um let’s say it took them 3 months of constant reminders that allowed anyone to log onto your LNbits instance and
- destroy all data
- drain all your LN funds
- etc
TRUST, BUT VERIFY, YOU MUST. CODE, AUDIT, YOU SHOULD. BLINDLY, TRUST NOT. FOOLISH, IT IS.
bUt HoW cOuLd YoU sAy SuCh MeAn ThInGs???? 🤣
I don't enable the super admin and I only allow users to be added via the .env file. Problem solved.
I wouldn't want random internet people being able to create accounts on my instance.
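As an added example (not from this thread and not the LNbits project's own documentation), the locked-down `.env` settings the post above describes, next to the permissive ones. The variable names are an assumption based on LNbits' `.env.example` and should be checked against the release you actually run.

```dotenv
# Permissive settings (assumed defaults): anyone who can reach the web UI can
# register an account, and the admin/super-user panel is switched on.
# LNBITS_ADMIN_UI=true
# LNBITS_ALLOW_NEW_ACCOUNTS=true

# Locked-down settings, matching the post above.
# Assumption: names follow LNbits' .env.example; verify for your version.
LNBITS_ADMIN_UI=false             # keep the super-user/admin panel disabled
LNBITS_ALLOW_NEW_ACCOUNTS=false   # no self-service sign-ups

# Only the user IDs listed here may use the instance (comma-separated).
# <your-user-id> is a placeholder for an account you created yourself.
LNBITS_ALLOWED_USERS="<your-user-id>"

# Nobody gets admin rights unless explicitly listed here.
LNBITS_ADMIN_USERS=""
```

This limits who can create or use accounts; it does not by itself address an authentication bypass of the kind the top of the thread describes, so it is a complement to keeping the instance updated and keeping the attached node's funds small, not a substitute.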
Nope
Okay, can you link a GitHub issue?
Was reported a few years ago in DMs. Finally fixed
Found a few other bugs that got fixed too.
But the codebase probably has way more, looking at the code quality. Not interested in doing free work for a project run by someone who called me a “FUDer” for saying they have issues in their code.
Fair enough and thank you for the added context.
I have a separate single-channel LND node running LNbits so I can run the Lightning Piggys for my kids. I don't allow new signups. Are you saying I should not be running this because it could still get owned?
I'm wary of any publicly accessible program that can send sats from my node, which is why I built a separate node with minimal funds on it.
Only the node that is used can be drained
Also, if you do not expose it to the internet, you are mostly fine
Closing it off from the web defeats its use case. Limiting sign-ups is probably a good first step, but does this problem still exist in v1 (pending release)?
Seems like a glaring issue like this should be more broadly discussed. Especially for a codebase that is so regularly utilized by the Bitcoin Lightning community
Not currently. There likely are a lot of other bugs though due to the garbage code quality, and the current payment handling code can register sent payments as not sent in certain cases