Author: Antoine Riard 2020-10-20 22:56:09
Published on: 2020-10-20T22:56:09+00:00
A vulnerability in the Lightning Network protocol has been discovered that could allow attackers to steal in-flight HTLCs. It stems from lightning nodes verifying the consensus-validity of counterparty signatures for channel transactions but not their tx-relay standardness, which makes them susceptible to malicious high-S signatures. Bitcoin Core 0.10 introduced a check against high-S signatures, which LND did not implement prior to v0.10, allowing invalid local commitment/HTLC transactions. The verification method used by LND relies on the default golang crypto ecdsa package, which does not enforce the lower-S form of the signature. To address this issue, LND adopted a solution that normalizes high-S signatures to a tx-relay standard one, which can be done by the receiver. However, a more proactive solution was proposed: fail the channel at any reception of a high-S signature.

Lightning node security is crucial because each party owns a different version of the transaction, including all parties' balances/HTLCs, and must own a valid witness at any time. The witness stack for commitment transactions includes signatures that might have been maliciously malleated by an attacker. These signatures are provided at channel updates, in the counterparty's commitment signed exchange. Lightning node operators should be aware that they are running a Bitcoin bank in plain sight, and any failure might be observed and exploited by an attacker.

This vulnerability highlights the importance of transaction standardness, which is a set of supplementary anti-DoS rules on top of Bitcoin consensus rules, and affects other time-sensitive multi-party protocols such as vaults/CoinSwaps. Tx-relay standardness issues pose a systematic risk for layer 2 protocols relying on time-sensitive transactions. Therefore, the wider Bitcoin ecosystem needs to address this issue.

Another vulnerability has also been identified in the Lightning Network protocol, related to the expiration of a preimage with outdated utility. This vulnerability is similar to the one described in the Flood & Loot paper and could lead to the exploitation of channel timelocks. The vulnerability has been addressed in two pull requests (PR) on the lightning-rfc repository, PR #764 and PR #772. A wider discussion on the topic can be found on the bitcoin-dev mailing list.

To avoid potential attacks, it is recommended that Lightning Network users upgrade their software to the latest version.
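
The gap described above, where Go's standard `crypto/ecdsa` verification accepts a signature that a low-S policy rejects, together with the receiver-side normalization, as an added example (not LND's code and not from the original post). It assumes P-256 as a stand-in curve because secp256k1 is not in the Go standard library; `isLowS`, `normalizeS` and `demo` are hypothetical names and the signed message is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// isLowS reports whether s <= n/2 (n = group order), the low-S policy form.
func isLowS(curve elliptic.Curve, s *big.Int) bool {
	half := new(big.Int).Rsh(curve.Params().N, 1)
	return s.Cmp(half) <= 0
}

// normalizeS returns the low-S twin of s: s itself if already low, else n - s.
func normalizeS(curve elliptic.Curve, s *big.Int) *big.Int {
	if isLowS(curve, s) {
		return new(big.Int).Set(s)
	}
	return new(big.Int).Sub(curve.Params().N, s)
}

// demo returns: does ecdsa.Verify accept a high-S signature, does the low-S
// policy accept it, and does the normalized form pass both checks.
func demo() (verifyHigh, policyHigh, normalizedOK bool, err error) {
	curve := elliptic.P256() // assumption: stand-in curve, Bitcoin uses secp256k1
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return
	}
	digest := sha256.Sum256([]byte("constructed commitment tx sighash"))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return
	}
	// Force the high-S form of the same signature, whichever form Sign produced.
	high := new(big.Int).Sub(curve.Params().N, normalizeS(curve, s))
	verifyHigh = ecdsa.Verify(&key.PublicKey, digest[:], r, high)
	policyHigh = isLowS(curve, high)
	fixed := normalizeS(curve, high)
	normalizedOK = isLowS(curve, fixed) && ecdsa.Verify(&key.PublicKey, digest[:], r, fixed)
	return
}

func main() { fmt.Println(demo()) }
```

A receiver that only calls `ecdsa.Verify` sees `verifyHigh == true` and stores the signature; the separate `isLowS` check is what lets it either normalize the value or fail the channel.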
Updated on: 2023-06-03T02:54:48.943192+00:00