📅 Original date posted:2023-06-19
🗒️ Summary of this message: LNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.
📝 Original message:
Dear list,
earlier last month, our team at LNbits discovered a rather interesting exploit which wich would enable an attacker to create balances out of thin air by abusing a quirk in how invoices are handled internally. We've patched this in LNbits version 0.10.5 and urge anyone to update ASAP if you haven't done so already. I want to describe the attack here, since my gut feeling is that carrying out the same exploit is possible in other Lightning applications. If you're working on custodial wallets, payment processors, account management software, etc. you probably want to read this.
In short, the attacker was able to insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A.
Here is how it goes:
- Attacker creates invoice A of amount 1000 sat in LNbits
- Attacker creates invoice B' of amount 1 sat on her own node
- Attacker deserializes B', inserts payment_hash(A) into payment_hash(B), re-signs the invoice, and serializes it again, producing malicious invoice B
- Attacker creates a new account in LNbits and pays B
- LNbits backend uses payment_hash(B) to check whether this is an internal payment or a payment via LN
- Backend finds A in its database since we implicitly assume that payment_hash(A) commits to A
** This is the critical part! Payment hashes do *NOT* commit to any payment details (like amount) but only to the preimage! **
- Backend settles payment internally by crediting A debiting B
- Attacker has "created" 999 sats
Mitigation:
The mitigation is quite simple. Backends should either use self-generated unique "checking id's" for looking up internal payments or use additional checks to make sure that the invoice details have not been messed around with (e.g., asserting amount(A) == amount(B)).
Lessons:
I think there are two lessons here. First, it's good to realize the level of sophistication of LN-savvy attackers. This attack clearly involves a fundamental understanding of bolt-11 and requires custom tooling to produce the malicious invoice.
The second lesson is more valuable: The "payment hash" of an invoice is not a "payment" hash but merely a "preimage" hash – and nothing else. Naming this field as such increases the chance of developers implicitly assuming that the hash commits to payment details like amount, pubkey, etc. I will from now on call this simply the "preimage hash" and invite you to do so too.
Best
Calle
callebtc [ARCHIVE] /
npub1wl…h90xk
2023-06-19 19:42:41
in reply to nevent1q…qnh6
Author Public Key
npub1wlhtt0d2g4yu7plwqq4rnwfrda8du7xlvs8v57c32u0wear0v8tq6h90xkPublished at
2023-06-19 19:42:41Event JSON
{
"id": "8fd5b3f24dd8cebc6e505d51bc81443a23a43bcd71b96c768a79d8cde9373125",
"pubkey": "77eeb5bdaa4549cf07ee002a39b9236f4ede78df640eca7b11571eecf46f61d6",
"created_at": 1687196561,
"kind": 1,
"tags": [
[
"e",
"c412ecaa9cf2975917055bec79e22c25314cebb9517beff6dede6954caab69bf",
"",
"reply"
],
[
"p",
"9456f7acb763eaab2e02bd8e60cf17df74f352c2ae579dce1f1dd25c95dd611c"
]
],
"content": "📅 Original date posted:2023-06-19\n🗒️ Summary of this message: LNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.\n📝 Original message:\nDear list,\n\nearlier last month, our team at LNbits discovered a rather interesting exploit which wich would enable an attacker to create balances out of thin air by abusing a quirk in how invoices are handled internally. We've patched this in LNbits version 0.10.5 and urge anyone to update ASAP if you haven't done so already. I want to describe the attack here, since my gut feeling is that carrying out the same exploit is possible in other Lightning applications. If you're working on custodial wallets, payment processors, account management software, etc. you probably want to read this.\n\nIn short, the attacker was able to insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A.\n\nHere is how it goes:\n\n- Attacker creates invoice A of amount 1000 sat in LNbits\n- Attacker creates invoice B' of amount 1 sat on her own node\n- Attacker deserializes B', inserts payment_hash(A) into payment_hash(B), re-signs the invoice, and serializes it again, producing malicious invoice B\n- Attacker creates a new account in LNbits and pays B\n\n- LNbits backend uses payment_hash(B) to check whether this is an internal payment or a payment via LN\n- Backend finds A in its database since we implicitly assume that payment_hash(A) commits to A\n\n** This is the critical part! Payment hashes do *NOT* commit to any payment details (like amount) but only to the preimage! ** \n\n- Backend settles payment internally by crediting A debiting B\n- Attacker has \"created\" 999 sats\n\nMitigation:\n\nThe mitigation is quite simple. Backends should either use self-generated unique \"checking id's\" for looking up internal payments or use additional checks to make sure that the invoice details have not been messed around with (e.g., asserting amount(A) == amount(B)).\n\nLessons:\n\nI think there are two lessons here. First, it's good to realize the level of sophistication of LN-savvy attackers. This attack clearly involves a fundamental understanding of bolt-11 and requires custom tooling to produce the malicious invoice. \n\nThe second lesson is more valuable: The \"payment hash\" of an invoice is not a \"payment\" hash but merely a \"preimage\" hash – and nothing else. Naming this field as such increases the chance of developers implicitly assuming that the hash commits to payment details like amount, pubkey, etc. I will from now on call this simply the \"preimage hash\" and invite you to do so too.\n\nBest \n\nCalle",
"sig": "c741adbc3f53b75b00eeddac1ef5d8dd722f738047c22d51e93b0eeda98b0af2db1270043aab826bef1e7f4896dc3f78bd005717124e5ce641cf9e18c1760d04"
}