Lightning Network Vulnerable to Slowing, Freezing DDOS Attack
The Lightning network is becoming more appealing to startups, though it is still in experimental mode and may face glitches.
The Lightning Network may be vulnerable to an attack based on malicious interior nodes, a recent research paper shows. The approach is not an exploit or a code error, but uses the rules of the Lightning Network to hijack transactions.
Anyone can create nodes and include them in payment routes. The Lightning Network relies on each node to make the transactions to the next one, and take a fee for the activity. But a malicious actor could place nodes that actually hold back transactions. With strategically placed nodes, the LN routes could become unusable.
Because the LN is voluntary, the pathways are still rather centralized, and routing is predictable. The researchers discovered that the network can be easily congested with just a few strategically placed malicious nodes.
“More specifically, we find that there exists a group of 10 nodes that participates in 80% of the routes, and 30 nodes that participate in more than 95% of the routes. On the other hand, we find that by creating 5 new new channels, an attacker can hijack about 65% of the routes, and with 30 channels, it can hijack 80% of the routes of every implementation.”
The paper arrived just as the LN developers warned about an exploit within the code that could lead to lost coins. Despite the experimental nature, the LN is already inviting startups that offer LN-based Bitcoin (BTC) purchases for fiat.
The LN is a second-layer solution that actually relies on peer-to-peer interaction. On the other hand, on-chain transactions do not go through pathways, but are distributed among nodes until each node has verified the transaction.
The Lightning Network now grows every day, based on the latest data. But the high number of nodes, above 10,000, does not ensure against the attack.
The LN is one of the hopes for BTC micropayments. It is also one of the last remaining networks that allow for relatively anonymous transfers of BTC. So far, exchanges have avoided LN transactions, and it is uncertain what would happen if FATF reporting requirements need to be applied to node operators. A node with a capacity of $40, run on consumer software, may not be an entity with resources to monitor the source of all transactions.