Lightning devs must ‘wake up’ and fix security bugs, not please VCs: Bitcoin dev
Developers working on the Bitcoin layer 2 Lightning Network have become less security-oriented and more focused on producing cash flow for their investors, argues a former Lightning Network developer.
Bitcoin core developer and security researcher Antoine Riard, made headlines last month after leaving the Lightning ecosystem over concerns about a new attack vector called “replacement cycling,” which exploiters could potentially use to steal funds by targeting payment channels.
How does a lightning replacement cycling attack work?
There’s a lot of discussion about this newly discovered vulnerability on the mailing lists, but the actual mechanism is a bit hard to follow.
So here’s an illustrated primer…
1/n pic.twitter.com/mvvS8bEc5f
— mononaut (@mononautical) October 21, 2023
At the time, Riard said the new class of attacks puts Lighting in a “perilous position“ though other Bitcoin developers such as “Machine98” suggested it is a difficult attack to pull off in the first place.
Riard told Cointelegraph that he’s now working at the Bitcoin base layer to address the issue and urged Lightning developers to follow suit:
“[They need to] wake up, stop the sleepwalking and go to the whiteboard to design a robust and sustainable fix in hand with other developers at the base-layer, preserving the long-term decentralization and openness of Lightning.”
Riard also claimed that many Lightning-focused firms are compromising Lightning’s mission and security incentives for the sake of pleasing venture capitalists:
“The sad fact being most of them are working for VC-funded entities, or commercial entities with the same low-time preference, at the long-term detriment of end-users.”
Riard said it’s a classic example of the “tragedy of the commons” — where individuals and entities with access to a public resource act in their own interest and deplete it.
Decentralization appears to be a trade-off that these VC-funded Lightning firms are willing to make, which is a major concern to Riard.
“Centralized systems are great in the scale of efficiency, however they come with the downside of systemic single-point-of-failure and lower cost of user censorship, fundamental risks that one might wish to hedge against as a Bitcoiner.”
“I’m not sure this is an interesting Lightning future,” Riard said. In fact, it is something which he wants no part of, after departing from the Lightning ecosystem on Oct. 20:
“I do not wish to be associated with being in charge or accountable of the Lightning Network security, and the ~5,300 BTC exposed here. There is little [I and others] can do to halt the haemorrhage, without compromising the core values of censorship-resistance and permissionless of the Lightning Network.”
Lightning is the best solution currently available, but it’s not good enough.
Lightning has several fundamental flaws, where each of them make the system as a whole a dead end for bitcoin, long term. An attempt at explaining these, and what we should do instead.
Liquidity…
— torkel (@torkelrogstad) November 20, 2023
Related: Bitcoin Lightning Network growth jumps 1,200% in 2 years
The Lightning Network is the second-layer solution built over the Bitcoin blockchain. It is designed to improve the scalability and efficiency of Bitcoin.
Through the Lightning Network, users can open payment channels, conduct multiple transactions off-chain, and settle the final result on the Bitcoin blockchain. The replacement cycling attack is a new type of attack that allows the attacker to steal funds from a channel participant by exploiting inconsistencies between individual mempools.
Cointelegraph reached out to Lightning Labs and other firms in the Lighting ecosystem but did not receive a response.
Don’t get me wrong here: Lightning is great! Always still amazed when using it.
The point is that it can’t scale enough. And Ark is not a competitor but more of an add-on. Gives you all the advantages of Cashu but without requiring trust.All we need is covenants. Ideally, CAT https://t.co/nhrmvqPYf0
— яobin linus (@robin_linus) November 19, 2023
However, despite the security concerns and potential move toward centralization, Riard explained that Lightning hasn’t seen as many attacks as many Ethereum layer 2s because Lightning users typically only store a small amount of funds in their wallets at any given time.
A total of $194.1 million in BTC is locked in the Lightning Network, according to DeFiLlama.
Magazine: Should you ‘orange pill’ children? The case for Bitcoin kids books