Lightning Network developers recently disclosed a security hole present in various Lightning Network versions. The hole can cause users to lose funds if the software is not updated.
The bug was initially reported on August 30 by Rusty Russell. It was then confirmed by Lightning Labs CTO Olaoluwa Osuntokun. There was no mention of lost BTC or of how many users were affected by the security hole.
At the moment, we know that various Lightning Network node versions are vulnerable. They have to be updated immediately. According to Osuntokun, in a message sent to the developer mailing list:
“We’ve confirmed instances of the CVE being exploited in the wild.”
Lightning is an experimental solution that aims to enable almost costless BTC transactions. This would make Bitcoin feasible for mundane transactions, like buying a sandwich from the supermarket. However, this security hole shows that there are still problems to be resolved before widespread implementation.
“Security issues have been found in various lightning projects which could cause loss of Funds. Full details will be released in 4 weeks (2019-09-27), please upgrade well before then.”
Osuntokun also added to this, with a focus on the infancy of the protocol:
“We’d also like to remind the community that we still have limits in place on the network to mitigate widespread funds loss, and please keep that in mind when putting funds onto the network at this early stage.”
The warning also appeared on Twitter, with users being reminded that funds can be lost on the network.
The affected versions include all LND releases 0.7 and below, C-Lightning 0.7 and below, and Eclair 0.3 and below.