Conversation Details

Published on
Jun 20, 2023

📝 Summary: LNbits found an exploit that lets attackers create balances by manipulating invoices. The attacker can use a payment hash from one payment to create a malicious invoice that tricks the system into thinking it's a different payment. Developers can prevent this by using additional checks. A patch has been released.

👥 Authors:
Antoine Riard (@Antoine Riard [ARCHIVE])
callebtc (@callebtc [ARCHIVE])

📅 Messages Date: 2023-06-19

✉️ Message Count: 2

📚 Total Characters in Messages: 6791

Messages Summaries

✉️ Message by callebtc on 19/06/2023:
LNbits discovered an exploit that allows attackers to create balances out of thin air by abusing a quirk in how invoices are handled internally. The attacker can insert a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that can trick the backend into believing that B == A. The mitigation is simple, and developers should use additional checks to ensure that the invoice details have not been messed around with. The attack requires a fundamental understanding of bolt-11 and custom tooling to produce the malicious invoice.

✉️ Message by Antoine Riard on 19/06/2023:
LNbits discovered an exploit allowing attackers to create balances by abusing a quirk in how invoices are handled internally, which may affect other Lightning applications. A patch has been released.
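A simplified model of the flaw the thread describes, added here as an illustration; it is not LNbits code. The backend matches a settled payment to a stored invoice by payment hash alone, so an attacker-crafted invoice B carrying A's hash is credited as A. The hardened path adds the check the thread recommends: the settled amount and the exact bolt-11 must match what the backend issued. Class names, amounts and invoice strings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    """What the backend stored when a wallet asked for an invoice."""
    wallet_id: str
    payment_hash: str  # hex payment hash carried in the bolt-11
    amount_msat: int
    bolt11: str        # the exact bolt-11 string handed to the wallet


@dataclass(frozen=True)
class Settled:
    """What the node reports once an incoming payment with this hash settles."""
    payment_hash: str
    amount_msat: int
    bolt11: str


class Ledger:
    def __init__(self, verify_details: bool):
        self.verify_details = verify_details
        self.balances: dict[str, int] = {}
        self.invoices: dict[str, Invoice] = {}  # keyed by payment hash only

    def create_invoice(self, inv: Invoice) -> None:
        self.balances.setdefault(inv.wallet_id, 0)
        self.invoices[inv.payment_hash] = inv

    def on_settled(self, paid: Settled) -> bool:
        """Credit the wallet whose stored invoice matches the settled payment."""
        inv = self.invoices.get(paid.payment_hash)
        if inv is None:
            return False
        # Hardened path: the hash alone does not identify the invoice; the amount
        # and the exact bolt-11 must also equal what this backend issued.
        if self.verify_details and (
            paid.amount_msat != inv.amount_msat or paid.bolt11 != inv.bolt11
        ):
            return False
        self.balances[inv.wallet_id] += inv.amount_msat
        return True


def run(verify_details: bool) -> int:
    """Replay the scenario from the thread; return the attacker's balance."""
    ledger = Ledger(verify_details)
    h = "ab" * 32  # constructed payment hash shared by invoices A and B
    # Invoice A: issued by the backend for the attacker's wallet, large amount.
    ledger.create_invoice(Invoice("attacker", h, 1_000_000, "constructed-bolt11-A"))
    # Invoice B: crafted by the attacker, carries A's hash but a tiny amount.
    ledger.on_settled(Settled(h, 1_000, "constructed-bolt11-B"))
    return ledger.balances["attacker"]
```

With `verify_details=False` the attacker is credited 1,000,000 msat after a 1,000 msat settlement; with the check enabled the mismatched settlement is rejected and nothing is credited.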
