After the recent v0.15.3 update to the Lightning Network, a critical security vulnerability was discovered by independent cybersecurity researchers that could allow bad actors to stop lnd nodes from parsing transactions.
A Lightning Network Daemon (lnd) is a full implementation of a Lightning Network node, along with the services and plug-ins that allow it to connect to the rest of the Lightning network, a Layer-2 blockchain for Bitcoin that enables smart contracts to be run on the BTC network.
Update Released Mere Hours After Discovery
Thanks to watchful community member Burak’s work and responsive devs, hotfix v0.15.4-beta was released about three hours after the bug was discovered.
If left unattended, the bug could have stopped transactions from going through if the nodes responsible for parsing them had been attacked by bad actors.
“This is an emergency hot fix release to fix a bug that can cause lnd nodes to be unable to parse certain transactions that have a very large number of witness inputs.”
Devs using the Lightning Network now have two weeks to apply the update. Afterward, channel timelocks currently in place will expire and leave the nodes vulnerable again.
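The release note above concerns a wire parser refusing transactions whose inputs carry a very large witness stack. As an added illustration (not lnd's or btcd's own code, and the page does not describe btcd's internals), the Go function below parses one input's witness stack in the segwit serialization format and bounds the item count by the bytes remaining rather than by a fixed constant, so a stack of very many empty items still parses while a count that cannot possibly fit is rejected before any allocation. The sample stack of 600000 empty items is constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// readVarInt decodes a Bitcoin CompactSize integer at buf[off:].
func readVarInt(buf []byte, off int) (uint64, int, error) {
	if off < len(buf) {
		switch b := buf[off]; {
		case b < 0xfd:
			return uint64(b), off + 1, nil
		case b == 0xfd && off+3 <= len(buf):
			return uint64(binary.LittleEndian.Uint16(buf[off+1:])), off + 3, nil
		case b == 0xfe && off+5 <= len(buf):
			return uint64(binary.LittleEndian.Uint32(buf[off+1:])), off + 5, nil
		case b == 0xff && off+9 <= len(buf):
			return binary.LittleEndian.Uint64(buf[off+1:]), off + 9, nil
		}
	}
	return 0, off, errors.New("truncated varint")
}
// parseWitness decodes one input's witness stack: an item count, then
// length-prefixed items. Every item costs at least one byte, so a count larger
// than the bytes remaining is malformed and is rejected before allocation;
// any count that actually fits is parsed, with no fixed per-input cap.
func parseWitness(buf []byte, off int) ([][]byte, int, error) {
	n, off, err := readVarInt(buf, off)
	if err != nil {
		return nil, off, err
	}
	if n > uint64(len(buf)-off) {
		return nil, off, errors.New("witness item count exceeds remaining bytes")
	}
	items := make([][]byte, 0, n)
	for i := uint64(0); i < n; i++ {
		l, next, err := readVarInt(buf, off)
		if err != nil || l > uint64(len(buf)-next) {
			return nil, off, errors.New("witness item truncated")
		}
		items = append(items, buf[next:next+int(l)])
		off = next + int(l)
	}
	return items, off, nil
}
// manyEmptyItems returns a constructed stack of 600000 empty items
// (CompactSize 0xfe c0 27 09 00 followed by 600000 zero-length items).
func manyEmptyItems() []byte {
	return append([]byte{0xfe, 0xc0, 0x27, 0x09, 0x00}, make([]byte, 600000)...)
}
```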
Second Critical Bug in a Month, Discovered by Burak
The most recent bug, which affected the btcd wire-parsing library used by the Lightning Network, was discovered and announced by Burak on Twitter.
Sometimes to find the light, we must first touch the darkness. https://t.co/dhCwF0DxpE
— Burak (@brqgoo) November 1, 2022
In the blockchain transaction used to demonstrate the bug, the developer left a tongue-in-cheek message indicating the root cause of the problem: “you’ll run cln. And you’ll be happy.”
The developer was also responsible for uncovering a similar bug on the 9th of October. In that instance, Burak created a 998-out-of-999 multisig transaction that was promptly rejected by both lnd and btcd nodes. This resulted in the entire block containing the transaction being rejected, all for a measly transaction fee of only $5.16.
Although this bug may have made many in the Bitcoin community happy, it was still technically an exploit of the system and was patched shortly after.
This vulnerability had also allegedly been reported by white-hat hacker Anthony Towns, who forwarded the info to a lead Lightning Network dev.
For what it’s worth, I also noticed this bug and disclosed it to @roasbeef about two weeks ago. The btcd repo doesn’t seem to have a reporting policy for security bugs, so not sure if anyone else working on btcd found out about it.
— Anthony Towns (@ajtowns) November 1, 2022
In spite of the speedy resolution of these two bugs, they led to calls for a bug bounty program for the Lightning Network, since both were reported out of nothing more than good faith. Without incentives for ethical hackers to discover and report similar bugs, there's no telling who may discover future issues first.