A dangerous bug has been fixed in bitcoin’s lightning network. The popular payment network, which runs on top of the bitcoin blockchain, contained vulnerable code through which money could be drained from the payment app.
Disclosure of the bug
“An attacker can claim to open a [lightning payments] channel but either not pay to the peer, or not pay the full amount,” Rusty Russell, Bitcoin developer
Bitcoin’s lightning network is a ‘Layer 2 payments protocol enabling ultra-fast and nearly costless transactions atop the bitcoin blockchain.’
Users must open “payment channels” to transact across the lightning network. The loophole in the payment app was that an attacker could ‘pretend to open a new payments channel and send fake transactions.’
Users on the other side could then send money to the attacker without knowing that the payment from the attacker’s side was completely fake. Reports are unclear on how many users have fallen prey to these attacks.
Russell adds that all the major lightning software has been upgraded to block the attack.
Asked why it took three months for the vulnerability to be disclosed to users, Pierre-Marie Padiou, CEO of a Bitcoin Telecom company, said ‘developers had to err on the side of caution.’
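The check that Russell's description implies, as an added example (not code from any lightning implementation; the article does not show the actual patch): before trusting a channel, the receiving node compares the funding transaction's output with what the peer claimed. The layout assumed here is the 2-of-2 P2WSH funding output from the lightning specification (BOLT 3); `TxOut`, `check_funding_output` and the sample keys are hypothetical and constructed.

```python
import hashlib
from dataclasses import dataclass

OP_0, OP_2, OP_CHECKMULTISIG, PUSH_33 = b"\x00", b"\x52", b"\xae", b"\x21"

@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes

def funding_script_pubkey(key_a: bytes, key_b: bytes) -> bytes:
    """P2WSH scriptPubKey for the 2-of-2 funding script, keys sorted as in BOLT 3."""
    if len(key_a) != 33 or len(key_b) != 33:
        raise ValueError("expected 33-byte compressed public keys")
    first, second = sorted((key_a, key_b))
    witness_script = (OP_2 + PUSH_33 + first + PUSH_33 + second
                      + OP_2 + OP_CHECKMULTISIG)
    return OP_0 + b"\x20" + hashlib.sha256(witness_script).digest()

def check_funding_output(outputs, index, claimed_sat, local_key, remote_key) -> str:
    """Compare what the peer claimed with what the funding transaction really pays."""
    if not 0 <= index < len(outputs):
        return "missing-output"
    out = outputs[index]
    if out.script_pubkey != funding_script_pubkey(local_key, remote_key):
        return "wrong-script"   # the output does not pay into the channel at all
    if out.value_sat != claimed_sat:
        return "wrong-amount"   # pays the channel, but not the claimed amount
    return "ok"

# Constructed sample data (not real keys or transactions).
LOCAL_KEY = b"\x02" + b"\x11" * 32
REMOTE_KEY = b"\x03" + b"\x22" * 32
CHANNEL_SPK = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
OTHER_SPK = OP_0 + b"\x20" + hashlib.sha256(b"unrelated script").digest()

if __name__ == "__main__":
    cases = {
        "honest open": [TxOut(100_000, CHANNEL_SPK)],
        "not the full amount": [TxOut(1_000, CHANNEL_SPK)],
        "not paid to the peer": [TxOut(100_000, OTHER_SPK)],
    }
    for name, outs in cases.items():
        print(name, "->", check_funding_output(outs, 0, 100_000, LOCAL_KEY, REMOTE_KEY))
```

Only an "ok" result should let the channel be treated as funded; the two failure results correspond to the two cases in Russell's quote.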
“The problem with this vulnerability is that once you know about it, it seems so obvious…Three months is not a long time. It’s a pretty short time because you have to give users the amount of time needed to update. … A lot of users don’t do it.” Pierre-Marie Padiou, CEO of a Bitcoin Telecom company, ACINQ.
“There are always problems. Even on the bitcoin protocol, there have been bugs,” Padiou said, adding: “There will always be bugs. What matters the most is how to handle this in the best way to protect users.”