LNbank Vulnerability Recap: Last week, a critical vulnerability was identified in the LNbank plugin, which I developed as a plugin for nostr:npub155m2k8ml8sqn8w4dhh689vdv0t2twa8dgvkpnzfggxf4wfughjsq2cdcvg. The following post aims to outline what transpired and the steps I, as a maintainer of the plugin, and the BTCPay Server team are taking to prevent similar occurrences in the future. https://d11n.net/lnbank-vulnerability-recap
Discussion
I'm sorry for all that have lost Bitcoin, but am also sorry for what you went through with this vulnerability. I know how much of your heart and soul you have put into this plugin over the years with the best of intentions.
Thank you for your contributions Dennis
I was not affected, but I read stories of those that were. They'll appreciate the apology and the gesture. Thanks for the post mortem.
Thank you nostr:npub14j7wc366rf8efqvnnm8m68pazy04kkj8fgu6uqumh3eqlhfst0kqrngtpf. Appreciate all that you do for Bitcoin.
We appreciate everything you do for Bitcoin Dennis
Thank you very much for hanging in with this and working tirelessly to identify the source of the bug and fix it asap. Thank you for developing this great plugin in the first place.
It shows that we need to care more for the software we use and help reviewing code and doing more adversarial testing or help in any other way to improve it.
You mention that people can donate sats to distribute to people affected, where can we do that? Zap on this post or any special lnaddress or something?
You can donate to nostr:npub103wzz5eeegcwzrchje02m4rcxqxqtz2rauefhdshmtzd9xjxxdnqm5kd9u via the Lightning Address hugo@wallets.fyoumoneypod.com or onchain to bc1qz8dxk6h8gha5qvsnw67rjzz3xn6t4k0wmafqz3.
Related, can you explain why BTCPay asks for an admin macaroon in order to connect a remote LND instance? Shouldn't a read-only macaroon with invoice permission suffice?
Iirc we need it to access the connection details and health status of the GetInfo call. However, by now LND supports baking custom macaroons and I'll look into if and how we can leverage that. /cc nostr:npub1y24gz5gwucl79vtv4ctwpysl0r5m4xyzu2rgulnr44ks3t5mt92q4nz2ad nostr:npub1zfytz6ktce3av2svlfpl0e79e44tnskxmvlpkcmc7q0xct3qa49swvm60l
At this point, it's not that big of a deal to not ask for it, maybe we can drop the requirement for the info.
fyi working on it here. Using invoice.macaroon suffices, only downside is we cannot display the connection details on the public Lightning node info page. https://github.com/btcpayserver/btcpayserver/pull/5567
Thank you for the recap!
Indeed these things can happen, but working and solving issues in the open teaches and benefits everyone.
While also being sorry for the losses I am looking forward to what more you are building!
You're the man, Dennis. Thanks for all your amazing work.