Definition
A transaction pinning attack abuses the very mempool limits that protect nodes from denial of service, turning them into a weapon that makes fee-bumping a transaction prohibitively expensive or outright impossible. The danger is acute in multiparty protocols like the Lightning Network, where one participant must reliably confirm a transaction before a timelock expires. If an attacker can "pin" an unfavorable version in the mempool, the honest party may be unable to bump it in time and can lose funds.
Common Pinning Vectors
Several mempool rules can be abused. Under RBF rules, a replacement must pay a higher absolute fee than the original and all its descendants; an attacker attaches large, low-feerate children so that replacing the package becomes wildly expensive. Alternatively, an attacker saturates the descendant or package limits (historically 25 transactions / 101 kvB) with junk children, so no further CPFP child can be added to bump the fee. If the attacker already runs a service producing such transactions, the attack can be effectively free.
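The arithmetic behind both vectors, as an added example that is not part of the original page. The 1 sat/vB incremental relay feerate and every transaction size and fee below are constructed assumptions, and the CPFP carve-out described under Mitigations is not modelled.

```python
import math
from dataclasses import dataclass

# Historical default limits quoted on this page. The 1 sat/vB incremental
# relay feerate is an assumption of this example (a common node default).
MAX_DESCENDANT_COUNT = 25        # transactions, the parent itself included
MAX_DESCENDANT_VSIZE = 101_000   # vbytes (101 kvB), the parent itself included
INCREMENTAL_FEERATE = 1.0        # sat/vB

@dataclass(frozen=True)
class Tx:
    vsize: int  # vbytes
    fee: int    # satoshis

def min_replacement_fee(pinned, descendants, replacement_vsize):
    """Lowest absolute fee (sat) that evicts `pinned` and all its descendants."""
    evicted = pinned.fee + sum(d.fee for d in descendants)
    # Cover every evicted fee, then pay for the replacement's own bandwidth.
    return evicted + math.ceil(INCREMENTAL_FEERATE * replacement_vsize)

def can_attach_child(parent, descendants, child_vsize):
    """True if one more child fits under the descendant count and size limits."""
    count = 1 + len(descendants) + 1
    vsize = parent.vsize + sum(d.vsize for d in descendants) + child_vsize
    return count <= MAX_DESCENDANT_COUNT and vsize <= MAX_DESCENDANT_VSIZE

def pin_report(pinned, descendants, replacement_vsize, child_vsize):
    """Summarise what the honest party faces for either bumping route."""
    fee = min_replacement_fee(pinned, descendants, replacement_vsize)
    return {
        "rbf_min_fee_sat": fee,
        "rbf_min_feerate": fee / replacement_vsize,
        "cpfp_possible": can_attach_child(pinned, descendants, child_vsize),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from any real transaction.
    pinned = Tx(vsize=200, fee=400)
    big_child = [Tx(vsize=100_000, fee=100_000)]   # large, 1 sat/vB
    many_children = [Tx(vsize=150, fee=150)] * 24  # fills the count limit
    print(pin_report(pinned, [], 200, 150))
    print(pin_report(pinned, big_child, 200, 150))
    print(pin_report(pinned, many_children, 200, 150))
```

With one large 1 sat/vB child attached, the 200 vB replacement needs an effective feerate of about 503 sat/vB; with 24 small children attached, replacement stays cheap but no CPFP child fits.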
Mitigations
The ecosystem has layered defenses: the CPFP carve-out reserves room for a fee-bumping child, anchor outputs give each party a dedicated bumping point, and newer TRUC (v3) transaction relay, together with ephemeral anchors and package relay, tightens the relay rules to close these pinning vectors. Cluster mempool in Core 31.0 further reshapes the limits attackers leaned on.
Pinning is the threat that motivated much of modern fee-bumping design. See Anchor Outputs and Standardness for the defensive machinery.
