Bitcoin’s most popular layer 2, the Lightning Network, had another bug that put users’ funds at risk. Lightning scales faster and cheaper than regular bitcoin transactions by allowing users to join payment channels, therein conducting off-blockchain, ‘bar tab’-like transactions.
By jotting down increases and decreases in bitcoin balances within these payment channels, Lightning users ‘send’ and ‘receive’ bitcoin faster and cheaper than paying miners for the full security and decentralization of on-blockchain transactions.
However, the trade-off for this speed and affordability is evident in this week’s disclosure: security.
LND, one of the four most popular implementations of Lightning, is now in version 18 yet has disclosed a vulnerability affecting versions prior to 17. (Lightning developers waited approximately nine months to disclose the bug, as a precaution.)
They named the bug the LND Onion Bomb.
LND Onion Bomb
The vulnerability is a classic denial of service (DoS) attack. Specifically, attackers can overwhelm LND nodes with onion data packets, using up all of the node’s RAM and taking the node offline.
Worse, the attack is Tor/Onion-based, so it’s private by default. The identity of the assailant remains private throughout the lengthy attack, making it difficult.
— Olaoluwa Osuntokun (@roasbeef) June 19, 2024A DoS vulnerability affecting lnd versions *before* 0.17 (released ~9 months ago) has been disclosed: https://t.co/39QnSWKNis
if your node is updated to either 0.17.x or 0.18.x then you're safe ✅
if unable to update, then setting –rejecthtlc can mitigate the DoS vector
Read more: Critics claim ‘buggy’ Bitcoin Lightning Network is slowly dying
Going offline isn’t problematic for a regular Bitcoin full node, but it’s very bad news for a Lightning node. Offline Lightning nodes may not validate or receive payments, cannot surveil the network for cheating, and are vulnerable to forced channel closures whereby a counterparty steals all remaining funds in the payment channel.
If the attacker continues DoS’ing the victimized node operator for long enough, the time period for broadcasting a Justice Transaction expires and irrevocably transfers ownership of the stolen bounty to the attacker.
A responsible Lightning bug disclosure
So far, there are no major reports of funds stolen from this so-called ‘LND Onion Bomb’ attack. A developer responsibly disclosed it to Lightning Labs on June 20, 2023 and developers patched the exploit by October 3, of that same year with Lightning node software release LND 17.0.
Two days ago — nine months after the patch — developers publicly disclosed the issue.
It’s not the first time the Lightning network has suffered a serious vulnerability that placed users’ funds at risk. Over the years, hackers found a jamming attack, replacement cycling attack, BTCD library bug, unattributed payment routes, LNTXbot breach, and various other bugs in Lightning implementations.
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.
