Lightning Network Releases Emergency Update After Critical LND Node Bug
An emergency update was released for all Lightning Network LND node operators on November 1, after a critical bug knocked LND nodes out of the sync chain. This was the second critical bug encountered by the network in less than a month.
According to Lightning Labs, developer of the Bitcoin Lightning Network, some LND nodes have stopped syncing due to an issue with the btcd thread analysis library. The patch (v.015.4) was released almost three hours after the break. The statement stated:
“This is an emergency patch release to fix a bug that may prevent lnd nodes from parsing certain transactions that have a very large number of witness entries.”
According to the issue on GitHub, unupdated nodes will be vulnerable to malicious channel shutdowns once channel hourly locks expire in two weeks. The bug only affected LND nodes, rendering the current state of the chain obsolete, although payment transactions are still available. Some versions of electrs have also been impacted, according to another issue on GitHub.
The bug was triggered by a developer nicknamed Burak on Twitter, with a message in the transaction saying, “you will run cln. and you will be happy”.
Sometimes to find the light, you have to first touch the darkness.https://t.co/dhCwF0DxpE
— Burak (@brqgoo) November 1, 2022
Burak was also responsible for triggering a similar bug on October 9, when they created a 998 of 999 multisig transaction that was rejected by the btcd and LND nodes, causing the entire block and all blocks following the transaction. On the same day, Lightning Labs released a patch to resolve the issue.
I just did a tapscript multisig of 998 on 999, and it only costs $4.90 in transaction fees.https://t.co/CvBHaRAqPu
— Burak (@brqgoo) October 9, 2022
Related: What is the Lightning Network in Bitcoin and how does it work?
On Twitter, users suggested it was time for an LND bug bounty program:
Savage takedown of Lightning LND nodes by exploiting a consensus divergence between Bitcoin Core and btcd with a single Bitcoin transaction.
Coded message :
“you will run cln. and you will be happy.”
Probably not a “responsible disclosure”. Is it time for an LND bug bounty program? https://t.co/sLZQIsS4Zt pic.twitter.com/S8HwKXdoip
— Stadicus (@Stadicus3000) November 1, 2022
The hacker Anthony Towns too claims disclosing the vulnerability to LND developers two weeks ago, noting that “the btcd repository doesn’t seem to have a security bug reporting policy, so I don’t know if anyone else working on btcd has it discovered”.
The Lightning Network is a second layer added to the Bitcoin (BTC) blockchain that enables off-chain transactions, i.e. transactions between parties not part of the blockchain network.