One of the developers of Bitcoin’s Lightning Network, Rusty Russell, has revealed a vulnerability in the network, which was discovered in August. In his statement and further publications, he gave a solution to the problem.
The Issue
The discovery of this vulnerability was made public on 30th August by Russell. According to him, “An attacker can claim to open a [lightning payments] channel but either not pay to the peer, or not pay the full amount”. The Lightning Network is a Layer 2 payment protocol that allows very fast and cheap transactions on top of the bitcoin blockchain. Two parties open a payment channel between each other and exchange funds freely until they decide to close it. The balances of both parties are calculated automatically at the end and sent to the blockchain as a single transaction.
Without proper checks in place, a malicious user could pretend to open such a channel and send fake transactions. An honest user could then send back real funds without knowing that the receiver is an attacker. There is no information on how many people have fallen victim to this scam, but all major lightning clients have been upgraded to fix this vulnerability.
The Solution
Russell proposed a solution in which, once a transaction is seen, “peers must check that the output as described in ‘funding_created’[1] is a funding transaction output[2] with the amount described in ‘open_channel’[3]”. He mentioned that c-lightning versions 0.7.1 and above perform this check correctly and recommended that users upgrade older versions of their nodes.
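The check Russell describes can be sketched in Python as follows; this is an added example, not c-lightning's code or code from the original article. The field names funding_output_index, funding_satoshis and funding_pubkey and the 2-of-2 P2WSH script layout are taken from the BOLT specifications as assumptions (the article names only the messages), and the keys and transaction outputs are constructed sample values.

```python
import hashlib

OP_0, OP_2, OP_CHECKMULTISIG = 0x00, 0x52, 0xAE

def funding_script_pubkey(pubkey_a, pubkey_b):
    """scriptPubKey of the 2-of-2 P2WSH funding output (BOLT #3 layout)."""
    for key in (pubkey_a, pubkey_b):
        if len(key) != 33 or key[0] not in (2, 3):
            raise ValueError("funding_pubkey must be a 33-byte compressed key")
    first, second = sorted((pubkey_a, pubkey_b))  # lexicographic key order
    witness_script = (bytes([OP_2, 33]) + first + bytes([33]) + second
                      + bytes([OP_2, OP_CHECKMULTISIG]))
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()

def check_funding_output(tx_outputs, funding_output_index, funding_satoshis,
                         local_pubkey, remote_pubkey):
    """Return (ok, reason). tx_outputs: (amount_sat, scriptPubKey) pairs taken
    from the funding transaction as seen on chain, never from the peer."""
    if not 0 <= funding_output_index < len(tx_outputs):
        return False, "funding_output_index out of range"
    amount_sat, script_pubkey = tx_outputs[funding_output_index]
    if script_pubkey != funding_script_pubkey(local_pubkey, remote_pubkey):
        return False, "output does not pay to the channel's 2-of-2 script"
    if amount_sat != funding_satoshis:
        return False, "output amount differs from funding_satoshis"
    return True, "ok"

# Constructed sample values: placeholder key bytes, not real keys.
LOCAL_KEY = b"\x02" + b"\x11" * 32
REMOTE_KEY = b"\x03" + b"\x22" * 32
CHANNEL_SPK = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
UNRELATED_SPK = bytes([OP_0, 20]) + b"\x33" * 20   # some other P2WPKH output

CASES = {
    "honest":       [(50_000, UNRELATED_SPK), (1_000_000, CHANNEL_SPK)],
    "underfunded":  [(50_000, UNRELATED_SPK), (1_000, CHANNEL_SPK)],
    "wrong_script": [(50_000, CHANNEL_SPK), (1_000_000, UNRELATED_SPK)],
}

def run_cases():
    """Check every constructed transaction against index 1, 1,000,000 sat."""
    return {name: check_funding_output(outs, 1, 1_000_000, LOCAL_KEY, REMOTE_KEY)
            for name, outs in CASES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_cases().items():
        print(f"{name:12} accept={ok} ({reason})")
```

A node that skips either comparison would treat the "underfunded" or "wrong_script" transaction as a valid channel opening, which is the condition the upgraded clients now reject.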
On 10th September, Olaoluwa Osuntokun, who is a CTO at Lightning Labs and ACINQ, also claimed to have seen the vulnerability exploited. He also urged users to update their Lightning nodes in order to protect the network and fix the loophole. Reportedly, the bug was known three months prior to the public announcement. When asked why it took so long to release the information, Pierre-Marie Padiou explained that the developers had to be cautious not to spread word of the bug before they found a solution, thus minimizing the damage it could cause. On 26th September, the number of lightning nodes on the Bitcoin network reached 10,000 for the first time, setting a new record.
Conclusion
There will always be bugs in projects like these. Even Bitcoin still has its own bugs, which will be fixed with time. The way the developers reacted to the possible exploit is the best-case scenario: limiting exposure of the problem and containing the damage until a fix was found.