A dangerous bug has been fixed in bitcoin’s lightning network. A popular payment network running on top of the bitcoin blockchain was facing a vulnerable code where money could be drained from the payment app.
Disclosure of the bug
On Sept 27th, a disclosure was revealed by Bitcoin developer, Rusty Russell disclosed ‘detailing how this vulnerability could be exploited by an attacker’.
<img width="830" height="517" src="https://www.cryptonewspoint.com/wp-content/uploads/2019/09/rusty-russell-speaker-tedxadelaide.jpg" alt="" class="wp-image-2222 lazyload" />
Rusty Russell
“An attacker can claim to open a [lighting payments] channel but either not pay to the peer, or not pay the full amount,” Rusty Russell , Bitcoin developer
Bitcoin’s lightning network is a ‘Layer 2 payments protocol enabling ultra-fast and nearly costless transactions atop the bitcoin blockchain.’
Users must open the “payments channels” for transactions across the lightning network. The loophole of the payment app is that an attacker could ‘pretend to open a new payments channel and send fake transactions.’
Users on the other side could then send the money to the attacker without knowing the payment from the other side being completely fake. Reports are unclear on how many users have fallen prey to these attacks.
Russell adds that all the major lightning software has been upgraded to fix the attack.
Late Disclosure
On being asked ‘why it took three months for the vulnerability to be disclosed to users’, Pierre-Marie Padiou, CEO of a Bitcoin Telecom company said ‘developers had to err on the side of caution.’
<img width="1024" height="757" src="https://www.cryptonewspoint.com/wp-content/uploads/2019/09/a23dc28d964c3bedf0416d64c7b9c830-1024x757.jpg" alt="" class="wp-image-2218 lazyload" />
Pierre-Marie Padiou
“The problem with this vulnerability is that once you know about it, it seems so obvious…Three months is not a long time. It’s a pretty short time because you have to give users the amount of time needed to update. … A lot of users don’t do it.” Pierre-Marie Padiou, CEO of a Bitcoin Telecom company, ACINQ.
“There are always problems. Even on the bitcoin protocol, there have been bugs,” Padiou said, adding: “There will always be bugs. What matters the most is how to handle this in the best way to protect users.”