Author: Rusty Russell 2019-09-27 12:01:46
Published on: 2019-09-27T12:01:46+00:00
A vulnerability in the Lightning Network protocol has been discovered wherein an attacker can open a channel without paying the full amount. The victim will only notice this when it tries to close the channel and none of the commitment or mutual close transactions it has are valid. Implementations of Lightning Network did not always check for this, with c-lightning versions prior to v0.7.1 and lnd versions prior to v0.7.1 not checking correctly, while eclair versions prior to v0.3.1 did not check if using the bitcoin core backend, and electrum users only checked the script, not the amount. Exploiting Electrum users requires the user to actively connect to a malicious Lightning node, and the attacker to use the correct scriptpubkey, which burns the coins in the funding output. Since Eclair Mobile doesn’t relay payments, the attacker can’t cash out without an offband interaction.To address this issue, peers must check that the outpoint as described in `funding_created` is a funding transaction output with the amount described in `open_channel`. To open a channel, the funding peer sends `open_channel` with the proposed `funding_satoshis`. The fundee replies with `accept_channel` providing the keys it wants to use for the funding transaction. Then the funder creates the funding transaction, and sends the transaction id and output number in a `funding_created` message. Exploitation via an incorrect amount is possible against all prior versions of lnd, but in v0.7.0 and above, the attacker must use the correct scriptpubkey, which burns the coins in the funding output. Exploitation via an incorrect scriptpubkey is possible on all versions prior to v0.6.0, and this exploit is also possible in v0.6.x if the node is offline when the funding transaction reached the required number of confirmations and running with -txindex=0 on either full node backend. Finally, exploiting neutrino users (usually mobile or laptop) with an incorrect outpoint would require the attacker to collide their fake outpoint with the script of the real outpoint in the BIP 158 filter.
Updated on: 2023-06-01T18:16:43.109027+00:00