Disclosure: Invalid Claims Liquidity Griefing in LDK v0.0.125 & Earlier
Bitcoin developer and security researcher Matt Morehouse has put together a disclosure for an invalid claims liquidity griefing vulnerability present in Lightning Dev Kit (LDK) versions 0.0.125 and earlier.

- LDK versions 0.0.125 and earlier are susceptible to a liquidity griefing attack aimed at anchor channels. This attack results in funds being locked, and recovery is only possible by manually creating and broadcasting a valid claim transaction.
- The vulnerability was discovered during an audit of LDK’s chain module.
- Affected users can release their locked funds by upgrading to LDK v0.1 and replaying the series of commitment and HTLC transactions that resulted in the lock-up.
Timeline
- 2024-12-23: Vulnerability reported to the LDK security mailing list.
- 2025-01-15: Fix merged.
- 2025-01-16: LDK 0.1 released containing the fix, with public disclosure in release notes.
- 2025-01-23: Detailed description of vulnerability published.
Takeaways
- Code readability matters for preventing bugs.
- Update to LDK 0.1 for the vulnerability fix.
Full Disclosure / Archive
Delving Bitcoin Discussion