Bitcoin, originally designed as both a digital store of value and modern payments network, has long struggled to compete with fast-moving commercial payment channels.
Projects like the bitcoin lightning network, aiming to speed up low value bitcoin transactions by moving them off the bitcoin blockchain, are growing in popularity—with the number of lightning network access points up 33% over the last year.
As the lightning network grows, it is becoming a more attractive target for attackers, and researchers have warned bitcoin on the burgeoning payment network could be stolen if users aren't careful—and it might be impossible to ever guarantee the safety of funds.
Bitcoin that's currently "locked in" the lightning network payments channel, currently around $9 million of bitcoin tokens, could be "looted" by attackers, researchers from the Hebrew University of Jerusalem have warned. While the vulnerability is potentially dangerous, it should also be solvable.
"Payment channel networks are known to be susceptible to blockchain congestion, which may not allow participants to withdraw funds in time if they are being attacked," computer scientists Jona Harris and Aviv Zohar wrote in a Medium post explaining the attack.
"In this attack, an attacker forces many victims at once to flood the blockchain with claims for their funds. He is then able to leverage the congestion that they create to steal any funds that were not claimed before the deadline."
The bitcoin lightning network works by creating a layer on top of the bitcoin blockchain where transactions can be passed back and forth before being added to the underlying blockchain.
"The attack can allow funds to be stolen from innocent users," Harris and Zohar wrote. "Do not try it at home. Unfortunately, no obvious change to the protocol eliminates it entirely."
Around 95% of some 2,000 existing lightning nodes are vulnerable to this attack, according to Harris and Zohar.
"None of this is new and has been highlighted by other people in mailing list posts and even in part in the original lightning network white paper from 2015, so the community is well aware," Elizabeth Stark, the chief executive of lightning network developer Lightning Labs, admitted via email.
Software vulnerabilities that put user funds at risk are usually fixed by developers as a matter of urgency but this particular problem may never be resolved, according to Zohar.
"To some degree, we believe that there is no 100% fix, as the main principles at work here are: 1) the lightning network is there because the blockchain isn't highly scalable 2) we are aware of no trustless 2nd layer mechanism that can avoid accessing the blockchain to resolve disputes 3) The attack relies on overloading the blockchain via this exact mechanism," Zohar, who has been trying to highlight the seriousness of the vulnerability for some time, said via email.
The attack has a side effect of spamming the bitcoin blockchain and raising fees for other transactions that have to compete with all the lightning transactions of victims that are trying to salvage their funds, Zohar explained.
"All of this spam is generated by the victims at no significant cost to the attacker," Zohar told me. "I think we can however hope that increases in on-chain scale and more careful behavior on the lighting layer will push the attack's profitability threshold further from the reach of attackers."
As the bitcoin price has climbed over the last few years many bitcoin investors and developers have begun to prioritise bitcoin's "digital gold" characteristics over its payment functions.