BitDevs Wiki

Vulnerability Disclosure: Assertion DoS in Core Lightning

Chand-ra · May 16, 2026 at 01:29 PM UTC

Added to the wiki June 17, 2026 at 06:17 PM UTC · full text archived June 17, 2026 at 06:17 PM UTC

This Delving Bitcoin post is a coordinated vulnerability disclosure for Core Lightning (CLN), one of the major Lightning implementations. It was written by Chand-ra, who found the bug during a Summer of Bitcoin 2025 internship mentored by Matt Morehouse, and published after the fix shipped.

The flaw was a denial-of-service: a remote peer could crash a CLN node by sending a channel-open message with an all-zero funding_txid. An overly strict assertion in handle_setup_channel() (in hsmd/libhsmd.c) treated a state the developers assumed was impossible as fatal, so the signing daemon aborted and took the node down. Because any node accepting inbound channel requests could be hit, operators were advised to upgrade. The fix removed the assertion and shipped in CLN release v26.04.
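The bug shape described above, as an added illustration rather than Core Lightning's own code: a hypothetical channel-setup handler that enforces the "all-zero funding_txid can't happen" belief with assert() next to one that rejects the value as a protocol error. All names and types here are stand-ins, not CLN's.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not Core Lightning's types or functions. */
#define TXID_LEN 32

struct setup_req {
    uint8_t  funding_txid[TXID_LEN];
    uint32_t funding_outnum;
};

enum setup_status { SETUP_OK = 0, SETUP_BAD_FUNDING = 1 };

static bool txid_is_zero(const uint8_t txid[TXID_LEN])
{
    static const uint8_t zero[TXID_LEN]; /* static storage: all zero */
    return memcmp(txid, zero, TXID_LEN) == 0;
}

/* "Before" shape: the "can't happen" belief is enforced with assert().
 * If peer-supplied data reaches it, the whole process aborts, which is
 * the DoS the disclosure describes; under NDEBUG the check disappears
 * entirely. assert() is an internal-invariant tool, not input validation. */
int handle_setup_channel_asserting(const struct setup_req *req)
{
    assert(!txid_is_zero(req->funding_txid));
    return SETUP_OK;
}

/* "After" shape: an unexpected peer-controlled value is a protocol error
 * the caller logs and rejects; the signing daemon keeps running. */
int handle_setup_channel_validating(const struct setup_req *req,
                                    char *err, size_t errlen)
{
    if (txid_is_zero(req->funding_txid)) {
        snprintf(err, errlen, "channel setup rejected: all-zero funding_txid");
        return SETUP_BAD_FUNDING;
    }
    err[0] = '\0';
    return SETUP_OK;
}

int main(void)
{
    struct setup_req req;           /* constructed sample: zero txid */
    char err[128];
    memset(&req, 0, sizeof req);
    int rc = handle_setup_channel_validating(&req, err, sizeof err);
    printf("status=%d %s\n", rc, err); /* status=1 ...all-zero funding_txid */
    return 0;
}
```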

The post is also a case study in how the bug was found: a new fuzz target, fuzz-open_channel, that feeds both structurally-valid-but-randomized and fully random open_channel messages into the parser. The author's framing is that fuzzing surfaces "unknown unknowns" — state combinations no human writes a test for because they "shouldn't happen."

As a source it grounds an often-abstract point about the state of Lightning: the protocol is specified in the open, but the implementations are real software with real attack surface, and security depends on disclosure practices and tooling like fuzzing as much as on the spec.