Originally published at: https://toshitimes.com/lightning-network-under-benevolent-attack-by-bitpico-group/
Bitcoin’s Lightning Network has recently been under attack. However, it would appear that the attack is not malicious in nature. Rather, the surreptitious “bitPico” group recently took to Twitter, taking full responsibility for the attack, and claiming that it is part of a Lightning Network “stress tool” designed to improve the Bitcoin network. The bitPico…
At a minimum I would argue that any such “attack” to test the network should be announced up front, so that those experiencing the attack can validate that such is a test and understand why their transactions may not be going through.
Posting a notification afterwards seems a low play.
Hi Ivan, it is my first time visiting your website/forum.
I found the article written nicely and have shared it with a telegram channel where we share news from well-known sources. We recently opened the channel so working hard to create “CryptoFansmotphere”. Appreciate your collaboration and keep it up with “Good Morning Crypto” - a Unique idea so far!
Thanks,
What’s On Crypto Team
@iwan.spillebeen @ivan You know this brings up a question that I had that no one ever talks about…how do you carry out white hat testing/attacks in the crypto space? What is the protocol? What is considered polite versus required? Who do you need to notify? How do you notify teams? (I.e., would Vitalik take me seriously if I tweeted him saying I knew about a bug that they need to fix or would I have to find a legit bounty program first?) Could I transfer everyone’s money to my wallet then announce there is an obvious bug and then after the patch has been applied transfer the money back to everyone’s wallets? Would there be any legal ramifications doing this? Have people/devs been blackballed in the crypto space for bad security practices? Is the testnet the only sanctioned place to do this type of testing? Are classes being taught on crypto security and will this become a certification in the future? What are the different methods of attacking a network?
I have got to be honest, if I am going to spend time learning how to code crypto I am going to want to learn how to tear it up, burn it down and rebuild it over and over again before I make something that I promise people it is safe for them to park their hard-earned money.
Really awesome questions, not easy to address though so sorry for the lengthy reply.
I think this is a matter of common sense. If I decided to test the security and transaction capability of my bank, and conducted the tests without telling the bank I might go to jail for hacking / fraud / etc. Even if I did tell them I might still suffer the same consequences.
I think before doing any type of testing, you need to coordinate with the people involved, however hard this may be.
The easiest way to notify is through GitHub; almost all projects are on there and have areas for testing, discussions on vulnerabilities, etc. It really wouldn’t take much effort to notify a dev team of your intentions and upcoming tests. There have been bugs discussed this way (and unfortunately also exploited this way) that could have led to people not losing considerable amounts of their coins.
In principle you could do this and the ramifications would be light, if any, in today’s unregulated environment. This would be more a ramification from the community than anything else. If done maliciously you would see your accounts blocked and you being unable to spend the ill-gotten gains … or nothing would happen if the devs are not on point.
People would have to trust you to give the money back (which would be difficult to achieve once you’ve taken it), one possible way to do it in Ethereum would be to park them in a smart contract that automatically redistributes them to the original owners, with a condition added that triggers the contract when the bug has been resolved, and with the ownership of this trigger assigned to the lead developer. So you wouldn’t be in control of the funds and can clearly show that you had no bad intentions.
There are loads and loads and loads, all depending on which network you’re looking at. I’ve summarised some for Nano / Raiblocks / the block lattice right here, some of these apply to all cryptocurrencies, some are highly specific to Nano.
I will be writing individual blogs about each of them in the near future.