Payment failure message with attached channel_update not checked

[joostjager]

Background

It seems that channel_updates that are received from hops during payment are not checked fully. It is possible for a hop to modify channel policies in the sender node graph for channels that that hop does not take part in.

This will make it possible for a node to modify other nodes policies. A malicous node could try to attract traffic to itself by effectively disabling competing channels.

Your environment

lnd master bb310a3
Linux 4.13.0-36-generic #40~16.04.1-Ubuntu SMP
btcd simnet

Steps to reproduce

• Create three nodes on simnet: A, B and C.
• Open channels: A-B, B-C, C-A.
• Modify node B to always report FeeInsufficient with a channel update that targets the channel id of channel A-C and a recognizable change like base fee 1234 msat.
• Use SendToRoute to send a payment A->B->C.
• It will fail because B reports FeeInsufficient.

Expected behaviour

A should not push the channel update for its channel A-C to its channel db.

Actual behaviour

The policy of channel A-C as reported by A is updated according to the data given by B.

[Roasbeef]

It is possible for a hop to modify channel policies in the sender node graph for channels that that hop does not take part in.

All channel updates are signed. Therefore, the only way for a node to make us accept an update for a channel they didn't take part in, is to obtain the private key of another node, or somehow trick/force them into signing an update.

So the main issue is that we don't currently validate the signature of channel update we receive via the onion error in the case of a routing failure.