Lightning Network Danger Vulnerability Details are disclosed, new versions of clients are not affected

According to Coindesk's September 28 report, the developer of the Bitcoin Lightning Network, Rusty Russell, announced details of the network vulnerability discovered in August (the attacker could steal the user's funds through this vulnerability) and proposed a solution.

Bullet-holes-1744860_1280 (Source: pixabay )

Russell wrote in the complete disclosure of the information:

Before the payment channel is opened, the lightning network node must check whether the output of the funds transaction meets the criteria. Otherwise, the attacker can open the payment channel without paying or not paying in full. Once the transaction reaches the minimum depth, the attacker can transfer funds from the channel. The victim will only notice that his funds have been transferred when he closes the payment channel, but any action or even closing the transaction will not recover the loss.

Lightning Network is Bitcoin's second layer payment protocol, which supports ultra-high-speed, low-cost transactions on the Bitcoin blockchain. In order to send a transaction by using a lightning network, the user must open a "payment channel" to send and receive funds from other users.

If the node does not properly check the payment channel, the attacker can pretend to open a new payment channel and send a fake transaction. After being deceived, the user will send funds to the attacker without knowing that the previous transaction was completely false. It is unclear how many users are victims of such attacks.

Russell said that all major lightning network clients have been upgraded and fixed.

When asked why it took three months to disclose the vulnerability to users, ACINQ CEO Pierre-Marie Padiou said developers must be cautious about this type of problem.

Padio said:

If you publish the details of this vulnerability, it will become very easy to exploit. Three months is not long, because you have to give users enough time to update their clients, and many users will not update.

He added that developers of Lightning Networks didn't want to risk exposing the vulnerability until it was completely certain that no users were in danger:

The problem will always arise. Even in the Bitcoin protocol, there are loopholes. The most important thing is how to deal with these issues in the best way to protect the security of users' funds.

Solution for this vulnerability

Russel also proposed a solution to the above problem. Once the node sees the new payment channel, it "must check if 'funding_created' is the transaction output for the funds and display the amount in 'open_channel'."

The document also warned that Lightning Network Client c-lightning version 0.7.1 and above will perform the process correctly and urge users to upgrade their older versions of the client.

On September 10th, London-based startup Lightning Labs and ACINQ's chief technology officer Osuntokun also said they found examples of the exploit being exploited. In order to avoid the risk of financial losses, Osuntokun strongly recommends that users update the version of the Lightning Network Client. The affected versions include 0.7 and below for LND, 0.7 and below for c-lightning, and 0.3 and below for Éclair.