Author: Conner Fromknecht 2020-10-20 21:52:29
Published on: 2020-10-20T21:52:29+00:00
A vulnerability in the Lightning Network Daemon (LND) has been discovered, which could allow an attacker to steal bitcoin from other nodes. The vulnerability (CVE-2020-26896) affects any LND node permitting HTLC forwarding and operating as any form of merchant node. However, nodes that use rejecthtlc=1 are not affected. To exploit the vulnerability, the attacker intercepts a real or single-sharded MPP HTLC before creating a malicious HTLC with the same payment hash. They then route the malicious HTLC through the victim and back to themselves and trigger a unilateral close of the channel. The victim would promptly broadcast the HTLC-success transaction for the malicious HTLC, revealing the target invoice preimage on-chain when the incoming HTLC is claimed. Due to the bug, the preimage provided to sweep the malicious HTLC is obtained from the invoice database as a fallback to the (forwarded) preimage database, rather than being ignored. The victim would believe they had received the full payment when they had only received routing fees, while the attacker would have diverted the payment to themselves. The vulnerability was discovered by Antoine Riard and has been patched in LND v0.11.0-beta. Implementations are also encouraged to make payment secrets required by default, which would prevent attackers from guessing the payment secret. PGP signatures are used to authenticate the sender of a message and ensure its integrity. The signature is a long string of characters that includes a public key and a hash of the original message. The purpose of PGP signatures is to prevent tampering and impersonation in electronic communication. PGP (Pretty Good Privacy) is widely used encryption software that allows users to protect their emails and files with strong cryptography. It uses a combination of symmetric and asymmetric encryption, as well as digital signatures, to ensure the privacy and authenticity of data. Digital signatures are created by hashing the original message and encrypting the hash with the sender's private key. The recipient can then verify the signature by decrypting the hash with the sender's public key and comparing it to the hash of the received message. Overall, PGP signatures are an important tool for secure communication and help to protect against fraud and cyber attacks.
Updated on: 2023-06-01T18:35:54.294243+00:00