2023-06-19 17:42:41
Lightning Mailing List on Nostr: 🔖 Title: Potential vulnerability in Lightning backends: BOLT-11 "payment hash" ...

🔖 Title: Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment!
🏷️ Categories: Lightning-dev

📝 Summary: LNbits found an exploit that lets attackers create balances by manipulating invoices. The attacker can use a payment hash from one payment to create a malicious invoice that tricks the system into thinking it’s a different payment. Developers can prevent this by using additional checks. A patch has been released.

👥 Authors: • Antoine Riard (Antoine Riard [ARCHIVE], npub1vjz…x8dd) • callebtc (callebtc [ARCHIVE], npub1wlh…90xk)

📅 Messages Date: 2023-06-19

✉️ Message Count: 2

📚 Total Characters in Messages: 6791

Messages Summaries

✉️ Message by callebtc on 19/06/2023: LNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.

✉️ Message by Antoine Riard on 19/06/2023: LNbits discovered an exploit allowing attackers to create balances by abusing a quirk in how invoices are handled internally, which may affect other Lightning applications. A patch has been released.
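The check recommended in the thread, as an added illustration (not LNbits' code, and not a BOLT-11 parser): invoices are modelled as plain constructed records keyed by payment hash, and the settlement path that trusts whatever invoice is presented is shown beside one that re-derives every detail from the backend's own record and refuses a mismatch.

```python
# Added example, not from the thread or from LNbits. Invoices are simplified
# in-memory records; "bolt11" here is a constructed stand-in for the real string.
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Invoice:
    bolt11: str        # the serialised invoice as handed to the payer
    payment_hash: str  # hex sha256 of the preimage
    amount_msat: int


# Backend state (constructed stand-ins for a database): invoices this wallet
# itself issued, keyed by payment hash, account balances, and settled hashes.
ISSUED: dict[str, tuple[str, Invoice]] = {}
BALANCES: dict[str, int] = {}
SETTLED: set[str] = set()


def issue_invoice(account: str, preimage: bytes, amount_msat: int) -> Invoice:
    h = sha256(preimage).hexdigest()
    inv = Invoice(f"lnbc-constructed-{account}-{amount_msat}-{h[:8]}", h, amount_msat)
    ISSUED[h] = (account, inv)
    return inv


def settle_vulnerable(presented: Invoice) -> int:
    """Uses the payment hash only to find the account and then credits the
    amount carried by the presented invoice: a second invoice reusing the
    hash of an already-paid one is credited with its own, unrelated amount."""
    account, _stored = ISSUED[presented.payment_hash]
    BALANCES[account] = BALANCES.get(account, 0) + presented.amount_msat
    return BALANCES[account]


def settle_hardened(presented: Invoice) -> int:
    """Credits only the amount recorded when this backend issued the invoice,
    requires the presented invoice to match that record field for field,
    and settles each payment hash once."""
    record = ISSUED.get(presented.payment_hash)
    if record is None:
        raise ValueError("unknown payment hash")
    account, stored = record
    if stored != presented:  # bolt11 string, hash and amount must all agree
        raise ValueError("invoice does not match the one this backend issued")
    if stored.payment_hash in SETTLED:
        raise ValueError("payment hash already settled")
    SETTLED.add(stored.payment_hash)
    BALANCES[account] = BALANCES.get(account, 0) + stored.amount_msat
    return BALANCES[account]


def hardened_accepts(presented: Invoice) -> bool:
    """True if the hardened path credits the invoice, False if it rejects it."""
    try:
        settle_hardened(presented)
        return True
    except ValueError:
        return False
```

The equality check on the whole record is what closes the gap: the payment hash alone proves that some invoice was paid, not that the presented one was.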

Follow Lightning Mailing List (npub1j3t…4gll) for full threads


Author Public Key: npub1j3t00t9hv042ktszhk8xpnchma60x5kz4etemnslrhf9e9wavywqf94gll