
Good Griefing: A Lingering Vulnerability On Lightning Network That Still Needs Fixing


What happens when your Lightning Network routing node is fed with garbage transactions that never resolve? In short, it causes a lot of grief for routing nodes. What was once a smooth, global payment system can be locked up with trivial effort from a savvy script writer.

Working in a small team of routing nodes, we successfully ran a test of the attack with real funds and demonstrated the “griefing” attack described by Joost Jager. The attack is called a grief attack since it is not a theft of funds, but it causes a victim’s Lightning funds to be frozen: a major upset. What we found is that griefing is a serious threat to large “wumbo” channels expecting to earn a yield on their bitcoin, only to have their funds frozen for a period of time. 

This is mostly a grief attack: no loss of funds, but the victim may be forced to pay for an expensive channel force close. This is a known vulnerability on mainnet Lightning and it needs to be understood and prioritized, especially at this early market stage of Bitcoin’s Lightning Network.

Thanks to Clark Burkhardt and Phillip Sheppard for their willingness to participate in this test and to Jager for his tireless work to bring attention and priority to this vulnerability. Jager played the role of the attacker for our demonstration, while Burkhardt and Sheppard joined me as connected victim routing nodes.

How The Attack Works

The attacker saturates one (or several) channel(s) with Hashed Time Locked Contracts (HTLCs) that don’t resolve as a finalized payment. These are a special breed of HTLCs known as HODL invoices. Only 483 of these unresolved HTLCs are required to overwhelm a channel per direction. Once those HTLCs are in the channel, any transactions using that same channel direction are impossible, including a transaction to cooperatively close that channel.

In theory, an attacker could contact the victim (perhaps via a keysend message or in an “onion blob”) and demand a ransom be paid to halt the attack. Once the ransom is paid, the attacker could remove the unresolved payments, ending the attack. The attack can be sustained indefinitely, halting all routing and payment activity in that channel. This freezes the funds in the Lightning channel.

Both directions of payments can be stalled in a channel by using 483 HTLCs in each direction, both inbound and outbound.

Thunderhub view of my balanced channel to Burkhardt under attack. The channel shows as “Not Active,” as if Burkhardt were offline, but he wasn’t. The amount in blue is the local balance in sats, the amount in green is the remote balance in sats owned by Burkhardt. Source: Thunderhub.

Why Would An Attacker Do Something Like This?

The first motive that comes to mind is to demand a ransom. This attack causes pain for the victim and paying a ransom may be attractive to a victim, even without assurance that the attack would stop. Contacting the victim might be risky for an attacker, but a ransom payment might not be the only reason someone would do this.

A secondary incentive for launching a griefing attack would be to disrupt routing competition. Jamming a competitor’s route could create more demand for a route owned by an attacker.

As a benchmark, consider that Lightning Labs’ Loop node has an ongoing demand for liquidity, for which it will sometimes pay a fee rate of 2,500 parts per million (ppm) of the payment amount (0.25 percent). In my experience, they would normally exhaust 16 million sats’ worth of liquidity in about two weeks (5.2 percent annual percentage rate), but that is with competition present.

If an attacker could disable any competing route with lower fee rates, Loop may be willing to pay a higher fee rate (since the supply of liquidity is now reduced). Let’s say Loop would pay 3,000 ppm (0.3 percent), as well as use that liquidity more quickly since no other channels are functioning. Loop might use that liquidity in half the time, say one week. The attacker would more than double their usual yield to 15.6 percent APR in this example. The only cost to the attacker is the cost of running a script on an existing channel and the psychological cost of doing something immoral/damaging to the Lightning Network. With a single attacker channel, a malicious actor could jam about nine channels (see Jager’s tweets about this).

What Would The Victim Of This Attack Experience?

The victim of this attack wouldn’t really know that this attack was happening unless they had some special alerts set for pending HTLCs. For Thunderhub users (a highly recommended tool), the home screen will show a chart of pending HTLCs as well as a warning stating that channels can only hold 483 pending HTLCs.

(Figure: Thunderhub home-screen chart of pending HTLCs with the 483-HTLC warning. Source: Thunderhub.)

In practice, my node quickly became unreliable and experienced several app crashes, including Thunderhub, which was the only app to notify me of the problem. Then, thanks to my “Balance of Satoshis” Telegram bot, I got a channel closing notification. The channel under attack force-closed itself! That was not supposed to be part of the experiment. (See the additional technical information on the involuntary force-close at the end of this post.)

A test payment using the channel with Burkhardt (salmiak) failed due to the attack. This warning reports that Burkhardt’s node is offline, though it was online. Source: Thunderhub.

What Can The Victim Do To Stop A Griefing Attack?

Once an attack starts, a victim essentially can’t do anything to stop it. The only alternative available to halt an ongoing attack is to force-close the channel being attacked, which means that the terrorists win.

To add insult to injury, force-closing the channel pushes the unresolved payments on-chain as HTLC outputs of the commitment transaction, each of which triggers a secondary on-chain transaction that the initiator of the force close must pay for. At 50 sats/vbyte and 483 such on-chain transactions, that’s easily a 1 million sat price tag to force close a single channel under attack (a $368 channel close fee at today’s prices). The secondary on-chain transactions only occur for HTLC outputs above the minimum payment “dust” limit. (See this example on testnet.)
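The alerting the previous sections say a victim needs, together with the dust-limit point above, as an added defender-side example (my code, not the article's, and not part of LND or Thunderhub): it reads `lncli listchannels`-style JSON (a constructed sample is embedded), flags channels whose pending HTLCs in either direction approach the 483-per-direction limit, and counts the above-dust HTLCs that would each need a second-stage transaction on a force close. The alert fraction, the dust value and the per-HTLC transaction size are assumptions.

```python
import json

MAX_HTLCS_PER_DIRECTION = 483   # BOLT 2 upper bound on max_accepted_htlcs per direction
ALERT_FRACTION = 0.5            # assumption: alert at half the limit in either direction
DUST_LIMIT_SAT = 546            # assumption: below this no second-stage tx is created

# Constructed sample in the shape of `lncli listchannels` output (not real channels).
SAMPLE_LISTCHANNELS = json.dumps({"channels": [
    {"chan_id": "chan-A", "remote_pubkey": "02...placeholder", "pending_htlcs":
        [{"incoming": True,  "amount": "1000", "expiration_height": 660000}] * 300
        + [{"incoming": False, "amount": "400", "expiration_height": 660000}] * 200},
    {"chan_id": "chan-B", "remote_pubkey": "03...placeholder", "pending_htlcs":
        [{"incoming": False, "amount": "5000", "expiration_height": 660010}] * 3},
]})


def parse_channels(listchannels_json):
    """Return the channel list from `lncli listchannels` JSON."""
    return json.loads(listchannels_json)["channels"]


def pending_by_direction(channel):
    """Return (incoming, outgoing) counts of unresolved HTLCs on one channel."""
    htlcs = channel.get("pending_htlcs", [])
    incoming = sum(1 for h in htlcs if h.get("incoming"))
    return incoming, len(htlcs) - incoming


def jammed_channels(listchannels_json, fraction=ALERT_FRACTION):
    """Return {chan_id: (incoming, outgoing)} for channels whose pending HTLCs in
    either direction reach fraction * 483. At 483 that direction is fully jammed:
    no payment and no cooperative close can use it."""
    limit = fraction * MAX_HTLCS_PER_DIRECTION
    flagged = {}
    for ch in parse_channels(listchannels_json):
        inc, out = pending_by_direction(ch)
        if inc >= limit or out >= limit:
            flagged[ch["chan_id"]] = (inc, out)
    return flagged


def second_stage_outputs(channel, dust_limit=DUST_LIMIT_SAT):
    """Count pending HTLCs at or above the dust limit. On a force close each of these
    becomes an HTLC output that the closer must sweep with its own on-chain transaction;
    sub-dust HTLCs are dropped to fees and cost nothing extra."""
    return sum(1 for h in channel.get("pending_htlcs", [])
               if int(h["amount"]) >= dust_limit)


def force_close_fee_estimate(channel, sat_per_vbyte, vbytes_per_htlc_tx):
    """Rough fee the force-closer pays for the second-stage transactions alone.
    vbytes_per_htlc_tx is supplied by the caller (assumption; it depends on channel type)."""
    return second_stage_outputs(channel) * vbytes_per_htlc_tx * sat_per_vbyte


if __name__ == "__main__":
    for chan_id, (inc, out) in jammed_channels(SAMPLE_LISTCHANNELS).items():
        print(f"ALERT {chan_id}: {inc} incoming / {out} outgoing pending HTLCs "
              f"(limit {MAX_HTLCS_PER_DIRECTION} per direction)")
```

On a live node, replace the sample with the output of `lncli listchannels` and run the check from cron or your existing Telegram bot; the fee estimate is only as good as the per-HTLC size you pass in.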

How To Prevent A Griefing Attack

Jager has been working on a proof-of-concept program to help isolate and fight attackers. He’s calling his program “Circuitbreaker.” The Circuitbreaker works at a network level, which unfortunately means that everyone has to participate for it to be effective.

Beyond that, this issue needs prioritization and attention from dedicated engineers/developers to find better solutions. There have also been some good discussions on modifying the protocol in the Bitcoin Optech newsletter (issue #122 or #126).

This attack can be executed today. It is a miracle that it hasn’t already been used maliciously; that it hasn’t reflects the incentives of those using Lightning today, who want it to become an open, universal payment network. Please share this post as you see fit to encourage and inspire more work to fix this problem before it causes real harm.

Additional Technical Information About The Involuntary Force-Close

Here are the logs from my node running LND 0.11 at the moment that the above-mentioned involuntary force-close occurred:

2020-11-26 21:24:47.374 [ERR] HSWC: ChannelLink(657759:561:0): failing link: ChannelPoint (c37bec006b18df172698a84739ca47128935e0a8666fecd1a843e49b01db207c:0): received error from peer: chan_id=7c20db019be443a8d1ec6f66a8e035891247ca3947a8982617df186b00ec7bc3, err=rejected commitment: commit_height=455, invalid_commit_sig=3044022076fd65191eb6305b723fa6012be378413b6326e2786c38db58b4c02e1f3999d202207605ca31de8b4c5b1d9cd20dc1581dfa2383e0b4e06c8ad4f718ab5c434d8cf5, commit_tx=02000000017c20db019be443a8d1ec6f66a8e035891247ca3947a8982617df186b00ec7bc300000000008a792e8002210d0000000000002200201031cf10a1efef261edd3d0a1a6a953b27bc25bd7150bb2b07afdc69805e02157213000000000000160014de650929042bef58b71783ae1a44834a902a8f2d542ca720, sig_hash=4e0fb804c74376020e4c44a60969b9206eb0aaa9a89b76017d60f23ad5cf63e5 with error: remote error

The logs show an “invalid_commit_sig” which is a known issue in LND. Supposedly, this can happen upon reconnecting and isn’t a direct result of the channel jamming. The volume of pending HTLCs unfortunately makes it more likely to happen. Jager helped explain the process as channel jamming –> endless payment loop (bug) –> node down –> reconnect –> invalid commit sig (bug) –> channel force-close.

The “endless” loop bug is a known bug that occurs when the HTLC limit is reached and an additional HTLC is sent. Instead of ending in a payment failure, LND will continue to attempt the payment in a loop. To help with this bug, see LND issue #4656.

This is a guest post by Jestopher. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.

Source: https://bitcoinmagazine.com/articles/good-griefing-a-lingering-vulnerability-on-lightning-network-that-still-needs-fixing?utm_source=rss&utm_medium=rss&utm_campaign=good-griefing-a-lingering-vulnerability-on-lightning-network-that-still-needs-fixing


Co-Founder of Floyd Mayweather-Backed Centra Tech Sentenced to 8 Years in Prison


The co-founder of a fraudulent ICO project that duped more than $25 million from investors, Sohrab Sharma, has received a sentence of eight years in prison for his role.

The project itself, dubbed Centra Tech, was previously backed by several celebrities, including the boxing legend Floyd Mayweather and the producer DJ Khaled.

Centra Tech Co-Founder Behind Bars for 8 Years

Founded in 2017, Centra Tech marketed itself as a debit card provider that supposedly allowed purchases with cryptocurrencies at any businesses accepting Visa and MasterCard.

The trio behind the project, namely Robert Farkas, Raymond Trapani, and Sohrab “Sam” Sharma, claimed that a Harvard-educated CEO with over 20 years of experience would run the project and that the card had licenses to operate in 38 US states.

However, an investigation from the Department of Justice concluded that the three co-founders had fabricated the information. Consequently, the authorities charged the three men with deceiving investors into allocating over $25 million in the fraudulent ICO project.


Farkas and Trapani pled guilty to conspiring to commit securities fraud, wire fraud, and mail fraud initially, while Sharma joined them last year, as reported. Now, several months later, he has received his sentencing – eight years in prison, according to the DOJ’s statement.

US Attorney Ilan Graff said that Sharma has “led a scheme to deceive investors by falsely claiming that the start-up he co-founded had developed fully functioning, cutting-edge cryptocurrency-related financial products.”

He added that “in reality, Sharma’s most notable inventions were the fake executives, fake business partnerships, and fake licenses that he and his co-conspirators touted to trick victims into handing over tens of millions of dollars.”

Mayweather and DJ Khaled Involved

Taking advantage of a common occurrence at the time, Centra Tech received the endorsement of at least two celebrities – DJ Khaled and Floyd Mayweather. However, both failed to disclose that they had accepted payment for their endorsements.

Both received charges from the US Securities and Exchange Commission as a result of the investigation. Shortly after, they agreed to pay penalties without admitting to wrongdoing.

The boxer paid $300,000 in disgorgement, a $300,000 penalty, and $14,755 in prejudgment interest. He also agreed not to promote any securities, digital or otherwise, for a period of three years.

The musician paid $50,000 in disgorgement, a $100,000 penalty, and $2,725 in prejudgment interest while agreeing to avert any ICO promotions for two years.

Source: https://cryptopotato.com/co-founder-of-floyd-mayweather-backed-centra-tech-sentenced-to-8-years-in-prison/


Mike Novogratz thinks Mark Cuban’s decision to let people buy Dallas Mavericks tickets and merchandise with Dogecoin is a mistake. In an interview earlier today, the Galaxy Digital CEO told Bloomberg,

“I think Mark’s making a mistake there. He’d be better off with 15 other different ways to pay for his tickets.”

The exec also pointed out how the popular meme-coin isn’t exactly the safest bet, adding, “Let’s put people in the safest best stuff, not these joke coins.” To make his case, Novogratz also highlighted that he had actually made money betting on the value of Dogecoin falling on the price charts.

While many in the community were quick to fire back after the exec’s comments, Novogratz’s concerns are understandable, especially since Dogecoin is a meme-based cryptocurrency that was intended to be a joke according to its creator’s own admission. However, as is the case with most cryptocurrencies, the community belief system in a coin may be as important as the tokenomics of the coin itself.

In fact, data suggests that Dogecoin adoption is on the rise. According to crypto-Twitter analytics tracker Swarm Analytics, Dogecoin has consistently been the most mentioned cryptocurrency after Bitcoin and Ethereum.

With its adoption surging over the past few months, Mark Cuban isn’t the only one embracing DOGE as a means of payment. Crypto-merchant service provider Bitpay recently added DOGE to its list of supported currencies, with crypto-ATM operator CoinFlip also making DOGE available at 1800 crypto-ATMs worldwide.

“The rise in popularity and price of Dogecoin means that developers and entrepreneurs will take Dogecoin more seriously and contributions to the project will create a positive feedback loop that increases the popularity of the project,” Daniel Polotsky, CEO of CoinFlip, said.

As things stand, the most telling sign of the coin’s newly-found standing in the market may just be the timing of its most recent dip in price.

Despite last week’s tweets from DOGE’s most influential supporter, Elon Musk, the price of DOGE failed to pump higher, something that suggested that Musk’s influence on the cryptocurrency may be declining. At the time of writing, the altcoin was trading at $0.05151, up by 4.5% in the last 24-hours.

Source: https://ambcrypto.com/mark-cubans-dogecoin-decision-is-a-mistake-mike-novogratz


Disclaimer: The findings of the following analysis are the sole opinions of the writer and should not be taken as investment advice

In the short-term, Bitcoin flipped the $47,400-level from resistance to support. Bitcoin’s dominance has also been on a steady downtrend over the past few days, with the world’s largest cryptocurrency holding its own above the $45,000-mark, a sign that capital was flowing out of altcoins and into Bitcoin.

In fact, there were some signs that a bullish bias was back in the market as the correlation with the S&P 500 picked up too.

(Figure: Bitcoin 1-hour chart. Source: BTC/USD on TradingView.)

The past two weeks have seen BTC trade within the range of $43,810 to $51,370. The mid-point of this range at $47,430 has been an important level of support and resistance over the same time period.

The descending trendline (cyan) was tested once more, and the bulls achieved a breakout as high as $49,400. However, there was some selling there that saw BTC pushed back lower to trade at $48,268, at the time of writing.

A move above $47,400 is an encouraging sign and another attempt to breach the $48,800-$49,350 area of supply is likely to be seen in the short-term.

Reasoning

On the hourly chart, the RSI was oscillating around the 50-mark, with market momentum not in favor of either side yet. The price dip from $49,350 over the past 12 hours was backed by low trading volume, indicating that it could be reversed.

The market’s bears were halted at $46,600 before a move above the trendline (cyan) was seen. Since then, the OBV has been making a series of higher lows to show that buying volume was rising. However, by and large, the OBV was pretty much in the same area it was before showing that short-term volatility notwithstanding, March has seen a deadlock between buyers and sellers.

A retest of $47,400 cannot be ruled out, but it is likely that this level will hold as support if tested. To the upside, a move beyond the aforementioned region of supply will likely see BTC test the $50,000-mark.

Conclusion

A retest of $47,400 or a hike above $49,350 can be an opportunity to enter a long position with a target of $52,000, based on the evidence at hand. Weekend volatility could also rear its head, making risk management all the more important.

Source: https://ambcrypto.com/bitcoin-price-analysis-06-march
