Disclosure: Critical vulnerabilities fixed in LND 0.19.0 \ stacker news ~lightning

pull down to refresh

Disclosure: Critical vulnerabilities fixed in LND 0.19.0 delvingbitcoin.org/t/disclosure-critical-vulnerabilities-fixed-in-lnd-0-19-0/2145

463 sats \ 6 comments \ @0xbitcoiner 5 Dec lightning

by morehouse

One denial-of-service and two theft-of-funds vulnerabilities were fixed in LND 0.19.0. Users should immediately upgrade to LND 0.19.0 or later protect their funds.

The Infinite Inbox DoS

Large internal queue sizes and an unrestricted incoming connection policy enabled attackers to quickly exhaust LND’s available memory and cause it to crash or hang.

More details are provided in the corresponding blog post.

The Excessive Failback Exploit #2

A variant of the previously disclosed excessive failback bug could still be exploited to steal funds from LND nodes. The variant was discovered while drafting an update to BOLT 5 that was intended to help prevent similar vulnerabilities in the future.

More details are provided in the corresponding blog post.

The Replacement Stalling Attack

Weaknesses in LND’s sweeper system enabled an attacker to stall LND’s attempts at claiming expired HTLCs on chain. After stalling for 80 blocks, the attacker could steal essentially the entire channel balance. This vulnerability was discovered during code review of LND’s sweeper rewrite in 2024.

More details are provided in the corresponding blog post.

view all related items

0 sats \ 5 replies \ @ek 7 Dec

Thank you, added them to my list

0 sats \ 4 replies \ @0xbitcoiner OP 7 Dec

I'm gone for 2 days and your nym gets yanked from the footer and Scoresby's is there? Is this what I think it is?

111 sats \ 3 replies \ @ek 7 Dec

If you think I don't work for Stacker News anymore, then yes.

It was my decision.

100 sats \ 2 replies \ @0xbitcoiner OP 7 Dec

That's exactly what I was thinking. Feels like I read your mind when you asked Darth if ZEUS was 'flying' solo. Ahahahah! It's one cycle ending, and another one's already coming up right after. All that's left is to wish you good luck with whatever you decide to do and hope you stick around.

33 sats \ 1 reply \ @ek 7 Dec

Feels like I read your mind when you asked Darth if ZEUS was 'flying' solo.

lol, it had nothing to do with that. I was just curious if he’s working alone, since I didn’t know anyone else was working with him

hope you stick around

for sure, just more focused on other things now, SN can waste a lot of time

thanks for the nice words!

21 sats \ 0 replies \ @0xbitcoiner OP 7 Dec

That's good to hear! If there's one thing we're good at, it's shitposting. ~lol