Bitcoin Lightning Network Critical Vulnerability Identified

According to a post on Lightning Labs’ blog, many versions of the Lightning Node software have not been performing crucial checks on the validity of a channel before accepting it. Without these checks, nodes have been vulnerable to an exploit that could potentially lose funds. There are two checks that a node should do on an incoming channel: “that the outpoint (transaction id and index pair) matches the input signed commitment transaction references, [and that] the value created of the output matches the expected size of the channel.” Lightning developer Rusty Russel reportedly identified that many implementations of the Lightning Node software were not performing one or both of these checks. Of the two, the first is more dangerous since it is entirely free of financial cost for an attacker to exploit. However, this has largely been patched in implementations after v.0.6.0. The latter, though more expensive for the attacker, was only partially patched in v.0.6.0 and fully patched in the release of v.0.7.1 on July 30. Blog post authors Olaoluwa Osuntokun and Conner Fromknecht explained how a malicious actor could take advantage of the vulnerability:

If a node accepts an invalid channel, loss of funds could occur if the node forwarded any payments that originated from that channel. If this happened, the victim node (that accepted the channel) would have lost an amount roughly equal to the amount of the forwarded HTLC(s). It loses this money as it cannot close the invalid channel.”

According to developer and Bitcoin advocate Udi Wertheimer, few people were likely impacted by the potential vulnerability.

lightning vulnerability disclosed today. Make sure you upgrade

While very few if any were likely affected, I’d say it’s pretty severe. LN implementations are still early and could use a lot of ❤️ in the form of reviews

Thanks to the 3 teams for handling this quickly and safely! https://t.co/AET8F7lwK3

— Udi | BIP-420 🐱 (@udiWertheimer) September 27, 2019

The Lightning Labs blog post also suggests that there have been no successful exploits of the vulnerability. However, its authors do provide a tool for node operators to test if their node had been targeted. The authors also take the opportunity to remind Lightning Network users that the software is still very much in its infancy. They stress the importance of sticking to the recommended limits on channels and updating the software to the latest version frequently. As part of its commitment to constantly improving the security and functionality of the Lightning Network, the developers have also announced the creation of a formal bug bounty program. However, more details on this are still pending. Are you surprised to see the Lightning Network suffering such teething problems? Do you think we’ll see more in the future? Leave your thoughts in the comments below.