In December 2022, the Bitcoin Lightning Network, the most widely used scaling solution for Bitcoin, encountered a critical vulnerability. This error, if exploited by a malicious actor, could have resulted in significant losses for Bitcoin users. To provide some context, the Lightning Network boasts thousands of users and holds a value of at least 5,500 Bitcoin, equivalent to a substantial sum of over $150 million.
With the vulnerability now addressed and the Bitcoin Lightning Network deemed safe for utilization, Antoine Riard, a developer in the Lightning community, has chosen to reveal the comprehensive details of this vulnerability. In his post-mortem analysis of the flaw, Riard acknowledges the potential risks that many Lightning Network users faced, where their funds were at risk of complete loss.
Riard has also elucidated the necessary code maintenance measures to safeguard against future occurrences of what are referred to as ‘transaction-relay jamming attacks.’
This particular bug adds to a series of vulnerabilities that have affected the Lightning Network. Protos has been diligently tracking these often underreported issues, including the unattributed payment routing bug in November 2022, the BTCD library bug in October 2022, the zombie attack in August 2022, and the Éclair API bug from November 2021.
A concise introduction to Bitcoin’s Lightning Network:
Here’s a brief overview of the Bitcoin Lightning Network.
For those unacquainted with it, Bitcoin’s Lightning Network operates by enabling users to lock up Bitcoin in payment channels with willing peers. Once established, Bitcoin can be seamlessly transferred back and forth within the channel, all within the Lightning Network, without the need for an on-chain, layer 1 transaction.
As these peers proceed to link with other Lightning Network users and establish additional payment channels, a mesh network takes shape, extending across the globe with an impressive count of over 68,000 channels.
Within this intricate mesh network, users engage in the exchange of Bitcoin by continually updating a ledger built on Lightning technology, all without the necessity of an on-chain transaction.
It’s only when users intend to exit the Lightning network that they initiate the process of settling their funds on-chain with a final, layer 1 transaction. It’s worth noting that this final transaction typically employs a Hash Time Locked Contract timeout transaction, with the on-chain transaction fee usually determined during the channel’s initial setup (more details on this to follow).
Insights from Riard’s post-incident analysis of the jamming attack
With this context in mind, let’s delve into the significant vulnerability disclosed by Antoine Riard. This vulnerability, identified as the transaction-relay jamming attack, came to light in December 2022. It had the potential to allow an attacker to target a Lightning payment channel by broadcasting a Hash Time Locked Contract (HTLC) preimage transaction with higher fees than the honest lightning node’s HTLC-timeout.
In simpler terms, the attacker could obstruct a user’s ability to withdraw Bitcoin from the Lightning Network and return it to the base layer.
This attack took advantage of HTLCs by effectively pushing an honest transaction out of Bitcoin’s primary mempools. As a result, the channel closure request would expire, preventing Lightning users from finalizing the closure of their channel.
It’s essential to remember that Bitcoin’s consensus rules strictly prohibit any form of double-spending on the base layer. Therefore, if the attacker offered a higher fee for the malicious preimage transaction linked to the same Bitcoin as the existing HTLC-timeout bid, the payment channel might effectively remain open indefinitely. In essence, this attack would have halted users from withdrawing Bitcoin from their Lightning channel by outbidding their channel closure request, contingent on a rational mining pool selecting transactions with the highest fees for inclusion in blocks.
Responsible disclosure of a Lightning Network bug
Thankfully, no malicious actors took advantage of this vulnerability to abscond with real Bitcoin from anyone. The diligent developers discreetly rectified the bug without causing any financial harm.
It’s worth noting that the potential attack had ripple effects on any Lightning routing hops responsible for carrying HTLC traffic. As Bitcoin journeys through channels worldwide via Lightning users, it traverses routing nodes that levy nominal routing fees.
Furthermore, this bug introduced security vulnerabilities and the possibility of financial losses, especially for legacy and anchor output channels. What’s even more concerning is that the attack could transpire even in scenarios where the mempool wasn’t congested, provided that mining pool operators acted rationally and selected the highest-bidding transactions for inclusion in a block.
The potential for the bug to propagate and affect on-chain operations was a concern.
The vulnerability also had ramifications for various other Bitcoin protocols, such as:
- Discreet Log Contracts (DLCs)
- Coinjoins
- Payjoins
- Wallets with time-sensitive paths
- Peerswap and submarine swaps
- Batch payouts
- Transaction “accelerators”
All of the mentioned protocols were susceptible to exploitation by a malicious actor employing an unending series of high-fee preimage transactions.
Lightning Network developers brought this vulnerability to light in December 2022 while in discussions covering topics like layer 2 payment channels and ensuring that incentives aligned with the mempool’s anti-denial of service (DOS) protocols.
Details regarding the patch for the Lightning jamming attack
Riard mentions that developers have addressed the issue by providing solutions for all the major Lightning Network implementations. He notes that patches are now integrated into the following software updates, encompassing all four of the primary Lightning Network implementations:
- LDK: Version 0.0.118 – CVE-2023-40231
- Eclair: Version 0.9.0 – CVE-2023-40232
- LND: Version 0.17.0-beta – CVE-2023-40233
- Core-Lightning: Version 23.08.01 – CVE-2023-40234
Riard offers a disclaimer that these solutions have not been tested against real-world jamming attacks on previously vulnerable Lightning nodes whose operators have not updated their software. He highlights the possibility of sophisticated attackers exploiting any remaining vulnerabilities in insecure channels through a combination of tactics, including jamming, pinning, and other advanced methods.
To sum it up, developers have responsibly kept the ‘jamming attack’ vulnerability undisclosed since December 2022, until they introduced updates to the most widely used clients for Bitcoin’s Lightning Network. While they have successfully prevented any significant theft of the substantial Bitcoin holdings within the Lightning Network, these security patches have yet to undergo real-world testing. Riard has provided a comprehensive disclosure of the bug and emphasizes the importance of ongoing vigilance to safeguard against potential future vulnerabilities that could undermine the credibility of Bitcoin’s premier scaling solution.