Lightning Labs has confirmed that a major vulnerability in the Lightning Network has been exploited ‘in the wild.’ The peer-to-peer payment network is meant to provide fast and inexpensive Bitcoin payments, but as the bug incident demonstrates, it may not yet be ready for serious payments.
The bug was originally revealed on a mailing list at the end of August by Rusty Russell, a prominent Blockstream developer. Russell only partially disclosed the details of the bug, noting that security issues had been found in “various lightning projects” and that this “could cause loss of funds.”
Full details of the vulnerability will not be revealed until the end of September, giving users four weeks to upgrade to a more secure version of the software. However, this precaution was too late to prevent an exploit, as Lightning Labs revealed in a separate message on Tuesday.
Are Lightning Users At Risk?
Lightning Labs has taken the time to warn users that the Lightning Network is still in its early stages. “Don’t put more money on Lightning than you’re willing to lose,” the company posted to Twitter. This isn’t exactly reassuring, although most users know that Lightning is only intended for small transfers.
This is also a great time to remind folks that we have limits in place to mitigate widespread funds loss at this early stage. There will be bugs.
Don't put more money on Lightning than you're willing to lose!
— Lightning Labs⚡️ (@lightning) September 10, 2019
Most users are not at risk: it seems that the bug affects node software, not wallets. But at least some funds have been compromised, and although Lightning Labs claims to have preventative measures in place, it is not clear what those measures actually are.
It’s also not clear how much money has actually been stolen. Currently, the Lightning Network’s capacity is 830 BTC (about $8.5 million), but it seems likely that high-value node operators keep their software up to date.
Is Lightning Secure Or Not?
The Lightning Network has long been a point of contention in the crypto community. Some argue that Lightning is prone to centralization, and they may have a point. The network has grown significantly since it launched last year – and a few well-connected nodes provide most of the capacity.
However, centralization might be a necessary trade-off to achieve scalability, as explained in the scalability trilemma. Andreas Antonopoulos has argued that the “vast majority” of Bitcoin transactions are already off-chain, in the databases of exchanges and merchant providers. According to Antonopoulos, Lightning mainly provides trustlessness, not decentralization – that is, Lightning does not require you to trust a single organization.
Unsurprisingly, the idea that Lightning is trustless is controversial in and of itself. Peter Rizun of Bitcoin Unlimited has argued that Lightning relies too much on trust between participants. He believes that routing nodes can lose user funds, and that hubs may gain de facto custody over funds as Lightning fees get higher.
These concerns might be overblown, at least with respect to the recently-announced bug. Since the vulnerability only affects some versions of its software, it is probably not a fundamental problem in Lightning’s approach to security.
Where Will Things Go From Here?
The latest incident is unlikely make anyone lose faith in the Lightning Network, unless they were already a non-believer. However, Lightning has been faltering in terms of adoption even prior to this incident. In spite of past growth, recent reports suggest that Lightning’s channel counts and network capacity have been falling in recent months.
But it’s still the only game in town when it comes to BTC micropayments. Right now, the average Bitcoin transaction costs about $1.00, and there are few ways to send small amounts of Bitcoin on the blockchain. Other cryptocurrencies, such as Bitcoin Cash, offer lower fees and faster transactions, but that is of little use to BTC holders.
Meanwhile, other payment channel projects such as Strawpay, haven’t gained much traction. Lightning has outdone the competition in terms of publicity and gained allies like the mining giant Bitfury and the payment processor CoinGate. It might not be ready for prime time, but the project isn’t going to lose what it has accomplished so far.