Friday, February 21, 2025

Bitcoin Lightning bug permits remote theft of bitcoin through LND nodes


A significant bug panicked Bitcoin Lightning users today. Senior Bitcoin developer “Calle” alerted node operators running software older than Lightning Network Daemon (LND) version 0.18.5 or LITD version 0.14.1.

The vulnerability pertains to how LND checks description fields for the settlement of Lightning invoices. Clever hackers discovered a way to manipulate the payment state of such invoices to remotely drain funds.

Satoshi Labs co-founder Pavol Rusnak rang a similar alarm bell. As posts gained tens of thousands of impressions, users of the Lightning network spread the message about the imminent threat of theft.

Lightning is a mesh network of roughly 5,000 BTC that move faster and cheaper than regular, on-chain BTC. By routing funds through 44,000 public channels connecting over 16,000 nodes, Lightning users sacrifice the full security and decentralization of BTC for speed, thrift, and additional capabilities.

They also expose themselves to Lightning-specific bugs that don’t affect the base layer.

🚨 LND exploit in the wild 🚨

If you are running LND older than 0.18.5 and/or LITD older than 0.14.1, upgrade immediately. Apparently, affected Lightning nodes may be fully drained by attackers.

— calle (@callebtc) February 19, 2025

Patching Bitcoin Lightning nodes to LND 18.5

Newly released node software LND 0.18.5 and LITD 0.14.1 patch this remote threat vector. Disturbingly, LND 18.5 was just released last week, so many LND nodes are still outdated and vulnerable.

Out-of-date LND nodes number in the hundreds or low-single-digit thousands as of publication time. LND has historically been the preferred software for most Lightning node operators.
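
An added example (not from the article or the LND project): a Python check that sorts a node inventory into vulnerable, patched and needs-review, using the 0.18.5 and 0.14.1 thresholds stated above. The inventory, the version-string formats and the choice to flag release candidates of the patched versions for manual review are assumptions made for this example.

```python
import re

# Minimum patched versions, taken from the article text above.
PATCHED = {"lnd": (0, 18, 5), "litd": (0, 14, 1)}

# Accepts forms such as "0.18.4-beta", "v0.18.5-beta.rc1" or
# "0.18.4-beta commit=v0.18.4-beta" (formats assumed for this example).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")

def classify(daemon, version_string):
    """Return 'vulnerable', 'patched' or 'review' for one node."""
    minimum = PATCHED.get(daemon.lower())
    match = _VERSION_RE.match(version_string.strip())
    if minimum is None or match is None:
        return "review"  # unknown daemon or unparseable version
    # Compare as integer tuples: as strings, "0.18.10" sorts before "0.18.5".
    numbers = tuple(int(part) for part in match.group(1, 2, 3))
    suffix = (match.group(4) or "").lower()
    if numbers < minimum:
        return "vulnerable"
    if numbers == minimum and "rc" in suffix:
        # Assumption: the article does not say whether release candidates
        # of the patched version carry the fix, so a human should check.
        return "review"
    return "patched"

def audit(inventory):
    """Group node names by status; inventory rows are (name, daemon, version)."""
    report = {"vulnerable": [], "review": [], "patched": []}
    for name, daemon, version_string in inventory:
        report[classify(daemon, version_string)].append(name)
    return report

# Constructed sample inventory, not real nodes or real release names.
INVENTORY = [
    ("node-a", "lnd", "0.18.4-beta commit=v0.18.4-beta"),
    ("node-b", "lnd", "0.18.5-beta"),
    ("node-c", "lnd", "v0.18.5-beta.rc1"),
    ("node-d", "litd", "0.14.0-alpha"),
    ("node-e", "litd", "0.14.1-alpha"),
    ("node-f", "lnd", "0.18.10-beta"),
    ("node-g", "lnd", "unknown"),
]

if __name__ == "__main__":
    for status, names in audit(INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```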

The bug involves an inability to cancel AMP invoices if they have a settled sub-invoice. A Lightning developer known as ziggie1984 posted a patch request that suggested allowing AMP invoices to expire even if they have a settled sub-invoice.

Effet Cantillon posted some reassurance that merchants using Lightning Labs’ software might be fine if they don’t have their LND node interact with invoices generated by services like BTCPay.

BTCPay Server apparently upgraded its LND node to 0.18.5 just recently.

A quick review of comments on popular posts on X revealed just a few real-world instances of actual theft of funds, although the vulnerability is very much live as of publication time and theft details were sparse.

All major Lightning developers recommended upgrading to the latest version of LND, which fixes the exploit.

Lightning Labs staff, the leaders of LND, haven’t issued an official statement yet. A pull request on GitHub indicates that its development team was aware of the issue three weeks ago.
