Replying to nitesh

Zaps are broken. There is a vulnerability/bug (depending on how you see it) where you could show off on social media that you zapped someone but you could just pay yourself.

Here’s how to reproduce it:

When you click zap, an invoice is fetched from a URL that looks like this

- https://stacker.news/api/lnurlp/02fbae2cc5/pay?SOMECRAP

- Replace 02fbae2cc5 with your own user ID and fetch the invoice and pay it, so you pay yourself. Check the post you’re trying to Zap, it will get updated saying you zapped them. LOL

https://snort.social/e/note1sxedhg4r6tyjamdtr7txzxda5e24tkfxh9amgxs5cpccw3e0v9vs36vfxq

This is an example post, Only one of my zap is real, 2 more I just paid myself.

#[0] found this out.

Avatar
andre 2y ago

This has always been the case though. This isn’t new.

I can zap from wallet A to wallet B in a diff provider and voila! This would still show up as a ZAP even though I’m paying my self on another provider. There’s no way around this because it’s infeasible that providers/wallets would know whether “this user Z is the same user W on your side”.

Reply to this note

Please Login to reply.

Discussion

Avatar
Egge 2y ago

At current we know a wallets accounts pubkey. So we would be be able to verify that the p-Tag is the same as the receivers pubkey.

But I guess for others it’s infeasible

Avatar
UNCLE ROCKSTAR 2y ago

Yeah, but if we're to obsolete likes and sort by zaps, this exploit should be solved first.

Avatar
Keysa - Simplest Bitcoin Edu 2y ago

Truly! Then again most people probably wouldn't do this, so maybe it's not that big of an issue?

Avatar
andre 2y ago

Not sure I see HOW though. I understand your point, but don't really see the way forward. Wallets / wallet providers don't share user data (on purpose) so provider A cannot know for a fact that the zap/payment incoming is from the same user but from a wallet in provider B.

Avatar
UNCLE ROCKSTAR 2y ago

This is where I believe in you figuring it out... you've never let Uncle Rockstar down 😉

Avatar
andre 2y ago

It’s a shame there wasn’t more discussion when the zap spec was being built out. But I’m sure we can investigate something.

02
nitesh 2y ago

Yes! 💯

Needed more discussion!

Avatar
UNCLE ROCKSTAR 2y ago

I wish everyone was coming to #[7] so discussions like this could take place.

Avatar
UNCLE ROCKSTAR 2y ago

Well, seems #[8] is already on it https://github.com/nostr-protocol/nips/pull/274

12
Carlos 2y ago

lol, people didn't pay attention in the zap PR, "discussion" is not where it's at with zaps

Avatar
Egge 2y ago

Clients could enforce that users need to set their pubkey when creating a Lightning address that should support nip57. Then providers could check for a matching p-Tag

Avatar
signal_and_rage 2y ago

likes are a gateway drug, we can’t get rid of them

Avatar
UNCLE ROCKSTAR 2y ago

At this point I realize that we're reached pattern: likes will go away on their own when better solution is in place.

12
Carlos 2y ago

If only there were a way to make likes also send sats...

Automatically, from your own non-custodial wallet...

#[0]

Avatar
Hunter ₿eaṩt 2y ago

I don't see how it could be solved without introducing deanonymization / KYC; a new npub could be generated for the spoofing, after all.