Is the cock broken? Or was it the ridiculously large transaction that made it a direct attack on the Lund implementation? Does all this affect the larger Lightning Network? And what about the bitcoin network? This story starts with all kinds of questions and can’t promise to answer them all. The game is going on. something is happening. However, it is difficult to determine what. And it looks like more will be revealed, as we still don’t have all the data.
Let’s see what we have and try to get to the bottom of it. And it all starts with a summary of the story so far.
What’s with the loan and these big transactions?
On October 9, a developer called . is referred to as Burak announced “I just did 998-in-999 TapeScript Multisig, and it only costs $4.90 in transaction fees.” That curious transaction left the Lightning Network unconnected, which missed producing a block. The Lightning Labs team responsible for the LND implementation released a fix within a few hours. The incident made it abundantly clear that the Lightning Network is still a work in progress, and implementations are vulnerable to attacks.
with the help of @Lightning Labs Team (h/t) @guggero), us at @GaloyMoney and our CI pipeline @BTCBeachWallet Nodes are updated with bugfixes within 31 blocks after the 73be398c4bdc43709db7398106609eea2a7841aaf3a4fa2000dc18184faa2a7e hit.
Can this be a record now? pic.twitter.com/Utrabq86jF
— openoms (@openoms) 1 November 2022
Today, Burak strokes again. “Sometimes to get the light we have to touch the darkness first” he tweeted with another big transaction, This time the effect was only on the penis nodes. All the rest remained together, while Lund was stuck. For some time, LND nodes could route payments but were unaware of the status of the chain. Lightning Labs acknowledged the bug in its official channels and started working on it A hotfix that was released few hours later.
To explain the implications to the rest of us, Applied Cryptography Consultant Peter Todd analyzed Event. “Since LN is a consensus system, it is good to have separate implementations. Some network is down right now. But there is no real harm in staying on top of the rest. Meanwhile, the root cause of the problem is the buggy BTCD code, He tweeted.
So far, everything seems fine. The intent of the transaction seems to be exposing a vulnerability without causing significant harm. The thing is, Burak wrote, “You’ll run CLN. And you’ll be happy” in the OP_RETURN data. And the “CLN” refers to Core Lightning, LND’s main competition. Blockstream Products,
BTC price chart for 11/01/2022 on Bitstamp | Source: BTC/USD on TradingView.com
Did anyone report a malfunction of the cock before the attack?
Another pseudonymous developer wrote to badaki“The ethical point is to make the vulnerability disclosure to the Lightning Labs team, rather than removing the majority of nodes in the network.” Then, another developer named anthony town delivered A necessary plot twist, “For what it’s worth, I saw this bug as well and disclosed it to Olaoluwa Osuntokun about two weeks ago. Looks like the btcd repo has no reporting policy for security bugs, so not sure That someone else working on btcd has come to know about it.
Too @ajtowns Contacted me by making an issue on my public fork of btcd w/ details, as the post was public, I deleted it and followed up via email
We had a patch ready to go for minor releases (w/ some other memory optimization), but obv it undone
— Olaoluwa Osuntokun (@roasbeef) 1 November 2022
“The initial report was in the wrong place and missed, I followed a week later on the 19th and Olaoluwa Osuntokun responded with some ideas as to why this had not already been caught and how to do better,” Towns continued. explained in detail. Later, Osuntokun confirmed the report and revealed, “Since the post was public, I deleted it and then followed it up via email. We have a minor release (w/ some other memory optimizations) to go through.” There was a patch ready, but obv undone it.”
He also pointed out an important point, “I didn’t imagine anyone working this out for miners.” The involvement of miners was required to get through this particular bug. Maybe there’s more to this attack than meets the eye. However, there were over $700 in fees associated with the transaction. Although this exorbitant fee may be enough to pass on unusual transactions.
Is Blockstream Responsible for the Attack?
This is where everything gets tricky, as it looks like Burak was previously sponsored by Blockstream to work on Liquid contracts on Bitmatrix. In a series of then-deleted tweets, Lightning Labs CEO Elizabeth Stark has accused Blockstream of at least sponsoring the attacks. When questioned by a Blockstream employee, Stark replied, “Isn’t it true that this is a sponsored developer?” and “You seem to have left a deleted tweet where I specifically mentioned that it was clear that this attack was not sponsored.”
Isn’t it true that this is a sponsored dev? I didn’t mean to imply that this work was funded, but as you wrote this person is “def sponsored by Blockstream”. pic.twitter.com/s1SHZnnbo5
— Elizabeth Stark (@starkness) 1 November 2022
Enter Surebits Founder Chris Stewart, who took it even further And directly asked Adam Back to confirm that “Blockstream Core is not sponsoring these attacks on LND as a propaganda tool for Lightning.” Adam Back denied any sponsorship and explained what he thought Burak meant. “One can infer from the op_return message that the consensus is about the risks of using a non bitcoin core full node and that Lightning Core uses bitcoin core. Maybe Burak made that point empirically. This is a known limitation from LANGSEC security, making it nearly impossible to be bit-wise compatible.”
To put everything to bed, Blockstream researchers Christian Decker goes on record and tweeted, “This is horrible, the Core Lightning team does not condone attacks of any nature. And it is really bad taste to nominate a contestant. Please follow responsible disclosures, and avoid publicity stunts like this.” , it’s not helping, and is causing a lot of problems!”
Featured Image by Bethany Laird on Unsplash | Charts by TradingView