Disclosure: Critical vulnerabilities fixed in LND 0.19.0

Posted by morehouse

Dec 6, 2025/15:31 UTC

The concept of "cat-and-mouse" attacks, specifically related to the aggregation and disaggregation of option_anchors second-stage HTLC transactions in the Lightning Network (LN), was first shared by Bastien Teinturier in 2021. This type of attack exploits a general weakness in LND (Lightning Network Daemon): because LND reaggregated and rebroadcast transactions infrequently, transaction fees could be manipulated to remain low, allowing attackers to execute these attacks at a low cost. Other LN implementations were found to be less susceptible to such manipulation because they responded more promptly to double spends.

A significant part of the discussion concerns the fee bumping strategies of the various LN implementations, suggesting that improvements are necessary to protect against replacement cycling and similar attacks. An informative guide on enhancing these strategies can be found at morehouse.github.io. The standard practice for disclosing vulnerabilities is also highlighted: a 90-day embargo timeline is noted as the baseline, while a 4-6 month period may be more appropriate for the LN, considering its usual release cycles and the risk of making fixes too obvious through sparse changelog entries.

The email also touches on broader areas of logic within LN operations, such as detection of claimable outputs, generation of claim transactions, and fee selection, emphasizing that LN implementations do not need to be compatible with one another in these critical areas. Despite this, these areas have repeatedly been mismanaged, leading to security vulnerabilities. An attempt to address some of these issues is documented in an (incomplete) experience for the DLC spec, available at github.com/discreetlogcontracts, suggesting that a specific BOLT encompassing best practices might be beneficial.

Additionally, it critiques the focus on optimizing force close fees within LN implementations, arguing that reducing the frequency of force closes through improved protocol stability and implementing 0-fee commitments might be a more effective strategy than attempting to save a marginal amount on fees through batching and other optimizations. This perspective suggests a shift in focus towards fundamental security and operational improvements rather than superficial fee savings.
