum.rs uses include_str! + concat! to assert the source text contains the txid-check expressions. This is brittle (sensitive to formatting/refactoring) and only verifies the strings exist, not that the checks actually run; a behavioral test would be more robust.

@ldk-reviews-bot ldk-reviews-bot requested a review from wpaulino June 10, 2026 14:24
@wpaulino

wpaulino commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

LGTM once the bot's comment is addressed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wpaulino wpaulino Awaiting requested review from wpaulino

1 more reviewer

@ldk-claude-review-bot ldk-claude-review-bot ldk-claude-review-bot left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

backport 0.2 backport 0.3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tnull @ldk-reviews-bot @ldk-claude-review-bot @wpaulino