Blockstream Developer Has Revealed More Details On The Lightning Network Vulnerability
Blockstream developer Rusty Russell has revealed more details on the Lightning Network vulnerability, which first became known in late August.
ICYMI: Here are all the details of the recent Lightning bug. https://t.co/NVzKmGW5I6
— TheRustyTwit (@rusty_twit) September 27, 2019
According to Russell, the vulnerability arose during the creation and replenishment of Lightning Network channels. In particular, when creating a channel, the recipient did not need to verify the transaction output amount used to replenish the channel or use the scriptpubkey script, which allows you to verify that certain conditions are met before spending the output.
The Lightning Network at the protocol level does not require such verification. For this reason, the attack organizer was able to inform about the opening of the channel without transferring payment to the recipient or transferring an incomplete amount.
As a result, the attacker could spend the funds on the channel without notifying the other side. Only after closing the channel did the latter discover that the transactions transmitted through it were invalid.
In mid-September, the developers recognized that the vulnerability was used in real conditions, without specifying the extent of the possible damage.
Earlier in September, the technical director of Lightning Labs and ACINQ, Olaoluwa Osuntokun, confirmed the cases of practical exploitation of the discovered vulnerability.
The following releases are still considered vulnerable:
- LND version 0.7 and below;
- c-lightning version 0.7 and below;
- eclair version 0.3 and below.
In this regard, developers of the main Lightning Network clients again remind about the need to upgrade to the latest versions. Special tools (Lightning Labs and Acinq) were also released to determine if the attack affected users.
Recall, this week the number of active Lightning nodes in the bitcoin network exceeded 10,000.