Altcoin News: Details of an Attack That Could Stop Payments on the Lightning Network

October 21, 2019, by Marko Vidrih on ALTCOIN MAGAZINE

A group of researchers has uncovered an attack on the Lightning Network, Bitcoin's second-layer scaling network, that is simple to execute yet destructive.

The denial-of-service (DoS) attack can be used to slow down or completely stop a large proportion of payments in the network. Although it has not yet been carried out in practice, and the Lightning Network is still at an experimental stage, the vulnerability is considered critical for the current implementation.

The vulnerability stems from how the Lightning Network works: each payment must pass through a chain of nodes to reach its destination. If one of these nodes belongs to an attacker, the attacker can stall the payment instead of forwarding it quickly, as any other node would.

To do this, the owner of a malicious node needs to set a zero fee for processing transactions. The user's application will then, with high probability, choose that node when it determines the optimal route for the payment.

“We can open channels that offer short and low-cost routes in the network which then are selected (almost always) for the route,” the researchers explain. This attracts a significant portion of payments at any given time. “We find that just five new links are enough to draw the majority (65% — 75%) of the traffic regardless of the implementation being used,” the paper explains.

The process can be repeated until the payment is stopped completely: when a node refuses to process the payment, a new path is selected, and that path will also be controlled by the attacker.
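The routing bias described above can be measured. As an added example (not from the article or the researchers' paper), this sketch picks the cheapest route on a constructed six-node graph and reports the share of routes each node forwards, which a wallet or monitoring tool could use to flag over-concentration. The topology, fees, node names and the 0.5 threshold are assumptions.

```python
import heapq
from collections import Counter
from itertools import permutations

# Constructed topology: (node_a, node_b, flat fee to use the channel).
# Simplification: real Lightning fees are set per forwarding node.
HONEST = [("A", "B", 2), ("B", "C", 2), ("C", "D", 2), ("D", "E", 2),
          ("E", "F", 2), ("F", "A", 2), ("A", "D", 5), ("B", "E", 5)]
# Hypothetical newcomer "X" advertising five zero-fee channels.
ZERO_FEE = [("X", peer, 0) for peer in "ABCDE"]

def build_graph(channels):
    graph = {}
    for a, b, fee in channels:
        graph.setdefault(a, []).append((b, fee))
        graph.setdefault(b, []).append((a, fee))
    return graph

def cheapest_route(graph, src, dst):
    """Dijkstra on total fee; ties go to fewer hops, then node names."""
    queue, seen = [(0, 0, [src])], set()
    while queue:
        fee, hops, path = heapq.heappop(queue)
        node = path[-1]
        if node == dst:
            return path
        if node in seen:
            continue
        seen.add(node)
        for peer, cost in graph[node]:
            if peer not in seen:
                heapq.heappush(queue, (fee + cost, hops + 1, path + [peer]))
    return None  # no route between src and dst

def route_share(channels, endpoints):
    """Fraction of payer/payee pairs whose cheapest route crosses each node."""
    graph = build_graph(channels)
    pairs = list(permutations(endpoints, 2))
    counts = Counter()
    for src, dst in pairs:
        route = cheapest_route(graph, src, dst)
        if route:
            counts.update(route[1:-1])  # intermediate hops only
    return {node: n / len(pairs) for node, n in counts.items()}

def flag_concentration(shares, threshold=0.5):
    """Nodes forwarding more than `threshold` of all routes."""
    return sorted(node for node, s in shares.items() if s > threshold)
```

Calling `flag_concentration(route_share(HONEST, "ABCDEF"))` and then the same with `HONEST + ZERO_FEE` shows no node flagged before the zero-fee channels appear and only `X` flagged afterwards.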

Despite its relative simplicity, the attack cannot be carried out without some investment, although the amount is small compared to the potential damage. According to the researchers, attacking 80% of transactions on the network would require opening about 20 new channels and funding them with bitcoin. The total cost in this case would be approximately $2,000.

The authors assume that the attack has not yet been carried out in practice because the Lightning Network is not used much, so the damage would not be large. In addition, an attacker cannot steal user funds, so there is an incentive to act only when demand for Lightning payments is high.

The developers acknowledge that they had not paid attention to this attack vector before, but note that the payment system will be improved in future versions. In addition, they plan to develop a mechanism for excluding from the network users who degrade its performance.
