The developers disclosed the details of the vulnerability found in the Lightning Network
Developer Rusty Russell this Friday revealed detailed information about a vulnerability in the Lightning Network, which was first reported to the general public at the end of last month.
According to the publication, the vulnerability arose during the creation and funding of Lightning Network channels. When a user opened a channel, the recipient was not required to verify the amount of the output of the transaction used to fund the channel, or to check the scriptpubkey, which sets the conditions that must be met before the output can be spent.
Since the Lightning Network does not require such verification at the protocol level, an attacker “can declare the opening of the channel without transferring payment to the recipient or transferring an incomplete amount.” Thus, the organizer of the attack could spend funds from the channel shared with the victim without notifying her about it. Only after closing such a channel did the victim discover that the transactions transmitted through it were invalid.
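The check described above as missing, written out as an added example (not code from LND, C-lightning or Eclair). It assumes the funding output format from the Lightning specification, a P2WSH output committing to a 2-of-2 multisig script with the two funding keys in lexicographic order; the function names, keys and amounts are constructed for illustration.

```python
import hashlib

def funding_witness_script(key_a: bytes, key_b: bytes) -> bytes:
    """2-of-2 multisig script, compressed keys in lexicographic order."""
    k1, k2 = sorted((key_a, key_b))
    # OP_2 <push 33> k1 <push 33> k2 OP_2 OP_CHECKMULTISIG
    return b"\x52\x21" + k1 + b"\x21" + k2 + b"\x52\xae"

def p2wsh(script: bytes) -> bytes:
    """scriptPubKey: OP_0 <32-byte SHA256 of the witness script>."""
    return b"\x00\x20" + hashlib.sha256(script).digest()

def check_funding_output(outputs, index, agreed_sats, local_key, remote_key):
    """Return the problems with the claimed funding output ([] = acceptable).

    outputs: list of (value_sats, scriptpubkey) read from the funding
    transaction; index and agreed_sats come from the channel negotiation.
    """
    if not 0 <= index < len(outputs):
        return ["missing output"]
    value, spk = outputs[index]
    problems = []
    if value != agreed_sats:          # underfunded or overstated channel
        problems.append("amount")
    if spk != p2wsh(funding_witness_script(local_key, remote_key)):
        problems.append("scriptpubkey")  # output is not the shared 2-of-2
    return problems

# Constructed sample data (placeholder bytes, not real keys).
LOCAL = b"\x02" + b"\x11" * 32
REMOTE = b"\x03" + b"\x22" * 32
GOOD_SPK = p2wsh(funding_witness_script(LOCAL, REMOTE))
OTHER_SPK = p2wsh(funding_witness_script(REMOTE, b"\x02" + b"\x33" * 32))

if __name__ == "__main__":
    cases = {
        "honest funding": [(100_000, GOOD_SPK)],
        "incomplete amount": [(1_000, GOOD_SPK)],
        "output not controlled by the channel": [(100_000, OTHER_SPK)],
    }
    for name, outs in cases.items():
        print(name, "->", check_funding_output(outs, 0, 100_000, LOCAL, REMOTE) or "ok")
```

A node that runs this comparison before treating the channel as open rejects both cases the article describes: a funding output with an incomplete amount and one that does not pay to the channel's shared script.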
Lightning Network client developers have made the necessary changes to their software, but older versions are still vulnerable to this attack vector, in particular:
- LND nodes version 0.7 and below;
- C-lightning nodes version 0.7 and below;
- Eclair nodes version 0.3 and below.
The developers have also created a tool through which users can check if their LND nodes were affected by this attack.
Speaking about why it took three months to disclose information about the vulnerability, Pierre-Marie Padiou, CEO of Lightning company Acinq, said: “The problem with this vulnerability is that once you know about it, it seems obvious. Three months is a short time. This is a fairly short time, because users need to be given time to update. Many of them don’t. There are always problems. There were even bugs in the Bitcoin protocol. The main thing is to deal with them in such a way as to better protect users.”
In mid-September, the developers admitted that the vulnerability was exploited in real conditions, without specifying the extent of the possible damage.