Bitcoin’s hottest layer 2, the Lightning Community, had one other bug that put customers’ funds in danger. Lightning scales quicker and cheaper than common bitcoin transactions by permitting customers to affix fee channels, therein conducting off-blockchain, ‘bar tab’-like transactions.
By jotting down will increase and reduces in bitcoin balances inside these fee channels, Lightning customers ‘ship’ and ‘obtain’ bitcoin quicker and cheaper than paying miners for the complete safety and decentralization of on-blockchain transactions.
Nevertheless, the trade-off for this pace and affordability is obvious on this week’s disclosure: safety.
LND, one of many 4 hottest implementations of Lightning, is now in model 18 but has disclosed a vulnerability affecting variations previous to 17. (Lightning builders waited roughly 9 months to reveal the bug, as a precaution.)
They named the bug the LND Onion Bomb.
LND Onion Bomb
The vulnerability is a basic denial of service (DoS) assault. Particularly, attackers can overwhelm LND nodes with onion information packets, utilizing up the entire node’s RAM and taking the node offline.
Worse, the assault is Tor/Onion-based, so it’s non-public by default. The id of the assailant stays non-public all through the prolonged assault, making it tough.
Learn extra: Critics declare ‘buggy’ Bitcoin Lightning Community is slowly dying
Going offline isn’t problematic for a daily Bitcoin full node, nevertheless it’s very unhealthy information for a Lightning node. Offline Lightning nodes might not validate or obtain funds, can not surveil the community for dishonest, and are weak to pressured channel closures whereby a counterparty steals all remaining funds within the fee channel.
If the attacker continues DoS’ing the victimized node operator for lengthy sufficient, the time interval for broadcasting a Justice Transaction expires and irrevocably transfers possession of the stolen bounty to the attacker.
A accountable Lightning bug disclosure
To this point, there aren’t any main studies of funds stolen from this so-called ‘LND Onion Bomb’ assault. A developer responsibly disclosed it to Lightning Labs on June 20, 2023 and builders patched the exploit by October 3, of that very same yr with Lightning node software program launch LND 17.0.
Two days in the past — 9 months after the patch — builders publicly disclosed the problem.
It’s not the primary time the Lightning community has suffered a severe vulnerability that positioned customers’ funds in danger. Through the years, hackers discovered a jamming assault, alternative biking assault, BTCD library bug, unattributed fee routes, LNTXbot breach, and varied different bugs in Lightning implementations.
