One of the Lightning Network’s lead developers, Antoine Riard, resigned from his position on October 20, 2023, due to the discovery of a critical security flaw in the network. What is it, and is it fixable for the popular Bitcoin network overlay?
The Lightning Network causes concern
The Lightning Network at the heart of the storm? Antoine Riard, one of the key developers of the Bitcoin overlay solution, stepped down on October 20 after discovering a critical security flaw in the network’s structure.
According to Riard, the Lightning Network is currently unable to counter sophisticated replacement cycling attacks, which are likely to enable malicious actors to divert user funds by exploiting a flaw in the mempools. This new type of attack was explained in more detail by @mononautical on X :
How does a lightning replacement cycling attack work?
There’s a lot of discussion about this newly discovered vulnerability on the mailing lists, but the actual mechanism is a bit hard to follow.
So here’s an illustrated primer…
1/n pic.twitter.com/mvvS8bEc5f
– mononaut (@mononautical) October 21, 2023
Before going any further, let’s remember that the Lightning Network is an overlay for the Bitcoin network, designed to solve the problem of block size on the mother network. In addition to resolving this scalability issue, the Lightning Network’s dedicated channels enable ultra-fast payments (hence the name) at very low cost. To find out more, read our Lightning Network fact sheet.
In view of the complexity of this type of attack, we won’t go into detail here. However, their danger is sufficient to get the network’s developers into trouble. According to Antoine Riard, the Lightning Network is currently in a “perilous” situation
An unresolvable problem?
According to Antoine Riard, the structure of the flaw requires modifications to be made directly on the Lightning Network’s base layer… i.e. on the Bitcoin blockchain. But since Bitcoin is decentralized, such changes cannot be made without a clear consensus on the part of the community.
“I think this new class of replacement cycle attacks puts Lightning in a very perilous position, where only a lasting fix can occur at the base layer level, for example with the addition of a history of all transactions seen, which would require a lot of memory, or else a consensus upgrade. […] These types of changes are the ones that require the greatest transparency as well as buy-in from the community at large, as we change the processing requirements of complete nodes or the security architecture of the entire decentralized Bitcoin ecosystem. “
Since its implementation in 2017, the Lighting Network saw rapidly growing interest until mid-2022, before this declined and eventually more or less stabilized.
Evolution of the number of nodes on the Lightning Network from 2017 to today
At the time of writing, the Lightning Network comprises 14,735 nodes for around 63,500 payment channels, representing a drop of just under 10% on each of these metrics over the last 30 days.
