Lightning Network Eclair Node Exploit Enables Funds Theft Attack Prompting Urgent Upgrade

Lightning Network users running Eclair software face a serious security risk after the recent disclosure of a vulnerability that could allow attackers to siphon funds from affected nodes. The issue affects versions 0.11.0 and earlier, where a flaw in blockchain monitoring during channel closures leaves nodes unable to recover payments properly. Developers at ACINQ, the team behind Eclair, have urged all users to update to version 0.12.0 or higher right away to safeguard their Bitcoin holdings or face possible loss of funds.

This vulnerability surfaced publicly on September 23, 2025, following a coordinated effort to give the community time to patch their systems. It highlights ongoing challenges in the layer-two network built atop Bitcoin, where speed and scalability come with the need for vigilant code maintenance. Node operators who forward payments through the network now have a narrow window to act before potential exploits spread.

How the Vulnerability Works in Lightning Channels

At its core, the Lightning Network relies on Hashed Time-Locked Contracts, or HTLCs, to route payments securely across multiple nodes without clogging the Bitcoin blockchain. When a payment reaches its destination, the recipient shares a preimage that unlocks the funds step by step back through the route, ensuring each intermediary claims its fee. During normal operations, this process happens offchain for efficiency, but if a channel closes forcefully, nodes must scan the blockchain to spot these preimages and settle outstanding claims.

The problem in Eclair stemmed from a narrow focus in its preimage extraction logic, which only scanned the node’s local view of the channel state. This oversight meant that if a dishonest peer broadcast an outdated commitment transaction, one still listing an HTLC that the victim had already cleared from its records, the node would overlook the preimage reveal. As a result, the victim misses out on claiming funds from upstream, while the attacker pockets the payment after the timeout period refunds the original sender.

Attackers could set up this scenario by initiating a payment route involving the victim node, then deliberately failing the payment to manipulate channel states. They would hold onto an older valid commitment that includes the HTLC, broadcast it to force a closure, and use the preimage to claim the funds onchain. The victim, relying on its updated local state, detects nothing amiss and forfeits the opportunity to relay the settlement upstream, leading to direct financial loss.
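To make the gap concrete, the following is an added Python model (not Eclair's own Scala code) that contrasts a preimage scan limited to the local commitment with the three-view scan covering local, remote and pending remote commitments that Eclair 0.12.0 adopted. The class names, the `force_close_scenario` helper and the sample preimage are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def payment_hash(preimage: bytes) -> bytes:
    return hashlib.sha256(preimage).digest()


@dataclass(frozen=True)
class Htlc:
    id: int
    payment_hash: bytes


@dataclass
class Commitments:
    """Hypothetical model of a channel's commitment views (not Eclair's types)."""
    local: list        # HTLCs in our latest local commitment
    remote: list       # HTLCs in the peer's latest commitment that we signed
    next_remote: list  # HTLCs in a pending remote commitment awaiting revocation


@dataclass
class ClaimTx:
    """Constructed on-chain HTLC-success spend; its witness reveals preimages."""
    witness_preimages: list


def extract_preimages_vulnerable(tx: ClaimTx, c: Commitments) -> set:
    # Pre-0.12.0 behaviour (modelled): only our local view is consulted.
    known = {h.payment_hash for h in c.local}
    return {p for p in tx.witness_preimages if payment_hash(p) in known}


def extract_preimages_fixed(tx: ClaimTx, c: Commitments) -> set:
    # 0.12.0 behaviour (modelled): local, remote and pending remote commitments.
    known = {h.payment_hash for h in c.local + c.remote + c.next_remote}
    return {p for p in tx.witness_preimages if payment_hash(p) in known}


SAMPLE_PREIMAGE = b"constructed-preimage-32-bytes!!!"  # constructed sample value


def force_close_scenario(view: str) -> tuple:
    """Peer broadcasts a commitment in which the HTLC still lives in `view`.

    In the attack the HTLC was already failed and removed from our local
    view, so `view` is 'remote' or 'next_remote'. Returns (vulnerable, fixed).
    """
    htlc = Htlc(7, payment_hash(SAMPLE_PREIMAGE))
    c = Commitments(local=[], remote=[], next_remote=[])
    getattr(c, view).append(htlc)
    tx = ClaimTx(witness_preimages=[SAMPLE_PREIMAGE])
    return extract_preimages_vulnerable(tx, c), extract_preimages_fixed(tx, c)
```

A node that misses the preimage cannot relay it upstream, which is exactly the loss the article describes; the fixed scan recovers it from whichever commitment was broadcast.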

The Path to Discovery and Resolution

The flaw came to light during a routine code review sparked by a conversation with Bastien Teinturier, a key contributor to Lightning protocols. On March 5, 2025, the issue was flagged internally, prompting a swift analysis that uncovered the full attack vector. By March 11, the fix landed in a pull request focused on channel splicing features, and Eclair 0.12.0 rolled out with the updated preimage extraction function.

That revised code now examines HTLCs across local, remote, and pending remote commitments, ensuring no preimage slips through regardless of which state gets broadcast. The change was subtle, tucked into broader improvements, but it closed a gap that had lingered since Eclair’s early days. Disclosure was delayed until September 23, 2025, to allow widespread upgrades, a move that balanced transparency with user protection.

In the wake of the report, Teinturier acknowledged the code's long-standing presence and the absence of thorough tests for malicious closures. He committed to building a dedicated test suite for force-close scenarios, which went live shortly after. This episode underscores the value of proactive auditing in open-source projects like Eclair and the Lightning Network as a whole, where community scrutiny helps fortify the network against edge cases, bugs, and exploits.

Several well-known wallets integrate Eclair for their Lightning Network capabilities, putting their users at risk until updates are applied. Phoenix Wallet, crafted by ACINQ for both Android and iOS, embeds a streamlined Eclair node to manage channels and payments seamlessly. It offers non-custodial control with automatic backups and onchain options, making it a go-to for mobile Bitcoin users seeking Lightning Network speed.

Eclair Mobile, another ACINQ product exclusive to Android, provides direct access to full node functions like channel openings and payment routing. Though it’s an earlier offering compared to Phoenix, it remains a solid choice for those wanting hands-on Lightning management. Zeus Wallet rounds out the list as a versatile remote interface for iOS and Android, compatible with Eclair nodes alongside other implementations for broader node control.

Wallet maintainers have pushed notifications to prompt upgrades, but individual users bear the responsibility to verify their software versions. Keeping nodes current not only dodges this specific threat but also aligns with best practices in a protocol where updates often bundle multiple safeguards.