Releases: ACINQ/detection-tool-cve-2019-13000

Detection Tool

27 Sep 13:44

This tool detects whether your node has been a victim of the invalid funding tx attack.

Note the default location of eclair.sqlite is:

  • on Windows: C:\Users\<username>\.eclair\mainnet\eclair.sqlite
  • on Linux: /home/<username>/.eclair/mainnet/eclair.sqlite

Ask for help on gitter if needed.

Usage

java -jar checkfunding.jar --db eclair.sqlite

Help

$ java -jar checkfunding.jar --help
checkfunding 1.0
Usage: checkfunding [options]

  --db <eclair.sqlite>  path to eclair.sqlite
  --conf <eclair.conf>  path to eclair.conf
  --help                prints this usage text

This utility will detect if your node has been victim of CVE-2019-13000.
Please see the thread on https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-August/002130.html for more details on the vulnerability.

NB: This tool will only work if you have been using released versions of Eclair. If you are on e.g. latest master, please contact support.

Example: checkfunding --db /path/to/eclair.sqlite --conf /path/to/eclair.conf

Verifying signatures

You will need gpg and our release signing key E434ED292E85643A. Note that you can get it:

To import our signing key:

$ gpg --import padioupm.asc

To verify the release file checksums and signatures:

$ gpg -d SHA256SUMS.asc > SHA256SUMS.stripped
$ sha256sum -c SHA256SUMS.stripped
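
The two commands above run one after the other, so `sha256sum -c` still runs if `gpg` rejected the signature, and `gpg` accepts a valid signature from any key in the keyring. The script below is an added example (not ACINQ's own code) that runs the checksum step only when GnuPG reports a valid signature from the release key id given above. The function names, the `--run` switch and the sample status lines are constructed for illustration, and matching on the last 16 hex digits assumes a v4 OpenPGP key.

```shell
#!/bin/sh
# Added example, not ACINQ's script: fail-closed form of the two commands above.
EXPECTED_KEYID="E434ED292E85643A"   # release signing key id stated on the page

# Constructed GnuPG status lines (placeholder fingerprints, not real keys).
SAMPLE_EXPECTED='[GNUPG:] VALIDSIG 000000000000000000000000E434ED292E85643A 2019-09-27 1569591840 0 4 0 1 8 01 000000000000000000000000E434ED292E85643A'
SAMPLE_OTHER='[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-09-27 1569591840 0 4 0 1 8 01 1111111111111111111111111111111111111111'

# signed_by KEYID: reads "gpg --status-fd" lines on stdin and succeeds only if
# a VALIDSIG line names a signing-key or primary-key fingerprint ending in KEYID.
signed_by() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # field 3: fingerprint of the key that signed; field 12: its primary key
            if (substr($3, length($3) - 15) == want) ok = 1
            if (substr($12, length($12) - 15) == want) ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# verify_release [SHA256SUMS.asc]: strip the clearsigned wrapper, then check
# the checksums only if the signature is valid and made by EXPECTED_KEYID.
verify_release() {
    sums_asc=${1:-SHA256SUMS.asc}
    tmp=$(mktemp) || return 1
    # With --output, stdout carries only the machine-readable status lines.
    if status=$(gpg --batch --yes --status-fd 1 --output "$tmp" \
                    --decrypt "$sums_asc" 2>/dev/null) &&
       printf '%s\n' "$status" | signed_by "$EXPECTED_KEYID"; then
        sha256sum -c "$tmp"; rc=$?
    else
        echo "signature missing, invalid or from another key; checksums not checked" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# "--run" is this example's own switch, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    verify_release "${2:-SHA256SUMS.asc}"
fi
```

Run it from the directory holding the downloaded release files and `SHA256SUMS.asc`, after importing the signing key as shown above.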