Blockstream developer Rusty Russell has revealed more details about the Lightning Network vulnerability first became known in late August.
As Russell wrote, vulnerability arose inthe process of creating and replenishing Lightning Network channels. In particular, when creating a channel, the recipient did not need to verify the transaction output amount used to replenish the channel, or use the scriptpubkey script, which allows you to verify that certain conditions are met before spending the output.
Protocol-level Lightning Network does not requiresuch verification, and for this reason, the attack organizer had the opportunity to inform about the opening of the channel without transferring payment to the recipient or transferring an incomplete amount.
As a result, an attacker could spendfunds in the channel without notifying the other party about it. Only after closing the channel did the latter discover that the transactions transmitted through it were invalid.
In mid-September, the developers recognized that the vulnerability was used in real conditions, without specifying the extent of the possible damage.
Earlier in September, the technical director of Lightning Labs and ACINQ, Olaoluwa Osuntokun, confirmed the cases of practical exploitation of the discovered vulnerability.
The following releases are still considered vulnerable:
- LND version 0.7 and below;
- c-lightning version 0.7 and below;
- eclair version 0.3 and below.
In this regard, developers of major customersThe Lightning Network again reminds you to upgrade to the latest versions. Special tools (Lightning Labs and Acinq) were also released to determine if the attack affected users.
Recall that earlier this week the number of active Lightning nodes in the bitcoin network exceeded 10,000.