Lightning Network Security Overview \ stacker news ~bitcoin

6281 sats \ 8 comments \ @RecklessApotheosis 23 May 2023 bitcoin freebie

Hello Stackers!

For the past few months I've been working off-and-on writing an executive summary of the various security implications to running a node. The target audience includes individuals just beginning in their journey with noderunning, those looking for a summary of the history of issues the Lightning Network has faced, and those wishing to dive deeper in a topic to work on fixes.

It is by no means comprehensive, and as always do your own research. But if you appreciate my research or have suggestions on how to improve it, let me know in the comments! Also if you have a topic that should be expanded at a technical level, I was thinking about creating separate documents for deep dives into various topics at a more engineering rather than topical depth.

If you have insight into issues you've experienced noderunning, or maintaining Lightning software, I welcome any and all contributions to improve the comprehensiveness and depth of the document!

So please, take a look, and together let's improve our community's resilience to attack and failure!

⚡ Stay Reckless! ⚡

Lightning Network Security Overview - by RecklessApotheosis

view all related items

138 sats \ 6 replies \ @xz 23 May 2023

Yeah, nice overview. Some things there which I was aware of but didn't understand the details of.

One thing that came to mind that I expected to read under social engineering was a known instance of a node vps being hacked. Though not fundermental to LNP/ BTC infrastructure, the incident helped in understanding the inherent dangers of hot wallets.

316 sats \ 5 replies \ @RecklessApotheosis OP 23 May 2023

That's a great suggestion, thanks! I think you're referring to the "Medium of Exchange" social engineering attack on Vultr? I should totally include that! Unfortunately now that I'm checking, the website is down. I found the recap on the Wayback Machine, and will include it in my paper, thanks for the suggestion!

Do you have other examples I should include that you're aware of?

157 sats \ 4 replies \ @xz 23 May 2023

Yes. Regarding that case, from my PoV, Vultr have always seemed solid security and very thorough when contacting support when needed to. So, made me wonder how the hack had occured, but then again, I'd think twice hosting a node on a vps (being newish to linux security.)

I think it was a pretty good round up of most of the pitfalls of nodes and issues with LN development, not many other things spring to mind.

Maybe if I was to warn new node-spinners, just that LN is very much in development. I think that's often overlooked (as with Bitcoin Core, I suppose!) I've filed issues about bugs with both LND and bitcoin core, though both minor.

Some of the platforms like LN+ and amboss are super helpful to learn and experiment for the reckless, but guess the higher fees on bitcoin will be an issue for channel opening/closing, and keeping a lid on identity with nyms, social handles, emails etc., can never be overlooked.

just my 2 sats ;-)

122 sats \ 3 replies \ @RecklessApotheosis OP 23 May 2023

OK, could you refresh and check the paper now? I added a section in the examples with a fairly lengthy summary of the MoE event. I'm definitely willing to add citations or if you have a TG/Twitter handle (or this one on Stacker?) that you'd like credited!

0 sats \ 2 replies \ @xz 23 May 2023

It was nice to read that. Thanks! If you like, you can credit my memory [xz@stacker.news]

BTW, Not sure whether tor DoS is a related security issue that needs inclusion. Maybe a seperate topic?

5 sats \ 1 reply \ @RecklessApotheosis OP 24 May 2023

Next update I'll credit you, thanks for the memory!

I'm not sure, I feel like ToR DoS is a LN Node adjacent concern, especially among first-time noderunners and very small (or privacy concerned) operations that are ToR-only.

One of my ideas, was to retain this file as an "executive summary" and then a separate document for each failure event, and a deep dive into the technical aspects so if a reader wants an in-depth historical post mortem on a specific event, they can read up on just that event. What do you think?

0 sats \ 0 replies \ @xz 24 May 2023

Yeah, guess so. It's not a fundamental requirement, though privacy and security are entwined. Think that's a great idea for a project, to be summarised and can be referenced over time.

Trying to improve front-end web skills to summarize documentation in a more visual way, mostly just to aid my own understanding of bitcoin, but see where it all goes.

100 sats \ 0 replies \ @DarthCoin 23 May 2023

Very nice and well written paper. I don't know how you "compress" it into such a short document. But is good like that. Glad that I could help you with.