reply on: Stealing Sats from the Lightning Network Custodial Services (2022) \ stacker news

pull down to refresh

21 sats \ 3 replies \ @Wumbo 17 Jun 2025 \ on: Stealing Sats from the Lightning Network Custodial Services (2022) security

Interesting attack vectory

Cheap, but not free. A simple attack.

Simple, deposit funds into a custodial service then withdraw the funds, done. Congrats for your profit! I am sure you are thinking -"Those sats were mine anyway, right? How does this qualify as an attack?" Well, I forget to mention we also need to place a node that will be routing the payments between the custodial service and the receiving node. The routing node will collect a fee, hopefully the fee will be big enough so there is a net profit (i.e., withdrawal_fee + deposit_fee < routing_fee_collected). If a positive net return is possible, then it is just a matter of optimizing the size of the fee collected and the transaction speed rate to see how big the damage could be. It is easy to see how this attack must be feasible on any service with free withdrawal fee.

How do you place a node in the middle? Well, the sending node is in charge of selecting the route. A priori, it seems unlikely that the sender will select a very expensive route. However, there is a case when the sender will certainly have to send the payment trough our routing node. We will connect our receiving node to the Lightning Network only with a single channel to our routing node. Therefore payments, if they arrive at all, must always be relayed by ourselves.

65 sats \ 0 replies \ @ek OP 17 Jun 2025

My favorite part:

I wrote a simple python script able to generate local LN invoices and submit them to the exchange to process the withdrawals. It reached top speeds of up to ~300 withdrawals per minute (200 ms per withdrawal), simply wow! That makes for ~15K sats per minute. I did not optimize further the script, as the channel was already near being maxed out (current maximum pending HTLCs for a channel is 483 and they were taking long to settle). In addition, my RaspberryPi was getting CPU limited, I believe due to encrypting/decrypting the onion packages.

When your heist is limited by your own CPU haha

0 sats \ 1 reply \ @OT 17 Jun 2025

We will connect our receiving node to the Lightning Network only with a single channel to our routing node.

If the routing node charges too much the payment will likely fail due to high fees right?

0 sats \ 0 replies \ @ek OP 17 Jun 2025

You can lower the fee until the payment suceeds, then it's free money