Lightning Network Vulnerability Exploited Before Patch Released


The Lightning Network has been dubbed the future of Bitcoin, and some circles hail it as the solution to Bitcoin’s inherent scaling issues. However, a major vulnerability was spotted back in August, with Common Vulnerabilities and Exposures (CVEs) discovered in the core libraries of Eclair, C-Lightning, and Lightning Network Daemon (lnd). At the time it wasn’t clear whether the bug had been exploited, but Lightning Labs CTO Olaoluwa Osuntokun has since confirmed that Bitcoin has gone missing through these CVEs.

Trying to Keep it Quiet

Australian developer Rusty Russell reported the issue to the Lightning-dev mailing list and deliberately left out exactly what the issues were, promising to reveal them on September 27. Despite his best efforts to keep the CVEs under wraps, it appears that a hacker has managed to crack the code and steal Bitcoin from the network. In his email to the Lightning-dev mailing list, Osuntokun said:

We’ve confirmed instances of the CVE being exploited in the wild. If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
* lnd v0.7.1 — anything 0.7 and below is vulnerable
* c-lightning v0.7.1 — anything 0.7 and below is vulnerable
* eclair v0.3.1 — anything 0.3 and below is vulnerable

People Are Not Afraid

Typically, when a bug of this magnitude is identified and exploited, people take their cash and run for the hills. However, according to data from Bitcoin Visuals, the total network capacity has held steady around the 830 region. While the network’s capacity has fallen significantly since its all-time high of just over 1,100, the Lightning Network is still going strong and holding steady amidst this latest scandal.

It’s going to take a lot more than a fund-stealing bug to put people off using the layer 2 scaling solution, but if more bugs are found in the coming months, we could see newcomers to the Lightning Network get scared off and switch to a more scalable network such as Bitcoin Cash or Bitcoin SV. Users are still being urged to update to the latest version of the Lightning Network.
