Full-Disclosure: CVE-2025-27586 "No Santa Claus under the Lightning Sun"

Posted by Antoine Riard

Jun 12, 2025/19:03 UTC

The report highlights a significant attack vector known as "fee-bumping reserves exhaustion attacks" on the Bitcoin Lightning Network, particularly impacting the time-sensitive contract protocols within the network. This vulnerability has been tracked since the deployment of anchor outputs, with discussions among Lightning Network maintainers occurring around mid-2022. Despite some basic mitigations being implemented in Lightning Network (LN) implementations, the consensus is that more robust, protocol-level solutions are needed but are unlikely to be deployed imminently. The CVE tracking this issue is CVE-2025-27586.

The core of the problem lies in the lack of a provisioning mechanism for fee-reserves in the LN, which would ensure there are sufficient funds available for fee-bumping, crucial for the timely processing of transactions. Without this, nodes face the risk of having their fee-bumping reserves depleted by an attacker, potentially leading to monetary losses. This is particularly concerning for nodes running option_anchor channels, whose operators are advised to consult their implementation maintainers for mitigation strategies.

The report provides a detailed background on the evolution of fee management within the LN, emphasizing the transition from legacy channels to the introduction of anchor outputs. Anchor outputs were introduced as a solution to the dynamic nature of transaction fees, allowing nodes to unilaterally increase the fee of pending transactions to ensure timely confirmation. However, the specification did not account for external provisioning of fee-bumping reserves, leaving a gap exploited by attackers.

Detecting a node's fee-bumping reserve level poses a challenge for adversaries, yet certain deanonymization heuristics can provide estimates. These include observing unilateral force-closures and interactions with the base-layer blockchain. Mitigation efforts can be categorized into over-provisioning fee-bumping reserves, halting the increase of a node's overall channel weight, and collaborative efforts among LN nodes to reduce individual channel weights. Various LN implementations have adopted different degrees of these mitigations.
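The first two mitigation categories can be expressed as a node-side check. The sketch below is an added example, not code from the report or from any LN implementation: it sizes an over-provisioned reserve from the node's overall channel weight and refuses a new channel the reserve cannot cover. The commitment and HTLC weights are assumed from BOLT 3 for anchor channels; the anchor child weight, safety factor, names and sample values are constructed.

```python
import math
from dataclasses import dataclass

# Transaction weights for option_anchors channels, taken from BOLT 3
# (an assumption of this example; the page gives no figures).
COMMITMENT_BASE_WEIGHT = 1124
COMMITMENT_PER_HTLC_WEIGHT = 172
HTLC_SUCCESS_WEIGHT = 706      # heavier of the two second-stage transactions
ANCHOR_CHILD_WEIGHT = 700      # constructed estimate for the CPFP child


@dataclass
class Channel:
    pending_htlcs: int  # untrimmed HTLC outputs on the commitment transaction


def channel_weight(ch: Channel) -> int:
    """Worst-case weight to force-close one channel and claim every HTLC."""
    return (COMMITMENT_BASE_WEIGHT
            + COMMITMENT_PER_HTLC_WEIGHT * ch.pending_htlcs
            + ANCHOR_CHILD_WEIGHT
            + HTLC_SUCCESS_WEIGHT * ch.pending_htlcs)


def required_reserve_sat(channels, feerate_sat_vb: int, safety: float = 2.0) -> int:
    """Reserve needed to confirm everything at feerate_sat_vb, over-provisioned
    by `safety`. Charging the full weight to the reserve is deliberately
    conservative: fees already pre-signed on the commitment are ignored."""
    vbytes = (sum(channel_weight(c) for c in channels) + 3) // 4
    return math.ceil(vbytes * feerate_sat_vb * safety)


def admit(channels, candidate: Channel, reserve_sat: int, feerate_sat_vb: int) -> bool:
    """Refuse growth in overall channel weight that the reserve cannot cover."""
    needed = required_reserve_sat(list(channels) + [candidate], feerate_sat_vb)
    return needed <= reserve_sat


if __name__ == "__main__":
    open_channels = [Channel(10), Channel(50)]   # constructed sample state
    print(required_reserve_sat(open_channels, 50))
    print(admit(open_channels, Channel(20), 1_500_000, 50))
```
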

The broader implications of such attacks extend beyond the LN to other contract protocols and multi-party transactions that rely on timely confirmations. The discovery and ongoing discussion of this vulnerability underscore the need for continued research and development of more effective mitigations. The timeline provided traces the communication and planned disclosure process regarding this security concern within the developer community.

The conclusion drawn emphasizes the real-world plausibility of these attacks against Lightning channels enabled with option_anchors, calling for further investigation and experimentation. The report advocates for a careful balance between adequate fee-reserve provisioning and the necessity of protocol-level solutions to mitigate the risks associated with liquidity constraints.

For more detailed information, the full report is accessible here.
