Two researchers have discovered a vulnerability in Bitcoin’s Lightning Network layer-two scaling solution that could lead to payment channels being locked for as little as 0.25 BTC ($2,400).

Ayelet Mizrahi and Aviv Zohar, two professors at Hebrew University, published a paper on Medium titled “Congestion Attacks in Payment Channel Networks.” According to the researchers, there is a “fundamental vulnerability” in the current iteration of Lightning’s trustless payment channel protocol. 

The professors claim to have identified two specific attacks on the network, which involve locking as many liquidity channels as possible for an extended period of time and isolating hubs from the rest of the network. In addition, the researchers say that recent changes to the default network parameters agreed upon by Lightning developers have made the attacks easier to carry out. 

The paper outlines the method of attack for paralyzing payment channels, which involves a hacker requesting numerous small payments and exhausting the number of simultaneously opened hash time locked contracts (HTLC). 

According to the paper,

The attacker is both the source and destination of this payment and can severely delay the final execution of the payment (up to several days). The attacker can then re-run the attack once again and lock the same path for an additional period of time.

The researchers discovered they were able to effectively paralyze the majority of liquidity on Lightning network for several days using less than 0.25 BTC.

The report reads, 

Our results show that the attacker can paralyze 650 BTC [$6.2 million] of liquidity in the Lightning Network for 3 days using less than 0.25 BTC.

Mizrahi and Zohar also detailed their method for disconnecting a single node from the network for an extended period of time. The attack involves an adversary connecting to the victim’s node and paralyzing its adjacent channels. The attacker does this by making payment requests over a path going back and forth through the victim’s channel. To the researcher’s astonishment, “this is surprisingly allowed in Lightning implementations.”

While Lightning has yet to reach mainstream as a payment protocol for bitcoin, the network currently supports 11,000 nodes and 35,000 channels, with an estimated 880 BTC in total capacity. 

Featured Image Credit: Photo via