<p>Full details of the security vulnerability <a href="https://www.theblockcrypto.com/linked/38068/bitcoins-lightning-network-found-to-have-security-vulnerabilities/">found</a> on Bitcoin's Lightning Network late last month were <a href="https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html">published</a> on Friday by software developer Rusty Russell.</p>
<p>According to the disclosure, the vulnerability was in the process of creating and funding a Lightning Network channel. When a channel is created, the receiver of the channel was not required to verify the amount of the funding transaction output or the scriptPubKey, a script that ensures certain conditions are satisfied before an output is spent.</p>
<p>Because the Lightning Network protocol does not require this verification, an attacker "can claim to open a channel but either not pay to the peer, or not pay the full amount," the disclosure states. This enables an attacker to spend the funds in a channel created with a victim, without alerting the victim. Only when the victim closes their channel with the attacker will they notice that none of the committed transactions in the channel were valid.</p>
<p>While Lightning Network developers have pushed updates that fix this vulnerability, older implementations are still affected. Users are advised to upgrade the following affected Lightning node versions:</p>
<p>- LND nodes version 0.7 and below<br /> - c-lightning nodes version 0.7 and below<br /> - eclair nodes version 0.3 and below</p>
<p>Developers have also created a <a href="https://github.com/lightninglabs/chanleakcheck">tool</a> for users to check if their LND Lightning nodes were affected. In mid-September, developers warned that the vulnerability was <a href="https://www.theblockcrypto.com/linked/39181/security-vulnerabilities-found-in-bitcoins-lightning-network-were-exploited">exploited</a>. The scale of the exploitation, however, was not disclosed.</p>
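<p>Added example (not code from the disclosure or from any Lightning implementation): a Python sketch of the check described above, comparing a funding output's amount and scriptPubKey with what the channel expects. It assumes the funding output format from the Lightning specification (a P2WSH output over a 2-of-2 multisig script with the two funding keys in sorted order); the function names and the sample keys and outputs are constructed for illustration.</p>

```python
import hashlib
from dataclasses import dataclass

OP_2 = 0x52
OP_CHECKMULTISIG = 0xAE


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes


def funding_witness_script(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """2-of-2 multisig script with the keys in lexicographic order."""
    for key in (pubkey_a, pubkey_b):
        if len(key) != 33 or key[0] not in (2, 3):
            raise ValueError("expected a 33-byte compressed public key")
    first, second = sorted((pubkey_a, pubkey_b))
    return (bytes([OP_2, 33]) + first + bytes([33]) + second
            + bytes([OP_2, OP_CHECKMULTISIG]))


def expected_script_pubkey(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """P2WSH: OP_0 followed by a 32-byte push of SHA256(witness script)."""
    script = funding_witness_script(pubkey_a, pubkey_b)
    return b"\x00\x20" + hashlib.sha256(script).digest()


def check_funding_output(outputs, index, agreed_sat, local_key, remote_key):
    """Return a list of problems; an empty list means the output matches."""
    if not 0 <= index < len(outputs):
        return ["funding output index is out of range"]
    out = outputs[index]
    problems = []
    if out.value_sat != agreed_sat:
        problems.append(
            f"amount mismatch: {out.value_sat} sat on chain, {agreed_sat} sat agreed")
    if out.script_pubkey != expected_script_pubkey(local_key, remote_key):
        problems.append("scriptPubKey does not pay to the channel's 2-of-2 script")
    return problems


# Constructed sample data (not real keys or transactions).
LOCAL_KEY = bytes([2]) + bytes(range(32))
REMOTE_KEY = bytes([3]) + bytes(range(32, 64))
GOOD = TxOut(100_000, expected_script_pubkey(LOCAL_KEY, REMOTE_KEY))
UNDERPAID = TxOut(1_000, GOOD.script_pubkey)
WRONG_SCRIPT = TxOut(100_000, b"\x00\x14" + bytes(20))
```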