Author: Rusty Russell 2023-07-06 07:10:42+00:00
Published on: 2023-07-06T07:10:42+00:00
In a recent discovery, the team at LNbits found an exploit that allowed attackers to create balances out of thin air by exploiting a quirk in how invoices are handled internally. This exploit has been patched in LNbits version 0.10.5, and users are urged to update as soon as possible. The team believes that similar exploits may be possible in other Lightning applications, especially those involving custodial wallets, payment processors, and account management software.The attack involved the insertion of a bolt-11 payment hash of payment A into a different payment, creating a malicious invoice B that could trick the backend into believing that B is equal to A. The process included creating invoice A of 1000 sat in LNbits, creating invoice B' of 1 sat on the attacker's own node, deserializing B', inserting payment_hash(A) into payment_hash(B), re-signing the invoice, and serializing it again to produce the malicious invoice B. The attacker then created a new account in LNbits and paid B.The LNbits backend used payment_hash(B) to check whether the payment was internal or via Lightning Network. Since payment_hash(A) commits to A, the backend found A in its database. However, it is important to note that payment hashes do not commit to any payment details like amount, but only to the preimage. As a result, the backend settled the payment internally by crediting A and debiting B, effectively allowing the attacker to "create" 999 sats.To mitigate this type of exploit, backends should either use self-generated unique "checking id's" for looking up internal payments or implement additional checks to ensure that the invoice details have not been tampered with (e.g., verifying that amount(A) equals amount(B)).The incident highlights two important lessons. Firstly, it emphasizes the sophistication of LN-savvy attackers who possess a deep understanding of bolt-11 and utilize custom tooling to create malicious invoices. Secondly, it underscores the misconception that the "payment hash" of an invoice commits to payment details like amount or pubkey. The field should be referred to as the "preimage hash" to avoid developers implicitly assuming that it includes payment details.Overall, the LNbits team has addressed this exploit and encourages users to update their software promptly. Developers working on Lightning applications are advised to be aware of potential vulnerabilities and take appropriate measures to prevent similar attacks.
Updated on: 2023-07-13T17:31:49.520554+00:00