“Security issues have been found in various lightning projects which could cause loss of funds.”
So says Rusty Russell, a developer of bitcoin’s Lightning Network, without revealing any detail regarding the problem.
Instead he says “full details will be released in 4 weeks,” presumably so that the vulnerability is not exploited in the meantime.
He urges all those running the Lightning Network (LN) to upgrade, publicly stating:
“Everyone should probably have upgraded a while ago, but just to be sure: c-lightning < 0.7.1, lnd < 0.7, eclair <= 0.3 vulnerable.”
Three Common Vulnerabilities and Exposures (CVE) identifiers have been reserved. The entry for one of them says:
“This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.”
A new LN client version was released recently, and this vulnerability apparently does not apply to the new client.
It isn’t very clear what exactly is going on, but there seems to be some problem with older LN nodes. Will update if further details become available.