Flood and Loot attack is threatening Bitcoin’s lightning network as two researchers prove that a well-known vulnerability on the network could earn the hackers a nice penny as we are reading further in the upcoming Bitcoin news.
The nodes that accept the attacker’s request to open a new payment channel are also vulnerable and before the publication of the research, 95% of the lightning network nodes were willing to open even more channels with unknown nodes. The paper was shared with the main developers of three implementations before it was publically available for everyone. Two crypto enthusiasts from the Hebrew University in Israel tested the known attack vector with Hash Time-locked contracts on the Lightning Network and concluded that attackers could use the vulnerability to perform better attacks on the victims.
Very good attack. It seems that the right near term solution is to strictly limit number of inflight HTLCs? I wonder if LN implementations are able to queue up HTLC requests by value so each payment can take its turn through a channel. https://t.co/wSr0uWmPM4
— Zero Knowledge Goof (@LLFOURN) June 28, 2020
Jona Harris and Aviv Zohar, the two researchers noted that these vulnerabilities are inherent to the way HTLC works, and avoiding a flood and loot attack is impossible. HTLCs is a form of cryptographic defense mechanism that allows payment receivers and senders to eliminate risks while still using the Lightning Network. The attack enables malicious actors to drain Bitcoin from as many victims at the same time by overloading their channels and the entire capacity of the network. One of the researchers said:
“We show that only 85 simultaneously attacked channels are enough to guarantee that the attacker gets away with some money.”
The victims are then unable to defend against the attack either and the cost of failing the attack is quite negligible as the attacker only spends the transaction fees without spending other assets in the process. The attackers start by opening as many payment channels and send transactions to other nodes that the hacker owns.
At a time once the Bitcoin transaction fees are high, the attacker accepts the transactions on one end but doesn’t deliver the HTLC amount on the other which forces the victim to go onto the blockchain to collect the fair share. Because the Bitcoin blockchain is congested and attackers are able to change the fees, he can outbid the victim in a race to claim the HTLC. If he succeeds, the blockchain treats the transaction as if it never happened and returns all funds back to the attacker.
The researchers studied the particular vulnerability after Bitcoin developer Matt Corallo discovered it back in April. The users on Twitter are expressing a mixture of disbelief and many other theories of possible solutions to help the researchers. Solving this issue is key for keeping Bitcoin’s ideas of a faster solution alive.
DC Forecasts is a leader in many crypto news categories, striving for the highest journalistic standards and abiding by a strict set of editorial policies. If you are interested to offer your expertise or contribute to our news website, feel free to contact us at [email protected]
Discussion about this post