The Lightning Network, the micropayments solution that is being developed to scale bitcoin transactions, is newly hardened after its builders coordinated to patch a bug that attackers could have exploited to steal other users’ funds.
The bug, which was discovered by developer Rusty Russell on June 27th and first publicly revealed on August 30th, could have been used by an attacker to fake channel openings and cheat other users out of their money, as Russell explained in a full disclosure report published on September 27th:
“A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed. Otherwise an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount.”
For context, Lightning is a second-layer network built atop Bitcoin that facilitates quick off-chain bitcoin transactions between users who have opened payment channels with each other. Once these channels are closed, their collections of transactions are sent on-chain as one efficient bitcoin payment instead of many, which opens the door to micropayments.
With this latest vulnerability patched, these channels can no longer be spoofed. Lightning’s three main implementations, c-lightning, lnd, and eclair, had all been vulnerable in previous versions.
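The check Russell describes can be sketched in Python as an added example (it is not code from c-lightning, lnd or eclair): the accepting node rebuilds the 2-of-2 P2WSH script it expects from the two funding keys, using the layout in the Lightning BOLT 3 specification, and compares both script and amount against the output the opener named. The function names, the parsed `(value, script)` output tuples and the sample keys are assumptions constructed for illustration.

```python
import hashlib

OP_2, OP_CHECKMULTISIG, PUSH_33 = 0x52, 0xAE, 0x21

def funding_script_pubkey(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """Expected scriptPubKey: P2WSH of `2 <key1> <key2> 2 OP_CHECKMULTISIG`."""
    for key in (pubkey_a, pubkey_b):
        if len(key) != 33 or key[0] not in (0x02, 0x03):
            raise ValueError("funding pubkeys must be 33-byte compressed keys")
    key1, key2 = sorted((pubkey_a, pubkey_b))  # BOLT 3: lexicographically lesser key first
    witness_script = (bytes([OP_2, PUSH_33]) + key1 + bytes([PUSH_33]) + key2
                      + bytes([OP_2, OP_CHECKMULTISIG]))
    # Witness v0 program: OP_0, push 32 bytes, SHA256(witness_script)
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()

def check_funding_output(outputs, index, local_key, remote_key, funding_satoshis):
    """Validate the output the opener named. `outputs` is a list of
    (value_in_satoshis, script_pubkey) tuples from the parsed funding
    transaction (assumed input shape). Returns (ok, reason)."""
    if not 0 <= index < len(outputs):
        return False, "funding output index out of range"
    value, script_pubkey = outputs[index]
    if script_pubkey != funding_script_pubkey(local_key, remote_key):
        return False, "output does not pay to the channel's 2-of-2 script"
    if value != funding_satoshis:
        return False, "output amount differs from the proposed funding amount"
    return True, "ok"

# Constructed sample keys: correct length and prefix only, not real curve points.
LOCAL = b"\x02" + b"\x11" * 32
REMOTE = b"\x03" + b"\x22" * 32
UNRELATED = b"\x02" + b"\x33" * 32
CHANNEL_SPK = funding_script_pubkey(LOCAL, REMOTE)

def demo():
    cases = {
        "honest opener": [(100_000, CHANNEL_SPK)],
        "pays elsewhere": [(100_000, funding_script_pubkey(REMOTE, UNRELATED))],
        "pays too little": [(1_000, CHANNEL_SPK)],
    }
    return {name: check_funding_output(outs, 0, LOCAL, REMOTE, 100_000)
            for name, outs in cases.items()}

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

Both comparisons are needed: the first catches a funding output that does not pay to the peer, the second one that does not pay the full amount.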
The network currently has $6.9 million USD worth of bitcoin locked up in its channels according to tracker site DeFi Pulse. In his disclosure report, Russell noted that it appears no one exploited the bug while it was live.
“The problem with this vulnerability is that once you know about it, it seems so obvious,” Pierre-Marie Padiou, the chief executive officer of eclair maintainers ACINQ, told CoinDesk on Friday.
Beyond the Fix, There Is a Bright Side
The silver lining?
The level of coordination that went into this bug fix was unprecedented in the Lightning ecosystem, meaning the lines have now been laid for project stakeholders to work together that much more efficiently in the future.
“While this long-standing bug had not been independently discovered, and thus was unlikely to be discovered by a malicious party before being fixed, it did provide an opportunity to test communications and methods of upgrade across the entire lightning ecosystem,” Russell wrote in the full disclosure report.
So while the phrase “This is good for Bitcoin” may be a bit overused lately, this bug fix is good for Lightning, not simply because the problem is now rectified but also because it spurred the conditions for the project to be more resistant going forward.
Micropayments the Future?
Like many things in the cryptoverse, Lightning is an open question. And there is still plenty of work to be done around the network before it can be thought of as a mature payments system.
With that said, the project’s basic infrastructure is already in place and it’s pointing to a future where micropayments become not just feasible but practical. That’s according to LNBIG, the pseudonymous operator who presently provides capacity for a large swathe of Lightning, in a recent interview with The Block:
“I have no doubt in Bitcoin and the Lightning Network. In any case, the Lightning Network is the same breakthrough in itself as Bitcoin. Micropayments are the future. Especially without waiting a long time. Over the year, I saw how many merchants on the Lightning Network appeared. I see no reason for this to slow down. It may take another year for LN to get the properties users need. The infrastructure for payments will be formed. But the basic infrastructure is already there, and it’s becoming significant.”
If LNBIG is right, then bitcoin isn’t going anywhere any time soon.