According to the published details, an attacker could pretend to open a new payment channel and then send fake transactions. The vulnerability arose because the channel-opening process did not require the receiver to check that the transaction was the one promised by the funder, specifically that its script pubkey matched. The script pubkey is the output script of a transaction, and it sets the conditions that must be met before a receiver can spend their bitcoins. The file reads:
“A lightning node accepting a channel must check that the funding transaction output does indeed open the channel proposed. Otherwise an attacker can claim to open a channel but either not pay to the peer, or not pay the full amount. Once that transaction reaches the minimum depth, it can spend funds from the channel. The victim will only notice when it tries to close the channel and none of the commitment or mutual close transactions it has are valid.”
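The check the disclosure describes can be sketched as follows. This is an added example, not code from the article or from any Lightning implementation; it assumes the BOLT #3 funding output layout (a P2WSH 2-of-2 multisig with lexicographically sorted keys), takes transaction outputs as already-decoded pairs, and uses constructed placeholder keys and amounts.

```python
import hashlib

OP_0, OP_2, OP_CHECKMULTISIG = 0x00, 0x52, 0xAE

def funding_script_pubkey(pubkey_a: bytes, pubkey_b: bytes) -> bytes:
    """Expected P2WSH scriptPubKey of the 2-of-2 funding output (BOLT #3 layout)."""
    for pk in (pubkey_a, pubkey_b):
        if len(pk) != 33 or pk[0] not in (2, 3):
            raise ValueError("funding pubkeys must be 33-byte compressed keys")
    first, second = sorted((pubkey_a, pubkey_b))  # lexicographic key order
    witness_script = (bytes([OP_2, 33]) + first + bytes([33]) + second
                      + bytes([OP_2, OP_CHECKMULTISIG]))
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()

def check_funding_output(outputs, index, expected_spk, expected_sat):
    """Validate the output the funder pointed at; outputs is [(value_sat, spk)]."""
    if not 0 <= index < len(outputs):
        return False, "output index out of range"
    value_sat, spk = outputs[index]
    if spk != expected_spk:
        return False, "scriptPubKey does not pay to the channel"
    if value_sat != expected_sat:
        return False, "amount differs from the negotiated channel capacity"
    return True, "ok"

# Constructed placeholder keys and amount (not real curve points or channel data).
KEY_A = b"\x02" + b"\x11" * 32
KEY_B = b"\x03" + b"\x22" * 32
FUNDING_SAT = 100_000

def run_cases():
    """Run the check over three constructed funding transactions."""
    good = funding_script_pubkey(KEY_A, KEY_B)
    other = funding_script_pubkey(KEY_A, b"\x02" + b"\x33" * 32)  # pays elsewhere
    cases = {
        "honest": [(FUNDING_SAT, good), (5_000, other)],
        "wrong_script": [(FUNDING_SAT, other)],
        "underfunded": [(FUNDING_SAT - 90_000, good)],
    }
    return {name: check_funding_output(outs, 0, good, FUNDING_SAT)
            for name, outs in cases.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_cases().items():
        print(f"{name:13s} accept={ok} ({reason})")
```

Both failure cases correspond to the two outcomes named in the quoted text: the output does not pay to the peer, or it does not pay the full amount.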
When the vulnerability was first revealed to the public in August, Russell urged Lightning Network node operators to update their software as soon as possible. He tweeted at the time:
Friday’s announcement also stated that all major lightning software clients have already been upgraded in order to fix the vulnerability. It also revealed that the “bug” was first discovered towards the end of June, and that the companies that maintained the most popular lightning implementations were notified immediately.