The Lightning Network continues to grow despite ongoing criticism and the disclosure of a critical vulnerability.
A bug report published by Blockstream developer Rusty Russell provided details on a critical vulnerability that could have allowed bad actors to steal their targets’ bitcoins.
ICYMI: Here are all the details of the recent Lightning bug. https://t.co/NVzKmGW5I6
— TheRustyTwit (@rusty_twit) September 27, 2019
The Lightning Network (LN) is a second-layer scaling solution for Bitcoin that has been under development for several years. It is designed to allow more transactions to be processed – and at lower fees – without clogging the network.
There are currently three independent teams working on their own implementations of the LN protocol in different languages.
C-Lightning was developed by Blockstream while Eclair and Lightning Network Daemon (LND) were developed by ACINQ and Lightning Labs, respectively.
LN fails to verify funding transaction amounts
The way LN works, in simplest terms, is that when two or more parties want to transact, they open up a payment channel on the network and agree to deposit a certain amount of BTC each into a multi-signature wallet that they have created.
From there, the parties involved can transact as often as they like through that channel and, once they close the channel, the funds will be distributed accordingly.
If someone were to exploit the vulnerability that Russell discovered, however, they could open up a channel and either not send the full amount of BTC or not send any at all.
The attacker would be able to spend the funds in the wallet and the victim would never know until they tried to close the channel.
“A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed. Otherwise, an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount,” the report explained.
“Once that transaction reaches the minimum depth, it can spend funds from the channel. The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
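The check the report describes can be sketched as follows. This is an added example, not code from the bug report or from any of the three implementations; it assumes the standard BOLT 3 funding output (a P2WSH 2-of-2 multisig with the two funding keys in lexicographic order) and covers both the destination script and the amount. The names `TxOut` and `verify_funding_output` and the sample keys are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class TxOut:
    value_sat: int
    script_pubkey: bytes

def funding_script_pubkey(key_a: bytes, key_b: bytes) -> bytes:
    """P2WSH scriptPubKey of the 2-of-2 funding output (BOLT 3 layout)."""
    k1, k2 = sorted((key_a, key_b))  # lexicographically lesser key first
    # OP_2 <k1> <k2> OP_2 OP_CHECKMULTISIG; 0x21 pushes a 33-byte key
    witness_script = b"\x52\x21" + k1 + b"\x21" + k2 + b"\x52\xae"
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()

def verify_funding_output(outputs, index, expected_sat, local_key, remote_key):
    """Return (ok, reason) for the output the peer claims funds the channel."""
    for key in (local_key, remote_key):
        # Format check only; a real node also validates the curve point.
        if len(key) != 33 or key[0] not in (2, 3):
            return False, "malformed funding pubkey"
    if not 0 <= index < len(outputs):
        return False, "funding output index out of range"
    out = outputs[index]
    if out.script_pubkey != funding_script_pubkey(local_key, remote_key):
        return False, "output does not pay to the channel's 2-of-2 script"
    if out.value_sat != expected_sat:
        return False, "output amount differs from negotiated funding amount"
    return True, "ok"

# Constructed sample data: placeholder keys, not real nodes or curve points.
LOCAL_KEY = b"\x02" + b"\x11" * 32
REMOTE_KEY = b"\x03" + b"\x22" * 32
OTHER_KEY = b"\x02" + b"\x33" * 32

def demo():
    good = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
    elsewhere = funding_script_pubkey(REMOTE_KEY, OTHER_KEY)
    cases = {
        "honest": [TxOut(100_000, good)],
        "underfunded": [TxOut(1_000, good)],
        "pays_elsewhere": [TxOut(100_000, elsewhere)],
        "no_outputs": [],
    }
    return {name: verify_funding_output(outs, 0, 100_000, LOCAL_KEY, REMOTE_KEY)
            for name, outs in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A node that runs this check before treating the channel as open rejects the underfunded and misdirected cases at funding time instead of discovering them at close.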
Discover, debug, divulge
Russell first discovered the LN bug in late June and immediately notified ACINQ and Lightning Labs.
After determining that the same vulnerability was present in all three implementations, the teams worked together to fix the problem.
By July 4th, all three implementations had been updated and other projects, like rust-lightning, ptarmigan, and BLW, were notified.
On August 30th, a general notice of the existence and subsequent patch of the vulnerability was published along with a recommendation to upgrade to the latest versions of the LN implementations.
The bug report notes that the decision to delay full disclosure was made jointly by all three teams.
“Together the teams made the decision to fix this quietly for pending releases, then reveal the existence of a problem 8 weeks later, once most users had already upgraded. Four weeks after that, the full disclosure would be made.”
Lightning Network expansion continues
Despite the revelation of the vulnerability and ongoing criticism, the Lightning Network continues to grow.
Bitrefill, a service which enables people to purchase gift cards and pre-paid mobile refills with cryptocurrencies, has become one of the largest Lightning node operators.
In a recent interview with Bitcoin Magazine, Bitrefill CEO Sergej Kotliar spoke about Lightning Network and how, despite Bitcoin’s shortcomings related to micro-transactions, it is a good fit for their business model.
“Lightning is a promising technology for a business like ours, and despite the issues surrounding it, we are consistently trying to become the best at running it,” he said.
“The main focus is to contribute to the building blocks of crypto-centric economy and we are trying to connect more people to this ecosystem with our various products.”
As for the Lightning Network itself, it recently hit another milestone, surpassing 10,000 active nodes. Nearly 6,000 of those nodes contain active channels.
The network has reached a total capacity of 816.46 BTC, equal to roughly US$6.7 million [AU$9.9 million].
Earlier this year, it had a capacity of over 1,000 BTC; however, as Bitcoin prices have risen, the capacity has fallen by around 200 BTC.