The problem concerns the channels for conducting large transactions with bitcoin.
Large bitcoin transactions performed on the Lightning Network have proven not to be as secure as expected. This conclusion was made by an independent developer, Joost Jager. He shared information on the results of his research with the readers of the microblog. In particular, he studied the network of Lightning channels for conducting transactions with BTC.
The developer noted that the vulnerability he discovered concerns operations with cryptocurrency, for which users use the Wumbo technical solution. With its help, cryptocurrency holders gained access to large transactions in the bitcoin network at reduced fees by expanding the limit of operations that can be carried out in Lightning channels.
The tool was presented to the crypto community at the end of August 2020. The technical solution has already been supported by many projects. The specialists of the Bitfinex exchange were one of the last to integrate the development into their platform.
Joost Jager believes that this method of transferring funds is unsafe. The developer is confident that Wumbo channels can be compromised by taking advantage of the features of their technical component. One of the problems of this method of funds transfer, in his opinion, was the impossibility of storing more than 483 smart contracts (Hash Time Locked Contract (HTLCs)) in the channel. The latter allows you to unlock funds in case of providing a secret number, the custodian of which is the creator of the smart contract. In HTLCs, the transmission of the number “x” can be equated with an agreement to transfer money.
According to the expert, a fraudster can use the features of the technical component of conducting Wumbo transactions in order to disable the channel for up to two weeks. To do this, it will be enough for him to make 483 microtransactions and take advantage of the peculiarities of the HTLCs time frame. In some cases, according to Joost Jager, only 54 transfers may be required (if the payment route is artificially extended to 9 “nodes”).
An example of the formation of a complex transaction route
The specialist drew attention to the fact that there are other flaws in Lightning. At the same time, he called the identified vulnerability one of the most serious problems. Joost Jager explained his point of view by the fact that there is no specific tool that would allow its elimination at the moment.
At the same time, the developer is confident that the problem can be solved. He intends to fight the vulnerability further in the framework of a new project Circuit Breaker: a firewall for Lightning nodes.
Earlier Israeli scientists found another vulnerability, with the help of which attackers can steal funds from users of Lightning channels on the bitcoin network.