![\"bitcoin](\"https:\/\/s3.amazonaws.com\/arc-authors\/coindesk\/e664fcaf-7612-4acd-9c7e-6d8b5eba1a5d.png\")
<\/p>\n
<\/a><\/div>\n<\/div>\n
Frederick Munawa is a Technology Reporter for Coindesk. He covers blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
A Twitter user by the name “Burak” (@brqgoo<\/a>) sent a large swath of the Lightning Network into turmoil on Tuesday morning, when he allegedly created a non-standard Bitcoin transaction that prevented users from opening new Lightning channels (connections between Lightning nodes).<\/p>\n<\/div>\n Lightning is a layer 2 network that enables cheaper and faster Bitcoin transactions. Burak’s valid but non-standard transaction caused Bitcoin nodes running an implementation of Bitcoin called btcd<\/a>, to suddenly stop creating new transaction blocks. This caused a corresponding glitch on all Lightning Network Daemon<\/a> (LND) nodes. LND nodes rely on information from btcd Bitcoin nodes, and the glitch caused LND nodes to reject all new channel opening requests.<\/p>\n<\/div>\n Consensus conflict caused by max Witness Items Per Input #1906<\/p>\n @brqgoo I made a P2TR spend containing an OP_SUCCESSx opcode with 500,001 empty pushes, which as a result, caused a consensus conflict between btcd and core: Changing the max WitnessItemsPerInput parameter from 500,000 to 4,000,000 solves the issue: Burak’s shenanigans disrupted a good chunk of the Bitcoin and Lightning ecosystems. Nevertheless, one could argue the community’s anti-fragility<\/a> was on full display. Core Lightning<\/a> (CLN) nodes that rely on Bitcoin Core<\/a>, the most popular implementation of Bitcoin, were unaffected (although this seems to have been by design). Additionally, the bug Burak exploited was quickly patched (thanks to Elle Mouton<\/a> and Oliver Gugger<\/a>).<\/p>\n<\/div>\n “Burak was well aware of the consequences triggered by the transaction. I think everyone can decide for themselves if that is to be considered malicious or not,” Rene Pickhardt<\/a>, Bitcoin and Lightning developer and educator, told CoinDesk. Pickhardt co-authored the popular “Mastering Lightning<\/a>” book and helped demystify many technical aspects of this story.<\/p>\n<\/div>\n Burak’s actions not only sparked lively exchanges on Twitter, but also raised a key question – how should the Bitcoin community handle similar exploits in the future?<\/p>\n<\/div>\n “Generally, developers promote a well-known culture of responsible disclosure and ethics when discovering exploitable bugs. Lightning Labs had a reasonable plan for patching this problem beforehand, but maybe Burak felt the situation was more urgent and wanted to light a fire under [them],” John Cavarlho<\/a> told CoinDesk. Cavarlho is the CEO of Bitcoin software firm, Synonym. The firm’s CTO, Reza Bandegi, also helped clarify technical aspects of this story.<\/p>\n<\/div>\n What Cavarlho is describing could be further incentivized by establishing robust bug bounty programs. “It’s always hard to prepare against a novel bug. I guess more review and bug bounty programs for responsible disclosure may help.” Pickhardt weighed in. “However as I understand, Pieter Wuille thinks there may sometimes be a risk in fixing bugs, as that may raise awareness and attract potential malicious actors in the transition phase while nodes update.”<\/p>\n<\/div>\n Indeed, Bitcoin developer Pieter Wuille thinks the process of fixing bugs and managing exploits is not always straightforward.<\/p>\n<\/div>\n “I don’t think it’s necessarily that simple. It’d be reasonable to assume that exploiting this needed cooperation from miners (or ones with non-standard mempool\/relay policy at least), making it harder to pull off. And fixing this one-line without raising suspicion is hard,” Wuille tweeted.<\/p>\n<\/div>\n Wuille has a point. Rumors were circulating that Burak paid $700 to F2Pool, one of the largest Bitcoin mining pools, to have his non-standard transaction included in one of their blocks. He then embedded a bizarre message in the transaction, “You’ll run CLN and you’ll be happy,” a reference to Core Lightning (CLN), which, as discussed above, is an alternative to LND, the Lightning implementation affected by the exploit.<\/p>\n<\/div>\n “I can’t speak for Burak, but it took some special effort and expense to perform his demonstration, so I have to assume he knew exactly what he was doing and that he at least wanted to draw attention to himself, LND, and apparently, CLN too, because he left a supportive message for CLN within the instigating transaction on-chain,” Cavarlho explained.<\/p>\n<\/div>\n Christian Decker, a researcher at Bitcoin infrastructure firm, Blockstream, and contributor to the CLN project, distanced his team from the exploit and publicly denounced Burak’s actions.<\/p>\n<\/div>\n<\/div>\n Sign up for Valid Points, our weekly newsletter breaking down Ethereum’s evolution and its impact on crypto markets.<\/span><\/p>\n By signing up, you will receive emails about CoinDesk product updates, events and marketing and you agree to our terms of services<\/a> and privacy policy<\/a>.<\/span><\/p>\n<\/div>\n DISCLOSURE<\/p>\n Please note that our<\/p>\n privacy policy<\/a>,<\/p>\n terms of use<\/a>,<\/p>\n cookies<\/a>, <\/p>\n and<\/p>\n do not sell my personal information<\/a><\/p>\n has been updated<\/p>\n .<\/p>\n The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a<\/p>\n strict set of editorial policies<\/a>. <\/p>\n CoinDesk is an independent operating subsidiary of<\/p>\n Digital Currency Group<\/a>, <\/p>\n which invests in<\/p>\n cryptocurrencies<\/a><\/p>\n and blockchain<\/p>\n startups<\/a>.<\/p>\n As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of<\/p>\n stock appreciation rights<\/a>,<\/p>\n which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG<\/p>\n .<\/p>\n<\/div>\n<\/div>\n<\/div>\n <\/a><\/div>\n<\/div>\n Frederick Munawa is a Technology Reporter for Coindesk. He covers blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n![\"bitcoin](\"https:\/\/cloudfront-us-east-1.images.arcpublishing.com\/coindesk\/Z37NNJYMF5CDHAXPX5TE6G55IM.png\")
\nBitcoin has a consensus rule that limits the number of stack items in a row to 1000. However, a P2TR spend containing OP_SUCCESSx precedes this rule regardless.<\/p>\n
\nhttps:\/\/blockstream.info\/tx\/73be398c4bdc43709db7398106609eea2a7841aaf3a4fa2000dc18184faa2a7e<\/p>\n
\nhttps:\/\/github.com\/btcsuite\/btcd\/blob\/master\/wire\/msgtx.go#L103<\/p>\n<\/figcaption><\/figure>\n<\/div>\n<\/div>\nBitcoin How should Bitcoin handle bugs and exploits?<\/h2>\n<\/div>\n
\n<\/p>\n