Using LNsploit to Steal from LND Nodes: How to Exploit the Recent Transaction Bugs
This post walks through how to use LNsploit to steal funds from an LND node affected by some of the recent critical bugs, in regtest.
- This post walks through how to use LNsploit to steal funds from an LND node affected by some of the recent critical bugs, in regtest.
- By now you might have heard of a few different bugs ([1],[2]) with LND that has left the Lightning Network temporarily crippled and most nodes in a state where funds can be stolen from them. This has occurred twice within a month and is due to LND's reliance on a library that also pretends to be a bitcoin node and is seldom looked at or maintained, called BTCD ([3],[4]).
- Luckily the fix was released within a day, both times. So most people would not lose funds if they updated promptly, though there are still some HTLC edge cases that exist that would allow an attacker to take off with funds within even a few hours. If you've been in a coma and you're just now hearing about this, I'm sorry. The responsible thing to do is to close your channels before you go into a coma.
- It is too late to utilize this now on testnet / mainnet (actually, I believe the latest bug hasn't been executed on testnet yet!). If you would have used this tool to coordinate with Burak while he broadcasted his breaking transactions, you could have possibly stolen funds on mainnet too. However, you would have run into the risk that the node updated in time before the channel timelock expires. LNsploit does not yet broadcast transactions with a held HTLC payment still in flight, which would allow you to steal funds in hours rather than the ~2-week channel timelocks.
- I applaud the efforts of all devs, breakers, and lightning community members throughout the last month. Lightning is NOT operating in an adversarial environment and if we're going to be serious about this $100M+ network that this entire industry is building upon, then we NEED things like this to happen to grow, learn, adapt, and be resilient. I appreciate the way Burak has gone about this and, to my knowledge, without trying to steal funds, especially knowing that LNsploit existed since we chatted about this at TABConf. Hopefully, I can continue to work on LNsploit during my free time and push the limits of Lightning myself. I feel the moral obligation to. If we don't do it, and lightning developers don't consider it, then someone with malicious intent will.