Bitcoin, originally designed as a digital storefront and modern payment network, has long struggled to compete with rapidly evolving commercial payment rails. Projects such as the Bitcoin Lightning Network, which aims to speed up low-value bitcoin transactions by moving them off the bitcoin blockchain, are growing in popularity — the number of Lightning Network access points has increased 33% over the past year.

As the Lightning Network grows, it has become a more attractive target for attackers, and researchers are warning that if users are not careful, bitcoin on the emerging payment network can be stolen and funds can never be guaranteed to be safe.

Researchers at the Hebrew University of Jerusalem warn that about $9 million in Bitcoin currently “locked” in Lightning Network payment channels could be “stolen” by attackers. While the vulnerability may only be potentially dangerous, it should also be fixable.

“Networks of payment channels are known to be susceptible to blockchain jams, which may not allow participants to withdraw funds in a timely manner if they are attacked,” computer scientists Jona Harris and Aviv Zohar wrote in a Medium article explaining the attack. “In the attack, the attacker forces many victims at once to flood the blockchain with their funds. He can then take advantage of the congestion they cause and steal any funds that were not claimed before the deadline.”

The Bitcoin Lightning Network works by creating a layer on top of the Bitcoin blockchain where transactions can be passed back and forth before being added to the underlying blockchain.

“The attack could allow innocent users to have their funds stolen,” Harris and Zohar wrote. “Don’t try it at home. Unfortunately, there are no obvious changes to the Lightning Network protocol that could completely eliminate it.”

Harris and Zohar said that of the approximately 2,000 existing lightning nodes, about 95% are vulnerable to this attack.
“None of this is new, and has been highlighted by others on the mailing list and even in the original Lightning Network whitepaper in 2015, so the community is well aware of it,” Elizabeth Stark, CEO of Lightning Network developer Lightning Labs, acknowledged via email.

Developers often rush to fix software vulnerabilities that put user funds at risk, but this particular issue may never be resolved.

“To the extent that we believe there is no 100% fix possible, the main principles at work here are: 1) Lightning Network exists because of the high scalability of its blockchain 2) We know of no untrusted second layer mechanism that can avoid blockchain transaction disputes 3) An attacker would have to rely on overloading the blockchain via this exact mechanism.”

Zohar explained that a side effect of such an attack would be to decentralize the Bitcoin blockchain and raise fees for other transactions, which would have to compete with all the lightning transactions from victims trying to save their funds.

“All this spam is generated by the victims, so there’s not much to lose for the attackers,” Zohar told me. “However, I think we can hope that the increase in on-chain transaction size and more cautious behavior on second-layer networks will make the bar for profitable attacks higher for attackers.”

As the price of Bitcoin has risen over the past few years, many Bitcoin investors and developers have begun to prioritize Bitcoin's "digital gold" characteristics over its payment function. Lightning Network developers including Stark’s Lightning Labs, which is backed by Jack Dorsey, hope to reverse that trend and encourage people to spend the bitcoin they currently hold as an investment.

Although the vulnerability is serious, Zohar is confident that developers will eventually be able to find ways to mitigate the threat.

“The Lightning Network is one of the greatest hopes for scalability of bitcoin payments,” Zohar said.
“In the short term, these are practical issues that may deter users from using the system, but in the long term we are actually optimistic.”

“The Lightning protocol is evolving rapidly to address multiple issues. We believe that the main hurdle remains the accessibility of the technology to the average person and the user experience, which needs to be improved further. Even today, you can still run a Lightning Network node and get relatively reliable security (just choose your node parameters carefully), but Lightning is where you need to be more tech-savvy to maintain the security that will benefit everyone in the future.”
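As an added illustration (not code from the article or from Harris and Zohar), the toy model below shows the congestion mechanism described above from a node operator's side: claims compete for limited block space, and any claim still unconfirmed at its deadline is exposed. It also shows why the deadline and fee parameters a node chooses matter. Block size, transaction size, fee rates and traffic volumes are all constructed assumptions.

```python
# Toy congestion model (added example; every number is a constructed assumption).

def claims_missed(num_claims, claim_vbytes, claim_feerate, deadline_blocks,
                  block_vbytes, bg_vbytes_per_block, bg_feerate):
    """Claims still unconfirmed after `deadline_blocks` blocks.

    Each block is filled highest fee rate first. Background (non-claim)
    traffic arrives every block and queues up if it does not fit.
    """
    pending, bg_backlog = num_claims, 0
    for _ in range(deadline_blocks):
        bg_backlog += bg_vbytes_per_block
        space = block_vbytes
        if bg_feerate >= claim_feerate:
            # Background outbids the claims and takes block space first.
            used = min(bg_backlog, space)
            bg_backlog -= used
            space -= used
        confirmed = min(pending, space // claim_vbytes)
        pending -= confirmed
        if bg_feerate < claim_feerate:
            # Claims went first; background gets whatever space is left.
            space -= confirmed * claim_vbytes
            bg_backlog -= min(bg_backlog, space)
    return pending


def min_safe_deadline(max_blocks=10_000, **scenario):
    """Smallest deadline (in blocks) at which no claim is missed, or None."""
    for blocks in range(1, max_blocks + 1):
        if claims_missed(deadline_blocks=blocks, **scenario) == 0:
            return blocks
    return None


# Constructed scenario: 20,000 simultaneous claims of 300 vbytes each.
BASE = dict(num_claims=20_000, claim_vbytes=300, block_vbytes=1_000_000,
            bg_vbytes_per_block=700_000)
OUTBID = dict(BASE, claim_feerate=5, bg_feerate=20)     # claims pay too little
PRIORITY = dict(BASE, claim_feerate=50, bg_feerate=20)  # claims outbid the rest

if __name__ == "__main__":
    for name, sc in (("outbid", OUTBID), ("priority", PRIORITY)):
        print(name, "missed at 7 blocks:", claims_missed(deadline_blocks=7, **sc),
              "| safe deadline:", min_safe_deadline(**sc))
```

In this constructed scenario the same 7-block deadline clears every claim when the claims outbid background traffic and leaves 13,000 unconfirmed when they do not, which is why longer deadlines and realistic fee settings reduce exposure.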