Disclosure: Critical vulnerabilities fixed in LND 0.19.0

Posted by ariard

Dec 6, 2025/01:31 UTC

The concept of "Replacement Stalling Attacks" was notably brought to light among Lightning developers by Bastien Teinturier in 2021, particularly in the context of adversarially aggregating and disaggregating option_anchors second-stage HTLC transactions. This form of attack is a variant of the broader category known as "cat-and-mouse" attacks, which are not exclusive to LND (Lightning Network Daemon) but concern the network more generally. The disclosure timeline for such vulnerabilities typically adheres to a 90-day embargo, considered standard in information security. However, because these bugs may often be resolved directly within the implementation, without requiring cross-layer solutions, a 4-6 month window is suggested as more appropriate. This extended period aligns with the release cycles commonly seen in Lightning implementations and avoids making the fix overly conspicuous, which could otherwise simplify reverse-engineering efforts by malicious actors.

The discussion of Lightning Network security also touches on the critical need for clearer guidelines on claimable outputs detection, generation of claim transactions, fee selection, and the rebroadcasting schedule for these transactions. Different Lightning implementations are not required to be inter-compatible in this logic, yet the sector has faced criticism for how it manages this aspect, which is crucial for the security of channel funds. In response, there have been proposals since at least 2020 to codify best practices in a specific BOLT (Basis of Lightning Technology) document. This effort aims to consolidate knowledge and recommendations for handling these processes more securely, although it remains incomplete. An attempt to outline what such guidance might cover can be found in an experience document related to the DLC spec. The open question is whether the Lightning community will proactively address these security concerns or continue to see vulnerabilities exploited due to insufficient attention to on-chain logic management.
