Bitcoin Lightning bug allows remote theft of bitcoin via LND nodes

A major bug panicked Bitcoin Lightning users today. Senior Bitcoin developer “Calle” alerted node operators running software older than Lightning Network Daemon (LND) Version 0.18.5 or LITD Version 0.14.1.

The vulnerability relates to how LND checks description fields for the settlement of Lightning invoices. Clever hackers figured out a way to manipulate the payment state of such invoices to remotely drain funds.

Satoshi Labs co-founder Pavol Rusnak rang a similar alarm bell. As posts gained tens of thousands of impressions, users of the Lightning network spread the message about the imminent threat of theft.

Lightning is a mesh network of approximately 5,000 BTC that move faster and cheaper than regular, on-chain BTC. By routing payments through 44,000 public channels connecting over 16,000 nodes, Lightning users sacrifice the full security and decentralization of BTC for speed, thrift, and extra functions.

They also expose themselves to Lightning-specific bugs that don’t affect the base layer.

Patching Bitcoin Lightning nodes to LND 18.5

Newly released node softwares LND 0.18.5 and LITD 0.14.1 patch this remote threat vector. Disturbingly, LND 18.5 was just released last week, so many LND nodes are still out of date and vulnerable.

Out-of-date LND nodes number in the hundreds or low-single-digit thousands as of publication time. LND has historically been the preferred software for most Lightning node operators.

The bug involves an inability to cancel AMP invoices if they have a settled sub-invoice. Lightning developer known as ziggie1984 posted a patch request that suggested allowing AMP invoices to expire even if they have a settled sub-invoice.

Effet Cantillon posted some reassurance that merchants using Lightning Labs’ software might be fine if they don’t have their LND node interact with invoices generated by services like BTCPay.

BTCPay Server apparently upgraded its LND node to 0.18.5 just recently.