Developers of Bitcoin's Lightning Network have patched a severe bug, first reported in December 2022, in how Hash Time-Locked Contract (HTLC) transactions reach the blockchain. An attacker could keep a victim's HTLC transaction out of the mempool by repeatedly outbidding it with higher-fee replacements (a "replacement cycling" attack), preventing the victim from reclaiming the bitcoin locked in the contract before the matching HTLC on the other side of the route timed out.
The bug was disclosed publicly, after the patches had shipped, by developer Antoine Riard, who emphasized that ongoing code maintenance will be needed to prevent similar transaction-relay jamming attacks. It is the latest in a series of bugs affecting the Lightning Network, following earlier problems with unattributed payment routing and with the btcd library.
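To make the relay-layer mechanics concrete, here is an added toy model (my own code, not from any Lightning implementation nor from Riard's write-up) of the attack pattern described above. The attacker is the downstream hop and knows the HTLC preimage: she replaces the victim's HTLC-timeout transaction with a higher-fee HTLC-preimage transaction that also spends a junk input of hers, then replaces that transaction through the junk input alone, so that neither spend of the HTLC output is in the mempool when a block is found. The model also includes two defensive checks that were discussed for this bug, scanning the local mempool for revealed preimages and rebroadcasting the timeout with a fee bump each block. The fee rules, transaction sizes, party names (Alice, Bob, Mallory), the `htlc:0` outpoint, the preimage value and the fee schedule are all constructed assumptions.

```python
"""Toy model of the relay-layer attack described above (replacement cycling
of an HTLC-timeout transaction) plus two defensive checks.
Constructed example: the mempool, fee rules, sizes and names are assumptions,
not the code or parameters of any Lightning implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset                 # outpoints spent, e.g. "htlc:0"
    fee: int                          # satoshis
    vsize: int                        # virtual bytes
    preimage: Optional[str] = None    # set when the witness reveals an HTLC preimage

    @property
    def feerate(self) -> float:
        return self.fee / self.vsize


class Mempool:
    """One node's mempool with simplified BIP125 replacement: a conflicting
    transaction is accepted only if it pays more absolute fee and a higher
    feerate than every transaction it evicts."""

    def __init__(self) -> None:
        self.txs: Dict[str, Tx] = {}
        self.observers: List[Callable[[Tx], None]] = []   # the node's own mempool scanners

    def submit(self, tx: Tx) -> bool:
        conflicts = [t for t in self.txs.values() if t.inputs & tx.inputs]
        if any(tx.fee <= c.fee or tx.feerate <= c.feerate for c in conflicts):
            return False
        for c in conflicts:
            del self.txs[c.txid]
        self.txs[tx.txid] = tx
        for observe in self.observers:
            observe(tx)
        return True

    def mine_block(self) -> List[Tx]:
        """Confirm whatever is in the mempool at block time."""
        mined = list(self.txs.values())
        self.txs.clear()
        return mined


HTLC = "htlc:0"        # HTLC output on Bob's commitment transaction (assumed outpoint)
PREIMAGE = "deadbeef"  # known only to Mallory, the downstream hop (assumed value)


def simulate(blocks_until_incoming_expiry: int, watch_mempool: bool, fee_bump: int) -> dict:
    """Bob, a routing node, tries to confirm HTLC-timeout before the HTLC he
    accepted from Alice upstream expires; Mallory cycles it out every block."""
    mp = Mempool()
    preimages_seen: List[str] = []

    def on_accept(tx: Tx) -> None:           # mitigation 1: scan own mempool for preimages
        if tx.preimage:
            preimages_seen.append(tx.preimage)

    if watch_mempool:
        mp.observers.append(on_accept)

    bob_fee, attacker_cost, timeout_confirmed = 1_000, 0, False
    for height in range(blocks_until_incoming_expiry):
        # Bob (re)broadcasts HTLC-timeout; mitigation 2 bumps its fee each block
        assert mp.submit(Tx(f"bob-timeout-{height}", frozenset({HTLC}), bob_fee, 150))
        # Mallory outbids it with HTLC-preimage, which also spends a junk input of hers
        junk = f"junk-{height}:0"
        assert mp.submit(Tx(f"mallory-preimage-{height}", frozenset({HTLC, junk}),
                            2 * bob_fee, 200, PREIMAGE))
        # ...then evicts her own preimage tx through the junk input alone, so the
        # HTLC output has no spend left in the mempool when the block is found
        assert mp.submit(Tx(f"mallory-cycle-{height}", frozenset({junk}), 3 * bob_fee, 100))
        mined = mp.mine_block()
        attacker_cost += sum(t.fee for t in mined if t.txid.startswith("mallory"))
        if any(HTLC in t.inputs for t in mined):
            timeout_confirmed = True
            break
        bob_fee += fee_bump
    seen_in_time = bool(preimages_seen)      # learned before the upstream HTLC expired
    if not timeout_confirmed:
        # Alice has timed out her HTLC to Bob; Mallory now lets the preimage confirm
        final = Tx("mallory-preimage-final", frozenset({HTLC}), 2 * bob_fee, 150, PREIMAGE)
        assert mp.submit(final)
        mp.mine_block()
        attacker_cost += final.fee
    return {
        "timeout_confirmed": timeout_confirmed,
        "preimage_seen": seen_in_time,
        "bob_safe": timeout_confirmed or seen_in_time,  # can settle upstream either way
        "attacker_cost": attacker_cost,
    }


if __name__ == "__main__":
    for label, kwargs in [("no mitigation", dict(watch_mempool=False, fee_bump=0)),
                          ("mempool scan", dict(watch_mempool=True, fee_bump=0)),
                          ("fee bumping", dict(watch_mempool=False, fee_bump=500))]:
        print(label, simulate(10, **kwargs))
```

Run without mitigation, Bob's timeout never confirms and he never learns the preimage, so once Alice's HTLC to him expires he is out the funds while Mallory collects. With mempool scanning Bob sees the preimage on the first cycle and can settle upstream. Fee bumping does not stop the attack in this model, but it multiplies what Mallory has to pay per block. One caveat: the model routes every transaction through Bob's mempool, whereas a real attacker can send the preimage transaction to miners without relaying it to the victim's node, which limits what mempool scanning alone can guarantee.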
The Lightning Network is a global mesh of over 68,000 payment channels, each funded by bitcoin that its users commit on-chain. Channels using either legacy or anchor outputs, and routing hops forwarding HTLC traffic, were all exposed to this bug.
Other Bitcoin protocols were vulnerable too, including Discreet Log Contracts (DLCs), CoinJoins, payjoins, transaction "accelerators", peer swaps, and submarine swaps.
To address these issues, patches have shipped in the following releases: LDK v0.0.118 (CVE-2023-40231), Eclair v0.9.0 (CVE-2023-40232), LND v0.17.0-beta (CVE-2023-40233), and Core Lightning v23.08.01 (CVE-2023-40234). Node operators should confirm they are running at least these versions.
This incident underscores the ongoing challenges faced by the Bitcoin community in maintaining the security and integrity of its protocols and networks. As the Lightning Network continues to grow, rigorous code maintenance and regular software updates will be crucial in preventing similar vulnerabilities from compromising the system in the future.