Full details of the security vulnerability found on Bitcoin’s Lightning Network late last month have been published on Friday by software developer Rusty Russel.
According to the disclosure, the vulnerability was in the process of creating and funding a Lightning Network channel. When a channel is created, the receiver of the channel was not required to verify the amount of the funding transaction output or the scriptpubkey, a script that ensures certain conditions are satisfied before an output is spent.
Because the Lightning Network protocol does not require this verification, an attacker “can claim to open a channel but either not pay to the peer, or not pay the full amount,” the disclosure states. This enables an attacker to spend the funds in a channel created with a victim, without alerting the victim. Only when a victim closes their channel with the attacker will they notice that none of the committed transactions between their channels were valid.
While Lightning Network developers have pushed updates to this vulnerability, older implementations are still affected. Users are advised to upgrade the following affected Lightning Node versions:
– LND nodes version 0.7 and below
– c-lightning nodes version 0.7 and below
– eclair nodes version 0.3 and below
Developers have also created a tool for users to check if their LND Lightning nodes were affected. In mid-September, developers warned that the vulnerability was exploited. The size of this exploit, however, was not disclosed.