Zero-day flaw in Lightning Network can be easily exploited by script kiddies to steal Bitcoin

Although Lightning Network has become one of the main trends among the cryptocurrency community, one researcher claims that large Bitcoin transactions through this medium are not secure enough. The work was done by independent researcher Joost Jager.

The expert noted the existence of a vulnerability that can be exploited to gain access to large cryptocurrency transactions at reduced commission using the Wumbo technique, expanding to the limit the operations that can be performed on Lightning Network channels.

The researcher introduced a tool at the end of August 2020 that has already been supported by multiple projects. Bitfinex, for example, already integrated this development into its platform.

Jager believes that this method of transferring funds is not secure, so he is confident that Wumbo channels can be compromised by taking advantage of the peculiarities of its technical component. One of the problems with this method of transferring funds was the inability to store more than 483 Hash Time Locked Contract (HTLCs) on the channel. The latter allows you to unlock funds in case you provide a secret number, whose custodian is the creator of the smart contract. In HTLC, the transfer of the number “x” can be equated with an agreement to transfer money.

Threat actors could use the functions of the Wumbo transaction technical component to deactivate the channel for up to two weeks by performing 483 microtransactions and taking advantage of the time frame peculiarities of HTLC.

In some cases, only about 54 transfers would be required if the payment path is artificially extended to 9 nodes.

In addition to reporting this flaw, the expert ensures that there are many other vulnerabilities in Lightning Network that could also cause severe problems for digital asset holders. Jager mentioned that it might be difficult at the moment to release updates that fix this flaw.

While the current picture is not the best, the expert hopes that the faults can be eventually corrected, even proposing combating these kinds of failures under the Circuit Breaker project, although we should not forget that some cases of cryptocurrency theft have already been reported on Lightning Network.