Who will fix critical vulnerabilities in Bitcoin Lightning Network?

According to network security specialists, in 2016 a team of virtual asset enthusiasts implemented Lightning Network, a project that provides greater scalability by creating a second layer on top of the Bitcoin blockchain, with the goal of improving the speed of transactions by eliminating the need for everyone on the network to approve them.

Although it is indeed useful to users, some security vulnerabilities have been discovered on the network, thanks to a security audit conducted a few months ago.

The work of Blockstream, a blockchain technology firm, has been instrumental in this discovery. In addition to its corporate projects, the company has actively collaborated on the development of Lightning Network, especially through the creation of “c-lightning”, an implementation of the network in the C programming language, as noted by network security specialists.

A team of Blockstream developers collaborated on an investigation into the polling mechanisms Lightning uses, to determine whether these processes could be exploited by threat actors to gain access to sensitive cryptocurrency transaction data. After the investigation, the specialists determined that there are two possible attack variants:

  • An active probe, in which a malicious actor attempts to determine the maximum amount that can be transferred through a connected target channel
  • A timing attack, in which an attacker tries to figure out how close the destination of a routed payment really is

Network security specialists demonstrated that it is possible to track channel payments on any node accessible from the attacking node, as long as you have only one channel whose balance is lower than or equal to the second-lowest balance on the path from the attacking node. However, the researchers also noted that nodes that are declared private could avoid being transmitted, something that could be useful for mobile cryptographic wallets or nodes with limited uptime, such as PCs.
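As a defender's view of the first attack variant, the following added example (not code from the article, from Blockstream or from c-lightning) flags a channel when a burst of forwards that never settle brackets its balance ever more tightly. The event format, the outcome names and the thresholds are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real node logs:
# (unix_time, channel, amount_msat, outcome)
# Assumed outcomes: "settled"; "local_fail" = this node lacked the balance
# to forward; "remote_fail" = forwarded, then failed further along the route.
EVENTS = [
    (1000, "chanA", 8_000_000, "local_fail"),
    (1002, "chanA", 4_000_000, "remote_fail"),
    (1004, "chanA", 6_000_000, "local_fail"),
    (1006, "chanA", 5_000_000, "remote_fail"),
    (1008, "chanA", 5_500_000, "local_fail"),
    (1010, "chanA", 5_250_000, "remote_fail"),
    (1003, "chanB", 1_200_000, "settled"),
    (1500, "chanB", 9_000_000, "local_fail"),
    (4000, "chanB", 300_000, "settled"),
]


def find_probed_channels(events, window_s=60, min_attempts=5, max_gap_ratio=0.1):
    """Return {channel: (lo, hi)} for channels where unsettled attempts inside
    one time window narrow the balance to within max_gap_ratio of the largest
    refused amount. (lo, hi) is the balance interval an observer has learned."""
    by_chan = defaultdict(list)
    for ts, chan, amount, outcome in sorted(events):
        if outcome != "settled":  # assumption: probe payments never settle
            by_chan[chan].append((ts, amount, outcome))

    flagged = {}
    for chan, attempts in by_chan.items():
        for i, (start, _, _) in enumerate(attempts):
            burst = [a for a in attempts[i:] if a[0] - start <= window_s]
            passed = [amt for _, amt, o in burst if o == "remote_fail"]
            refused = [amt for _, amt, o in burst if o == "local_fail"]
            if len(burst) < min_attempts or not passed or not refused:
                continue
            lo, hi = max(passed), min(refused)  # balance lies in [lo, hi)
            if lo < hi and (hi - lo) <= max_gap_ratio * max(refused):
                flagged[chan] = (lo, hi)
                break
    return flagged


if __name__ == "__main__":
    for chan, (lo, hi) in find_probed_channels(EVENTS).items():
        print(f"{chan}: balance exposed to within [{lo}, {hi}) msat")
```

The returned interval shows an operator how much balance information has already leaked on the flagged channel; ordinary traffic on chanB, with one isolated failure, is not flagged.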

The International Cyber Security Institute (IICS) mentions that these reports will be useful to Lightning Network developers, helping the blockchain to be ready for its transition to mass adoption of this technology.