Bitcoin and Lightning developer Antoine Riard discovered a vulnerability in various Lightning implementations yesterday and published it.
All common implementations are affected, and with them all common node software systems such as Umbrel, Citadel or RaspiBlitz.
The vulnerability can be exploited for a wide range of attacks: blackmailing node operators, destroying liquidity in competing businesses or even stealing the funds of channel partners. Examination of the vulnerability showed that a large part of the balance could be lost.
What to do now!
The vulnerabilities have been fixed in the following versions of the various implementations:
- Eclair: v0.6.2+ (CVE-2021-41591)
- LND: v0.13.3+ (CVE-2021-41592)
- C-lightning (CVE-2021-41593)
The two major node software providers, Umbrel and RaspiBlitz, have already closed the vulnerability in their latest versions. The Umbrel fork Citadel has also already fixed the problem.
Hence our warning to all node operators: make sure to install the latest update immediately!