Lightning Network developers have identified a vulnerability that could leave the funds of users at risk. Lightning Labs recommends that all users immediately upgrade to the latest implementation of the Lightning Node software, in which the weakness has been patched.
According to a post on Lightning Labs’ blog, many versions of the Lightning Node software have not been performing crucial checks on the validity of a channel before accepting it. Without these checks, nodes have been vulnerable to an exploit that could potentially lose funds.
There are two checks that a node should do on an incoming channel: “that the outpoint (transaction id and index pair) matches the input signed commitment transaction references, [and that] the value created of the output matches the expected size of the channel.”
Lightning developer Rusty Russel reportedly identified that many implementations of the Lightning Node software were not performing one or both of these checks. Of the two, the first is more dangerous since it is entirely free of financial cost for an attacker to exploit. However, this has largely been patched in implementations after v.0.6.0. The latter, though more expensive for the attacker, was only partially patched in v.0.6.0 and fully patched in the release of v.0.7.1 on July 30.
Blog post authors Olaoluwa Osuntokun and Conner Fromknecht explained how a malicious actor could take advantage of the vulnerability:
If a node accepts an invalid channel, loss of funds could occur if the node forwarded any payments that originated from that channel. If this happened, the victim node (that accepted the channel) would have lost an amount roughly equal to the amount of the forwarded HTLC(s). It loses this money as it cannot close the invalid channel.”
According to developer and Bitcoin advocate Udi Wertheimer, few people were likely impacted by the potential vulnerability.
lightning vulnerability disclosed today. Make sure you upgrade
While very few if any were likely affected, I’d say it’s pretty severe. LN implementations are still early and could use a lot of ❤️ in the form of reviews
Thanks to the 3 teams for handling this quickly and safely! https://t.co/AET8F7lwK3
— Udi Wertheimer IS RIGHT (@udiWertheimer) September 27, 2019
The Lightning Labs blog post also suggests that there have been no successful exploits of the vulnerability. However, its authors do provide a tool for node operators to test if their node had been targeted.
The authors also take the opportunity to remind Lightning Network users that the software is still very much in its infancy. They stress the importance of sticking to the recommended limits on channels and updating the software to the latest version frequently.
As part of its commitment to constantly improving the security and functionality of the Lightning Network, the developers have also announced the creation of a formal bug bounty program. However, more details on this are still pending.
Are you surprised to see the Lightning Network suffering such teething problems? Do you think we’ll see more in the future? Leave your thoughts in the comments below.
Images courtesy of Shutterstock, Twitter.
A former professional gambler, Rick first found Bitcoin in 2013 whilst researching alternative payment methods to use at online casinos. Having concluded that the root of most of the world’s evils stem from a toxic financial system during his time reading International Politics at university, the disruptive potential of a decentralised, borderless asset was immediately clear.After transitioning to writing full-time in 2016, Rick was able to put his passion for Bitcoin to work for him professionally. He has since written for a number of digital asset publications in a variety of capacities.