Independent Bitcoin Lightning developer, Joost Jager, has outlined an exploit of the micro-payments network that could result in channels being compromised with very little effort and negligible cost.
However, he said he’s hard at work on a possible solution.
1/ Lightning is great, but can't say it is battle-tested. If script kids would be interested, they could take down those shiny new 5 BTC #wumbo channels with negligible cost and no effort at all. pic.twitter.com/9PTkxfF042
— Joost Jager (@joostjgr) September 22, 2020
Jager specifies that the attack could be carried out on wumbo channels, which essentially allow larger transactions between mutually agreeing parties on the Lightning network.
A wumbo channel removes the limit to the total amount of Bitcoin that can be held in a regular Lightning channel — which is around $1,760 worth at today’s prices. It also removes the approx. $450 limit to how large an individual payment can be.
Jager said the wumbo channels can be exploited because the channel cannot hold more than 483 hash and time-lock contracts (HTLCs) at any time regardless of its capacity. So a malicious actor sending 483 micro-payments to themselves, and holding on to the HTLCs is enough to incapacitate a channel for up to two weeks.
The developer demonstrated that this could be achieved by using the maximum route length to add loops and more contracts to quickly reach that total for just a small initial outlay, 5.8 million satoshis in this example.
If the script kid is lucky, they only need to send 54 payments to get it done. A single tiny channel takes double-digit amounts of Bitcoin out of business.
He added that he had started a new firewall for Lightning nodes project called Circuit Breaker to address this problem. When asked whether this ‘griefing attack’ is the biggest unsolved attack vector on LN today, he added;
That depends on how you define biggest. There are other attacks that can make you lose money which seems worse. But this one is one of the biggest in terms of not knowing how to solve it.
With wumbo channels a user can signal that they want to send more BTC than the regular limits and find a node that is willing to receive. Regular Lightning users sending micropayments will not be affected but it is a much better option for business and enterprise payments.
Wumbo channels are growing in adoption and Bitfinex has been the latest to announce support for them;
— Bitfinex (@bitfinex) September 22, 2020
The word “wumbo” comes from a cartoon series called SpongeBob SquarePants, and refers to the idea that two parties need to agree to ‘wumbo’ together for the transaction to take place.
This post first appeared here: https://cointelegraph.com/news/developer-reveals-biggest-unsolvable-lightning-attack-vector