Security researcher and developer Antoine Riard is stepping down from the Lightning Network’s development, citing security issues and fundamental challenges to the Bitcoin ecosystem.
According to a thread on the Linux Foundation’s public mailing list, Riard believes the Bitcoin community faces a “hard dilemma” as a new class of replacement cycling attacks puts Lightning in a “perilous position.”
How does a lightning replacement cycling attack work?
There’s a lot of discussion about this newly discovered vulnerability on the mailing lists, but the actual mechanism is a bit hard to follow.
So here’s an illustrated primer…
— mononaut (@mononautical) October 21, 2023
The Lightning Network is the second-layer solution built over the Bitcoin blockchain. It is designed to improve the scalability and efficiency of Bitcoin transactions by enabling off-chain, peer-to-peer transactions.
Through the Lightning Network, users can open payment channels, conduct multiple transactions off-chain, and settle the final result on the Bitcoin blockchain. The replacement cycling attack targets these payment channels. It is a new type of attack that allows the attacker to steal funds from a channel participant by exploiting inconsistencies between individual mempools. According to Riard:
“I think this new class of replacement cycling attacks puts lightning in a very perilous position, where only a sustainable fix can happen at the base-layer, e.g adding a memory-intensive history of all-seen transactions or some consensus upgrade. Deployed mitigations are worth something in face of simple attacks, though I don’t think they’re stopping advanced attackers as said in the first full disclosure mail.”
Riard also noted that addressing the new type of attack may require changes to the underlying Bitcoin network:
“Those types of changes are the ones necessitating the utmost transparency and buy-in of the community as a whole, as we’re altering the full-nodes processing requirements or the security architecture of the decentralized bitcoin ecosystem in its integrality.”
Lightning developers grapple with challenges, including criticisms surrounding the network’s complexity and the demands placed on user experience. Since its inception in 2018, the layer-2 network has gained popularity, with a total value locked reaching $159.5 million at the time of writing, according to data from DefiLlama. However, this figure is still very modest when compared to Bitcoin’s $587 billion market capitalization.
Riard plans to focus now on Bitcoin core development, but warned about upcoming challenges for the major cryptocurrency ecosystem:
“On the other hand fully explaining why such changes would be warranted for the sake of lightning and for designing them well, we might need to lay out in complete state practical and critical attacks on a ~5 355 public BTC ecosystem. Hard dilemma. There might be a lesson in terms of bitcoin protocol deployment […]”