Search on TFTC
Issue #1278: Another LND/btcd bug emerges

Issue #1278: Another LND/btcd bug emerges

Nov 2, 2022
Marty's Ƀent

Issue #1278: Another LND/btcd bug emerges

via GitHub

For the second time in less than a month btcd (an alternative implementation of Bitcoin), and by extension LND (one of the Lightning implementations), became incompatible with the rest of the Bitcoin network due to some meddling from a developer named Burak. On October 9th, Burak completed a 998-0f-999 tapscript multisig transaction that btcd recognized as invalid while Bitcoin Core and other implementations (correctly) recognized it as valid. Since lnd's implementation of the Lightning Network depends on btcd it became incompatible with the rest of the Lightning Network. Disrupting all of their users' ability to transact safely. Not ideal.

Fast forward to yesterday and Burak was back again to disrupt btcd and LND with the type of transaction you see above; a P2TR (pay-to-taproot) spend containing N OP_SUCCESSx with 500,001 pushes, which exceeds the limit hardcoded into btcd. While the 998-of-999 tapscript multisig transaction seemed to be an honest mistake, yesterday's transaction was an overt exploit in the wild by Burak.

proof Burak knew this would break lnd

Something to note about this OP_SUCCESSx transaction is that it typically wouldn't be included in a block. However, it seems that Burak bribed miners by attaching a particularly high fee to this transaction that F2Pool couldn't resist.

This situation has surfaced a lot of debate over the last two days. Was Burak wrong to exploit this bug in the wild on mainnet? Should he have properly disclosed the vulnerability to btcd and lnd in private, allowing them to patch the code before the bug was exploited in the wild? Should lnd be dependent on btcd, which is an alternative implementation of Bitcoin that doesn't get nearly as close to the amount of attention and review that Bitcoin Core receives?

Your Uncle Marty certainly doesn't have the right answers to all of these questions, but it's important for you freaks to be aware of this stuff so I thought I'd bring it to your attention.

This is the nature of open source distributed systems. There could be a lot of vulnerabilities lurking out there and there is no clear way to handle the problems. Many will advocate for responsible disclosures in private while others will advocate for overt adversarial actions that force the issue. This is one of the tradeoffs you choose when you decide to opt into a free market monetary network.

We'll keep you freaks abreast of the situation as it develops.

Clip of the day...

This isn't a clip, but the whole episode of TFTC I recorded yesterday with John Constable. I highly recommend you freaks give it a listen when you get a chance. The way John lays out how misguided current Western energy policy is should hopefully jolt you to action.

Final thought...

Bullish on smaller private regional airlines.

Sleep soundly at night knowing your bitcoin are secured by multisig.
If you don't have Braiins on your ASIC you're leaving sats on the table.
CrowdHealth BTC is now accepting memberships starting June 1st and later. Use code TFTC during sign-up and the first 1000 members will receive a discounted membership of $99/ month for the first 6 months.


Current Block Height

Current Mempool Size

Current Difficulty