A Dangerous Bug in Bitcoin's Lightning Network Has Been Fixed

Published by Coindesk

A popular payments network running atop the bitcoin blockchain suffered from a long-standing code vulnerability - one where attackers could drain users of their money.

While initially flagged to the public on Aug. 30 by bitcoin developer Rusty Russell, the full disclosure detailing how this vulnerability could be exploited by an attacker was released Friday.

The lightning network is a Layer 2 payments protocol enabling ultra-fast and nearly costless transactions atop the bitcoin blockchain.

In order for users to send transactions across the lightning network, they must open what are called "payment channels" to send and receive funds from other lightning users.

It's unclear how many users fell victim to such phishing attacks.

Already, all major lightning software clients have been upgraded to fix this vulnerability, according to Russell.

When asked why it took three months for the vulnerability to be disclosed to users, Pierre-Marie Padiou - the CEO of a company maintaining one of the three most popular lightning implementations - said developers had to err on the side of caution.

"Three months is not a long time. It's a pretty short time because you have to give users the amount of time needed to update. A lot of users don't do it."

Lightning developers, he added, did not want to risk revealing the vulnerability until absolutely sure no users were at risk.

"There will always be bugs. What matters the most is how to handle this in the best way to protect users."
