Emergency Hotfix Deployed to Prevent Disruption to the Lightning Network

After the recent v0.15.3 update to the Lightning Network, independent cybersecurity researchers discovered a critical security vulnerability that could allow bad actors to stop lnd nodes from parsing transactions.

A Lightning Network Daemon (lnd) is a full implementation of a Lightning Network Node, along with the services and plug-ins that allow it to connect to the rest of the Lightning network, a Layer-2 blockchain for Bitcoin that enables smart contracts to be run on the BTC network.

Update Released Mere Hours After Discovery

Thanks to watchful community member Burak’s work and responsive devs, hotfix v0.15.4-beta was released about three hours after the bug was discovered.

Left unattended, the bug could have stopped transactions from going through if the nodes responsible for parsing them had been attacked by bad actors.

"This is an emergency hot fix release to fix a bug that can cause nodes to be unable to parse certain transactions that have a very large number of witness inputs."

Devs using the Lightning Network now have two weeks to apply the update. Afterward, channel timelocks currently in place will expire and leave the nodes vulnerable again.

Second Critical Bug in a Month, Discovered by Burak

The most recent bug, which affected the btcd wire parsing library of the Lightning Network, was discovered and announced by Burak on Twitter.

In the blockchain transaction used to demonstrate the bug, the developer left a tongue-in-cheek message indicating the root cause of the problem: “you’ll run cln. And you’ll be happy.”

The developer was also responsible for uncovering a similar bug on the 9th of October. In that instance, Burak created a 998-out-of-999 multisig transaction that was promptly rejected by both LND and btcd nodes. This resulted in the entirety of the block the transaction was recorded in being rejected, leading to a measly transaction fee of only $5.16.

Although this bug may have made many in the Bitcoin community happy, it was still technically an exploit of the system and was patched shortly after.

This vulnerability had also allegedly been reported by white hat hacker Anthony Towns, who forwarded the info to a lead Lightning Network dev.

In spite of the speedy resolution to these two bugs, they led to calls for a bug bounty program for the Lightning Network – as these were reported due to nothing more than good faith. Without incentives for ethical hackers to discover and report similar bugs, there’s no telling who may discover future issues first.

Source: https://cryptopotato.com/emergency-hotfix-deployed-to-prevent-disruption-to-the-lightning-network/