A study published on June 29 revealed a way to drain Bitcoin (BTC) wallets’ funds on the Lightning Network by exploiting a bottleneck in the system.
According to the “Flood & Loot: A Systemic Attack On The Lightning Network” paper, Jona Harris and Aviv Zohar from the Hebrew University in Israel evaluated a systemic attack on the Lightning Network that allows for the theft of BTC funds that were locked in payment channels.
The Lightning Network is used to send payments through intermediary nodes, which can be leveraged to steal Bitcoin. This usually must be done quickly. However, hackers could extend the effective window of time by flooding the network.
To succeed, hackers would only need to attack 85 channels simultaneously in order to steal funds from the network.
Researchers provided more details, noting:
“The key idea behind Hash Time Locked Contracts (HTLC) is that after they are established, payments are ‘pulled’ by the target node from the previous node in the path by providing a secret (a preimage of a hash). Our attacker will route a payment between his own two nodes, and pull the payment at the end of the path. He will refuse to cooperate when the payment is eventually pulled from the source node – forcing the victim to do so via a blockchain transaction.”
The paper clarifies that the results of the study were shared with the developers of the three main Lightning implementations prior to publishing the report.
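The two spending paths of the HTLC described in the quote, as a simplified model added here (not code from the paper or from any Lightning implementation). The class and function names, heights and amounts are constructed for illustration, and the model assumes the payer uses the timeout path as soon as it becomes valid. It shows why an on-chain claim must confirm before the time lock expires, and adds a check a node operator could run over pending HTLCs.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class HTLC:
    """Simplified HTLC: a hash lock plus a time lock (model only)."""
    payment_hash: bytes   # SHA-256 of the secret preimage
    amount_sat: int
    expiry_height: int    # block height from which the payer's timeout path is valid
    settled_by: str = ""  # "", "preimage" or "timeout"

    def claim(self, preimage: bytes) -> bool:
        """Payee path: pull the payment by revealing the preimage."""
        if self.settled_by or hashlib.sha256(preimage).digest() != self.payment_hash:
            return False
        self.settled_by = "preimage"
        return True

    def timeout(self, height: int) -> bool:
        """Payer path: take the funds back once the time lock has expired."""
        if self.settled_by or height < self.expiry_height:
            return False
        self.settled_by = "timeout"
        return True


def settle(htlc: HTLC, preimage: bytes, claim_confirm_height: int) -> str:
    """On-chain outcome, assuming the payer uses the timeout path as soon as it is valid."""
    if claim_confirm_height < htlc.expiry_height:
        htlc.claim(preimage)
    htlc.timeout(htlc.expiry_height)  # no effect if the claim already settled it
    return htlc.settled_by


def at_risk(htlcs, current_height: int, est_confirm_delay: int):
    """HTLCs whose claim, if broadcast now, is not expected to confirm before expiry."""
    return [h for h in htlcs if current_height + est_confirm_delay >= h.expiry_height]


if __name__ == "__main__":
    secret = b"constructed preimage"            # constructed sample values
    digest = hashlib.sha256(secret).digest()
    print(settle(HTLC(digest, 50_000, 700_040), secret, 700_010))  # claim confirms in time
    print(settle(HTLC(digest, 50_000, 700_040), secret, 700_045))  # claim delayed past expiry
    pending = [HTLC(digest, 1_000, 700_040), HTLC(digest, 1_000, 700_200)]
    print([h.expiry_height for h in at_risk(pending, 700_000, 40)])
```

Here `est_confirm_delay` stands in for the node's own estimate of how many blocks a claim needs to confirm under current congestion.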