Bitcoin Forum

However, I shake my head on how the Lightning network can quickly transform bitcoin as secure money into bitcoin, the unsafe money.

Do not listen to people who are encouraging everyone to be reckless.

https://i.ibb.co/S0rDNMq/image.jpg

A popular payments network running atop the bitcoin blockchain suffered from a long-standing code vulnerability – one where attackers could drain users’ of their money.

While initially flagged to the public on Aug. 30 by bitcoin developer Rusty Russell, the full disclosure detailing how this vulnerability could be exploited by an attacker was released Friday.

“An attacker can claim to open a [lighting payments] channel but either not pay to the peer, or not pay the full amount,” Russell wrote in the full disclosure.

Without the proper checks, an attacker could pretend to open a new payments channel and send fake transactions. Being duped, an honest user could then send back real money to the attacker not knowing the previous transactions had been completely artificial. It’s unclear how many users fell victim to such attacks.

Lightning developers, he added, did not want to risk revealing the vulnerability until absolutely sure no users were at risk.

“There are always problems. Even on the bitcoin protocol, there have been bugs,” Padiou said, adding:

"There will always be bugs. What matters the most is how to handle this in the best way to protect users."

Read in full https://www.coindesk.com/a-dangerous-bug-in-bitcoins-lightning-network-has-been-fixed

Full disclosure https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html

if you think that's right, you obviously don't understand what happened


and if it's that easy to fool yourself into thinking something that's not true, it would be really easy for you to get tricked by other people.


Wise up

I don't see what the actual problem is? Lightning in no shape or form has been said to be totally secure at this stage, hence the reason it is continuously stressed that you only use small amounts when you experiment with it.

What you do is blame beta code for containing bugs. Let me tell you, every critical bug that is discovered at this stage, is going to make the network exponentially more secure in the long run. This is the time these bugs should be discovered and fixed, so don't be surprised if we get to see more bugs be exposed in the forthcoming months, because the more use the network experiences, the more likely it is for people to spot them.

I never saw any Lightning enthusiasts telling other people to start using Lightning for real transactions right now. "Reckless" is just a meme from Twitter, don't take it too seriously. Developers of the Lightning protocol and Lightning clients always warn users that the software is still in beta stage.

Well, could it be that they delayed telling the public until they fixed the bug.  ;)  How helpful would it have been to tell everyone and expose them to the exploit and only then start working on the solution.  ::)

Nobody can realistically expect any new technology to be without bugs, even if it was tested thoroughly in it's beta testing phase. The Lightning Network still have some minor issues and it is still a work in progress, so let's just ignore all the fud that are being spread about it.  >:(

Nobody said it was perfect.

It depends on how you explain it to people. Using a third party LN works extremely well, which I have been for a while. I only top up my balance once or twice a month with $25-$50 at most, which is enough to start with.

I know the risks of what I am doing because I did my research, and whenever I explain people how it works, I'll be sure to point out the risks so that they understand what they are getting themselves into.

Most of this LN nonsense comes from the Bcash, Dash, BSV, XRP camps. It by no means is secure in any way, but it's perfectly usable if you understand what the risks are. If it was total garbage there wouldn't be 800BTC tied up in liquidity.

Agreed because nothing happened. However, there was a dangerous bug that would have been exploited. What would the news be if someone exploited the bug?

In any case, are the receivers of channels not required to verify the amount of the funding transactions?

There's no reason for drama.At the end of the day,nobody is obligated to use Lightning Network.Everyone should use LN at their own risk.Nothing is 100% safe and secure in the digital world.The good thing is that LN has an active team of developers,that handles such issues.

If you're connecting to peers running old versions of lnd, then yes.


I suppose there would be nasty sounding headlines for a few days and then everyone would move on? People working on Lightning have repeated ad nauseam, "don't put funds on LN that you can't afford to lose."

Now there is a pull request to the specification to add the requirement. Bottom line, we'll have a more robust specification now. This is what beta testing is all about.

He didn't say that nothing has happened. In fact, there have been reports of losses that I read about on Twitter. It's probably so deeply buried that crypto news outlets are too stupid to find them.

I already know their headlines.... LN is not secure and therefore Bitcoin isn't secure either. I'm sure they will exaggerate by a factor ten just to make people click on their articles and generate a few pennies.

@BitHodler. I am skeptical. They might be fake.




The old versions required verification of the amount of funding transactions? I assumed the old version did not and the new version did.

In any case, I did not intend for this to irritate some people when I said Lightning network can quickly transform bitcoin as secure money into bitcoin, the unsafe money. But it did in a way, however.

Yep, it seems to have been patched relatively quickly, and they held out the public announcement to give people time to upgrade to newer versions.


There doesn't seem to be verified losses. There are a lot of people who are rooting for Bitcoin to fail, and I wouldn't put it past them to lie about losing money.


Suprisingly, that doesn't seem to be the case. Headlines in Google only talk about the vulnerability itself. Bugs are expected out of any beta software, so detractors (same people who wouldn't want to touch it in the first place lol) are really the only ones making a big deal out of this.

I'm obviously skeptical too, but we can't rule out any of these claims either. I'm trying to find the conversation on Twitter where I read the complaints but without success. My browser deletes history upon exit. I'll keep searching.

Maybe that Carlton Banks can hop in to shed light on this matter as he is much closer to the workings and progress on the side of the developers, but I'm not sure if he's going to do so because it might feed the skeptics and haters.

It's important to choose your words wisely, because there is no other way to decipher what you wrote. Not the first time though....

I expected Roger to be super loud about it everywhere on social media, but it seems that it has gone past him, or he has paid sockpuppets to do the work for him now he has to maintain a more serious image as head of an exchange.

Either way, it seems that everything we see news outlets report about nowadays has some fundamental agenda behind it, either to discredit Bitcoin, or to get the price to tank. The crap that's been written about hashrate drops and burned mining farm is an example of that. There is no shortage of ignorant people in crypto so these news outlets will keep spewing fud.

That is not actually scared problem, and do not scared upurself about the issue is part of the networking system to encounter mnimal problem. And do not listen to the people blaming crypto or bitcoin as also a dangerous investment.

I know I might be wrong sometimes, however, is it not right for someone to criticize, to question and to make skeptical comments in the forum anymore? Is it deserving for someone to be accused of opening a discussion because I only want attention?

The argument does not need to be deciphered. No one agreed because it is an unpopular opinion. Bitcoin transactions might be insecure in the Lightning network because of unknown bugs and attack vectors. True or false?

Security issues are not that uncommon with cryptocurrencies. Fortunately in this case, it was fixed in relatively quick time.  Lightning Network, ever since its implementation in 2018 played a huge role in reducing the transaction fees and speeding up the confirmations. And as far as I know, till now no one has ever blamed it for any of the major exchange hacks or any other robberies. Despite its status as a relatively new innovation, additional features such as watchtower has worked towards gaining the trust of cryptocurrency users.

Like it or not, Lightning is here to stay. A few minor bugs needs to be fixed, and that will be done in quick time.

I'd love for these guys to show proof they lost money to attackers. Far as I know, the only ones who've accidentally lost it is when they didn't update book balances and this was even last year.

IT was a theoretical risk yes, and it's great the bug was fixed, but hey, the whole reason it's still in testing and not yet recommended to the masses simply is that they expect many bugs to be found.

This isn't turning secure money to unsafe money.

There were plenty of threads about it in r/btc the past few days, and the Bitcoin.com article reporting it actually claims that the bug was exploited at least once, but without evidence:


So yeah, they probably did try to make it a bigger deal than it is.

ok, so the actual Lightning devs seem to be saying that real-world instances of the exploit have happened, not just a bunch of whiners from competing cryptocurrencies. That's not to say that someone couldn't be deceiving the devs, you have to take these claims on trust, as it'd be simple to falsify any evidence. But I guess that must be the underlying point: some person who the Lightning devs genuinely trust have reported this to them.

Is there any indication of how much has been stolen according to those making the claims? Tbh, I wouldn't expect the devs to come up with such statements if they haven't been given the data to review what actually has happened. If they did anyway, then that's a very poor show from the devs because it's more fuel to those looking to leverage it against Bitcoin.

well, they believe it really happened, and that's all we (and they) have: belief

like I said, it's be easy to fake this, so I guess they must trust whoever reported it to them. The data could be totally correct, but the person reporting it could have known about the bug, and stole the money from themself, then presented the thief as a 3rd party when in fact they "stole" their own money.

not seen the details, so I have no info as to how much was lost

As I said someplace else. It was known and discussed informally by a small group @ DefCon back in early August.

However since:
(a) I really didn't pay attention to it
(b) everyone I mentioned it to after accused me of FUD
(c) since it was just a bunch of people sitting around drinking & talking at a bar I had no proof said conversation ever happened.
(d) I really didn't understand the attack (did I mention drinking at a bar)
(e) the amount of funds I have on my lighting node won't buy 2 cups of coffee so even if all the of lightning network crashed it and I lost all of it, it would be a zero event for me at the end of the day.

I didn't follow up on it.

So there was more then 1 person who knew about it so it's a safe bet someone did something. That's just human nature.

As to how much. I doubt it was that much or there would be discussions about it. But that's just my opinion.

-Dave

It's not necessarily that your opinion is unpopular, or that you can't question certain things, but the way it was understood by people (due to your wording) is the actual problem.

True. If you worded it like that I'm sure your previous statement wouldn't have backfired on you.

No one agreed because it was pure fud. You can't expect to say something that is factually incorrect without being pointed at that. Please read both opinions of yours above and tell me how fundamentally different both opinions are. It's not an attack on you at all, so please don't see it as such, but there are newbies reading through this forum too, and they might take your initial words for granted.

@1Referee. Unknown bugs and attack vectors are fud? Will it stop to be fud only until someone loses his money because of a bug in the Lightning network?

I never said bugs in Lightning are fud. I don't even rule out that more bugs will be found this year.

The main fud part is where you said that Lightning can quickly transform Bitcoin as secure money into Bitcoin the unsafe money. That's incorrect. It has always been clear to anyone using it that there are certain tradeoffs when using Lightning. If you want to enjoy the uttermost security, then just conduct on-chain transactions.

Nothing will change how on-chain transactions work and no security will be lost due to Lightning. Bitcoin and Lightning are two different transactional foundations.

@1Referee. Where is the fud? You also agree on the bugs and more hidden bugs. You have also mentioned that there are tradeoffs.

Also, I am wrong about saying the Lightning network is transforming bitcoin from safe to unsafe money. I should have said from safe transactions to unsafe transactions.

^^^

see what I'm talking about, anyone?

?