LND Lighning Network Vulnerability reported
Recently lightning network developer Russel updated a serious vulnerability for the old versions. The versions which is less than v0.7.0
The issue he described as below:
A lightning node accepting a channel must check that the funding transaction
output does indeed open the channel proposed. Otherwise an attacker can claim
to open a channel but either not pay to the peer, or not pay the full amount.
Once that transaction reaches the minimum depth, it can spend funds from the
channel. The victim will only notice when it tries to close the channel and none
of the commitment or mutual close transactions it has are valid.
Solution
--------
Once the funding transaction is seen, peers MUST check that the outpoint as
described in `funding_created`[1] is a funding transaction output[2] with
the amount described in `open_channel`[3].
Fixed versions:
c-lightning: v0.7.1 and above
lnd: v0.7.1 and above
eclair: v0.3.1 and above
So the best way to fix the issue is you need t upgrade to the latest release, While right this i can see the latest version for the lnd is v0.8.0-Beta. From this release onwards, lnd will only support database upgrades from the previous major release. So that means those who are running on v0.6.0 would be required to upgrade v0.7.0 first and then to v0.8.0.
Recently lightning network developer Russel updated a serious vulnerability for the old versions. The versions which is less than v0.7.0
The issue he described as below:
A lightning node accepting a channel must check that the funding transaction
output does indeed open the channel proposed. Otherwise an attacker can claim
to open a channel but either not pay to the peer, or not pay the full amount.
Once that transaction reaches the minimum depth, it can spend funds from the
channel. The victim will only notice when it tries to close the channel and none
of the commitment or mutual close transactions it has are valid.
Solution
--------
Once the funding transaction is seen, peers MUST check that the outpoint as
described in `funding_created`[1] is a funding transaction output[2] with
the amount described in `open_channel`[3].
Fixed versions:
c-lightning: v0.7.1 and above
lnd: v0.7.1 and above
eclair: v0.3.1 and above
So the best way to fix the issue is you need t upgrade to the latest release, While right this i can see the latest version for the lnd is v0.8.0-Beta. From this release onwards, lnd will only support database upgrades from the previous major release. So that means those who are running on v0.6.0 would be required to upgrade v0.7.0 first and then to v0.8.0.
No comments:
Post a Comment