Lightning network: Vulnerability, LND version 0.10 affected, upgrade to 0.11.0


Engineer Conner Fromknecht, head of cryptographic engineering at Lightning Labs, declared on October 9, 2020 that he had found a vulnerability affecting versions 0.10 and earlier of LND, a Lightning Network implementation.

Understanding the Lightning Network

The lightning network is a technological solution designed to solve the problem of transaction speed on the Bitcoin Blockchain.

Bitcoin was first released in 2008, but due to its construction the Bitcoin network suffers from slow transaction speeds and high transaction costs. Bitcoin’s transactions are manual; Bitcoin’s block time, or transaction speed, is a few minutes. Bitcoin was then only able to process about 7 transactions per second. As a result, transactions take a long time to process and transaction costs are exorbitant.

The blockchain is a growing list of records, called blocks, which are linked together cryptographically. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. It is like a large, distributed public ledger that continues to grow and expand as new blocks are added. Blocks are added chronologically.

By design, a blockchain is resistant to data modification; it can record transactions between two parties in an efficient, verifiable, and permanent manner. By storing data on its peer-to-peer network, the blockchain is a distributed ledger technology (DLT) that allows data to be stored globally on thousands of servers, making it difficult for a user to modify the data.

That is why, in 2015, Joseph Poon and Thaddeus Dryja proposed a solution to these problems (transaction time, security). Their solution was to add a second layer consisting of several payment channels between the parties, or Bitcoin users.

This led to the use and development of the Lightning Network, a technology that uses micropayment channels to increase the capacity of the Bitcoin blockchain to carry out transactions more efficiently.

A Lightning Network channel is a transaction mechanism between two parties. Through these channels, the parties can make or receive payments from each other. In other words, payment channels allow participants to transfer money between themselves without having to publish all their transactions on the blockchain.

On the lightning network:

- Two participants create an entry in the blockchain ledger that requires both participants to approve any spending of funds.

- Both parties create transactions that refund the ledger entry to their individual allocations, but do not broadcast them to the blockchain.

- They can update their individual allocations for the ledger entry by creating numerous transactions that spend the output of the current ledger entry.

- Only the most recent version is valid, which is enforced by the Bitcoin blockchain.

- This entry can be closed at any time by either party, without any trust or custody, by broadcasting the most recent version to the blockchain.

As a result, transactions made on the lightning network are faster, cheaper and more easily confirmed than those made directly on the bitcoin blockchain.
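The channel lifecycle listed above, as a toy model added here for illustration (it is not code from LND or from the Lightning specification). The names `ToyChannel`, `Commitment` and `sign` are hypothetical, HMAC stands in for each party's signature, and the "most recent version only" rule is checked directly, whereas real Lightning enforces it with timelocks and penalty transactions.

```python
import hmac
from dataclasses import dataclass

def sign(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for each party's digital signature.
    return hmac.digest(key, msg, "sha256")

@dataclass(frozen=True)
class Commitment:
    version: int      # update counter; higher means newer
    alice: int        # Alice's allocation in satoshis
    bob: int          # Bob's allocation in satoshis
    sig_alice: bytes
    sig_bob: bytes

class ToyChannel:
    def __init__(self, key_alice: bytes, key_bob: bytes, fund_alice: int, fund_bob: int):
        self.keys = {"alice": key_alice, "bob": key_bob}
        self.capacity = fund_alice + fund_bob  # the jointly controlled ledger entry
        self.latest = self._commit(0, fund_alice, fund_bob)

    def _msg(self, version: int, alice: int, bob: int) -> bytes:
        return f"{version}:{alice}:{bob}".encode()

    def _commit(self, version: int, alice: int, bob: int) -> Commitment:
        msg = self._msg(version, alice, bob)
        return Commitment(version, alice, bob,
                          sign(self.keys["alice"], msg), sign(self.keys["bob"], msg))

    def pay(self, sender: str, amount: int) -> Commitment:
        # Off-chain update: both parties sign a new allocation, nothing is broadcast.
        bal = {"alice": self.latest.alice, "bob": self.latest.bob}
        receiver = "bob" if sender == "alice" else "alice"
        if amount <= 0 or amount > bal[sender]:
            raise ValueError("insufficient channel balance")
        bal[sender] -= amount
        bal[receiver] += amount
        self.latest = self._commit(self.latest.version + 1, bal["alice"], bal["bob"])
        return self.latest

    def close(self, c: Commitment) -> dict:
        # Simplified on-chain settlement: both approvals, full capacity, newest version.
        msg = self._msg(c.version, c.alice, c.bob)
        approved = (hmac.compare_digest(c.sig_alice, sign(self.keys["alice"], msg))
                    and hmac.compare_digest(c.sig_bob, sign(self.keys["bob"], msg)))
        if not approved or c.alice + c.bob != self.capacity:
            raise ValueError("commitment not approved by both parties")
        if c.version != self.latest.version:
            raise ValueError("stale commitment rejected")
        return {"alice": c.alice, "bob": c.bob}
```

Closing with an older commitment or with altered balances raises `ValueError`; only the newest jointly signed allocation settles.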

The Lightning Network can also be used to perform other types of off-chain transactions involving cryptocurrency exchanges.

For example, it is useful for facilitating atomic swaps, which allow one cryptocurrency to be exchanged for another without the intervention of an intermediary such as a cryptocurrency exchange.

Since its creation, the Lightning Network has remained under development; the problem it was designed to solve is Bitcoin's slow transaction time and throughput, which remains at about seven transactions per second (tps).

Is it possible to steal Bitcoins on Lightning Network?

In June 2020, two cryptocurrency researchers, Jona Harris and Aviv Zohar, claimed to have found a way to steal funds from the Bitcoin Lightning Network.

They argued in a research paper entitled ‘Flood & Loot: A Systemic Attack On The Lightning Network’ that savvy attackers might be able to ‘plunder’ other people’s Bitcoins through the Lightning Network if users are not careful.

‘Flood & Loot: A Systemic Attack On The Lightning Network’ is the result of research by computer scientists Jona Harris and Aviv Zohar of the Hebrew University of Jerusalem, who have studied a ‘systemic’ attack on the Lightning Network more closely.

These researchers found that one of the risks that was identified early on was that of a large-scale systemic attack on the protocol, in which an attacker triggers the closure of several Lightning channels at the same time. The researchers stated:

‘We find that a large majority of the active nodes (95%) are ready to open a channel on demand, and are therefore likely to become victims in our attack’.

According to research by Jona Harris and Aviv Zohar, an attacker is able to simultaneously cause victim nodes to overload the Bitcoin blockchain with requests and steal funds that were locked in the channels. They stated:

‘The resulting high volume of transactions in the blockchain will not properly settle all debts, and attackers could get away with stealing some funds’.

However, the researchers noted that this problem can be avoided by finding a way to detect hackers before they attack. But unfortunately, another vulnerability has recently been discovered in the lightning network.

Increasingly vulnerable?

A vulnerability in LND 0.10.x versions has been discovered and communicated to Lightning Labs, the developer of the Lightning Network.

Lightning developer Conner Fromknecht revealed it on October 9th on the project mailing list, where node operators were advised to update their software as soon as possible.

‘While we have no reason to believe that these vulnerabilities have been exploited in nature, we urge the community to upgrade to version 0.11.0 or higher of LND as soon as possible,’ he said.

The Lightning Network Daemon (LND) is a complete Golang implementation of a BOLT-compliant Lightning Network node developed by Lightning Labs. It can connect to Lightning Networks deployed on Bitcoin and Litecoin. It is an open source software under active development on GitHub.

In other words, the Lightning Network Daemon (LND) is an overlay network built on an existing blockchain protocol by creating an entirely new layer, providing instant, high-volume transactions that are designated in the standard blockchain currency.

This newly discovered vulnerability could affect all LND 0.10 and earlier versions, but version 0.11 was released at the end of August and contained the update, so most Lightning node operators have already upgraded to v0.11.0.
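For operators who run several nodes, the upgrade advice above can be turned into an inventory check. The following is an added example, not code from Lightning Labs: the function names, the node names and the sample version strings are constructed, and how the version strings are collected from each node is left outside the example.

```python
import re

FIXED = (0, 11, 0)  # first fixed release according to the article
_PATTERN = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$")

def parse(version: str):
    """Return ((major, minor, patch), suffix) or None if the string is not a version."""
    m = _PATTERN.match(version.strip())
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) or ""

def status(version: str) -> str:
    parsed = parse(version)
    if parsed is None:
        return "unknown"      # cannot prove the node is patched: treat as a finding
    core, suffix = parsed
    if core < FIXED:
        return "upgrade"      # 0.10.x and earlier are the affected versions
    if core == FIXED and "rc" in suffix:
        return "review"       # assumption: release candidates are checked by hand
    return "ok"

def audit(inventory: dict) -> dict:
    """Map node name -> finding for every node that is not confirmed patched."""
    findings = {node: status(v) for node, v in inventory.items()}
    return {node: s for node, s in findings.items() if s != "ok"}

# Constructed inventory; node names and version strings are sample data.
SAMPLE = {
    "node-a": "0.10.4-beta",
    "node-b": "v0.11.0-beta",
    "node-c": "0.11.0-beta.rc1",
    "node-d": "0.9.2-beta",
    "node-e": "0.11.1-beta",
    "node-f": "",
}
```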

The announcement was published on October 9, 2020 by Conner Fromknecht, Protocol Engineer at Lightning Network (LN), who leads cryptographic engineering at Lightning Labs.

Lightning Labs also announced plans for a bug bounty program where developers will be rewarded with financial incentives for discovering future bugs.

The Lightning network is a solution dedicated to improving the speed of transactions on the Bitcoin Blockchain; however, the network is still under development and has vulnerabilities of its own. Does this mean that problems on the Bitcoin Blockchain are proving impossible to solve?

Written by Laetisia Harson, Project Manager at Magna Numeris

Magna Numeris is a startup developing solutions for cryptocurrency users, pushing the boundaries of conventional platforms to help grow the peer-to-peer economy