|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "LND: Excessive Failback Exploit #2" |
| 4 | +description: "Discussion of a variant of the previously-disclosed excessive failback exploit in LND." |
| 5 | +modified: 2025-12-04 |
| 6 | +tags: [lightning, security, theft, lnd] |
| 7 | +categories: [lightning] |
| 8 | +image: |
| 9 | + feature: lnd_excessive_failback_exploit_2_header.png |
| 10 | +--- |
| 11 | + |
| 12 | +A variant of the [excessive failback exploit](/lightning/lnd-excessive-failback-exploit/) disclosed earlier this year affects LND versions 0.18.5 and below, allowing attackers to steal node funds. |
| 13 | +Users should immediately upgrade to [LND 0.19.0](https://github.com/lightningnetwork/lnd/releases/tag/v0.19.0-beta) or later to protect their funds. |
| 14 | + |
| 15 | +## The Excessive Failback Bug Revisited |
| 16 | + |
| 17 | +As described in the previous [disclosure](/lightning/lnd-excessive-failback-exploit/), the original excessive failback bug existed in LND versions 0.17.5 and earlier. |
| 18 | +Essentially, when one of LND's channel peers force closed the channel, LND would mark any HTLCs missing from the confirmed commitment as "failed" in the database, even if the HTLC had actually succeeded with the *downstream* peer. |
| 19 | +If LND then restarted before the corresponding *upstream* HTLC was resolved, LND would incorrectly fail that HTLC with the upstream peer. |
| 20 | +Both the upstream and downstream peers would be able to claim the HTLC, and LND would be left with a loss. |
| 21 | + |
| 22 | +## The Variant Bug |
| 23 | + |
| 24 | +While a fix for the original excessive failback bug was included in LND 0.18.0, a minor variant of the bug remained when the channel was force closed using LND's commitment instead of the attacker's. |
| 25 | +In other words, the exact same attack was still possible if the attacker got the *victim* to force close the channel themselves. |
| 26 | +Unfortunately this is very easy to do; the attacker could simply send the victim an `error` message. |
| 27 | + |
| 28 | +## The Fix |
| 29 | + |
| 30 | +The excessive failback bug variant was [quietly fixed](https://github.com/lightningnetwork/lnd/commit/5a72d5258ff679071c4d7b687194e56ca163e02e) in the same way as the original bug, and the fix was included in the LND 0.19.0 release. |
| 31 | + |
| 32 | +## Discovery |
| 33 | + |
| 34 | +This variant was discovered shortly after the original disclosure, while I was [updating](https://github.com/lightning/bolts/pull/1233) BOLT 5 to prevent future excessive failback vulnerabilities. |
| 35 | +I realized there were actually *two* cases that needed to be updated in BOLT 5, but only one of the cases had been patched in LND. |
| 36 | + |
| 37 | +### Timeline |
| 38 | + |
| 39 | +- **2025-03-04:** Public disclosure of the [original](/lightning/lnd-excessive-failback-exploit/) excessive failback vulnerability. |
| 40 | +- **2025-03-04:** BOLT 5 update [drafted](https://github.com/lightning/bolts/pull/1233); variant discovered. |
| 41 | +- **2025-03-05:** Variant reported to the LND security mailing list. |
| 42 | +- **2025-03-20:** Fix [merged](https://github.com/lightningnetwork/lnd/pull/9602). |
| 43 | +- **2025-05-22:** LND 0.19.0 released containing the fix. |
| 44 | +- **2025-10-31:** Agreement to disclose publicly after LND 0.20.0 was released. |
| 45 | +- **2025-12-04:** Public disclosure. |
| 46 | + |
| 47 | +## Prevention |
| 48 | + |
| 49 | +In the previous disclosure post, I suggested that the excessive failback bug could have been prevented if the BOLT 5 specification had been clearer about how to handle HTLCs missing from confirmed commitment transactions. |
| 50 | +At the time, some Lightning maintainers were skeptical that a clearer specification would have helped. |
| 51 | + |
| 52 | +But this variant of the bug was only discovered *when I actually went and clarified BOLT 5 myself!* |
| 53 | +I think this is strong evidence that a clearer specification could have prevented both variants of the bug. |
| 54 | + |
| 55 | +## A Note on Collaboration |
| 56 | + |
| 57 | +As I noted in the previous excessive failback disclosure, it seems that at some point every Lightning implementation independently discovered and fixed bugs similar to the excessive failback bug in LND. |
| 58 | +Yet no one (including LND) thought to update the specification to help others avoid such bugs in the future. |
| 59 | + |
| 60 | +When I finally did update the specification, good things happened. |
| 61 | +This variant of the excessive failback bug was discovered and fixed in LND. |
| 62 | +But I also noticed that Eclair might have been vulnerable to this variant and reached out to Bastien Teinturier. |
| 63 | +While it turned out that Eclair was not vulnerable, the discussion with Bastien led to the accidental discovery of a different [serious vulnerability](/lightning/eclair-preimage-extraction-exploit/) in Eclair. |
| 64 | + |
| 65 | +This all happened from just a tiny bit of collaboration: a specification update for the common good and a short conversation with Bastien. |
| 66 | +In many ways, it is quite unfortunate that Lightning engineering talent is spread out over so many implementations. |
| 67 | +Everyone focuses on their own code first, and collaboration is secondary. |
| 68 | +Efforts are duplicated and lessons are learned multiple times. |
| 69 | +Imagine what we could accomplish with a little more cooperation. |
| 70 | + |
| 71 | +## Takeaways |
| 72 | + |
| 73 | +- Clear specifications benefit all Lightning implementations. |
| 74 | +- We should do more cross-implementation collaboration. |
| 75 | +- Users should keep their node software updated. |
0 commit comments