An emergency update was released for all Lightning Network LND node operators on November 1, after a critical bug caused LND nodes to fall out of sync chain. This was the second critical bug experienced by the network in less than a month.
According to Lightning Labs, developer of the Bitcoin Lightning Network, some LND nodes stopped syncing due to an issue with the btcd wire analysis library. The hotfix (v.015.4) was released almost three hours after the break. The statement said:
“This is an emergency release to fix a bug that may cause lnd nodes to be unable to parse certain transactions that have a large number of token entries.”
According to the issue on GitHub, non-updated nodes will be vulnerable to malicious channel shutdowns once channel timelocks expire in two weeks. The bug affected only LND nodes, making the current state of the chain obsolete, although payment transactions were still available. Some versions of electrs were also affected, according to another issue on GitHub.
The bug was triggered by a developer nicknamed Burak on Twitter, with a message in the transaction saying “you’ll run cln. and be happy.”
Sometimes to find the light, we must first touch the darkness.https://t.co/dhCwF0DxpE
— Burak (@brqgoo) November 1, 2022
Sometimes, to find the light, we must first touch the darkness.
Burak was also responsible for triggering a similar bug on Oct 9, when they created a 998 out of 999 multisig transaction that was rejected by btcd and LND nodes, causing the entire block and all post-transaction blocks to be rejected. . On the same day, Lightning Labs released a patch to fix the problem.
I just did a 998-of-999 tapscript multisig, and it only cost $4.90 in transaction fees.https://t.co/CvBHaRAqPu
— Burak (@brqgoo) October 9, 2022
On Twitter, users suggested it was time for an LND bug bounty program:
Savage takedown of LND lightning nodes by exploiting a consensus discrepancy between Bitcoin Core and btcd with a single Bitcoin transaction.
Encodedmessage:
“you’ll run cln. and you’ll be happy.”Probably not a “responsible disclosure”. Time for an LND bug bounty program? https://t.co/sLZQIsS4Zt pic.twitter.com/S8HwKXdoip
— Stadicus (@Stadicus3000) November 1, 2022
Savage destruction of LND lightning nodes by exploiting a consensus discrepancy between Bitcoin Core and btcd with a single Bitcoin transaction.
Coded message:
“you will execute cln. and you will be happy”.Probably not a “responsible disclosure”. Is it time for an LND bug bounty program?
Computer hacker Anthony Towns too he claimed having disclosed the vulnerability to the LND developers two weeks ago, noting that “the btcd repository doesn’t appear to have a security bug reporting policy, so I’m not sure if anyone else working on btcd found out about it.”
The Lightning Network is a second layer added to the Bitcoin (BTC) blockchain that allows for off-chain transactions, meaning transactions between parties that are not on the blockchain network.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the full amount invested may be lost. The services or products offered are not aimed at or accessible to investors in Spain.