Massive DDoS Attack Disrupts 4 Lightning Services
Update: the article was corrected to reflect the fact that lnurl-pay.me was affected, not lnurl-pay
Bad news for users of the Lightning payments service lntxbot. Over the weekend, the service experienced an outage, with many users locked out of their accounts and unable to access their funds. The bot allows its users to send satoshis directly on the popular Telegram messenger. With a simple command — /send 1000 @username — users can wire payments around the world without paying a cent in fees.
This weekend the beloved service was under attack:
LNTXBOT is down today because @LiteServer "suspended" the VPS. All they did was to send an email saying "Your VPS was suspended."— lntxbot (@lntxbot) September 2, 2021
We've been trying to get in contact for over 4 hours, but no answer.
If you know someone that can help, please reach out on https://t.co/7qoPdmceuL.
Shortly after, the popular payment service lnurl-pay.me experienced a similar outage, which rendered payments impossible. The two outages have something in common: the attacks targeted the centralized components of these services that are necessary to communicate with the rest of the internet. In the case of lntxbot, the IP address of the owner fiatjaf's server was targeted and overwhelmed with traffic. In the case of lnurl-pay.me, the DNS of the payment rail was targeted.
The events are worrying for users of the Lightning Network. While the underlying decentralized structure of the network remains unaffected, the centralized services built on top of it have proven vulnerable.
The more people rely on payment rails with centralized components such as lnurl-pay.me, the more the network as a whole becomes a target for such attacks. It is therefore extremely important that users are aware of these risks and know how to mitigate them. One obvious solution is to take care of your own funds by running a Lightning Network node or by using a non-custodial wallet, for which there are many options.
Even more importantly, the Lightning Network should not become dependent on payment options with centralized aspects. Even though such services offer convenience, let’s not forget that we must build tools that are resilient against all kinds of attacks, especially if there are Lightning Network native solutions like bolt12.org in the works, waiting to be deployed.
The two attacks should serve as a wake-up call to implement more decentralized and robust user experiences.
Thankfully the issue was resolved, as statements on Twitter confirm.
The bot should be working 100% now.— lntxbot (@lntxbot) September 6, 2021
Some users, however, experienced quite a shock as they saw their funds disappear. Venezuelan designer Raul Bedoya, who also created an exclusive shirt design for the Superb Bitcoin Summit, reports in an interview for DCA Signals:
DS: How does lntxbot help you as a professional creative from Venezuela?
“So far it has seemed to me the most practical way to receive, send, help with tips to other users and save money as savings avoiding the superinflation and devaluation in the national fiat currency, it is simply easier for everything, it is even fast to change to fiat currency if I want to pay someone who does not know it yet, however I always try to teach people to know the Lightning Network.”
DS: You almost lost the money of 2 weeks of work due to the attack. What did you learn?
I was about to lose them, it was very worrying because it is the money to take care of my family and they depended on it. This taught me that due to the bot attacks I must have a new wallet, one that can have the security and backup of my savings. Custodial wallets may seem safe until they aren’t anymore. So if I rely on money I need to use self-custody to secure it better.
DS: Are you still optimistic about Lightning and Bitcoin?
So far I don’t feel disappointed… it is the best thing that can exist for me at this moment… I got that it is the best way to break the limits that we had in terms of receiving money from other countries… and this brings us closer to do business and projects internationally…
During the attack users and fans of lntxbot kept supporting fiatjaf and discussed the situation like a hot football match.
Once the attack was fended off, generous users sent donations to fiatjaf to thank him for his work, of course using lntxbot's very own tipping function.
Ultimately the infamous lntxbot didn't die that day but survived the attack. Thanks to the relentless efforts of bot owner fiatjaf, all funds were safe and no user was harmed. Hopefully lntxbot will live long and gain robustness from this attack.
New safety measures such as warning notifications will be implemented to help protect users. Lightning is still very experimental, and lntxbot should not be used as a bank or storage solution for bitcoin but rather treated as an innovative, experimental open source project.
Or as fiatjaf concluded ironically: