Australian Coder Warns Users of Lightning Network’s Vulnerabilities (#GotBitcoin?)
Australian software programmer and Bitcoin’s (BTC) Lightning Network coder Rusty Russell warned users that “security issues have been found in various Lightning projects which could cause loss of funds.” Australian Coder Warns Users of Lightning Network’s Vulnerabilities (#GotBitcoin?)
Urgent Update Recommended
On Aug. 30, Russell published a tweet urging LN nodes operators to update their software as soon as possible. According to the message, his warning concerns all versions of c-lightning prior to 0.7.1, lnd older than 0.7, and eclair up to version 0.3.
Notably, just earlier this month blockchain development company Blockstream announced the release of the version 0.7.2 of its BTC scalability software c-lightning.
Details To Be Released
In a PGP-signed message published on Linux Foundation’s domain Russell explicitly warns users of security issues and promises that more details will be released in the future:
“Full details will be released in 4 weeks (2019-09-27), please upgrade well before then.”
Lightning Network is a second-layer off-chain Bitcoin scalability solution meant to enable instant and near-free BTC payments. Blockstream’s chief strategy officer Samson Mow recently said that Bitcoin is bad for payments, but Lightning Network could solve this.
As Cointelegraph reported earlier this month, Andreas Antonopoulos announced his new “Mastering Lightning Network” book, co-authored by René Pickhardt and Lightning Labs CTO Olaoluwa Osuntokun.
10,000 Nodes Are Running BTC Lightning Network In New All-Time High
The number of Bitcoin (BTC) Lightning Network (LN) nodes has reached 10,000 for the first time, according to real-time LN statistics site 1ML.
According to 1ML, the number of nodes on the LN has grown by 3.17% over the past 30 days to reach a record high of 10,003 network nodes at press time. At the same time, the number of nodes with active channels is 5,975 out of total of 36,246 channels at press time, with just a 0.34% growth over the past month.
The LN is a second-layer blockchain protocol designed to provide high-speed transactions for Bitcoin, wherein nodes are individual payment channels between various parties allowing them to send and receive BTC between each other.
The LN State, According To LNBIG
As the person behind the LNBIG entity that controls over 40% of the Lightning Network’s capacity told industry-focused media outlet The Block, they maintain statistics of all local balances, which are hidden from public view. They explained that LN explorers can not know who created channels and which side bitcoins were used.
When asked what features should be added to the LN to attract more BTC users, the speaker singled out atomic multi-path payments, which will purportedly play a big role in Bitcoin automated teller machines. “For the widespread adoption of the Lightning Network, it is important to have software that integrates the wallet with accounting,” they added.
Stipulating the LN’s viability in the event that routing fees do not outperform lending rates, the individual said that it is too early to make money in the LN. As for the biggest weakness of the LN, they note the small audience, adding:
“Other problems concern node operators, but here they are not problems of mass adoption. The infrastructure of nodes already allows for orders of magnitude more payments than now. Moreover, for this, you can not increase the capacity because the funds are distilled from one end of the channel to the other, and this process does not consume bitcoins from node operators. It’s like a circulatory system, and the body is already full of blood. It only remains for him to live an active life.”
Recent Developments Of The LN
In late August, blockchain development company Blockstream announced the release of version 0.7.2 of its scalability software c-lightning, an LN implementation that supports dynamic plugin management as well as “the upcoming signet.”
In July, the LN developers revealed a new node monitoring tool. One of the main goals of this tool is to provide a way to prevent certain network issues before they manifest. Users could purportedly also use this tool to monitor trends such as the number of channels over time, as well as which spots have the best routing fees.
Bitcoin’s LN Developer Discloses the Network’s Vulnerability
Bitcoin’s (BTC) Lightning Network (LN) developer Rusty Russel has published the full disclosure of the network’s vulnerability discovered in August, accompanied by a solution.
Russel pointed out that the vulnerability appeared while opening funding channels. The described process does not require that receivers check if a transaction is the one promised by the funder in terms of amounts and the actual scriptpubkey.
Scriptpubkey is an output transaction script that requires specific conditions to be observed for a receiver to spend their Bitcoins. The file explains:
“A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed. Otherwise an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount. Once that transaction reaches the minimum depth, it can spend funds from the channel. The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
A Possible Solution
Russel also proposed a solution to the aforementioned problem. Once the funding transaction is seen, peers “must check that the outpoint as described in `funding_created` is a funding transaction output with the amount described in `open_channel`.”
The file also warns that c-lightning versions 0.7.1 and above perform the process correctly, urging users to upgrade the older versions of their Lightning Nodes.
On Sept. 10, Olaoluwa Osuntokun, CTO at LN-focused startups Lightning Labs and ACINQ, also claimed to have found instances of the vulnerability being exploited. In order to avoid the risk of losing funds, Osuntokun strongly advised users to update their LN versions. The affected versions included, per Osuntokun, LND nodes version 0.7 and below, c-lightning nodes version 0.7 and below, and eclair nodes version 0.3 and below, the post noted.
On Sept. 26, the number of Bitcoin’s LN nodes reached 10,000 for the first time.
As Cointelegraph previously reported, Andreas Antonopoulos announced his new “Mastering Lightning Network” book, co-authored by René Pickhardt and Lightning Labs CTO Olaoluwa Osuntokun.
Researchers Uncover Bitcoin ‘Attack’ That Could Slow or Stop Lightning Payments
The bitcoin lightning network could be vulnerable to a simple and disruptive attack, according to a recent research paper.
Written by Saar Tochner, Aviv Zohar, and Stefan Schmid, the paper describes a denial-of-service (DoS) attack that could be used to slow down or even stop a huge percentage of payments on the network and, although the behavior hasn’t been seen in the wild and lightning’s technology is still in-progress, it’s considered a major flaw in the network as it stands today. The paper, entitled “Hijacking Routes in Payment Networks,” was published in mid-September.
Tochner and Zohar both hail from the Hebrew University of Jerusalem while Schmid works at the University of Vienna.
“The attack allows for a disruption of payments on the lightning network,” said Zohar.
This is possible because each lightning network payment is passed across a network of nodes in order to reach its destination. If one of these middle nodes is a bad actor it can slow the payment down rather than swiftly pass along the payment as it’s supposed to.
What’s more, it currently doesn’t take much to execute the denial of service attack, according to Zohar.
“It is extremely easy to execute. It takes opening a few lightning channels to key points, promising zero fees, and then not relaying any payments,” he said.
It’s an attack that the researchers haven’t seen in the wild, but it could potentially make the lightning payment network more difficult to use. And it’s a discovery that has gotten the attention of developers who work on bitcoin and lightning.
“I wish I had thought of the attack,” bitcoin researcher Gleb Naumenko told CoinDesk.
“The paper is very interesting, so is the analysis of the different heuristics used for path-finding, and we’re very happy to see independent researchers work on how lightning can be abused and attacked,” said lightning startup Acinq CTO Fabrice Drouin.
‘Amplified’ Denial of Service
When a user sends a payment across lightning, their app decides which path to take based on many factors, including which node requires the lowest fees.
Though there are hundreds of nodes in the lightning network, a bad actor can use this attack to make sure there’s a high probability that their node will be selected. They can do this by “analyzing how each implementation computes routes to design a strategy that enables attackers to get their nodes selected in as many routes as possible,” said Drouin.
“We can open channels that offer short and low-cost routes in the network which then are selected (almost always) for the route,” Zohar further explained.
By doing this, they can capture a significant portion of the network’s payments at a given time. “We find that just five new links are enough to draw the majority (65% – 75%) of the traffic regardless of the implementation being used,” the paper explains.
What’s more, they can do this over and over again to ensure the payment keeps getting stopped.
“Then, when a payment request comes in, we can just refuse to pass it onward. When a new path is selected […] the attacker channels are again selected for the route,” Zohar said.
As bad as the attack sounds, it hasn’t appeared in the wild – yet.
“I think the network is just not in heavy use right now and disrupting it does not cause too much damage. The attack does not directly give funds to the attacker, so the incentive will only be there if lightning is heavily used as a payment network,” Zohar said.
It should be noted that, for the attacker, such a maneuver is “not cheap,” Drouin argues, because “attackers need to open actual channels and lock funds, which will get closed and pay on-chain fees whenever a payment is locked and times out.”
Still, Zohar argues it’s “not that expensive, given the damage you do,” adding: “You’d need around 20 or so new channels to attack some 80% of all transactions, so the total cost would be around $2000.”
Stopping The Attack
Lightning developers agree this is a serious attack vector but they are optimistic that future changes will make the attack much harder.
“It’s something [that’s] hard to talk about because we are still developing the pathfinding system in LND and it’s a moving target,” said Alex Bosworth, who is the infrastructure lead at Lightning Labs.
LND is an implementation of lightning network made by Lightning Labs. Bosworth further noted that changes are coming in fast, and that the new version of LND that just came out on Tuesday, for example, has some “major changes” that impacts the routing analyzed by the researchers to come up with this attack.
“I wouldn’t say that there is any way to conclusively stop people who are trying to disrupt payments because this is a system where the peer-to-peer design means that anyone can participate and route or not route as they prefer,” he said.
The lightning code is changing very rapidly and there are plenty of modifications still in the pipeline.
Some of these changes could make it a lot harder for bad actors to execute an attack, lightning developers argue, including system for banning “bad” users.
“Also, as the network grows, lightning network implementations will deploy more aggressive heuristics to ban misbehaving peers … and such attacks will become more an more short-lived,” Drouin said.
“For example, we don’t just look at the cheapest fees when we compute routes, we try to select older channels, so an attacker would have to wait and behave before they can carry out the attack,” he said.
Drouin further argued that there are other improvements forthcoming including trampoline payments, a feature proposed by Blockstream lightning developer Christian Decker, who was known for independently inventing a payment channel network similar to lightning in 2015.
Lightning is supposed to be instant but behind the scenes each node in the network carrying a payment from point A to point B needs to do a little computation as it carries the data. In fact, not all lightning users have equipment that’s powerful enough to perform these calculations, thereby requiring the “trampoline” system.
The typical user in today’s network might send a bitcoin payment from a smartphone, for instance, which isn’t exactly a powerful machine. So one idea is to allow these smaller nodes to outsource computation to “trampoline” nodes that have more computational power.
Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,,Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,Australian Coder Warns,