Author: Rusty Russell 2016-03-05 09:28:36
Published on: 2016-03-05T09:28:36+00:00
A vulnerability in the onion routing of Bitcoin's lightning network has been discovered by Mats Jerratsch via Lightning-dev. It is possible to attack the system with probing too short of an absolute CLTV refund timeout. When accepting a payment, one will check if the remaining timeout > MIN_TIMEOUT. One solution for this particular attack would be to remember the onion and always fail an identical one. However, this would allow a single probe, which asks "are you the final destination?". Additionally, the timeout for the next hop should probably be somewhat randomized, at least subtracting (MIN_TIMEOUT to MIN_TIMEOUT*2). The question remains about what HTLC timeout should be set to initially. Even if it is randomized, over time the pattern would reveal to your peer if you are originating all the HTLCS.
Updated on: 2023-05-23T22:39:02.204988+00:00