Emergency Hotfix Deployed to Prevent Disruption to the Lightning Network

After the recent v0.15.3 update to the Lightning Network, independent cybersecurity researchers discovered a critical security vulnerability that could potentially allow bad actors to stop lnd nodes from parsing transactions.

A Lightning Network Daemon (lnd) is a full implementation of a Lightning Network Node, along with the services and plug-ins that allow it to connect to the rest of the Lightning network, a Layer-2 blockchain for Bitcoin that enables smart contracts to be run on the BTC network.

Update Released Mere Hours After Discovery

Thanks to watchful community member Burak’s work and responsive devs, hotfix v0.15.4-beta was released about three hours after the bug was discovered.

If left unattended, the bug could have halted transactions going through if the nodes responsible for parsing them had been attacked by bad actors.

“This is an emergency hotfix release to fix a bug that will leave lnd nodes unable to parse certain transactions that have a very large number of witness inputs.”

Devs using the Lightning Network now have two weeks to apply the update. Afterward, channel timelocks currently in place will expire and leave the nodes vulnerable again.

Second Critical Bug in a Month, Discovered by Burak

The most recent bug, which affected the btcd wire parsing library of the Lightning Network, was discovered and announced by Burak on Twitter.

In the blockchain transaction used to demonstrate the bug, the developer left a tongue-in-cheek message indicating the root cause of the problem: “you’ll run cln. And you’ll be happy.”

The developer was also responsible for uncovering a similar bug on the 9th of October. In that instance, Burak created a 998-out-of-999 multisig transaction that was promptly rejected by both LND and btcd nodes. This resulted in the entirety of the block the transaction was recorded in being rejected, leading to a measly transaction fee of only $5.16.

Although this bug may have made many in the Bitcoin community happy, it was still technically an exploit of the system and was patched shortly after.

This vulnerability had also allegedly been reported by white hat hacker Anthony Towns, who forwarded the info to a lead Lightning Network dev.

In spite of the speedy resolution to these two bugs, they led to calls for a bug bounty program for the Lightning Network – as these were reported due to nothing more than good faith. Without incentives for ethical hackers to discover and report similar bugs, there’s no telling who may discover future issues first.

Source: https://cryptopotato.com/emergency-hotfix-deployed-to-prevent-disruption-to-the-lightning-network/