Lightning Labs has warned users they face the loss of all of their Bitcoin if they use the Lightning Network currently.
“Don’t put more money on Lightning than you’re willing to lose” is not a message that inspires confidence among users or adoption from new users.
But that’s exactly what Lightning Labs tweeted just hours ago, in an ominous warning to users.
They also said: “This is also a great time to remind folks that we have limits in place to mitigate widespread funds loss at this early stage. There will be bugs.”
— Lightning Labs⚡️ (@lightning) September 10, 2019
How it went down
The struggling Lightning Network is a second-layer solution that allows users to send money instantly and with low fees off the main Bitcoin blockchain.
On August 30, a message from Lightning dev Rusty Russell went out to a developer mailing list warning that multiple Lightning node versions were vulnerable and needed to be updated immediately:
“Security issues have been found in various lightning projects which could cause loss of funds.
Full details will be released in 4 weeks (2019-09-27), please upgrade well before then.”
He didn’t reveal the exact details of the vulnerability to avoid tipping off malicious actors, but apparently they didn’t have to.
CTO of Lightning Labs admits exploits
In the past 24 hours Olaoluwa Osuntokun, CTO of startup Lightning Labs, has confirmed that the vulnerability has been exploited a number of times with a consequent loss of funds.
“We’ve confirmed instances of the CVE being exploited in the wild,” he wrote.
If you’re not on the following versions of either of these implementations (these versions are fully patched), then you need to upgrade now to avoid the risk of funds loss:
- lnd v0.7.1 — anything 0.7 and below is vulnerable
- c-lightning v0.7.1 — anything 0.7 and below is vulnerable
- eclair v0.3.1 — anything 0.3 and below is vulnerable
No details are yet available on how many users have been affected or how much in funds has been stolen.
However, Lightning is still in its infancy with very little staked (and terrible returns), so it’s unlikely to be a huge amount at this stage.