Bitcoin’s hottest layer 2, the Lightning Community, had one other bug that put customers’ funds in danger. Lightning scales sooner and cheaper than common bitcoin transactions by permitting customers to affix fee channels, therein conducting off-blockchain, ‘bar tab’-like transactions.
By jotting down will increase and reduces in bitcoin balances inside these fee channels, Lightning customers ‘send’ and ‘receive’ bitcoin sooner and cheaper than paying miners for the complete safety and decentralization of on-blockchain transactions.
Nevertheless, the trade-off for this velocity and affordability is clear on this week’s disclosure: safety.
LND, one of many 4 hottest implementations of Lightning, is now in model 18 but has disclosed a vulnerability affecting variations previous to 17. (Lightning builders waited roughly 9 months to reveal the bug, as a precaution.)
They named the bug the LND Onion Bomb.
LND Onion Bomb
The vulnerability is a traditional denial of service (DoS) assault. Particularly, attackers can overwhelm LND nodes with onion knowledge packets, utilizing up all the node’s RAM and taking the node offline.
Worse, the assault is Tor/Onion-based, so it’s personal by default. The identification of the assailant stays personal all through the prolonged assault, making it tough.
Learn extra: Critics declare ‘buggy’ Bitcoin Lightning Community is slowly dying
Going offline isn’t problematic for a daily Bitcoin full node, but it surely’s very dangerous information for a Lightning node. Offline Lightning nodes could not validate or obtain funds, can’t surveil the community for dishonest, and are susceptible to compelled channel closures whereby a counterparty steals all remaining funds within the fee channel.
If the attacker continues DoS’ing the victimized node operator for lengthy sufficient, the time interval for broadcasting a Justice Transaction expires and irrevocably transfers possession of the stolen bounty to the attacker.
A accountable Lightning bug disclosure
To this point, there are not any main stories of funds stolen from this so-called ‘LND Onion Bomb’ assault. A developer responsibly disclosed it to Lightning Labs on June 20, 2023 and builders patched the exploit by October 3, of that very same 12 months with Lightning node software program launch LND 17.0.
Two days in the past — 9 months after the patch — builders publicly disclosed the problem.
It’s not the primary time the Lightning community has suffered a critical vulnerability that positioned customers’ funds in danger. Over time, hackers discovered a jamming assault, substitute biking assault, BTCD library bug, unattributed fee routes, LNTXbot breach, and numerous different bugs in Lightning implementations.
Received a tip? Ship us an e mail or ProtonMail. For extra knowledgeable information, comply with us on X, Instagram, Bluesky, and Google Information, or subscribe to our YouTube channel.