Attackers may intercept ongoing HTLC contracts to steal satoshis. A vulnerability in the “transaction standardization” protocol also exposes the network.

Users of LND versions before 0.11.0 are at risk of potential theft of funds due to two critical vulnerabilities on Lightning (LN), the Bitcoin payment network. The Lightning Labs team has published the details of these errors, which affect smart contracts and network security protocols.

The security flaw specifically affects Lightning Network Daemon (LND) client nodes, which reportedly need to update to the latest version of the software. The Eclair and c-lightning teams have also been made aware of the issue as a preventive measure.

The developers state that it is possible to exploit these vulnerabilities to conduct a Denial-of-Service (DoS) attack, which might disrupt LN transactions and intercept HTLC contracts. They also note that Antoine Riard, a contributor to Bitcoin Core and Rust-Lightning, discovered the errors last April.

Riard said that the bugs are “serious vulnerabilities” since they could easily be used to steal user funds. The expert explained that “the channel connections of the nodes were open,” so anyone who discovered these flaws could “put funds in a node and steal them.” Antoine Riard also stated that “(Lightning) nodes are hot wallets.” Therefore, if an attacker took advantage of the bug, it would surely result in a loss of money.

According to the developers, the two flaws are already patched in the latest version of the LND client, 0.11.0. Although the nodes received a two-week extension to update their software, previous versions of LND still have the bug. Consequently, potential attackers may be looking for nodes not yet updated.

Problem in Nodes of Bitcoin Lightning Network

Riard found vulnerabilities that affect two different functions of the Lightning Network nodes, the first of which is a security measure known as “transaction standardization.” It is a set of anti-denial-of-service (DoS) rules implemented in the nodes, in addition to Bitcoin’s basic consensus rules.

This measure emerged to protect the network, but no one expected it to have a malleability error. An attacker may use the protocol to improperly “invalidate” a transaction, as though it had not occurred. Any accidental or malicious failure can lead directly to a loss of funds while opening avenues for the very DoS attacks that the measure should counter.

Hashed Timelock Contracts (HTLCs) would also be at risk of malicious third-party attacks. This function allows two parties to agree to make a payment at a specified time. It locks the money until there is a confirmation of the payment, and generates a pre-image of the canceled invoice when the operation finishes.
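
The hash lock and timelock described above, as a simplified model. This is an added example, not code from LND or from the article; the names Htlc, claim and refund and all sample values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def payment_hash(preimage: bytes) -> bytes:
    """Lightning locks an HTLC to SHA-256(preimage); the invoice carries the hash."""
    return hashlib.sha256(preimage).digest()


@dataclass
class Htlc:  # hypothetical model, not an LND type
    amount_sat: int
    lock_hash: bytes          # hash lock: SHA-256 of the payee's secret preimage
    expiry_height: int        # timelock: payer may reclaim from this block height on
    settled_to: Optional[str] = None


def claim(htlc: Htlc, preimage: bytes) -> bool:
    """Payee path: funds move only if the revealed preimage matches the hash lock."""
    if htlc.settled_to is not None:
        return False
    if not hmac.compare_digest(payment_hash(preimage), htlc.lock_hash):
        return False
    htlc.settled_to = "payee"
    return True


def refund(htlc: Htlc, height: int) -> bool:
    """Payer path: funds return only once the timelock has expired unclaimed."""
    if htlc.settled_to is not None or height < htlc.expiry_height:
        return False
    htlc.settled_to = "payer"
    return True


if __name__ == "__main__":
    secret = bytes(range(32))                      # constructed sample preimage
    htlc = Htlc(50_000, payment_hash(secret), expiry_height=700_100)
    print(claim(htlc, b"\x00" * 32))               # wrong preimage
    print(refund(htlc, 700_099))                   # timelock not reached
    print(claim(htlc, secret))                     # correct preimage
    print(refund(htlc, 700_200))                   # already settled
```

The property a node has to preserve is that a pre-image is released only on the path where the funds actually move. In this model both paths stay open once expiry_height is reached, so the payee should claim well before it.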

The error that Riard found would allow a user to interrupt a transaction and thus not pay the generated invoice. The attacker would receive the pre-image to claim the invoice as paid, but the money would not reach its destination. Malicious third parties could take advantage of HTLC contracts to rob unsuspecting users.

Now that the LN can create channels of up to 10 BTC, the network’s security has to be more robust, a need that still challenges Lightning developers.

By Alexander Salazar
