Bitcoin Lightning bug permits remote theft of bitcoin through LND nodes

A significant bug set off immediate panic among Bitcoin Lightning users. Senior Bitcoin developer “Calle” alerted node operators running software older than Lightning Network Daemon (LND) version 0.18.5 or LITD version 0.14.1.

The vulnerability pertains to how LND checks description fields for the settlement of Lightning invoices. Clever hackers discovered a way to manipulate the payment state of such invoices to remotely drain funds.

Satoshi Labs co-founder Pavol Rusnak rang a similar alarm bell. As posts gained tens of thousands of impressions, users of the Lightning network spread the message about the imminent threat of theft.

Lightning is a mesh network of roughly 5,000 BTC that move faster and cheaper than regular, on-chain BTC. By routing funds through 44,000 public channels connecting over 16,000 nodes, Lightning users sacrifice the full security and decentralization of BTC for speed, thrift, and additional capabilities.

They also expose themselves to Lightning-specific bugs that don’t affect the base layer.

Patching Bitcoin Lightning nodes to LND 18.5

The newly released node software versions LND 0.18.5 and LITD 0.14.1 patch this remote threat vector. Disturbingly, LND 18.5 was only released last week, so many LND nodes are still outdated and vulnerable.

Out-of-date LND nodes number in the hundreds or low-single-digit thousands as of publication time. LND has historically been the preferred software for most Lightning node operators.
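For operators checking a node inventory against the fixed releases named above, the following is an added example, not code from the article or from Lightning Labs. The inventory and its version strings are constructed samples, and treating a release candidate of the fixed version as unconfirmed is an assumption.

```python
import re

# Fixed releases named in the article.
FIXED = {"lnd": (0, 18, 5), "litd": (0, 14, 1)}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")

def parse_version(text):
    """Return ((major, minor, patch), is_release_candidate), or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    numbers = tuple(int(part) for part in m.groups()[:3])
    return numbers, "rc" in (m.group(4) or "").lower()

def triage(daemon, version_text):
    """Classify a node as 'vulnerable', 'patched' or 'unknown'."""
    fixed = FIXED.get(daemon.lower())
    parsed = parse_version(version_text)
    if fixed is None or parsed is None:
        return "unknown"  # unrecognised daemon or unparseable version
    numbers, is_rc = parsed
    if numbers < fixed:  # tuple comparison is numeric: 0.18.10 > 0.18.5
        return "vulnerable"
    if numbers == fixed and is_rc:
        # Assumption: a release candidate of the fixed version is not
        # treated as confirmed patched; flag it for manual review.
        return "unknown"
    return "patched"  # assumption: later releases keep the fix

def audit(inventory):
    """Triage (name, daemon, version) rows, vulnerable nodes first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = [(name, triage(daemon, ver)) for name, daemon, ver in inventory]
    return sorted(rows, key=lambda row: order[row[1]])

# Constructed sample inventory (hypothetical node names and versions).
SAMPLE_INVENTORY = [
    ("routing-1", "lnd", "0.18.5-beta commit=v0.18.5-beta"),
    ("shop-node", "lnd", "0.18.4-beta commit=v0.18.4-beta"),
    ("terminal", "litd", "0.14.0-alpha"),
    ("staging", "lnd", "0.18.5-beta.rc1"),
    ("legacy", "lnd", "0.17.5-beta"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY):
        print(f"{status:10} {name}")
```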

The bug involves an inability to cancel AMP invoices if they have a settled sub-invoice. A Lightning developer known as ziggie1984 posted a patch request that suggested allowing AMP invoices to expire even if they have a settled sub-invoice.

Effet Cantillon posted some reassurance that merchants using Lightning Labs’ software might be fine if they don’t have their LND node interact with invoices generated by services like BTCPay.

BTCPay Server apparently upgraded its LND node to 0.18.5 only recently.

A quick review of comments on popular posts on X revealed only a few real-world instances of actual theft of funds, although the vulnerability is very much live as of publication time and theft details were sparse.

All major Lightning developers recommended upgrading to the latest version of LND, which fixes the exploit.

Lightning Labs personnel, the leaders of LND, haven’t issued an official statement yet. A pull request on GitHub indicates that its development team was aware of the issue three weeks ago.
