In December 2022, Bitcoin’s most popular scaling solution, the Lightning Network, experienced a critical vulnerability error. Had a hacker exploited this error, many users could have lost their bitcoin. For context, there are thousands of users and at least 5,500 bitcoin worth at least $150 million in the Lightning Network.
Now that the bug is patched and Bitcoin’s most popular second layer is safe to use, Lightning developer Antoine Riard has disclosed the full details of the vulnerability. Riard’s post-mortem of the vulnerability admits that many Lightning users could have lost their funds entirely.
Riard also explained the code maintenance required to prevent these so-called ‘transaction-relay jamming attacks’ from recurring in the future.
The bug is the latest in a long series of Lightning bugs. Protos has been following an underreported series of them, including the unattributed payment routing bug from November 2022, the BTCD library bug from October 2022, the zombie attack from August 2022, and the Éclair API bug from November 2021.
Brief primer on Bitcoin’s Lightning Network
For those not familiar with it, Bitcoin’s Lightning Network functions through users who commit bitcoin to payment channels with any willing peers. Once opened, bitcoin can be passed back and forth within the channel (on the Lightning Network) without an on-chain, layer 1 transaction.
As their peers then connect to other Lightning Network users and commit bitcoin to additional payment channels, a mesh network forms that now spans the entire globe with over 68,000 channels.
Within this mesh network, users pass bitcoin back and forth by updating a Lightning-based ledger, without an on-chain transaction.
Only when the users wish to exit the Lightning network must they request to settle their funds on-chain with a final, layer 1 transaction. Importantly, this final transaction is usually a Hash Time Locked Contract timeout transaction whose on-chain transaction fee is usually bid when the channel originally opens (more on this later).
Details from Riard’s jamming attack post-mortem
With this context in mind, consider the critical vulnerability bug that Antoine Riard responsibly disclosed. This transaction-relay jamming attack, which was open in December 2022, would have allowed an attacker to target a Lightning payment channel by broadcasting a Hash Time Locked Contract (HTLC) preimage transaction with higher fees than the honest lightning node’s HTLC-timeout.
In other words, the attacker could prevent a user from withdrawing bitcoin from the Lightning Network onto the base layer.
This attack exploited HTLCs by kicking an honest transaction out of Bitcoin’s dominant mempools, forcing the channel closing request to expire without the Lightning users being able to complete their channel closure.
Recall that Bitcoin’s consensus rules prevent double-spending of any kind of the base layer. Therefore, as long as the attacker bid more for the malicious preimage transaction which was tied to the same bitcoin as the existing HTLC-timeout bid, then the payment channel might never actually close.
Stated simply, the attack would have prevented users from withdrawing bitcoin from their Lightning channel. By outbidding their payment channel closing request, the attacker might be able to suspend bitcoin inside the channel indefinitely, assuming a rational mining pool selects the highest fee transactions for inclusion in blocks.
Responsible Lightning bug disclosure
Fortunately, no one ever actually exploited this vulnerability to seize anyone’s real bitcoin. Developers quietly patched the bug without stealing anyone’s money.
The potential attack also impacted any Lightning routing hops carrying HTLC traffic. (As Lightning users pass bitcoin through channels across the globe, the bitcoin hops through routing nodes that charge a small routing fee.)
The bug also introduced security risks and potential loss of funds for legacy and anchor output channels. Worse, the attack could occur even if the mempool was not congested, assuming the mining pool operators were rational economic actors who chose the highest-bidding transactions for inclusion in a block.
Bug contagion could have spread on-chain
The vulnerability also impacted a number of other Bitcoin protocols, including:
- Discreet Log Contracts (DLCs)
- wallets with time-sensitive paths
- peerswap and submarine swaps
- batch payouts
- transaction “accelerators”
All of the above were vulnerable to a malicious actor bidding a never-ending series of high fee, preimage transactions.
Lightning Network developers discovered the vulnerability in December 2022 while discussing other topics like layer 2 payment channels and ensuring incentives lined up with the mempool’s anti-denial of service (DOS) protocols.
Lightning jamming attack patch details
Riard says developers have released solutions for all major Lightning Network implementations. He says patches are live in the following software updates, covering all four of the major Lightning Network implementations.
- LDK: v0.0.118 – CVE-2023 -40231
- Eclair: v0.9.0 – CVE-2023-40232
- LND: v.0.17.0-beta – CVE-2023-40233
- Core-Lightning: v.23.08.01 – CVE-2023-40234
Riard added the disclaimer that the solution is not tested against real-world jamming attacks of previously vulnerable Lightning nodes operators who have not updated their software. He says a sophisticated attacker might still expose small weaknesses remaining in insecure channels with a combination of attacks, such as jamming, pinning, or other sophisticated tactics.
In summary, developers have responsibly kept a ‘jamming attack’ vulnerability under wraps since December 2022 until they released updates to the most popular clients for Bitcoin’s Lightning Network. Although they have avoided any major theft of the millions of dollars worth of bitcoin held by Lightning Network users, their security patches remain untested against any real-world attack.
Riard has issued a full disclosure of the bug and encourages continued diligence to avoid future bugs that would compromise the credibility of Bitcoin’s most popular scaling solution.