The Lightning Network is designed to make Bitcoin and other cryptocurrencies more secure. Unfortunately, it seems that is not always the case. A recent vulnerability has been discovered which affects most clients used to access Bitcoin’s Lightning Network. While a fix exists already, it is still a worrisome development.
The CVE Bug on Lightning Projects
It is rather interesting to see how these vulnerabilities were discovered several weeks ago. As is always the case where software clients are concerned, it is possible bugs or exploits will show up sooner or later. In this particular case, a flaw was identified which could be exploited across multiple Lightning projects. As a result of this bug, affected users could lose a fair bit of funds in the process.
Contrary to what most people may expect, this exploit has not been disclosed as of yet. The person reporting it, who goes by the name of Rusty Russell, sent the information to the Bitcoin developer mailing list in late August. He also claimed the full details would be released on September 27. To date, it is unclear if that deadline is still in play. One can only hope some additional information comes to light in the weeks ahead.
Which Clients are Vulnerable?
Surprisingly, the affected releases encompass all of the popular Bitcoin Lightning Network projects. Eclair versions 0.3 and lower are all vulnerable to this bug. The same goes for all lnd iterations below version 0.7.1, and all c-lightning implementations prior to 0.7.1. Since most of those clients were released some time ago, it is plausible to assume some LN users have not upgraded their clients since. That would make them susceptible to loss of funds if this bug were exploited.
Speaking of which, the Bitcoin devs have confirmed this bug is being exploited on the Lightning Network today. Although very few details have been provided, it seems there are some incidents regarding the loss of funds. At the same time, the developers confirmed limits are put in place to avoid a major loss of funds. While that is a hindrance to increasing LN adoption, it is also a valuable safeguard when incidents like these take place.
A Valuable Lesson
While the person responsible for identifying these problems should be thanked for sharing the info with the appropriate developers, it seems at least one other individual knows about the bug. That in itself is rather worrisome, albeit completely expected. Both the technology and its accompanying software are still experimental, so exploits are par for the course sooner or later.
The saving grace in this story is that Bitcoin’s Lightning Network isn’t widely used yet. Officially, the technology is still in public beta testing. That could explain why most users are not running their own node or payment channel as of yet. Only time will tell if that situation can change for the better. It is a scaling solution designed to make Bitcoin faster and cheaper to use, which is something a lot of users have been asking for over the years.