A serious bug panicked Bitcoin Lightning customers immediately. Senior Bitcoin developer “Calle” alerted node operators operating software program older than Lightning Community Daemon (LND) Model 0.18.5 or LITD Model 0.14.1.
The vulnerability pertains to how LND checks description fields for the settlement of Lightning invoices. Intelligent hackers discovered a strategy to manipulate the cost state of such invoices to remotely drain funds.
Satoshi Labs co-founder Pavol Rusnak rang an identical alarm bell. As posts gained tens of 1000’s of impressions, customers of the Lightning community unfold the message in regards to the imminent menace of theft.
Lightning is a mesh community of roughly 5,000 BTC that transfer sooner and cheaper than common, on-chain BTC. By routing funds by way of 44,000 public channels connecting over 16,000 nodes, Lightning customers sacrifice the total safety and decentralization of BTC for velocity, thrift, and further features.
In addition they expose themselves to Lightning-specific bugs that don’t have an effect on the bottom layer.
🚨 LND exploit within the wild 🚨
In case you are operating LND older than 0.18.5 and/or LITD older than 0.14.1, improve instantly. Apparently, affected Lightning nodes could be utterly drained by attackers.
— calle (@callebtc) February 19, 2025
Patching Bitcoin Lightning nodes to LND 18.5
Newly launched node softwares LND 0.18.5 and LITD 0.14.1 patch this distant menace vector. Disturbingly, LND 18.5 was simply launched final week, so many LND nodes are nonetheless old-fashioned and susceptible.
Out-of-date LND nodes quantity within the tons of or low-single-digit 1000’s as of publication time. LND has traditionally been the popular software program for many Lightning node operators.
The bug includes an incapability to cancel AMP invoices if they’ve a settled sub-invoice. Lightning developer often known as ziggie1984 posted a patch request that recommended permitting AMP invoices to run out even when they’ve a settled sub-invoice.
Effet Cantillon posted some reassurance that retailers utilizing Lightning Labs’ software program is perhaps high quality in the event that they don’t have their LND node work together with invoices generated by companies like BTCPay.
BTCPay Server apparently upgraded its LND node to 0.18.5 only in the near past.
A fast evaluation of feedback to standard posts on X revealed a couple of real-world situations of precise theft of funds, though the vulnerability could be very a lot reside as of publication time and theft particulars had been sparse.
All main Lightning builders advisable upgrading to the newest model of LND, which fixes the exploit.
Lightning Labs personnel, the leaders of LND, haven’t issued an official assertion but. A pull request on GitHub signifies that its improvement group was conscious of the difficulty three weeks in the past.
