2023-07-07 19:00:25

LNMarkets on Nostr: ⚡️DailyZap: Just in case you missed it ''Payment Hash Does Not Commit To ...

⚡️DailyZap: Just in case you missed it

"Payment Hash Does Not Commit To Payment"

The Lightning-dev mailing list got a quick heads-up from @npub12rv5lskctqxxs2c8rf2zlzc7xx3qpvzs3w4etgemauy9thegr43sf485vg reminding everyone that the "payment_hash" of a Lightning invoice doesn't actually commit to the payment itself. Rather, it sets the condition under which the payment can be claimed: the revealing of a preimage whose hash is equal to the payment_hash (e.g. hash(preimage) = payment_hash).

The LNBits team discovered an exploit in the LNBits codebase that could be used to create sats out of thin air and that stems directly from this misconception. A payment's "payment_hash" is not a unique identifier, and one should always perform additional checks (for example on amounts) when trying to correlate two payments.

Author Public Key
npub1lnm0ac8ft8r3jhddchekledgwvqrkwy7wqejjwcxq47gy87te8zs6utnnn
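
The correlation check the post recommends, as an added example that is not part of the original post and is not LNbits code: a hash-only match beside a strict match that also verifies the preimage and the amount. The record types, function names, sample values and the exact-amount policy are assumptions made for this illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:            # hypothetical record: what the receiver asked for
    payment_hash: str     # hex SHA-256 of the preimage
    amount_msat: int

@dataclass(frozen=True)
class SettledPayment:     # hypothetical record: what actually settled
    payment_hash: str
    amount_msat: int
    preimage: str         # hex preimage revealed at settlement

def matches_by_hash_only(inv: Invoice, pay: SettledPayment) -> bool:
    """Weak correlation: treats payment_hash as a unique identifier."""
    return inv.payment_hash == pay.payment_hash

def matches_strict(inv: Invoice, pay: SettledPayment) -> tuple[bool, str]:
    """Correlate two records on hash, preimage and amount; returns (ok, reason)."""
    if inv.payment_hash != pay.payment_hash:
        return False, "hash mismatch"
    try:
        digest = hashlib.sha256(bytes.fromhex(pay.preimage)).hexdigest()
    except ValueError:
        return False, "preimage is not valid hex"
    if digest != inv.payment_hash:
        return False, "preimage does not hash to payment_hash"
    # Assumed policy for this example: the ledger only accepts an exact amount.
    if pay.amount_msat != inv.amount_msat:
        return False, "amount mismatch"
    return True, "ok"

# Constructed sample data: same payment_hash, different amounts.
SAMPLE_PREIMAGE = "11" * 32
SAMPLE_HASH = hashlib.sha256(bytes.fromhex(SAMPLE_PREIMAGE)).hexdigest()
SAMPLE_INVOICE = Invoice(SAMPLE_HASH, 1_000_000)
SAMPLE_PAYMENT = SettledPayment(SAMPLE_HASH, 1_000, SAMPLE_PREIMAGE)

if __name__ == "__main__":
    print("hash only:", matches_by_hash_only(SAMPLE_INVOICE, SAMPLE_PAYMENT))
    print("strict   :", matches_strict(SAMPLE_INVOICE, SAMPLE_PAYMENT))
```
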