Security expert and developer Antoine Riard is leaving the Lightning Network development team shortly after a new severe vulnerability was found in the payment protocol. In a post released last week, he stated his decision to “halt his involvement with the development of the lightning network including handling of security issues”.
Notably, in 2021, Riard was awarded a grant from OKcoin to support his development and security efforts on the Lightning Network.
The newly identified attack vector is called the Replacement Cycling Attack. It targets a key component in the protocol called Hash Time Locked Contracts (HTLC) and lets attackers steal funds from the network's channels by interrupting the usual transaction flow. To execute the attack, the attacker does not require any special network access. They can simply have regular lightning channels with the victim and access to a basic Bitcoin full node.
Worryingly, Riard's analysis suggests that various other Bitcoin applications, including wallets with time-sensitive path, coinjoins, peerswap, and batch payouts, could also be impacted by the vulnerability.
However, the most concerning aspect of this vulnerability is that there is no immediate solution. The only sustainable fix would be at the base layer, indicating a potential need for a soft fork in the Bitcoin network.
The Bitcoin community is well-known for its inflexibility and slow pace when it comes to adjustments. It remains uncertain whether it would choose to implement this soft fork to fix the issue and how long that might take. For context, the most recent soft fork on Bitcoin, known as Taproot, was implemented two years ago, in 2021. It incorporated several Bitcoin improvement proposals including reduced transaction costs and support of complex transactions.
When it comes to Lightning Network statistics, no significant changes were observed at the time of writing. Currently, there are over 16,000 nodes and 63.7k channels in the network. The total Bitcoin capacity across all channels is 5405 BTC or $161 million.
Notably, in the past 10 months, Riard had not detected any real-world instances where this vulnerability was exploited. However, the public announcement might increase the likelihood of hackers attempting to exploit the flaw, potentially resulting in negative consequences for the protocol and its users.