2023-06-20 13:15:34

Conversation Details

📝 Summary: LNbits found an exploit that lets attackers create balances by manipulating invoices. The attacker can use a payment hash from one payment to create a malicious invoice that tricks the system into thinking it's a different payment. Developers can prevent this by using additional checks. A patch has been released.

👥 Authors: • Antoine Riard [ARCHIVE] (npub1vjzmc45k8dgujppapp2ue20h3l9apnsntgv4c0ukncvv549q64gsz4x8dd) • callebtc [ARCHIVE] (npub1wlhtt0d2g4yu7plwqq4rnwfrda8du7xlvs8v57c32u0wear0v8tq6h90xk)

📅 Messages Date: 2023-06-19

✉️ Message Count: 2

📚 Total Characters in Messages: 6791

Messages Summaries

✉️ Message by callebtc on 19/06/2023: LNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.
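The identity confusion callebtc's message describes, modelled as an added illustration that is not code from the thread or from LNbits: an application that looks up "which invoice was just paid" by payment hash alone will match an attacker-registered invoice B that carries payment A's hash, and credit B's wallet. The hardened path instead locates the record by an internal identifier the app generated itself and compares every stored field (payment hash, amount, exact invoice string) with what the node reports. The `InvoiceRecord`/`PaymentReport` shapes, the `checking_id` field, the `register_foreign_invoice` entry point and the stand-in invoice strings are all assumptions constructed for this example; real bolt-11 invoices are bech32-encoded and are not parsed here.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib
import secrets


@dataclass(frozen=True)
class InvoiceRecord:
    """Everything the app knew about an invoice when it created or registered it."""
    checking_id: str      # internal identifier generated by the app, never caller-supplied
    wallet: str
    payment_hash: str
    amount_msat: int
    bolt11: str           # exact invoice string handed to the payer


@dataclass(frozen=True)
class PaymentReport:
    """Constructed stand-in for what the node reports about a settled incoming payment."""
    checking_id: str
    payment_hash: str
    amount_msat: int
    bolt11: str


def fake_bolt11(payment_hash: str, amount_msat: int) -> str:
    # Constructed stand-in for a bolt-11 string (real ones are bech32-encoded).
    return f"lnbc-constructed/{amount_msat}/{payment_hash}"


class Ledger:
    def __init__(self) -> None:
        self.balances: dict = {}
        self.by_checking_id: dict = {}
        self.by_payment_hash: dict = {}   # the index the vulnerable path relies on
        self.settled: set = set()

    def create_invoice(self, wallet: str, amount_msat: int) -> InvoiceRecord:
        """Honest path: the app itself generates preimage, payment hash and checking id."""
        payment_hash = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        rec = InvoiceRecord(secrets.token_hex(16), wallet, payment_hash,
                            amount_msat, fake_bolt11(payment_hash, amount_msat))
        self._store(rec)
        return rec

    def register_foreign_invoice(self, wallet: str, payment_hash: str,
                                 amount_msat: int) -> InvoiceRecord:
        """Attacker-influenced path: hash and amount come from a caller-supplied invoice."""
        rec = InvoiceRecord(secrets.token_hex(16), wallet, payment_hash,
                            amount_msat, fake_bolt11(payment_hash, amount_msat))
        self._store(rec)
        return rec

    def _store(self, rec: InvoiceRecord) -> None:
        self.by_checking_id[rec.checking_id] = rec
        self.by_payment_hash[rec.payment_hash] = rec   # last writer wins: B overwrites A

    def credit_vulnerable(self, report: PaymentReport) -> Optional[str]:
        """Credits whichever stored invoice carries the reported payment hash."""
        rec = self.by_payment_hash.get(report.payment_hash)
        if rec is None:
            return None
        # Trusts the matched record's own amount, so B's inflated amount is credited.
        self.balances[rec.wallet] = self.balances.get(rec.wallet, 0) + rec.amount_msat
        return rec.wallet

    def credit_hardened(self, report: PaymentReport) -> Optional[str]:
        """Looks up by internal id, verifies every stored field, and settles once."""
        rec = self.by_checking_id.get(report.checking_id)
        if rec is None or rec.checking_id in self.settled:
            return None
        if (report.payment_hash, report.amount_msat, report.bolt11) != \
                (rec.payment_hash, rec.amount_msat, rec.bolt11):
            return None   # invoice details differ from what we issued: do not credit
        self.settled.add(rec.checking_id)
        self.balances[rec.wallet] = self.balances.get(rec.wallet, 0) + rec.amount_msat
        return rec.wallet


def run_scenario(hardened: bool) -> dict:
    """Alice's 1000 msat invoice A is paid; Mallory has registered B with A's hash."""
    ledger = Ledger()
    a = ledger.create_invoice("alice", 1_000)
    ledger.register_foreign_invoice("mallory", a.payment_hash, 1_000_000)
    report = PaymentReport(a.checking_id, a.payment_hash, a.amount_msat, a.bolt11)
    credit = ledger.credit_hardened if hardened else ledger.credit_vulnerable
    credit(report)
    credit(report)   # a replayed settlement notification must not credit twice either
    return dict(ledger.balances)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

The vulnerable path credits Mallory twice with B's inflated amount even though only A was ever paid; the hardened path credits Alice exactly once, because the lookup key is something the attacker never controls and every field of the record is checked against the node's report before any balance changes.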

✉️ Message by Antoine Riard on 19/06/2023: LNbits discovered an exploit allowing attackers to create balances by abusing a quirk in how invoices are handled internally, which may affect other Lightning applications. A patch has been released.

Follow Lightning Mailing List (npub1j3t00t9hv042ktszhk8xpnchma60x5kz4etemnslrhf9e9wavywqf94gll) for full threads

Author Public Key
npub12llycjh8gg2lhy4aph9c5au8ch5s0km5axrlxrc6e24dnsaqyu0s3p0p6n