A bug discovered in the Lightning Network in June, which allowed lightning fake bitcoins not backed by actual bitcoins to be spent, has officially been addressed in a new dev full disclosure report released on Friday. The problem has reportedly been remedied, but the security oversight casts doubts on an already heavily scrutinized protocol, and whether a proper release of LN anytime soon is actually feasible.
Lightning Bug in June
On June 27, developer Rusty Russell discovered the security flaw while running tests on the network. As the bug was not independently discovered by malicious entities, it is unlikely that major damage was done, although conclusive evidence did show that at least one exploitation of the bug did occur “in the wild” on September 7. A quiet fix was made and the issue was revealed in August after most users had upgraded, culminating in the September 27 release of the full disclosure report.
The report states:
A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed. Otherwise an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount … Implementations did not always do this check.
Listed implementations which were vulnerable were c-lightning v.0.7.0 and below, lnd v.0.7.0 and below, and eclair v.0.3.0 and below. Some implementations only checked for partial data necessary to confirm the authenticity of the transaction. According to the report “It did NOT, however, require the receiver to actually check that the transaction is the one promised by the funder: both the amount and the actual scriptpubkey.”
All systems seem to be back on track now, the bug report detailing that the discovery, for all the trouble it caused, “did provide an opportunity to test communications and methods of
While this security flaw was dealt with relatively efficiently, and no network is beyond critique, many in the crypto space still take issue with the layer two payment protocol for various reasons. Addressing this most recent report on Twitter, Bitcoin Unlimited’s Peter Rizun wrote: