Russell explained that the vulnerability arose while funding channels were being opened. The process as described does not require the recipient to check whether a transaction is the one the funder promised, in terms of the amount and the actual scriptPubKey.
A scriptPubKey is a transaction output script that sets the conditions that must be met before a recipient can spend the bitcoins. The document explains:
“A lightning node that accepts a channel must check whether the funding transaction's output really opens the proposed channel. Otherwise, an attacker may claim to open a channel but not pay to the peer or not pay the full amount. Once that transaction reaches the minimum depth, it can spend funds from the channel. The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
A possible solution
Russell also proposed a solution to the above problem. Once the funding transaction has been seen, peers must "check whether the outpoint described in 'funding_created' (1) is an output of the funding transaction (2) with the amount described in 'open_channel' (3)."
The document also states that c-lightning versions 0.7.1 and higher perform the check correctly and encourages users to upgrade older versions of their Lightning nodes.
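The check Russell describes can be sketched as follows. This is an added example, not code from c-lightning or any other implementation. It assumes the transaction has already been fetched by the txid given in `funding_created`, that the funding output uses the BOLT 3 layout (P2WSH of a 2-of-2 multisig with the keys sorted), and that the field names `funding_satoshis` and `output_index` follow the BOLT 2 messages. The keys and outputs are constructed samples.

```python
import hashlib
from typing import List, NamedTuple

class TxOut(NamedTuple):
    value_sat: int
    script_pubkey: bytes

# Constructed sample keys: 33-byte placeholders, not real channel keys.
LOCAL_KEY = b"\x02" + b"\x11" * 32
REMOTE_KEY = b"\x03" + b"\x22" * 32

def funding_script_pubkey(key_a: bytes, key_b: bytes) -> bytes:
    """P2WSH scriptPubKey of the 2-of-2 funding output (BOLT 3 layout)."""
    k1, k2 = sorted((key_a, key_b))  # lexicographically lesser key first
    # OP_2 <k1> <k2> OP_2 OP_CHECKMULTISIG
    witness_script = b"\x52\x21" + k1 + b"\x21" + k2 + b"\x52\xae"
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()

def check_funding_output(outputs: List[TxOut], output_index: int,
                         funding_satoshis: int, key_a: bytes,
                         key_b: bytes) -> List[str]:
    """Return the failed checks; an empty list means the output really
    opens the proposed channel."""
    if not 0 <= output_index < len(outputs):
        return ["outpoint is not an output of the funding transaction"]
    out = outputs[output_index]
    failed = []
    if out.value_sat != funding_satoshis:
        failed.append("amount differs from open_channel")
    if out.script_pubkey != funding_script_pubkey(key_a, key_b):
        failed.append("scriptPubKey does not pay the 2-of-2 channel script")
    return failed

if __name__ == "__main__":
    good = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
    other = b"\x00\x14" + b"\xaa" * 20  # constructed P2WPKH-style script
    cases = {
        "honest": ([TxOut(100_000, good)], 0),
        "underpaid": ([TxOut(1_000, good)], 0),
        "not paid to peer": ([TxOut(100_000, other)], 0),
        "missing output": ([TxOut(100_000, good)], 1),
    }
    for name, (outs, idx) in cases.items():
        print(name, check_funding_output(outs, idx, 100_000, LOCAL_KEY, REMOTE_KEY))
```

A node applying this check would refuse to treat the channel as open unless the returned list is empty, regardless of how many confirmations the transaction has.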
On September 10, Olaoluwa Osuntokun, CTO at LN-focused startups Lightning Labs and ACINQ, also claimed that authorities have found the vulnerability being exploited. To avoid the risk of losing money, Osuntokun strongly advised users to update their LN versions. The affected versions include, according to Osuntokun's message, LND nodes version 0.7 and lower, c-lightning nodes version 0.7 and lower, and eclair nodes version 0.3 and lower.
The number of Bitcoin LN nodes reached 10,000 for the first time on 26 September.
As Cointelegraph previously reported, Andreas Antonopoulos announced his new book "Mastering Lightning Network", co-authored with René Pickhardt and Lightning Labs CTO Olaoluwa Osuntokun.