Rogue Actor Disrupts Lightning Network With a Single Transaction

The individual exploited a Bitcoin block parsing bug that had a downstream effect on certain Lightning nodes.

AccessTimeIconNov 2, 2022 at 5:27 a.m. UTC
Updated Nov 4, 2022 at 1:57 p.m. UTC

Frederick Munawa is a Technology Reporter for Coindesk. He covers blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.

A Twitter user by the name “Burak” (@brqgoo) sent a large swath of the Lightning Network into turmoil on Tuesday morning when he allegedly created a non-standard Bitcoin transaction that prevented users from opening new Lightning channels (connections between Lightning nodes).

Lightning is a layer 2 network that runs atop the Bitcoin blockchain to enable cheaper and faster transactions. Burak’s valid but non-standard transaction caused Bitcoin nodes running an implementation of Bitcoin called btcd to reject valid incoming blocks. This caused a corresponding glitch on all Lightning Network Daemon (LND) nodes. LND nodes rely on information from btcd Bitcoin nodes, and the glitch caused LND nodes to deny all new channel opening requests.

CoinDesk - Unknown

Consensus conflict caused by max Witness Items Per Input #1906 (Github)

Burak’s shenanigans disrupted a good chunk of the Bitcoin and Lightning ecosystems. Nevertheless, one could argue the community’s anti-fragility was on full display. Core Lightning (CLN) nodes that rely on Bitcoin Core, the most popular implementation of Bitcoin, were unaffected (although this seems to have been by design). Additionally, the bug Burak exploited was quickly patched (thanks to Elle Mouton and Oliver Gugger).

“Given the context, it seems Burak was well aware of the consequences triggered by the transaction. I think everyone can decide for themselves if that is to be considered malicious or not,” Rene Pickhardt, Bitcoin and Lightning developer and educator, told CoinDesk. Pickhardt co-authored the popular “Mastering Lightning” book and helped demystify many technical aspects of this story.

How should Bitcoin handle bugs and exploits?

Burak’s actions not only sparked lively exchanges on Twitter, but also raised a key question – how should the Bitcoin community handle similar exploits in the future?

“Generally, developers promote a well-known culture of responsible disclosure and ethics when discovering exploitable bugs. Lightning Labs had a reasonable plan for patching this problem beforehand, but maybe Burak felt the situation was more urgent and wanted to light a fire under [them],” John Carvalho told CoinDesk. Carvalho is the CEO of Bitcoin software firm, Synonym. The firm’s chief technology officer, Reza Bandegi, also helped clarify technical aspects for this report.

What Carvalho is describing could be further incentivized by establishing robust bug bounty programs. “It's always hard to prepare against a novel bug. I guess more review and bug bounty programs for responsible disclosure may help.” Pickhardt weighed in. “However, as I understand, Pieter Wuille thinks there may sometimes be a risk in fixing bugs, as that may raise awareness and attract potential malicious actors in the transition phase while nodes update.”

Indeed, Bitcoin developer Pieter Wuille thinks the process of fixing bugs and managing exploits is not always straightforward.

“I don't think it's necessarily that simple. It'd be reasonable to assume that exploiting this needed cooperation from miners (or ones with non-standard mempool/relay policy at least), making it harder to pull off. And fixing this one-line without raising suspicion is hard,” Wuille tweeted.

Wuille has a point. Rumors were circulating that Burak paid $700 to F2Pool, one of the largest Bitcoin mining pools, to have his non-standard transaction included in one of their blocks. He then embedded a bizarre message in the transaction, “You'll run CLN and you'll be happy," a reference to Core Lightning (CLN), which, as discussed above, is an alternative to LND, the Lightning implementation affected by the exploit.

“I can't speak for Burak, but it took some special effort and expense to perform his demonstration, so I have to assume he knew exactly what he was doing and that he at least wanted to draw attention to himself, LND, and apparently, CLN too, because he left a supportive message for CLN within the instigating transaction on-chain,” Carvalho explained.

Christian Decker, a researcher at Bitcoin infrastructure firm, Blockstream and contributor to the CLN project, distanced his team from the exploit and publicly denounced Burak’s actions.

CORRECTION (Nov. 2, 2022, 14:24 UTC): Fixes the explanation in the second paragraph, a quote in the fourth paragraph and John Carvalho's last name.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

CoinDesk - Unknown

Frederick Munawa is a Technology Reporter for Coindesk. He covers blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.

CoinDesk - Unknown

Frederick Munawa is a Technology Reporter for Coindesk. He covers blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.