Lightning Network developer Rusty Russell has revealed the full details of a vulnerability discovered three months ago but kept under tight wraps to avoid exposing more users to the risk of losing their funds. On Friday, the developer said that most of the available LN implementations have been patched and that the network is therefore safer to use at the moment. Older versions of these implementations remain vulnerable, however, so he advised LN users to upgrade their clients.
“A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed,” Russell began his explanation, posted to a Lightning development mailing list hosted on Linux Foundation servers.
“Otherwise an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount. Once that transaction reaches the minimum depth, it can spend funds from the channel. The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
In plain terms: the node that funds a channel tells its peer which on-chain transaction output backs the channel, and the node accepting the channel must verify against the chain that this output actually exists, pays exactly the agreed amount, and pays to the 2-of-2 script shared by both peers. An implementation that skipped this check would treat a channel as open even if the funding output was missing or held less than claimed. The attacker could then route payments out of the bogus channel, and the victim would discover only at closing time that its commitment and mutual-close transactions spend an output that was never funded as claimed. No forged signatures are involved; the victim simply trusted the attacker's word about what was on-chain.
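The check Russell describes, as an added illustration rather than code from lnd, c-lightning or éclair: it builds the BOLT-3 funding output (a 2-of-2 OP_CHECKMULTISIG script wrapped in P2WSH) from the two peers' funding pubkeys and compares it against what the chain actually shows for the claimed txid and output index. The keys, transactions and the `ConfirmedTx` lookup shape are constructed for the example; a real node would fetch the transaction by txid from its own chain backend, never from the peer.

```python
"""Verify that a claimed funding output really opens the proposed channel.

Added illustration, not code from any Lightning implementation. The
transaction data is constructed for the example; a real node looks the
transaction up by txid in its own chain backend, never trusting the peer.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def funding_witness_script(local_pubkey: bytes, remote_pubkey: bytes) -> bytes:
    """BOLT-3 funding script: 2 <pubkey1> <pubkey2> 2 OP_CHECKMULTISIG.

    pubkey1 is the lexicographically lesser of the two compressed keys, so both
    peers derive the identical script regardless of who funded the channel.
    """
    if len(local_pubkey) != 33 or len(remote_pubkey) != 33:
        raise ValueError("funding pubkeys must be 33-byte compressed points")
    pk1, pk2 = sorted((local_pubkey, remote_pubkey))
    return b"\x52" + b"\x21" + pk1 + b"\x21" + pk2 + b"\x52" + b"\xae"


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """Native P2WSH output script: OP_0 <32-byte sha256(witness_script)>."""
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()


@dataclass
class TxOut:
    value_sat: int
    script_pubkey: bytes


@dataclass
class ConfirmedTx:
    """Minimal view of a transaction as returned by the node's own chain backend (constructed shape)."""
    txid: str
    outputs: List[TxOut]
    confirmations: int


def verify_funding_output(tx: ConfirmedTx, output_index: int, funding_satoshis: int,
                          local_pubkey: bytes, remote_pubkey: bytes,
                          minimum_depth: int) -> Tuple[bool, str]:
    """Return (ok, reason). Every value the peer asserted is checked against the chain."""
    if tx.confirmations < minimum_depth:
        return False, f"only {tx.confirmations} confirmations, need {minimum_depth}"
    if not 0 <= output_index < len(tx.outputs):
        return False, f"output index {output_index} does not exist in {tx.txid}"
    out = tx.outputs[output_index]
    expected = p2wsh_script_pubkey(funding_witness_script(local_pubkey, remote_pubkey))
    if out.script_pubkey != expected:
        return False, "output does not pay to this channel's 2-of-2 script"
    if out.value_sat != funding_satoshis:
        return False, f"output holds {out.value_sat} sat, channel was opened for {funding_satoshis}"
    return True, "ok"


# Constructed keys and amounts (not real on-chain data; the key bytes are placeholders).
LOCAL_PK = b"\x02" + bytes(range(1, 33))
REMOTE_PK = b"\x03" + bytes(range(33, 65))
STRANGER_PK = b"\x02" + bytes(range(65, 97))
FUNDING_SAT = 1_000_000
MIN_DEPTH = 3
CHANNEL_SPK = p2wsh_script_pubkey(funding_witness_script(LOCAL_PK, REMOTE_PK))
ATTACKER_SPK = p2wsh_script_pubkey(funding_witness_script(STRANGER_PK, REMOTE_PK))


def run_scenarios() -> dict:
    """Each scenario is a claim a peer might make about the funding output."""
    honest = ConfirmedTx("tx-honest", [TxOut(FUNDING_SAT, CHANNEL_SPK)], 6)
    # Funds a 2-of-2 the victim is not part of: the victim's commitment txs spend nothing it controls.
    wrong_script = ConfirmedTx("tx-wrong-script", [TxOut(FUNDING_SAT, ATTACKER_SPK)], 6)
    # Pays the right script but far less than the announced funding amount.
    underfunded = ConfirmedTx("tx-underfunded", [TxOut(1_000, CHANNEL_SPK)], 6)
    # Peer announces output index 1 on a transaction that has only one output.
    missing = ConfirmedTx("tx-missing", [TxOut(FUNDING_SAT, CHANNEL_SPK)], 6)
    # Correct output, but not yet buried to the agreed minimum depth.
    shallow = ConfirmedTx("tx-shallow", [TxOut(FUNDING_SAT, CHANNEL_SPK)], 1)
    return {
        "honest": verify_funding_output(honest, 0, FUNDING_SAT, LOCAL_PK, REMOTE_PK, MIN_DEPTH),
        "wrong_script": verify_funding_output(wrong_script, 0, FUNDING_SAT, LOCAL_PK, REMOTE_PK, MIN_DEPTH),
        "underfunded": verify_funding_output(underfunded, 0, FUNDING_SAT, LOCAL_PK, REMOTE_PK, MIN_DEPTH),
        "missing_output": verify_funding_output(missing, 1, FUNDING_SAT, LOCAL_PK, REMOTE_PK, MIN_DEPTH),
        "shallow": verify_funding_output(shallow, 0, FUNDING_SAT, LOCAL_PK, REMOTE_PK, MIN_DEPTH),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Only the first scenario is accepted. The point of checking the script hash rather than just the amount is that an attacker can easily fund an output of the right size that pays to a 2-of-2 the victim does not hold a key for; a node that looks only at the value, or only at whether the txid confirmed, still opens a channel it can never close.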
Earlier this month, Lightning Labs CTO Olaoluwa Osuntokun reported, and LN developer ACINQ corroborated, that the vulnerability had actually been exploited.
“We’ve confirmed instances of the vuln[erability] being exploited in the wild, if you haven’t updated already, please update immediately!” Osuntokun wrote.
At the time, the developers had already released patches for the supported LN implementations, éclair, lnd and c-lightning. Users of lnd and c-lightning are advised to upgrade their nodes to v0.7.1 or above, while those running éclair should upgrade to v0.3.1 or above.
It is worth noting that Russell discovered the vulnerability on June 27, yet it took three months for the details to be revealed. Asked why the public was informed so late, ACINQ CEO Pierre-Marie Padiou explained that the developers had to err on the side of caution to protect the majority of users.
Publicising the flaw before the implementations were patched would have put every user's funds at risk, since the bad guys as well as the good guys would have learned of the vulnerability.
“The problem with this vulnerability is that once you know about it, it seems so obvious,” he said. “Three months is not a long time. It’s a pretty short time because you have to give users the amount of time needed to update. … A lot of users don’t do it.”