Lightning Labs developer Joost Jager described a micropayment network vulnerability that could lead to compromise of Lightning Network channels at low cost.
Joost Jager said the Lightning Network could attack Wumbo payment channels , which allow for larger transactions on the network and increase transaction volumes. Prior to the addition of Wumbo Channels this summer, users could create channels with a maximum capacity of 0.1677 BTC – this limitation was made as a precautionary measure.
Jager states that Wumbo channels can be exploited by attackers because a channel cannot contain more than 483 hash-locked and time-bound (HTLC) contracts, regardless of its capacity. Thus, the fraudster can send himself 483 micropayments and control the HTLC to disable the channel for up to two weeks.
According to the developer, this can be achieved by using the maximum route length to add channels and more contracts. At the same time, according to Jager’s calculations, the cost of such an attack will be small – about 5.8 million satoshi. The developer noted:
“Using the maximum route length for adding channels, each payment can take up to 9 HTLC slots on the target channel. If the attacker is lucky, he will only need to send 54 payments to reach the target. One tiny channel can knock out double-digit BTC amounts. “
Jager said he launched a new project called Circuit Breaker to address the issue , a firewall for Lightning nodes. Its main purpose is to induce thinking about this attack. According to the developer, the project has the potential to become a full-fledged protection system for Lightning. When asked if this attack is the largest undisclosed attack vector on LN today, he replied :
“It depends on what is considered a major attack vector. There are other attacks that can make you lose money, which seems even worse. But this is one of the biggest problems in terms of the fact that we do not know how to solve it. “
As a reminder, in June, the Lightning Network discovered the possibility of an attack on payment channel chains. In addition, in the spring, researchers from universities in Norway and Luxembourg discovered the possibility of an attack on the Lightning Network. In this case, the balances of the nodes through which the transaction passes can be disclosed.