Blockstream developer Rusty Russell has revealed more details about the Lightning Network vulnerability, which first became known in late August.
As Russell wrote, the vulnerability arose during the creation and replenishment of its channels. In particular, when creating a channel, the recipient did not need to verify the transaction output amount used to replenish the channel or use the scriptpubkey script, which allows you to verify that certain conditions are met before spending the output.
The Lightning Network at the protocol level does not require such verification, and for this reason, the attack organizer was able to inform about the opening of the channel without transferring payment to the recipient or transferring an incomplete amount.
As a result, the attacker could spend the funds in the channel without notifying the other side. Only after closing the channel did the latter discover that the transactions transmitted through it were invalid.
In mid-September, the developers recognized that the vulnerability was used in real conditions, without specifying the extent of the possible damage.
Earlier in September, the technical director of Lightning Labs and ACINQ, Olaoluwa Osuntokun, confirmed the cases of practical exploitation of the discovered vulnerability.
The following releases are still considered vulnerable:
- LND version 0.7 and below;
- c-lightning version 0.7 and below;
- eclair version 0.3 and below.
In this regard, developers of the main Lightning Network clients again remind about the need to upgrade to the latest versions. Special tools (Lightning Labs and Acinq) were also released to determine if the attack affected users.