A popular Bitcoin tipping bot for Telegram messenger powered by the Lightning Network was exploited over the weekend by hackers who stole 14 million satoshis (0.14 BTC, worth about $9,480).
Éclair by French unit ACINQ is one of the Lightning Network’s top-three implementations. The other two are LND by Lightning Labs, and C-Lightning by Blockstream.
The team has now taken the bot offline while they investigate.
Altana Digital Currency Fund chief information officer Alistair Milne volunteered to replace the stolen Bitcoin.
Lightning Network uses Bitcoin
Lightning Network is a “layer 2” payment protocol that’s distinct from Bitcoin’s base-layer.
When users want to make a Lightning payment, they:
- Open and fund a “channel” by signing a multi-signature smart contract as one transaction on Bitcoin’s base blockchain.
- Users can then exchange BTC within their Lightning channel for negligible costs, avoiding the high miner fees of Bitcoin’s ‘layer 1’ blockchain.
- To exit Lightning, users close the channel back onto Bitcoin’s blockchain, finalizing and distributing funds.
Some Bitcoiners claim that “Lightning is Bitcoin” because it utilizes legitimate Bitcoin protocols, does not create any new coins or tokens, and is a valid use of Bitcoin’s permissionless network.
Lightning does help Bitcoin scale, reduce fees, optimize blockchain storage capacity, and improve speed for the average user. Indeed, Lightning is a cheap way to temporarily transfer funds between counterparties until payment channels close.
It accomplishes these feats without breaching any rules of the Bitcoin protocol. In this sense, it is Bitcoin.
Bitcoin with added trust
However, proponents of Lightning Network often advertise Lightning transactions as tantamount to — or even better than — layer 1 transactions. Faster, cheaper, easier, and still Bitcoin? What’s not to love?
The truth is that although Lightning is a valid utility of the Bitcoin protocol, while users are within the Lightning Network their transactions and activities do not benefit from Bitcoin’s blockchain.
In particular, Lightning Network transactions are not quickly validated by 12,000 globally distributed full nodes, nor secured by 160 million terahashes per second. Until they leave Lightning and settle on-blockchain, users must trust a relatively small number of counterparties.
In essence, Lightning Network reintroduces temporary trust and centralization. Lightning is a trade-off.
Users sacrifice the security and trustlessness of Bitcoin’s blockchain to temporarily gain faster and cheaper fees. They can leave Lightning at any time and reclaim these benefits; but again, risks are elevated until they exit Lightning.
Case in point: hackers stealing 0.14 BTC from Lightning Network Transaction Bot.
Receiving Bitcoin via Lightning is (slightly more) risky
Although Lightning users do not break any of Bitcoin protocols, its users briefly compromise the security of their funds while inside of Lightning (before settling on-chain).
Lightning Network relies on hubs that link bidirectional payment channels through an expansive mesh network.
Liquidity within the publicly accessible Lightning Network exceeds 3,100 BTC ($210 million).
Hub operators hold channels open until users are ready to settle on-chain. If any particular node drops its connection, all channels it was holding open must close and settle on-chain.
And unlike a Bitcoin full node, a Lightning node requires a continuous internet connection.
Lightning Network also requires all users to be alert for potential scams, which has led to the development of “watchtower” nodes capable of watching for fraud.
Attack vectors, only on Lightning
Various cybersecurity vulnerabilities are entirely unique to Lightning.
The most famous, described by developer Joost Jager, demonstrated that the Lightning Network is vulnerable to denial-of-service attacks.
- An attacker could fill channels to maximum capacity for hash-time-lock contracts (HTLCs).
- This attack would force a Lightning user to close the channel because the funds would be “stuck.”
- Attackers could use this griefing attack to sabotage someone else’s transaction, even if they cannot directly steal the funds.
Attackers could also compromise a user through an eclipse attack, which uses hundreds of fraudulent (non-routing, uncooperative) nodes to make it difficult for a victim to find a legitimate node through which to send transaction data.
Attackers could also use a pinning attack by transmitting conflicting transaction data to nodes with different mempools, tricking a user into sending funds or improperly closing their channels.
During a presentation at the 2019 Lightning Conference in Berlin, Blue Wallet’s Igor Korsakov described a few ways in which hackers could exploit APIs to attack Lightning Network-based apps.
Korsakov published these slides on his website.
In last weekend’s Lightning Network Transaction Bot theft, the attackers exploited the Éclair API.
According to ACINQ’s Éclair GitHub repository, it is a “feature-rich HTTP API that enables application developers to easily integrate” its Scala implementation of the Lightning Network.
The repository page warns that the JSON API should not be easily accessible to the outside world.
Follow us on Twitter for more informed crypto news.