Replying to Renaud Lifchitz

In a nutshell, from the victim LN address, we can easily find its Spark on-chain address through the LNURL "well-known" URL, for example:

https://walletofsatoshi.com/.well-known/lnurlp/warmestfuture710

From here, we can browse all the address details on a blockchain explorer like:

https://www.sparkscan.io/address/spark1pgss9gqjlk5emnuwg9dvxdh76r70ny2nmumhnzlth6q4zr0hych72gerqux6vp?network=mainnet

Conclusion: Everything is public... 🤬

cc nostr:nprofile1qyvhwue69uhkyat8d4skutndva6hjtnwv46r5dpcxsuqz9nhwden5te0vfjhgcfwdehhxarjd9kzucmpd5qzqxvfqd89dw8kqmrjfaz6zt8gfggcg93p4tm3s2slv4jrszuugfmt74rjkj nostr:nprofile1qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcqyqxzfcer2g508mjnd8223frw4yhj3udg8ymducdvddqq84qrgn2zyd6ur5w
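The lookup described above is a LUD-06/LUD-16 LNURL-pay request: the well-known URL returns a JSON `payRequest` document, and the Spark address was apparently carried in that document. As an added example that is not part of the thread, the checker below takes the body of such a response and reports any key beyond the spec-required and commonly documented ones, and scans every string in the document (including the JSON-encoded `metadata` field) for a `spark1...` address. The sample responses are constructed for this example; the key name `sparkAddress` and the callback URL are hypothetical placeholders, and only the address value is the one shown in the thread.

```python
import json
import re

# Keys a LUD-06 payRequest response must carry; widely documented extensions
# (LUD-12 comments, NIP-57 zaps) are tolerated. Anything else is reported.
REQUIRED_KEYS = {"callback", "maxSendable", "minSendable", "metadata", "tag"}
KNOWN_OPTIONAL_KEYS = {"commentAllowed", "allowsNostr", "nostrPubkey"}

# Spark addresses in the thread use the bech32m-style "spark1..." form.
# bech32 data charset: qpzry9x8gf2tvdw0s3jn54khce6mua7l
SPARK_ADDR_RE = re.compile(r"\bspark1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{20,}\b")


def _strings(value):
    """Yield every string nested in a decoded JSON value. Strings that are
    themselves JSON documents (the LUD-06 metadata field is one) are decoded
    and walked too, so an address hidden in metadata is still found."""
    if isinstance(value, str):
        yield value
        try:
            inner = json.loads(value)
        except ValueError:
            return
        if isinstance(inner, (list, dict)):
            yield from _strings(inner)
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def find_leaks(response_text):
    """Return missing required keys, non-standard keys, and any Spark
    addresses found anywhere in a LNURL-pay well-known response body."""
    doc = json.loads(response_text)
    if doc.get("tag") != "payRequest":
        raise ValueError("not a LUD-06 payRequest response")
    missing = sorted(REQUIRED_KEYS - doc.keys())
    extra = sorted(doc.keys() - REQUIRED_KEYS - KNOWN_OPTIONAL_KEYS)
    found = []
    for s in _strings(doc):
        for addr in SPARK_ADDR_RE.findall(s):
            if addr not in found:
                found.append(addr)
    return {"missing_keys": missing, "extra_keys": extra, "spark_addresses": found}


# Constructed sample responses (not captured from any wallet). "sparkAddress"
# is a hypothetical key name standing in for whatever the beta feature used;
# the callback URL is a placeholder; the address value is the one in the thread.
PAGE_SPARK_ADDR = "spark1pgss9gqjlk5emnuwg9dvxdh76r70ny2nmumhnzlth6q4zr0hych72gerqux6vp"
_BASE = {
    "callback": "https://example.invalid/lnurlp/warmestfuture710/callback",
    "tag": "payRequest",
    "minSendable": 1000,
    "maxSendable": 100000000000,
    "metadata": json.dumps([["text/plain", "Pay to warmestfuture710"]]),
    "commentAllowed": 255,
}
CLEAN_RESPONSE = json.dumps(_BASE)
LEAKY_RESPONSE = json.dumps({**_BASE, "sparkAddress": PAGE_SPARK_ADDR})
# Same leak, but buried in the metadata text instead of a dedicated key.
METADATA_LEAK_RESPONSE = json.dumps({
    **_BASE,
    "metadata": json.dumps([["text/plain", "Spark: " + PAGE_SPARK_ADDR]]),
})

if __name__ == "__main__":
    for name, body in [("clean", CLEAN_RESPONSE), ("leaky", LEAKY_RESPONSE),
                       ("metadata", METADATA_LEAK_RESPONSE)]:
        print(name, find_leaks(body))
```

To check a live wallet, fetch the well-known URL with `curl` and pass the body to `find_leaks`; the third sample shows why the scan walks string values rather than only comparing key names, since an address embedded in the `metadata` text would pass a key-based check.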

Wild! Thanks for sharing this.


Discussion

nostr:npub1renaud65zug8r570ndztde2xhk206z3v50a5mwa3kp2xshy3zmjqkqaw97 I emailed nostr:npub1hcwcj72tlyk7thtyc8nq763vwrq5p2avnyeyrrlwxrzuvdl7j3usj4h9rq yesterday about this and here's the response I got back:

"We were testing a beta feature with the Spark address/LNURL, but it is no longer required. We've removed the Spark address from that location now."

Sounds like this privacy leak is getting patched in the next update. Let me know if you find anything else and I'll forward it on.

Removing the Spark address from the "well-known" LNURL address doesn't solve anything. Monitoring sparkscan.io for a given amount (for example sending 1 sat to a LN address) is enough to uncover the Spark address from the LN address... It's security by obscurity, nothing more! 🤡

Anyway, thanks for reporting the issue to them, but it cannot be solved while they stay on a plaintext blockchain...
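The correlation attack described in the reply above (pay a known amount to the LN address, then watch the public ledger for a matching transfer) is a generic amount-and-timing match, and it generalizes: each probe with a distinct amount yields a candidate set, and the victim's address is whatever survives the intersection of all of them. The following is an added example, not code from the thread, and the ledger it runs on is constructed inline with placeholder `spark1...` addresses; in practice the transfer records would come from an explorer such as sparkscan.io, and the match window would be tuned to the settlement delay observed there.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One incoming transfer as an explorer would list it (constructed)."""
    address: str       # receiving Spark address
    amount_sats: int
    timestamp: int     # unix seconds


@dataclass(frozen=True)
class Probe:
    """A payment the attacker sent to the victim's LN address."""
    amount_sats: int
    sent_at: int       # unix seconds


def candidates_for(transfers, probe, window_s):
    """Addresses that received exactly probe.amount_sats within window_s
    seconds after the probe was sent."""
    return {
        t.address
        for t in transfers
        if t.amount_sats == probe.amount_sats
        and probe.sent_at <= t.timestamp <= probe.sent_at + window_s
    }


def correlate(transfers, probes, window_s=120):
    """Intersect the candidate sets of every probe. The victim's address
    must appear in all of them, so each extra probe with a distinct amount
    shrinks the set; a single common amount like 1 sat is rarely enough."""
    result = None
    for probe in probes:
        matches = candidates_for(transfers, probe, window_s)
        result = matches if result is None else result & matches
    return result if result else set()


# Constructed ledger. "spark1qvictim0" etc. are placeholders, not real addresses.
T0 = 1_700_000_000
LEDGER = [
    Transfer("spark1qvictim0", 1, T0 + 10),
    Transfer("spark1qnoisea", 1, T0 + 30),        # other users also receive 1 sat
    Transfer("spark1qnoiseb", 1, T0 + 95),
    Transfer("spark1qnoisec", 1, T0 + 500),       # outside the match window
    Transfer("spark1qvictim0", 1337, T0 + 3600 + 20),
    Transfer("spark1qnoisea", 2100, T0 + 3600 + 40),
    Transfer("spark1qnoiseb", 1337, T0 + 7200),   # right amount, wrong time
]
# First probe: 1 sat. Second probe an hour later with an unusual amount.
PROBES = [Probe(1, T0), Probe(1337, T0 + 3600)]

if __name__ == "__main__":
    print("after probe 1:", sorted(candidates_for(LEDGER, PROBES[0], 120)))
    print("after both probes:", sorted(correlate(LEDGER, PROBES)))
```

The 1-sat probe alone leaves three candidates because tiny tips are common; the second probe with an uncommon amount narrows the set to one address. Nothing in this requires the Spark address to be published anywhere, which is why removing it from the well-known response only removes the shortcut.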

Damn it man, don't make me into a Monero maxi.

Solution is easy: stay on Lightning, not on a side-chain...

It's not technically a sidechain; it's kind of a different concept than something like Liquid, but it still serves the same functional purpose of a public ledger that can handle micropayments. Lightning is the connection layer, but most people will never run it due to the complexity, so they will end up sacrificing privacy for convenience and ease of use.

Interested in their answer if you forward them my remark about their "fix"... 😉

I don't know how that can be solved if each wallet has a static public key that can't be abstracted away by design.