Non Cult Crypto News


Lightning Labs CTO downplays node security bug, citing compromised user

Lightning Labs’ Olaoluwa Osuntokun said the issue appears to be caused by a user’s machine being compromised rather than a bug or vulnerability.


The chief technology officer of Lightning Labs, the firm behind the Bitcoin scaling network, has downplayed a purported new bug that could allow exploiters to drain funds from Lightning Nodes. 

“Based on the information we’ve been provided with so far, it appears that this was an instance of the user’s machine being compromised,” said Lightning Labs chief technology officer Olaoluwa Osuntokun on Feb. 19 following the discovery of the vulnerability. 

Satoshi Labs co-founder Pavol Rusnak reported the bug in an alarming X post on Feb. 19, cautioning users running Lightning Network Daemon (LND) older than version 0.18.5 and/or Lightning Terminal older than 0.14.1 to “stop what you are doing and upgrade immediately” before adding, “Thieves are draining funds using exploits that were fixed in these releases.”

Source: Olaoluwa Osuntokun

However, Osuntokun said the bug doesn’t appear to be an issue with LND, which is a complete implementation of a Lightning Network node, and that it was instead due to a user’s machine being compromised.

Cointelegraph contacted Osuntokun and Lightning Labs for more information but did not receive an immediate response.

The Lightning Network is Bitcoin’s layer-2 scaling solution, which has a current capacity of 5,145 BTC, worth around $500 million at current prices.

Private key extraction threat 

Only a week ago, another Bitcoiner warned of a separate potential vulnerability impacting the Bitcoin network, which was posted on GitHub on Feb. 13.

The GitHub entry warned of a critical weakness in ECDSA (Elliptic Curve Digital Signature Algorithm) signature implementation that could lead to private key exposure.  

The elliptic library is a JavaScript package that implements the elliptic curve cryptography operations used by Bitcoin. The bug may have resulted in reused nonces, which are single-use random numbers for cryptographic signatures. If the same nonce is used to sign different messages, the private key can be mathematically extracted in theory.
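The condition described above (one nonce, different messages) shows up in signature data as a repeated r value under the same key, which wallets and auditors can scan for. The following is an added example, not code from the article or from the elliptic project; the record shape and the function name `findNonceReuse` are assumptions, and the sample values are constructed.

```javascript
// Added example (not from the article). All sample values below are constructed.
// secp256k1 group order n, a public curve constant.
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;

// Parse hex so that "0x00AB" and "ab" compare equal.
const toBig = (hex) => BigInt("0x" + hex.replace(/^0x/i, ""));

// sigs: [{ pubkey, msgHash, r, s }] with hex-string fields (assumed record shape).
// Returns one finding per (pubkey, r) pair that occurs more than once.
function findNonceReuse(sigs) {
  const groups = new Map();
  for (const sig of sigs) {
    const key = `${sig.pubkey.toLowerCase()}:${toBig(sig.r).toString(16)}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(sig);
  }
  const findings = [];
  for (const members of groups.values()) {
    if (members.length < 2) continue;
    const hashes = new Set(members.map((m) => toBig(m.msgHash).toString(16)));
    const s0 = toBig(members[0].s);
    const sameOrTwin = members.every((m) => {
      const s = toBig(m.s);
      return s === s0 || s === N - s0; // identical, or the s -> n - s malleated form
    });
    let verdict;
    if (hashes.size > 1) verdict = "nonce-reuse"; // different messages, same r: treat key as exposed
    else if (sameOrTwin) verdict = "benign-duplicate"; // same message signed again
    else verdict = "inconsistent"; // cannot all be valid signatures; inspect the records
    findings.push({ pubkey: members[0].pubkey, r: members[0].r, count: members.length, verdict });
  }
  return findings;
}

// Constructed records, not real signatures.
const SAMPLE = [
  { pubkey: "02AA", msgHash: "11", r: "00c0ffee", s: "05" },
  { pubkey: "02aa", msgHash: "22", r: "c0ffee", s: "09" }, // other message, same r
  { pubkey: "02bb", msgHash: "33", r: "beef", s: "05" },
  { pubkey: "02bb", msgHash: "33", r: "beef", s: (N - 5n).toString(16) }, // malleated twin
  { pubkey: "02cc", msgHash: "44", r: "c0ffee", s: "07" }, // same r, different key: not grouped
];

console.log(findNonceReuse(SAMPLE));
```

A "benign-duplicate" verdict is what deterministic nonce derivation produces when the same message is signed twice, so only "nonce-reuse" calls for key rotation.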

Elliptic security alert. Source: GitHub


When asked about the potential impact on Bitcoin wallets, security experts from PeckShield told Cointelegraph that “it is always advised to ensure that the used Bitcoin wallet is up-to-date and the vulnerable elliptic package, if used, is patched or upgraded.”

Meanwhile, the Security Alliance team told Cointelegraph that “wallets will be fine if they strictly follow correct protocols and nonces are derived deterministically from the hashed message, their input-to-bytes conversion is not erroneous, and they don’t allow custom nonce injection.”


This article first appeared at Cointelegraph.com News


Written by Outside Source
