Potential vulnerability in Lightning backends: BOLT-11 "payment hash" does not commit to payment! [combined summary]



Original discussion: lightning-dev mailing list

Published on: 2023-07-16T18:11:58+00:00


Summary:

The LNbits team recently discovered an exploit in how invoices are handled internally that allowed attackers to create fake balances. It has been fixed in LNbits version 0.10.5, and users are advised to update promptly. Similar exploits may be possible in other Lightning applications, particularly custodial wallets, payment processors, and account management software. The attack involves manipulating payment hashes to trick the backend into treating a malicious invoice as legitimate. To mitigate the issue, backends should use unique "checking IDs" for internal payment lookups, or implement additional checks to ensure invoice integrity. Developers should prioritize robust security measures and keep their software updated to prevent such attacks. The incident emphasizes the importance of caution and proactive measures in addressing vulnerabilities in Lightning applications.
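The mitigation described above, as an added example (not LNbits code and not code from the original discussion): a hypothetical backend ledger that keys its own invoices by a backend-generated checking ID and treats a payment as internal only when the presented invoice is exactly the one it issued. The names `Invoice`, `Ledger`, `is_internal_weak` and `match_internal`, and all sample values, are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    bolt11: str        # full encoded invoice string (constructed placeholder here)
    payment_hash: str  # hex payment hash carried by the invoice
    amount_msat: int


class Ledger:
    """Hypothetical custodial ledger of invoices the backend issued itself."""

    def __init__(self):
        self._by_checking_id = {}  # checking_id -> Invoice
        self._by_hash = {}         # payment_hash -> checking_id

    def issue(self, inv):
        # The checking ID is generated by the backend, never read from an invoice.
        checking_id = secrets.token_hex(16)
        self._by_checking_id[checking_id] = inv
        self._by_hash[inv.payment_hash] = checking_id
        return checking_id

    def is_internal_weak(self, presented):
        # Weak form: the payment hash alone decides that a payment is internal,
        # although the hash does not commit to the rest of the invoice.
        return presented.payment_hash in self._by_hash

    def match_internal(self, presented):
        """Return the checking ID only if `presented` is the invoice we issued."""
        checking_id = self._by_hash.get(presented.payment_hash)
        if checking_id is None:
            return None  # not one of ours: handle as an external payment
        stored = self._by_checking_id[checking_id]
        # Integrity check: every field (string, hash, amount) must match.
        if presented != stored:
            raise ValueError("payment hash matches an issued invoice, but the invoice differs")
        return checking_id


# Constructed sample data: two invoices sharing one payment hash.
ISSUED = Invoice("lnbc-constructed-A", "aa" * 32, 1_000)
LOOKALIKE = Invoice("lnbc-constructed-B", "aa" * 32, 5_000_000)
```

Settlement and balance updates would then reference the returned checking ID rather than the payment hash.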


Updated on: 2023-08-11T15:50:36.268843+00:00