Author: callebtc 2023-07-06 07:22:59+00:00
Published on: 2023-07-06T07:22:59+00:00
In a recent post, Calle from LNbits disclosed an exploit that allowed attackers to generate fraudulent balances by exploiting a quirk in how invoices are handled internally. The issue has been addressed in LNbits version 0.10.5, and users are encouraged to update their systems promptly. Calle believes that similar exploits may be possible in other Lightning applications, particularly custodial wallets, payment processors, and account management software.

The attack involves inserting the payment hash of one payment into a different payment, creating a malicious invoice that tricks the backend into treating it as a legitimate internal payment. The process begins with the attacker creating an invoice (A) for a specific amount in LNbits. Then the attacker creates another invoice (B') for a small amount on their own node. By deserializing B', the attacker inserts payment_hash(A) in place of payment_hash(B'), re-signs the invoice, and serializes it again to produce the malicious invoice (B). Finally, the attacker creates a new account in LNbits and pays invoice B from it.

The LNbits backend uses payment_hash(B) to determine whether the payment is internal or goes out via the Lightning Network. Because payment_hash(A) is assumed to commit to invoice A, the backend finds A in its database. This flawed assumption lets the attacker settle the payment internally: the backend credits the full amount of A while debiting only the small amount of B, effectively creating 999 satoshis out of thin air.

To mitigate this issue, backends should either use self-generated unique "checking IDs" for internal payment lookups or add checks that the invoice details have not been tampered with (for example, verifying that the amounts of A and B match).

Calle highlights two lessons from this exploit. First, it demonstrates the sophistication of LN-savvy attackers, who possess a deep understanding of bolt-11 and employ custom tools to create malicious invoices. Second, Calle emphasizes that the "payment hash" of an invoice would be better called a "preimage hash", since it commits only to the preimage and not to other payment details like the amount or the payee pubkey.

Overall, this exploit underscores the importance of implementing robust security measures in Lightning applications and being aware of potential vulnerabilities in the handling of invoices.
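The following is an added illustration, not LNbits code and not from Calle's post. It models a custodial backend as a toy ledger in which an invoice is just the two fields the internal-settlement lookup depends on (payment_hash and amount); the tampered invoice B is constructed directly as data rather than by re-signing a real bolt-11 string. It contrasts the pre-fix lookup, which trusts the payment hash alone and ends up crediting A's amount while debiting B's, with the second mitigation from the post, comparing the submitted invoice against the stored one before settling internally. The checking-ID mitigation is not modelled; wallet names and amounts are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed toy model (hypothetical, not LNbits code). An "invoice" carries only
# the fields the internal-settlement lookup depends on. In a real bolt-11 invoice
# the payment_hash is sha256(preimage) and commits to nothing else, which is why
# two invoices with different amounts can legitimately share one.


@dataclass
class Invoice:
    payment_hash: str   # hex sha256(preimage)
    amount_sat: int


def new_payment_hash() -> str:
    """Fresh random preimage; only its hash is needed for this model."""
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()


class Ledger:
    """Toy custodial ledger: balances per wallet plus the invoices it has issued."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.by_hash: Dict[str, Tuple[str, Invoice]] = {}  # payment_hash -> (owner, invoice)

    def fund(self, wallet: str, sats: int) -> None:
        self.balances[wallet] = self.balances.get(wallet, 0) + sats

    def create_invoice(self, wallet: str, amount_sat: int) -> Invoice:
        inv = Invoice(new_payment_hash(), amount_sat)
        self.by_hash[inv.payment_hash] = (wallet, inv)
        self.balances.setdefault(wallet, 0)
        return inv

    def pay_vulnerable(self, payer: str, submitted: Invoice) -> str:
        """Pre-fix behaviour described in the post: a payment_hash match alone marks
        the payment as internal, the stored invoice A sets the credited amount and
        the submitted invoice B sets the debited one."""
        hit = self.by_hash.get(submitted.payment_hash)
        if hit is None:
            return "external"  # would be routed over the Lightning Network; not modelled
        payee, stored = hit
        if self.balances.get(payer, 0) < submitted.amount_sat:
            return "insufficient"
        self.balances[payer] -= submitted.amount_sat  # debit what B says
        self.balances[payee] += stored.amount_sat     # credit what A says
        return "internal"

    def pay_hardened(self, payer: str, submitted: Invoice) -> str:
        """Mitigation from the post: the hash match is only a hint. Payer-controlled
        fields are compared against the stored invoice, and the stored amount is
        the single source of truth for both legs of the settlement."""
        hit = self.by_hash.get(submitted.payment_hash)
        if hit is None:
            return "external"
        payee, stored = hit
        if submitted.amount_sat != stored.amount_sat:
            return "rejected"  # B carries A's payment hash but not A's amount
        if self.balances.get(payer, 0) < stored.amount_sat:
            return "insufficient"
        self.balances[payer] -= stored.amount_sat
        self.balances[payee] += stored.amount_sat
        return "internal"


def run_scenario(hardened: bool) -> Dict[str, object]:
    """Replays the post's steps against the toy ledger and reports the net change
    in total balances, which must be 0 for any sound internal settlement."""
    ledger = Ledger()
    ledger.fund("attacker_wallet_2", 10)                          # constructed balance
    invoice_a = ledger.create_invoice("attacker_wallet_1", 1000)  # step 1: invoice A in the backend
    # Steps 2-3 as data only: B keeps the small amount but carries payment_hash(A).
    invoice_b = Invoice(payment_hash=invoice_a.payment_hash, amount_sat=1)
    before = sum(ledger.balances.values())
    pay = ledger.pay_hardened if hardened else ledger.pay_vulnerable
    result = pay("attacker_wallet_2", invoice_b)                  # step 4: pay B from a second account
    after = sum(ledger.balances.values())
    return {"result": result, "balances": dict(ledger.balances), "net_created": after - before}


if __name__ == "__main__":
    print(run_scenario(hardened=False))  # net_created: 999
    print(run_scenario(hardened=True))   # result: rejected, net_created: 0
```

The `net_created` figure is the invariant a defender can monitor in production: every internal settlement should leave the sum of all balances unchanged, so a nonzero delta on an internal payment is a detection signal regardless of which field was tampered with.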
Updated on: 2023-07-13T17:32:05.114285+00:00