Lightning Network’s Vulnerability Exposes Users to Loss of Funds
August 30th, 2019
A developer of Bitcoin’s Lightning Network, Rusty Russell, today announced that the network is currently facing security issues which “could lead to a loss of funds.” The announcement was made in a post on the Lightning Network’s Common Vulnerabilities and Exposures (CVE) page, and affected users have been advised to upgrade to a newer version immediately to avoid loss of funds.
Users Should Have Upgraded Since
According to the post, full details of the security issues will be announced four weeks from today, and everyone running a Lightning Network node should have upgraded by then.
The post reads “Security issues have been found in various lightning projects which could cause loss of funds. Full details will be released in 4 weeks (2019-09-27), please upgrade well before then.” A new Lightning Network version 0.7.2, ‘Nakamoto’s pre-approval by US Congress’, which is stated not to contain any of these vulnerabilities, was released on the 20th of August.
The affected implementations, with their CVE identifiers and vulnerable versions, are:
CVE-2019-12998 c-lightning < 0.7.1
CVE-2019-12999 lnd < 0.7
CVE-2019-13000 eclair <= 0.3
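The version bounds above differ in an easy-to-miss way: two are strict (“<”) and one is inclusive (“<=”), and real node version strings carry prefixes and pre-release suffixes (“v0.7.0”, “0.6.1-beta”). The following script is an added example, not code from the article or from any of the Lightning projects; it encodes the three ranges exactly as the advisory lists them and checks a constructed node inventory against them. The node names and version strings in the sample inventory are made up for illustration.

```python
# Added example: check whether a Lightning node's reported version falls inside
# one of the affected ranges listed in the advisory. The CVE ids and bounds are
# the ones the advisory names; the inventory below is a constructed sample.
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    implementation: str
    cve: str
    upper: tuple[int, ...]   # version bound from the advisory
    inclusive: bool          # True for "<=", False for "<"


# Ranges exactly as stated in the advisory.
ADVISORY = [
    AffectedRange("c-lightning", "CVE-2019-12998", (0, 7, 1), inclusive=False),
    AffectedRange("lnd",         "CVE-2019-12999", (0, 7),    inclusive=False),
    AffectedRange("eclair",      "CVE-2019-13000", (0, 3),    inclusive=True),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the dotted numeric version from strings such as 'v0.7.0',
    '0.6.1-beta commit=...' or '0.3'. Pre-release suffixes are ignored, so
    '0.7.0-beta' is treated as 0.7.0 (the advisory bounds are plain numbers)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    # Right-pad with zeros so (0, 7) and (0, 7, 0) compare as equal.
    return v + (0,) * (n - len(v))


def is_affected(implementation: str, version: str) -> str | None:
    """Return the CVE id if (implementation, version) lies inside an affected
    range, else None. Implementations not named in the advisory return None."""
    v = parse_version(version)
    for r in ADVISORY:
        if r.implementation != implementation.lower():
            continue
        n = max(len(v), len(r.upper))
        a, b = _pad(v, n), _pad(r.upper, n)
        if a < b or (r.inclusive and a == b):
            return r.cve
        return None
    return None


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Rows are (node_name, implementation, version_string). Returns
    (node_name, cve) for every node still inside an affected range."""
    findings = []
    for name, impl, ver in inventory:
        cve = is_affected(impl, ver)
        if cve:
            findings.append((name, cve))
    return findings


# Constructed sample inventory; these are not real nodes.
SAMPLE_INVENTORY = [
    ("alice", "c-lightning", "v0.7.0"),
    ("bob",   "c-lightning", "v0.7.2"),
    ("carol", "lnd",         "0.6.1-beta commit=v0.6.1-beta"),
    ("dave",  "lnd",         "0.7.0-beta"),
    ("erin",  "eclair",      "0.3"),
    ("frank", "eclair",      "0.3.1"),
]

if __name__ == "__main__":
    for name, cve in audit(SAMPLE_INVENTORY):
        print(f"{name}: upgrade required ({cve})")
```

Running it on the sample inventory flags alice, carol and erin; note that eclair 0.3 is flagged because its bound is inclusive, while lnd 0.7.0-beta is not, because the lnd bound is strict and the pre-release suffix is dropped before comparison.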
A quick search shows that all three CVEs are currently marked as reserved. One of them reads:
“This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided”
No one seems to be sure what exactly is going on with the Lightning Network or how exposed users might be, since Russell says full details of the vulnerabilities won’t be released until the 27th of September. For now, everyone on the Lightning Network has been advised to upgrade to the patched 0.7.2 version.
Some users on Reddit and Twitter have suggested that the reason for the apparent ‘secrecy’, with the network withholding further information, is to make sure people cannot take advantage of or abuse the vulnerability.
Most security updates are initially released without further information, which is published only later, in order to give the network sufficient time to fix the problem while still being transparent with users and keeping them out of harm’s way.