One denial-of-service and two theft-of-funds vulnerabilities were fixed in LND 0.19.0. Users should immediately upgrade to LND 0.19.0 or later to protect their funds.
The Infinite Inbox DoS
Large internal queue sizes and an unrestricted incoming connection policy enabled attackers to quickly exhaust LND’s available memory and cause it to crash or hang.
More details are provided in the corresponding blog post.
The Excessive Failback Exploit #2
A variant of the previously disclosed excessive failback bug could still be exploited to steal funds from LND nodes. The variant was discovered while drafting an update to BOLT 5 that was intended to help prevent similar vulnerabilities in the future.
More details are provided in the corresponding blog post.
The Replacement Stalling Attack
Weaknesses in LND’s sweeper system enabled an attacker to stall LND’s attempts at claiming expired HTLCs on chain. After stalling for 80 blocks, the attacker could steal essentially the entire channel balance. This vulnerability was discovered during code review of LND’s sweeper rewrite in 2024.
More details are provided in the corresponding blog post.