Russell pointed out that the vulnerability arises while channels are being opened and funded. The process as described does not require the receiver to check that the funding transaction is the one the funder promised, in terms of both the amount and the actual scriptPubKey.
The scriptPubKey is the script on a transaction output that sets the conditions a receiver must satisfy in order to spend the bitcoin. The file explains:
“A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed. Otherwise an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount. Once that transaction reaches the minimum depth, it can spend funds from the channel. The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
A possible solution
Russell also proposed a solution to the aforementioned problem. Once the funding transaction is seen, peers “must check that the outpoint as described in `funding_created` is a funding transaction output with the amount described in `open_channel`.”
The file also notes that c-lightning versions 0.7.1 and above perform this check correctly, and urges users running older versions of their Lightning nodes to upgrade.
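The check quoted above can be sketched as follows. This is an added example, not code from the disclosure or from any Lightning implementation. It assumes the funding output is the P2WSH 2-of-2 multisig laid out in BOLT #3 and that the transaction has already been decoded into (value, scriptPubKey) pairs; the function names, the `funding_satoshis` parameter name and the sample keys are illustrative.

```python
import hashlib

OP_0, OP_2, OP_CHECKMULTISIG = 0x00, 0x52, 0xAE

def funding_script_pubkey(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """P2WSH scriptPubKey for the 2-of-2 funding output (BOLT #3 layout)."""
    for key in (pubkey_a, pubkey_b):
        if len(key) != 33 or key[0] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key")
    first, second = sorted((pubkey_a, pubkey_b))  # lexicographic key order
    witness_script = (bytes([OP_2, 33]) + first + bytes([33]) + second
                      + bytes([OP_2, OP_CHECKMULTISIG]))
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()

def check_funding_output(tx_outputs, output_index, funding_satoshis,
                         local_funding_pubkey, remote_funding_pubkey):
    """Return (ok, reason) for the outpoint named in funding_created.

    tx_outputs: list of (value_in_satoshis, script_pubkey) decoded from the
    transaction whose txid matches the one given in funding_created.
    """
    if not 0 <= output_index < len(tx_outputs):
        return False, "output index not present in transaction"
    value, script_pubkey = tx_outputs[output_index]
    expected = funding_script_pubkey(local_funding_pubkey, remote_funding_pubkey)
    if script_pubkey != expected:
        return False, "scriptPubKey does not pay to the channel's 2-of-2"
    if value != funding_satoshis:
        return False, "output amount differs from open_channel"
    return True, "ok"

# Constructed sample data (not real keys or transactions).
LOCAL_KEY = bytes([2]) + bytes([0x11]) * 32
REMOTE_KEY = bytes([3]) + bytes([0x22]) * 32
GOOD_SPK = funding_script_pubkey(LOCAL_KEY, REMOTE_KEY)
OTHER_SPK = bytes([OP_0, 20]) + bytes(20)  # unrelated P2WPKH-shaped script
```

A node would run this when the funding transaction is first seen and refuse to treat the channel as open unless it returns `True`.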
On Sept. 10, Olaoluwa Osuntokun, CTO at LN-focused startups Lightning Labs and ACINQ, also claimed to have found instances of the vulnerability being exploited. In order to avoid the risk of losing funds, Osuntokun strongly advised users to update their LN versions. The affected versions included, per Osuntokun, LND nodes version 0.7 and below, c-lightning nodes version 0.7 and below, and eclair nodes version 0.3 and below, the post noted.
On Sept. 26, the number of Bitcoin’s LN nodes reached 10,000 for the first time.