A Bitcoin Lightning developer has publicly revealed a significant bug in the Bitcoin Lightning Network that allowed hackers to drain customers’ funds.
Rusty Russell, a developer at Blockstream, first announced the bug on August 30 but did not reveal the details until Friday, to allow for a network-wide update that patched the problem. Russell published his solution to the exploit on the Lightning developers mailing list, noting that all major apps that run on the Lightning Network have already been fixed.
The Lightning Network is a super-fast payments network that runs on top of the Bitcoin network. It lets users send and receive Bitcoin quickly and cheaply.
But the bug meant that Lightning nodes (computers that run the network) didn’t always check that transactions opened the right channel. If not, “An attacker can claim to open a [lighting payments] channel but either not pay to the peer, or not pay the full amount,” wrote Russell.
The victim, thinking that they’ve been receiving funds from the hacker, might continue to make payments within the channel. Yet, if this happens, the attacker can spend funds from the channel, and the victim will only notice it when they try to close it. By that time, all their funds could be gone.
Despite the attempts to keep it all hush-hush, Rusty’s post noted that someone had attempted to perform the exploit on September 7. It is unknown if the attacker was successful.