Developers have disclosed a security vulnerability in several versions of the Bitcoin Lightning Network software that could cause users to lose money if the software is not updated.
It is not clear how much bitcoin, if any, was lost, or how many users were affected.
Several versions of Lightning node software are vulnerable and should be updated immediately, Osuntokun warned on a developer mailing list, adding:
“We’ve confirmed instances of the CVE being exploited in the wild.”
Lightning, an experimental layer two solution, aims to allow transactions at almost no cost, making bitcoin feasible for mundane transactions such as coffee purchases.
But the bug shows that the technology still has problems, like any financial product based on code.
“Security problems have been found in several lightning projects that could cause loss of funds,” Russell said in the original post. “Full details will be released in 4 weeks (2019-09-27), please update well before that.”
Osuntokun emphasized that lightning is still in its infancy.
“We would also like to remind the community that we still have limits on the network to mitigate the widespread loss of funds,” he wrote, “and keep this in mind when you put funds into the network at this early stage.”
Lightning Labs repeated the warning on Twitter, reminding users that it is still possible to lose funds on the network.
This is also a great time to remind folks that we have limits in place to mitigate widespread funds loss at this early stage. There will be bugs.
Don't put more money on Lightning than you're willing to lose!
— Lightning Labs⚡️ (@lightning) September 10, 2019
The affected versions include LND 0.70 and later, C-Lightning 0.70 and later, and Eclair 0.3 and later.