Lightning devs must ‘wake up’ and fix security bugs, not please VCs: Bitcoin dev

cointelegraph.com:

Developers working on the Bitcoin layer 2 Lightning Network have become less security-oriented and more focused on producing cash flow for their investors, argues a former Lightning Network developer.

Bitcoin core developer and security researcher Antoine Riard, made headlines last month after leaving the Lightning ecosystem over concerns about a new attack vector called “replacement cycling,” which exploiters could potentially use to steal funds by targeting payment channels.

How does a lightning replacement cycling attack work?

There's a lot of discussion about this newly discovered vulnerability on the mailing lists, but the actual mechanism is a bit hard to follow.

So here's an illustrated primer...

1/n pic.twitter.com/mvvS8bEc5f

At the time, Riard said the new class of attacks puts Lighting in a “perilous position" though other Bitcoin developers such as “Machine98” suggested it is a difficult attack to pull off in the first place.

Riard told Cointelegraph that he’s now working at the Bitcoin base layer to address the issue and urged Lightning developers to follow suit:

Riard also claimed that many Lightning-focused firms are compromising Lightning’s mission and security incentives for the sake of pleasing venture capitalists:

Riard said it’s a classic example of the “tragedy of the commons” — where individuals and entities with access to a public resource act in their own interest and deplete it.

Decentralization appears to be a trade-off that these VC-funded Lightning firms are willing to make, which is a major concern to Riard.

“I'm not sure this is an interesting Lightning future,” Riard said. In fact, it is something which he wants no part of, after departing from the Lightning ecosystem on Oct. 20:

Lightning is the best