Serious Bitcoin Lightning Network Security Vulnerability Has Finally Been Fixed
On August 30, software programmer Rusty Russell announced that he had found a major security vulnerability in various lightning projects that could have allowed attackers to strip users of their money.
On Friday, he published all the details of the threat.
Bitcoin’s Lightning Network adds a second layer on top of Bitcoin’s blockchain, in which two parties open a payment channel between them. It allows instant payments at almost zero fee, so that a person can pay with bitcoin even for the smallest of purchases.
In the disclosure, Rusty outlined the issue in detail. The vulnerability was in the process of creating and funding a lightning channel. The receiver of the channel could skip verifying the amount of the funding transaction and checking the conditions that must be met before a transaction takes place. Exploiting this, an attacker could have claimed to open a channel without paying the peer, or while paying only part of the full amount, enabling him to spend the funds in a channel created with a victim.
In his disclosure Rusty wrote,
“The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
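The check described above as missing can be sketched as follows. This is an added example, not code from Rusty Russell's disclosure or from any lightning client. It assumes the "conditions" are the output's locking script, built as the Lightning specification defines the funding output (a P2WSH 2-of-2 multisig over the two funding keys in sorted order); `TxOut`, the function names and the sample keys are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

OP_2, OP_CHECKMULTISIG, PUSH_33 = 0x52, 0xAE, 0x21

@dataclass
class TxOut:
    """Simplified decoded transaction output (hypothetical type)."""
    value_sat: int
    script_pubkey: bytes

def funding_script_pubkey(key_a: bytes, key_b: bytes) -> bytes:
    """P2WSH scriptPubKey of the 2-of-2 multisig that holds channel funds."""
    k1, k2 = sorted((key_a, key_b))  # compressed keys in lexicographic order
    witness_script = (bytes([OP_2, PUSH_33]) + k1 + bytes([PUSH_33]) + k2
                      + bytes([OP_2, OP_CHECKMULTISIG]))
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()

def check_funding_output(outputs, index, claimed_sat, local_key, remote_key):
    """Return the list of mismatches; an empty list means the claim holds."""
    if not 0 <= index < len(outputs):
        return ["funding output index out of range"]
    out, problems = outputs[index], []
    if out.value_sat != claimed_sat:
        problems.append(f"amount is {out.value_sat} sat, peer claimed {claimed_sat}")
    if out.script_pubkey != funding_script_pubkey(local_key, remote_key):
        problems.append("output is not locked to this channel's 2-of-2 script")
    return problems

# Constructed sample data: placeholder 33-byte keys, not real curve points.
LOCAL_KEY = b"\x02" + b"\x11" * 32
REMOTE_KEY = b"\x03" + b"\x22" * 32
OTHER_KEY = b"\x02" + b"\x33" * 32
CLAIMED_SAT = 1_000_000

def sample_results():
    good = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
    cases = {
        "honest": [TxOut(CLAIMED_SAT, good)],
        "underfunded": [TxOut(10_000, good)],
        "wrong_script": [TxOut(CLAIMED_SAT, funding_script_pubkey(OTHER_KEY, REMOTE_KEY))],
    }
    return {name: check_funding_output(outs, 0, CLAIMED_SAT, LOCAL_KEY, REMOTE_KEY)
            for name, outs in cases.items()}

if __name__ == "__main__":
    for name, problems in sample_results().items():
        print(name, "->", problems or "ok")
```

A receiver that runs such a check when it sees the funding transaction rejects the channel up front, instead of discovering the mismatch only at close time.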
Though claims of the vulnerability being exploited surfaced in mid-September, the size of the exploit has not been revealed.
The upgrades released since then have addressed this bug. According to Rusty, all the major lightning software clients have been upgraded. According to a lightning developer, the vulnerability was not revealed until everyone was sure users were no longer at risk.
It goes to show that, like any code-based payment method, bitcoin is susceptible to long-standing code vulnerabilities too, and it is important to see how such issues are handled to protect the users.