The Lightning Network is viewed by many in the Bitcoin community as the network’s best hope for long-term scalability. The concept uses payment channels to perform bitcoin transactions off-chain, with the blockchain acting as a sort of backup court system for situations where someone decides not to play nice. The creators of this system for instant micropayments estimate that it could eventually be used to process billions of transactions per second.
While a combination of smart contracts and game theory is used to make sure the system works properly for everyone, Bitcoin Core contributor Peter Todd explained a possible failure mode of the Lightning Network at the Bitcoin in Use conference late last month.
Editor's note added at 1:11 EST: The failure mode discussed in this article has been known since the early development of the Lightning Network and is discussed in the white paper. This article is not an attempt to give Peter Todd credit for discovery of the failure mode; he simply provided an overview of the issue during a recent talk.
The Lightning Network’s Failure Mode
The Lightning Network failure scenario described by Todd takes place when a large number of people on the Bitcoin network need to settle their Lightning Network disputes on the blockchain in a relatively short period of time.
“We do have a failure mode which is: Imagine a whole bunch of these [settlements] have to happen at once,” Todd explained. “There’s only so much data that can go through the bitcoin network and if we had a large number of Lightning channels get closed out very rapidly, how are we going to get them all confirmed? At some point, you run out of capacity.”
In a scenario where a large number of people need to settle their Lightning contracts on the blockchain, the price for doing so could increase substantially as the available space in bitcoin blocks becomes scarce. “At some point some people start losing out because the cost is just higher than what they can afford,” Todd said. “If you have a very large percentage of the network using Lightning, potentially this cost is very high. Potentially, we could get this mass outbreak of failure.”
The way the Lightning Network works, a user must be able to issue a breach remedy transaction in order to keep their counterparty honest. If a user is unable to make the proper transaction on the blockchain in a certain amount of time, their counterparty may be able to take control of bitcoins tied up in the smart contract between the two parties.
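The capacity squeeze described above can be modelled as a fee auction for a fixed number of block slots before each timelock expires. The following is an added example, not code from the article or from Todd's talk; the function name, the rule that users bid at most the value they have at stake, and all sample numbers are assumptions made for illustration.

```python
import heapq

def simulate_mass_close(channels, slots_per_block):
    """Block-by-block fee auction for settlement transactions.

    channels: (channel_id, value_at_stake, deadline_block) tuples.
    Assumption: each user bids at most value_at_stake as a fee, and
    miners fill every block with the highest bids still pending.
    Returns (confirmed {id: block}, stranded ids, lowest winning bid per block).
    """
    # Max-heap on bid size (negated because heapq is a min-heap).
    pending = [(-value, cid, deadline) for cid, value, deadline in channels]
    heapq.heapify(pending)
    confirmed, stranded, floor = {}, [], []
    block = 0
    while pending:
        block += 1
        included, lowest = 0, None
        while pending and included < slots_per_block:
            neg_value, cid, deadline = heapq.heappop(pending)
            if deadline < block:
                stranded.append(cid)   # timelock ran out before a slot was won
                continue
            confirmed[cid] = block
            lowest = -neg_value        # last bid taken is the block's fee floor
            included += 1
        if included:
            floor.append(lowest)
    return confirmed, stranded, floor

# Constructed sample: six channels closing at once, one settlement slot
# per block, every timelock expiring after block 3.
SAMPLE = [("a", 10, 3), ("b", 50, 3), ("c", 20, 3),
          ("d", 5, 3), ("e", 40, 3), ("f", 30, 3)]

if __name__ == "__main__":
    confirmed, stranded, floor = simulate_mass_close(SAMPLE, slots_per_block=1)
    print("confirmed:", confirmed)
    print("stranded:", stranded)
    print("lowest winning bid per block:", floor)
```

With one slot per block, only the three largest channels settle in time and the smaller ones are priced out; doubling `slots_per_block` in this sample lets all six confirm before the deadline.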
What Are the Possible Solutions?
Any situation that allows coins to be stolen obviously needs to be avoided, and according to Todd, there are some theoretical solutions available for this problem. For one, an adaptive block size limit could allow miners to increase capacity in these sorts of failure scenarios. Another possible solution would be to allow users of the Lightning Network to reserve space in future blocks to make sure they can broadcast a transaction on the blockchain before the expiration of a timelock.
Having said that, Todd indicated that a real, vetted solution is not available for this issue at this time. “There’s a whole lot of complexity and we’re not really at the point there where I could go and confidently say, ‘Yes, we’re going to have the whole world buying coffees with these systems,’” he said. “There’s tons more engineering to be done and I think it’s going to be a slow process ‒ figuring out how all this works.”
What Could Cause This Scenario?
One of the main reasons Todd is concerned about this disaster scenario is that users could be lulled into complacency due to their ignorance as to what everyone else on the network is doing. “It’s very hard for me as a Lightning user to know how many other people are potentially vulnerable to the failure of a whole bunch of Lightning channels all at once,” Todd explained. “I don’t know that information; I can’t necessarily react to that.”
One possible catalyst for the Lightning Network’s failure mode, which has also been articulated by BitGo engineer Jameson Lopp, could be too much centralization in the network topology. If a number of big players on the network all fail at once, all of the counterparties connected to those nodes will need to settle their smart contracts on-chain in a timely manner.
“In the Lightning world, your Mt. Gox may not be able to steal your money, but it may cause you to have to do a transaction within a few days, and there might be a million other people like that,” Todd explained.