Author: Antoine Riard 2020-10-20 22:05:18
Published on: 2020-10-20T22:05:18+00:00
A vulnerability has been discovered in Lightning Network Daemon (LND) prior to version 0.11 that could allow a malicious peer to steal an intercepted hash time-locked contract (HTLC). When LND had relayed the HTLC hash-and-amount collision with an expected payment HTLC on the same channel, it would release the preimage for the later while claiming on-chain the former. This issue was due to the vulnerability in its invoice database while claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. A malicious peer could have deliberately intercepted an HTLC intended for the victim node, probed the preimage through a colluding relayed HTLC and stolen the intercepted HTLC.This vulnerability was exposing routing nodes also receiving payments, such as merchant nodes. A peer servicing as an intermediary hop of a payment path could have guessed that the next hop is the final receiver by comparing the HTLC's amount_msat with any goods/services advertised by the victim node merchant website. The current spec requirement is "a local node if it receives (or already possesses) a payment preimage for an unresolved HTLC output that it has been offered AND for which it has committed to an outgoing HTLC MUST resolve the output by spending it, using the HTLC-Success transaction". The LN ecosystem is advised to consider mandatory deployment of `payment_secret`, reducing the surface area for this class of bugs, among other benefits. The vulnerability was discovered while working on Rust-Lightning, and a quick manual test against LND confirmed this vulnerability. The LND team released v0.11.0-beta with a fix, and users are encouraged to upgrade to LND v0.11.x ASAP. A partial disclosure was made on October 8, 2020, and a full disclosure was made on October 20, 2020.
Updated on: 2023-06-01T18:36:33.096055+00:00