Lightning Labs developer Joost Jager described a vulnerability in the micropayment network that could compromise Lightning Network channels at low cost.
Joost Jager said that the Lightning Network can be attacked on Wumbo payment channels, which allow you to make larger transactions on the network and increase the volume of transactions. Before adding Wumbo channels this summer, users could create channels with a maximum capacity of 0.1677 BTC – this restriction was made as a precautionary measure.
Jager States that Wumbo channels can be used by attackers because a channel cannot contain more than 483 hash-locked and time-bound (HTLC) contracts, regardless of its capacity. Thus, a fraudster can send himself 483 micropayments and control HTLC to disable the channel for up to two weeks.
According to the developer, this can be achieved by using the maximum route length to add channels and more contracts. At the same time, according to Jager’s calculations, the cost of such an attack will be small – about 5.8 million Satoshi. The developer noted:
“Using the maximum route length for adding channels, each payment can take up to 9 HTLC slots on the target channel. If the attacker is lucky, they will only need to send 54 payments to reach the goal. One tiny channel can disable double-digit amounts in BTC.”
Jager said that in connection with this problem, he launched a new project called Circuit Breaker – a firewall for Lightning nodes. Its main purpose is to encourage people to think about this attack. According to the developer, the project has the potential to become a full-fledged protection system for Lightning. When asked if this attack is the largest undisclosed attack vector on LN today, he replied:
“It depends on what is considered a major attack vector. There are other attacks that can make you lose money, which seems even worse. But this is one of the biggest problems in terms of not knowing how to solve it.”
Recall that in June, the Lightning Network discovered the possibility of an attack on the chain of payment channels. In addition, in the spring, researchers from universities in Norway and Luxembourg discovered the possibility of an attack on the Lightning Network. In this case, the balances of the nodes through which the transaction passes can be disclosed.