It's been confirmed that is has been exploited already:
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html
So in the link posted above:
Quote
We've confirmed instances of the CVE being exploited in the wild. If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
* lnd v0.7.1 -- anything 0.7 and below is vulnerable
* c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
* eclair v0.3.1 -- anything 0.3 and below is vulnerable
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
* lnd v0.7.1 -- anything 0.7 and below is vulnerable
* c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
* eclair v0.3.1 -- anything 0.3 and below is vulnerable
But in the actual "release" of the vulnerability (It had been discussed for a while on some hacker sites and at DefCon)
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html
They put this in the timeline:
Quote
2019-09-07: First conclusive evidence of exploit attempt in the wild.
While having this in the text above it:
Quote
While this long-standing bug had not been independently discovered, and thus
was unlikely to be discovered by a malicious party before being fixed, it did
provide an opportunity to test communications and methods of upgrade across
the entire lightning ecosystem.
was unlikely to be discovered by a malicious party before being fixed, it did
provide an opportunity to test communications and methods of upgrade across
the entire lightning ecosystem.
That's some really good doublethink.
-Dave
