TY - GEN
T1 - Payout Races and Congested Channels
T2 - 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024
AU - Weintraub, Ben
AU - Nita-Rotaru, Cristina
AU - Kumble, Satwik Prabhu
AU - Roos, Stefanie
PY - 2024
Y1 - 2024
N2 - The Lightning Network, a payment channel network with a market cap of over 192M USD, is designed to resolve Bitcoin’s scalability issues through fast off-chain transactions. There are multiple Lightning Network client implementations, all of which conform to the same textual specifications known as BOLTs. Several vulnerabilities have been manually discovered, but to date there have been few works systematically analyzing the security of the Lightning Network. In this work, we take a foundational approach to analyzing the security of the Lightning Network with the help of formal methods. Based on the BOLTs’ specifications, we build a detailed formal model of the Lightning Network’s single-hop payment protocol and verify it using the Spin model checker. Our model captures both concurrency and error semantics of the payment protocol. We then define several security properties which capture the correct intermediate operation of the protocol, ensuring that the outcome is always certain to both channel peers, and using them we re-discover a known attack previously reported in the literature along with a novel attack, referred to as a Payout Race. A Payout Race consists of a particular sequence of events that can lead to an ambiguity in the protocol in which innocent users can unwittingly lose funds. We confirm the practicality of this attack by reproducing it in a local testbed environment.
AB - The Lightning Network, a payment channel network with a market cap of over 192M USD, is designed to resolve Bitcoin’s scalability issues through fast off-chain transactions. There are multiple Lightning Network client implementations, all of which conform to the same textual specifications known as BOLTs. Several vulnerabilities have been manually discovered, but to date there have been few works systematically analyzing the security of the Lightning Network. In this work, we take a foundational approach to analyzing the security of the Lightning Network with the help of formal methods. Based on the BOLTs’ specifications, we build a detailed formal model of the Lightning Network’s single-hop payment protocol and verify it using the Spin model checker. Our model captures both concurrency and error semantics of the payment protocol. We then define several security properties which capture the correct intermediate operation of the protocol, ensuring that the outcome is always certain to both channel peers, and using them we re-discover a known attack previously reported in the literature along with a novel attack, referred to as a Payout Race. A Payout Race consists of a particular sequence of events that can lead to an ambiguity in the protocol in which innocent users can unwittingly lose funds. We confirm the practicality of this attack by reproducing it in a local testbed environment.
KW - Lightning Network
KW - Model checking
KW - Payment channels
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85215523726&partnerID=8YFLogxK
U2 - 10.1145/3658644.3670315
DO - 10.1145/3658644.3670315
M3 - Conference contribution
AN - SCOPUS:85215523726
T3 - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
SP - 2562
EP - 2576
BT - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
PB - ACM
Y2 - 14 October 2024 through 18 October 2024
ER -