Bitcoin’s Lightning Network Is Vulnerable to ‘Looting’: New Research Explains

Flood-and-Loot
6 July 2020

Savvy attackers might be able to “loot” bitcoin from others by way of the Lightning Network if users aren’t careful, a new cybersecurity report warns. 

The Hebrew University of Jerusalem computer scientists Jona Harris and Aviv Zohar have taken a closer look at a “systemic” Lightning Network attack that could lead to loss of funds. The attack, which they describe in their new paper, “Flood & Loot: A Systemic Attack on the Lightning Network,” preys on Bitcoin blockchain congestion. 

The problem with the Bitcoin blockchain is it’s slow to settle payments and it only supports a few transactions per second. The Lightning Network is a second-layer solution that helps to solve this massive problem by pulling payments off the Bitcoin blockchain. 

But Lightning is still tied to the Bitcoin blockchain. This attack exploits the connection and tries to take advantage of Bitcoin’s aforementioned limitations.

Developers have long known about this attack vector. But before Harris’ and Zohar’s report, no one had done a deep analysis to measure in detail how feasible such an attack would be. These researchers found an attack is not very hard and it could be lucrative for attackers.

“The resulting high volume of transactions in the blockchain will not allow for the proper settlement of all debts, and attackers may get away with stealing some funds,” writes Harris in a post explaining the mechanics of the attack.

Harris cautions users not to experiment with this attack since it “can allow funds to be stolen from innocent users. Do not try this at home.”

The 'Flood'

The attack relies on a couple components of the Lightning Network. 

The whole point of the Lightning Network is to keep funds “off-chain,” meaning “off” the Bitcoin blockchain. That way, people can make bitcoin payments while using bitcoin’s scarce block space as little as possible. Bitcoin only can handle a few transactions per second in total, which isn’t a lot.

That said, if something goes wrong, a user always has the ability to kick their Lightning transaction back to the Bitcoin blockchain.

Read more: Lightning Solves Bitcoin’s Speed Problem, but Watch Out for Fraudsters

First, Lightning works the best when the underlying blockchain is used very minimally. The problem comes if a bunch of Lightning channels are closed at once in the “flood” portion of the attack: The underlying bitcoin network cannot handle the volume, leading to problems. 

Second, there’s an expiration date built into each transaction by which users can send their bitcoin back to the blockchain without someone stealing it.

The Lightning Network is made up of thousands of nodes. Similar to how the internet works under the hood, a payment needs to hop along several nodes before it reaches its destination. Lightning uses “hash time-locked contracts” (HTLCs) undergirded by cryptography so that users don’t have to trust their money with these complete strangers. HTLCs have baked in rules, such as requiring knowledge of a “secret” to obtain the bitcoin inside, which none of these intermediary strangers know. 

But the researchers are exploring a way to kind of game the system. In short, HTLCs build a deadline into each of these payments, giving users a chance to “settle” their funds on the bitcoin blockchain if something goes awry. After this deadline passes, the HTLCs are up for grabs; as a result, a malicious user can steal the funds held in the contracts. 

The 'Loot'

You might be able to see where this is going. Attackers take advantage of the blockchain congestion and pair it with exploiting the HTLC deadlines. 

The attack relies on the bitcoin blockchain being filled to the brim with transactions so that no more can get through. The attacker hopes he or she can push the contracts past the built-in deadlines. If successful, the attacker can begin to “loot” the expired contracts.

“By attacking many channels and forcing them all to be closed at the same time […], some of the victims’ HTLC-claiming transactions will not be confirmed in time, and the attacker will steal them,” Harris explains in the blog post.

lightning_loot
"By attacking many channels and forcing them all to be closed at the same time [...], some of the victims’ HTLC-claiming transactions will not be confirmed in time, and the attacker will steal them."
Source: Harris and Zohar, "Flood & Loot: A Systemic Attack on the Lightning Network"

The researchers ran simulations on a test Lightning Network with dummy coins to test how feasible such an attack is.

In short, each closed channel results in one more transaction being pushed to the Bitcoin blockchain. The attacker will attempt to simultaneously close as many channels as possible to increase the number of transactions sent to the blockchain, increasing the chance of success. 

Using their simulations, the researchers found that attacking 85 channels at once was enough to “guarantee a successful attack.”

Harris notes an attacker targeting 100 channels leads to a reward of “at least” 7402 HTLCs, with the average HTLC today holding about $138 worth of bitcoin. That could mean a payday of roughly $1,021,476.

They also found that, as expected, less block space leads to a higher attack success rate because an HTLC is less likely to go through before the deadline.

Finding “potential victims” was also eerily easy. In the simulation, the researchers found it wasn’t hard to set up channels with other users. Indeed, 95% of Lightning nodes accepted their invitations to set up a Lightning channel.

The Fix

Still, this research could be seen as a part of a broader effort to improve the payment system and, one hopes, make it safer for more users. In this way, bitcoiners like to describe bitcoin as “anti-fragile” – the more a system fails and the more it is subject to attacks, the stronger it gets. 

The researchers argue the attack is systemic and “eliminating the risk entirely seems to be a complicated task.” 

That said, Harris suggests several strategies for solving the problem, or at least ameliorating it if the issue can’t be stomped out entirely. One is increasing the HTLC deadline so it is easier for a user tp counter the attacker via the Bitcoin blockchain in time.

Lightning Network watchtower Teos developer Sergi Delgado told CoinDesk that so-called “anchor outputs,” an in-progress upgrade, could also make the attack much harder. 

Anchor outputs would allow users to bump up their transaction fee to get the transaction into the Bitcoin blockchain faster. This step would make it more difficult for the attacker to prevent a counter-transaction from being sent to the blockchain.

“The current, simple version of anchors doesn’t fix it […], but a more mature version should,” Delgado said.

Read more: Researchers Surface Privacy Vulnerabilities in Bitcoin Lightning Network Payments

The Lightning Network could significantly improve bitcoin payments by speeding them and scaling Bitcoin as a whole so more people can use the digital currency at once. But many argue the network isn’t ready for prime time. As the network grows, researchers are exploring problems like this one in the hopes that one day they can be fixed.

With these and other potential improvements, Harris thinks there’s hope. But it will take some work. “I believe the Lightning Network is here to stay, but of course more work is required in order to minimize the potential of such threats before [Lightning] could become mainstream. There are ongoing discussions in the community around this and I believe we are on the right track,” Harris said.