Antoine Riard, a developer who works on Bitcoin and the Lightning Network, discovered a problem that affects the second-layer network, which is designed for fast Bitcoin payments. He found the issue in December 2022, and the major clients that connect nodes to the Lightning network have already fixed it.
The problem Riard describes in his message to the Bitcoin-Dev and Lightning-Dev mailing lists is a kind of attack called “cyclic replacement.” This type of attack directly affects the safety of Lightning channels, which are used to transact quickly and at low cost, off the main Bitcoin chain.
As the developer details, the cyclic replacement attack exposes Lightning routing nodes to security risks and can even cause them to lose funds. This affects both legacy channels and channels with anchor outputs, says Riard. The worrying thing is that this attack “is practical and can be exploited even if there is no congestion in the Bitcoin network mempool.” Furthermore, the attacker does not need a high share of the hashrate on the main network.
The text states that the vulnerability was never exploited during the 10 months in which it was possible to do so on the Bitcoin main network. The author of the email clarifies that “a cyclic replacement attack does not require privileged capabilities on the part of an attacker” and adds that “only access to basic Bitcoin and Lightning software is needed.” “However, I still believe that successfully carrying out such an attack requires solid technical knowledge of Bitcoin and adequate preparation,” says Riard.
How does a cyclic replacement attack work?
As a post by Antoine Riard on cyclic replacement attacks explains, in these cases an attacker sends a transaction with a higher fee than a legitimate transaction in progress. Both the legitimate transaction and the replacement transaction could even be coordinated by the same attacker, who controls several nodes and is able to open payment channels with the victim node.
The technical basis for this type of attack is that an attacker can broadcast his HTLC (hashed time-locked contract) preimage transaction with higher fees than a seemingly honest HTLC transaction from a Lightning node. This triggers a replacement and causes the previous transaction to be removed from the mempool (the temporary store for unconfirmed transactions in Bitcoin), exposing the forwarding nodes to loss of funds. Transaction replacement is a legitimate full-node mempool mechanism, which an attacker can exploit to their advantage if the feature is enabled by default on all nodes involved.
In simpler terms, these attacks are comparable to a person cutting in line at a store, getting what someone else wanted to buy, and leaving them empty-handed. This is a way of “cheating the system” by putting one transaction ahead of others to push them out of the mempool and thus obtain the payment that was due to them.
The specialist explains that “the Lightning network solves the scalability problem of Bitcoin through off-chain payment channels” and that “the security of this layer depends on the ability of participants to confirm transactions on the main Bitcoin chain at any time.”
“This capability is critical, especially when off-chain balances are at stake for a limited period of time, regulated by Bitcoin Script time locks. However, there is a vulnerability related to malicious interference in the propagation of transactions on the Bitcoin base network, which can lead to blocking attacks,” he continues in his argument.
According to research by Riard and other programmers, “it is currently possible to steal the entire routing channel capacity of the Lightning network if the capacity can be routed entirely as pending HTLCs.”
Mitigations in Lightning Implementations
To address this threat, major Lightning implementations designed and deployed mitigation measures. These measures are found in the latest versions of the LDK (v0.0.118), Eclair (v0.9.0), LND (v.0.17.0-beta), and Core-Lightning (v.23.08.01) clients, which allow nodes to connect to the network.
Among the strategies adopted is “aggressive rebroadcasting,” which Riard explains as follows: “Since the replacement loop attacker takes advantage of the fact that HTLC-time-out is typically broadcast over Lightning nodes only once in each block, or even less, malicious replacement cycle transactions only pay an amount equal to the sum of the absolute fees paid by the HTLC, adjusted with the replacement penalty. Retransmitting randomly and multiple times before the next block increases the absolute cost of the fee to the attacker.”
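The effect of rebroadcast frequency on the attacker's fee bill can be put into numbers. The following Python sketch is an added example, not code from Riard's message or from any Lightning implementation; it assumes every rebroadcast forces one more replacement paying at least the HTLC transaction's absolute fee plus the replacement penalty, and the fee, size, timelock and HTLC values are constructed sample figures.

```python
import random

# Bitcoin Core's default incremental relay fee, in sat/vB: a replacement must
# pay the replaced absolute fee plus this rate times its own virtual size.
INCREMENTAL_RELAY_FEERATE = 1


def replacement_floor(htlc_fee_sat, replacement_vsize):
    """Minimum absolute fee of one replacement: replaced fee plus the penalty."""
    return htlc_fee_sat + INCREMENTAL_RELAY_FEERATE * replacement_vsize


def rebroadcast_schedule(blocks, per_block, rng, block_interval_s=600):
    """Random rebroadcast times (seconds), per_block draws in each block interval."""
    times = []
    for b in range(blocks):
        start = b * block_interval_s
        times += sorted(start + rng.uniform(0, block_interval_s)
                        for _ in range(per_block))
    return times


def attacker_cost_floor(schedule, htlc_fee_sat, replacement_vsize):
    """Assumed model: each rebroadcast has to be answered by one more replacement."""
    return len(schedule) * replacement_floor(htlc_fee_sat, replacement_vsize)


def min_rebroadcasts_to_deter(htlc_value_sat, blocks, htlc_fee_sat, replacement_vsize):
    """Smallest per-block rebroadcast count whose cost floor exceeds the HTLC value."""
    per_round = replacement_floor(htlc_fee_sat, replacement_vsize)
    return htlc_value_sat // (per_round * blocks) + 1


def summarize(htlc_value_sat, blocks, htlc_fee_sat, replacement_vsize, seed=7):
    """Cost floor over the timelock window for 1, 4 and 16 rebroadcasts per block."""
    rng = random.Random(seed)
    rows = []
    for per_block in (1, 4, 16):
        sched = rebroadcast_schedule(blocks, per_block, rng)
        cost = attacker_cost_floor(sched, htlc_fee_sat, replacement_vsize)
        rows.append((per_block, cost, cost > htlc_value_sat))
    return rows


if __name__ == "__main__":
    # Constructed sample: 1,000,000 sat HTLC, 40-block timelock window,
    # 3,000 sat HTLC transaction fee, 250 vB replacement transaction.
    for per_block, cost, deterred in summarize(1_000_000, 40, 3_000, 250):
        print(f"{per_block:>2}/block: attacker pays >= {cost:>9,} sat, unprofitable={deterred}")
    print("break-even rebroadcasts per block:",
          min_rebroadcasts_to_deter(1_000_000, 40, 3_000, 250))
```
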
Despite the mitigation measures implemented, Antoine Riard highlights that cyclical replacement attacks remain a threat to advanced attackers and raise questions about the long-term security of off-chain transactions. The developer believes that “it has not yet been determined whether the implemented mitigation measures are sufficiently robust against advanced cyclic replacement attackers, especially those that can combine different classes of transaction locks.”
“To this day, it is uncertain to me whether the Lightning network is not affected by a critical security issue of long-term packet malleability under current consensus rules, and whether some other time-sensitive multiparty protocol, designed or implemented, is not affected de facto (loss of funds or denial of service).”
Antoine Riard, developer of the Lightning network.
Antoine Riard’s discovery also raises concerns about possible vulnerabilities in other Bitcoin applications. Several applications have been identified that could be affected under certain mempool congestion conditions, such as discreet log contracts (DLCs), coinjoins, wallets with time-sensitive paths, peer exchanges, and accelerated transactions.